
WordPress Security Checklist 2026: 23 Steps to Harden Your Site
WordPress Powers 43% of the Web. Hackers Know It.
WordPress is a target. Not because it’s poorly made. Because it’s everywhere. A vulnerability in one plugin affects millions. Hackers scan for outdated plugins and weak admin passwords at scale.
This checklist hardens your site against 99% of common attacks. It takes 2-3 hours the first time. After that, it’s maintenance.
Access and Authentication
1. Use Strong Admin Passwords
Not “password123” or “WordPress2024.” Use a password manager (1Password, Bitwarden, LastPass) to generate 20+ character passwords with mixed case, numbers, and symbols.
2. Enable Two-Factor Authentication (2FA)
Install Wordfence or Two Factor Authentication plugin. Require 2FA for all admin accounts. When you log in, you enter your password plus a code from your phone. This stops 99% of brute force attacks.
3. Limit Login Attempts
Hackers use bots to guess passwords. Limit failed login attempts to 5 per 15 minutes. After that, lock the account for 30 minutes. Use Wordfence or Sucuri for this.
4. Remove the Default Admin User
WordPress creates a user “admin” by default. Hackers know this. Delete it and create a new admin user with a different username. Give it a strong password and 2FA.
5. Hide Your WordPress Version
Hackers check your WordPress version to find known vulnerabilities. Remove the generator meta tag from your header and add version-hiding code to your functions.php.
Database and Code
6. Change Your Database Prefix
WordPress uses “wp_” as the default database table prefix. Change it to something random like “app8x9_”. This makes SQL injection attacks harder. Do this during initial setup—changing it later requires a database migration.
7. Keep WordPress Updated
Update WordPress core, plugins, and themes immediately when updates are available. Most security vulnerabilities are patched within hours of discovery. Enable automatic background updates for minor security releases.
8. Audit and Delete Unused Plugins
Every plugin is a potential vulnerability. Delete anything you’re not actively using. Outdated plugins with unpatched vulnerabilities are how most WordPress sites get hacked. Go to Plugins > Installed Plugins right now and delete anything unused in 6 months.
9. Audit and Delete Unused Themes
You only need one active theme. Delete all others. Outdated themes are attack vectors even when inactive.
10. Restrict File Permissions
WordPress files should have specific permissions. Directories: 755. Files: 644. This prevents unauthorized users from modifying your site code. Check via SFTP client or ask your host.
11. Disable File Editing
Disable the Plugin and Theme Editor in WordPress admin by adding this line to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
12. Disable XML-RPC
XML-RPC is an older WordPress feature that hackers exploit for brute force attacks. Most sites don’t use it. Disable it by adding this to .htaccess:
<Files xmlrpc.php>
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
    Deny from all
</Files>
Or use the “Disable XML-RPC” plugin.
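As an added example (my own code, not the article’s), here is a small must-use plugin that covers step 5 and step 12 together. Put it in wp-content/mu-plugins/ (the file name and function name are arbitrary) and it loads on every request, unlike edits to a theme’s functions.php, which are lost when the theme is updated; it also works on nginx, where .htaccess rules are ignored.

```php
<?php
/**
 * Plugin Name: Hide version and disable XML-RPC (added example, checklist steps 5 and 12)
 * Place in wp-content/mu-plugins/harden.php; file and function names are arbitrary.
 */

// Step 5: remove <meta name="generator" content="WordPress x.y"> from <head>.
remove_action( 'wp_head', 'wp_generator' );
// The same version string is emitted in RSS/Atom feeds; blank it there too.
add_filter( 'the_generator', '__return_empty_string' );

// Core also appends ?ver=<WordPress version> to its own scripts and styles.
// Strip only that value so plugin/theme asset versions keep cache-busting.
function harden_strip_core_ver( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'harden_strip_core_ver' );
add_filter( 'script_loader_src', 'harden_strip_core_ver' );

// Step 12: refuse XML-RPC logins, so password guessing through xmlrpc.php fails.
add_filter( 'xmlrpc_enabled', '__return_false' );

// xmlrpc_enabled only gates authenticated methods; pingback.ping needs no login
// and is commonly abused, so remove the pingback methods explicitly as well.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Stop advertising the endpoint: the X-Pingback response header and the RSD link tag.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

xmlrpc.php itself still answers with an error after this, so keep the .htaccess rule on Apache if you want the file to return 403 outright.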
13. Set Correct File Ownership
WordPress files should be owned by your website user (usually “www-data” or “apache”), not root. If ownership is wrong, file permissions don’t matter. Ask your host to verify.
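An added read-only audit for steps 10 and 13 (my own script, not from the article): it walks a WordPress install and lists every entry whose mode is looser than 644/755 or whose owner is not the web server user. The install path and user name are assumptions passed on the command line; the script changes nothing.

```php
<?php
// Added example for checklist steps 10 and 13: report files and directories whose
// mode has bits beyond 644/755 (e.g. 666, 777, setuid) or whose owner is not the
// web server user. Usage (path and user are assumptions):
//   php wp-perm-audit.php /var/www/html www-data

function wp_perm_audit( string $root, string $want_owner ): array {
    $findings = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iter as $path => $info ) {
        // Keep setuid/setgid/sticky bits (07777) so they are flagged too.
        $mode = $info->getPerms() & 07777;
        $want = $info->isDir() ? 0755 : 0644;
        // Any bit not in the target is too loose; stricter modes (e.g. 600) pass.
        if ( ( $mode & ~$want ) !== 0 ) {
            $findings[] = sprintf( 'mode %04o (want %04o): %s', $mode, $want, $path );
        }
        $uid   = $info->getOwner();
        $owner = function_exists( 'posix_getpwuid' )
            ? ( posix_getpwuid( $uid )['name'] ?? (string) $uid )
            : (string) $uid; // no posix extension: fall back to the numeric uid
        if ( $owner !== $want_owner ) {
            $findings[] = sprintf( 'owner %s (want %s): %s', $owner, $want_owner, $path );
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[2] ) ) {
    $findings = wp_perm_audit( $argv[1], $argv[2] );
    foreach ( $findings as $line ) {
        echo $line, PHP_EOL;
    }
    // Non-zero exit lets a cron job or deploy step alert on permission drift.
    exit( $findings ? 1 : 0 );
}
```

Run it from cron after every deploy or plugin update; an empty result with exit code 0 means the tree still matches the checklist.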
Server and Network
14. Use HTTPS / SSL Certificate
HTTPS encrypts data in transit. All modern hosts offer free SSL via Let’s Encrypt. Install it and force all traffic to HTTPS. In WordPress admin, go to Settings > General and make sure both URLs use https://
15. Use a Security Plugin
Wordfence or Sucuri scans for malware, blocks bad IP addresses, sets up a firewall, and alerts you to suspicious activity. Cost: free basic tier, $99-299/year for premium.
16. Set Up a Web Application Firewall (WAF)
A WAF blocks malicious traffic before it reaches your server. Cloudflare offers a free WAF. Wordfence and Sucuri include WAF in their premium tiers. This stops SQL injection, XSS, and brute force attacks at the edge.
17. Hide Your Server Information
Hackers can see your server type, version, and PHP version in HTTP headers. Ask your host to disable these header signatures. This stops attackers from targeting known exploits for your specific server version.
18. Disable Directory Listing
If someone visits yoursite.com/wp-content/, they shouldn’t see a folder listing. Add this line to .htaccess (or, in the server configuration, inside the site’s Directory directive):
Options -Indexes
Backups and Recovery
19. Automated Daily Backups
Use UpdraftPlus or BackWPup to back up your database and files daily. Store backups offsite (Google Drive, Dropbox, AWS S3). Test restoring from backup monthly—a backup you can’t restore is useless.
20. Store Backups Offsite
Don’t store backups on your web server. If the server is compromised, so are the backups. Use cloud storage: Google Drive, Dropbox, AWS S3, or Azure.
21. Keep a Clean Database Backup
Before you update plugins, themes, or WordPress core, back up your database. If something breaks, you can restore it within minutes.
Monitoring and Maintenance
22. Monitor for File Changes
Use Wordfence or a file integrity monitoring tool to watch your files. If a hacker modifies a file, you’re notified immediately. This catches attacks in the first minutes, not days later.
23. Review Admin Activity Logs
Keep a log of who logged in, when, and what they changed. Wordfence and Sucuri provide activity logs. Review them monthly. If you see logins from strange IP addresses, change your password immediately and scan for malware.
What to Do If You Get Hacked
- Change all passwords immediately (admin, FTP, database, hosting account)
- Scan with Wordfence or Sucuri to identify the malware
- Delete malicious files (or ask your host to help)
- Update all plugins, themes, and WordPress core
- If you can’t clean it yourself, restore from a clean backup
- Notify your host and ask them to check server-level for malware
The Security Mindset
Security isn’t a one-time project. It’s ongoing. Update every week. Review activity logs monthly. Back up daily. Most hacks are preventable—they happen because sites are out of date, passwords are weak, or backups don’t exist. Do these 23 steps and you’ll be in the top 5% of secure WordPress sites.
Worried your WordPress site might already be compromised? Book a free strategy call with our team. We’ll perform a security audit, identify vulnerabilities, clean any existing malware, and set you up with ongoing monitoring so this doesn’t happen again.