The WordPress Security Checklist
Most WordPress security advice arrives as a pile of tips with no order to them. Change this setting, install that plugin, tick this box. What's missing is the shape of the thing: what actually matters, what's just noise, and what order to do it in.
This is the checklist I work through on a site. It's grouped the way I think about it, from the ground up, because the layers build on each other. There's no point hardening logins on a site sitting on a neglected server, and no point obsessing over file permissions if your admin password leaked two years ago.
Work down it in order. Each item is a real reduction in risk, not a box ticked for the sake of it.
Hosting and server
This is the floor everything else stands on. Get it wrong and nothing above it holds.
- Choose a host that isolates your site from others on the same server
- Run a supported, current version of PHP (8.3 or 8.4)
- Disable root SSH login and enforce SSH key authentication
- Disable directory listing on the server
Good hosting does real work here, but only at this layer. Everything below this point is yours, and it's where most compromises actually happen.
WordPress core
A default WordPress install ships with a handful of choices that suit a first-time user, not a site you care about.
- Always run the latest version of WordPress core
- Change the default wp-login.php login URL
- Disable the built-in file editor in the dashboard
- Disable XML-RPC if you are not actively using it
- Replace WP-Cron with a real server-side cron job
- Remove any unused themes, including the default ones
- Remove any unused plugins
The file editor one matters more than it looks. It hands direct code execution to anyone who gets into the dashboard. Turning it off costs you nothing and closes a door.
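The three items in this section that are configuration rather than dashboard clicks, as an added example (this is not code from the page, from WordPress core or from any plugin): constants for wp-config.php and a must-use plugin that switches XML-RPC off. The cron interval, the install path and the mu-plugin filename are assumptions; the constants and filter names are WordPress's own.

```php
<?php
// --- wp-config.php (above the "That's all, stop editing!" line) ---

// Remove the theme and plugin file editor from the dashboard. Without this,
// any administrator session can write PHP straight into the site.
define( 'DISALLOW_FILE_EDIT', true );

// Stop WordPress running its pseudo-cron on visitor page loads. A real
// server-side cron job (below) triggers due events on a fixed schedule instead.
define( 'DISABLE_WP_CRON', true );

// Matching system cron entry, installed with `crontab -e` as the web user.
// The path and the five-minute interval are assumptions; either form works:
//   */5 * * * * /usr/local/bin/wp cron event run --due-now --path=/var/www/example.com --quiet
//   */5 * * * * curl -s https://example.com/wp-cron.php?doing_wp_cron >/dev/null 2>&1

// --- wp-content/mu-plugins/harden-core.php (assumed filename) ---
// Must-use plugins load on every request and cannot be deactivated from the
// dashboard, so hardening filters survive a compromised admin session longer here.

// Turn off the XML-RPC methods that require authentication (the usual
// credential-stuffing surface). pingback.ping is not covered by this filter...
add_filter( 'xmlrpc_enabled', '__return_false' );

// ...so empty the method table as well. The endpoint then answers every call
// with "method not found". Blocking xmlrpc.php at the web server is cleaner
// still; this is the application-level equivalent.
add_filter( 'xmlrpc_methods', '__return_empty_array' );

// Stop advertising the endpoint in response headers.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

Check that nothing you rely on (Jetpack, the mobile app, a remote publishing tool) uses XML-RPC before shipping the last three filters; if something does, leave the endpoint on and rate-limit it instead.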
Users and authentication
A correct login with valid credentials looks exactly like you. No firewall can tell the difference, so this layer is entirely down to how you manage accounts.
- Delete or rename the default "admin" user account
- Use a strong, unique password for every user account
- Enable two-factor authentication for all admin users
- Limit login attempts to block brute-force attacks
- Block user enumeration via author archives and the REST API
- Review user roles and remove accounts that no longer need access
Two-factor authentication is the single highest-value item on this whole list. A breached or reused password becomes almost harmless once a second factor stands behind it.
Files and database
The layer beneath the dashboard. Locked down properly, it limits how far an attacker can get even after a foothold.
- Set correct file permissions (755 for directories, 644 for files, 440 for wp-config.php)
- Change the default database table prefix from wp_
- Restrict the database user to only the privileges WordPress actually needs
- Restrict access to wp-config.php
That last file holds your database credentials and security keys. It deserves the tightest permissions on the whole site.
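An audit for the permission and prefix items above, as an added example (not from the page or from WordPress): a command-line PHP script that walks an install, reports every file or directory whose mode differs from the 755/644/440 targets, and flags a wp-config.php that still uses the `wp_` prefix. The script name and the install path in the usage line are assumptions.

```php
<?php
/**
 * Audit a WordPress tree against the checklist targets:
 * 755 for directories, 644 for files, 440 for wp-config.php,
 * and a $table_prefix that is not the default "wp_".
 *
 * Usage (assumed path): php audit-wp.php /var/www/example.com
 * Exits 0 when clean, 1 when anything deviates.
 */

/** The mode the checklist expects for one path inside the install. */
function expected_mode( string $path, string $root ): int {
    if ( $path === $root . '/wp-config.php' ) {
        return 0440;
    }
    return is_dir( $path ) ? 0755 : 0644;
}

/** Return one "path: actual -> expected" line per mismatch, empty when clean. */
function audit_permissions( string $root ): array {
    $real = realpath( $root );
    if ( $real === false ) {
        throw new RuntimeException( "No such directory: $root" );
    }
    $root     = rtrim( $real, '/' );
    $problems = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iterator as $path => $info ) {
        if ( $info->isLink() ) {
            continue; // a symlink's mode is meaningless; its target is audited where it lives
        }
        $actual   = fileperms( $path ) & 0777;
        $expected = expected_mode( $path, $root );
        if ( $actual !== $expected ) {
            $problems[] = sprintf( '%s: %o -> %o', $path, $actual, $expected );
        }
    }
    return $problems;
}

/** True when wp-config.php still declares the default "wp_" table prefix. */
function uses_default_table_prefix( string $config_path ): bool {
    $source = @file_get_contents( $config_path );
    if ( $source === false ) {
        return false; // nothing to judge without the file
    }
    return (bool) preg_match( '/^\s*\$table_prefix\s*=\s*[\'"]wp_[\'"]\s*;/m', $source );
}

if ( PHP_SAPI === 'cli' && realpath( $argv[0] ?? '' ) === __FILE__ ) {
    $root     = $argv[1] ?? getcwd();
    $problems = audit_permissions( $root );
    if ( uses_default_table_prefix( rtrim( $root, '/' ) . '/wp-config.php' ) ) {
        $problems[] = 'wp-config.php: $table_prefix is still the default "wp_"';
    }
    foreach ( $problems as $problem ) {
        fwrite( STDERR, $problem . PHP_EOL );
    }
    exit( $problems ? 1 : 0 );
}
```

Two caveats when reading its output. First, 440 on wp-config.php assumes PHP runs as the file's owner or a member of its group; on hosts where the web server is a different user, a 440 file is unreadable and the site stops, so match the target to the ownership model (640 with the web server in the owning group is the usual compromise) rather than forcing the number. Second, the database-user item is not something a file audit can see: check the grants directly in MySQL. During normal operation WordPress needs only SELECT, INSERT, UPDATE and DELETE on its own database; core updates and many plugin installs additionally need ALTER, CREATE, DROP and INDEX, which is a reason to grant them on that one database only and never to hand the site a user with ALL PRIVILEGES on *.*.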
SSL and HTTPS
Non-negotiable now, and quick to get right.
- Install a valid SSL certificate
- Force all traffic over HTTPS, including redirects from HTTP
- Set the HSTS header to prevent protocol downgrade attacks
A certificate alone isn't enough if HTTP still answers. The redirect and the HSTS header are what actually close the gap.
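The redirect and the header, as an added example (not from the page or from WordPress): a wp-config.php setting plus a must-use plugin that bounces any plain-HTTP request to HTTPS and sends HSTS on secure responses. The web server is the better place for both; this is the application-level form for sites where that configuration is out of reach, and a safety net where it is not. The mu-plugin filename and the starting max-age are assumptions.

```php
<?php
// --- wp-config.php ---

// Make /wp-admin and the login page refuse plain HTTP outright.
define( 'FORCE_SSL_ADMIN', true );

// Only when a proxy such as Cloudflare terminates TLS in front of the server:
// WordPress then sees plain HTTP from the proxy, is_ssl() returns false, and
// the redirect below loops forever. Trust this header only if the proxy
// overwrites it on every request instead of passing through a client's value.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

// --- wp-content/mu-plugins/force-https.php (assumed filename) ---

add_action( 'init', function () {
    if ( PHP_SAPI === 'cli' ) {
        return; // WP-CLI runs have no request to redirect
    }

    if ( ! is_ssl() ) {
        // Rebuild the URL from the configured home host rather than the Host
        // header, so a forged Host value cannot turn this into an open redirect.
        $host = parse_url( home_url(), PHP_URL_HOST );
        $uri  = $_SERVER['REQUEST_URI'] ?? '/';
        wp_safe_redirect( 'https://' . $host . $uri, 301 );
        exit;
    }

    // HSTS belongs on HTTPS responses only; browsers ignore it over HTTP.
    // Start with a short max-age and raise it (31536000 is a year) once every
    // page and asset is served over HTTPS. includeSubDomains commits every
    // subdomain as well, so add it only when that is true; preload comes last.
    if ( ! headers_sent() ) {
        header( 'Strict-Transport-Security: max-age=300' );
    }
}, 1 );
```

Because the redirect returns 301, browsers cache it; confirm that every page, the login form and mixed-content assets all load over HTTPS before enabling it on a live site, and grow the HSTS max-age only after that check passes.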
Firewall and plugins
Plugins are the single most common entry point for WordPress compromises. This is where most of the ongoing work lives.
- Install and configure a WordPress firewall plugin
- Set up a cloud-based WAF such as Cloudflare in front of your site
- Run regular malware scans on the site
- Keep all plugins and themes updated at all times
The update line looks obvious and gets ignored constantly. An outdated plugin with a known, published vulnerability is the most common way sites get hit. Updates are the cheapest security work you'll ever do.
Backups and monitoring
The layer that decides how bad a bad day gets. Everything above reduces the chance of a compromise. This is what you're glad of when one happens anyway.
- Set up automated daily backups
- Store backups off-site, not just on your server
- Test your backup restore process at least once
- Set up uptime monitoring so you know immediately if the site goes down
- Verify Google Search Console is set up with notifications enabled
- Enable activity logging to track changes and login attempts
A backup you have never restored is a guess, not a safety net. Test it once, now, while nothing is on fire.
Working through it
None of these items is hard on its own. The difficulty is knowing which matter most, what each one actually protects against, and how to configure it properly rather than just installing a plugin and hoping.
That's what the Protect My WP handbook is for. It walks through every item on this list in detail, layer by layer, with the exact settings and the reasoning behind each one. The checklist tells you what to do. The book tells you how, and why.
If this list left you unsure about even one section, that uncertainty is worth resolving before something forces the issue.
Want to go deeper?
The first chapter of Protect My WP is free. Start with the foreword, then read Chapter 1 on hosting and server security.