WordPress Security Hardening Checklist for Site Owners
WordPress Security Hardening Checklist for Site Owners
Running a WordPress site is rewarding, but every additional feature opens a new attack surface. Rather than a step‑by‑step tutorial, this article gives you a concise audit checklist you can run against any WordPress installation. Use it during a routine review or before launching a new project to ensure you’ve covered the most common security gaps.
Core Hardening Essentials
Keep WordPress Core Updated
The core team releases patches for vulnerabilities almost every month. Enable automatic background updates for minor releases, and schedule weekly checks for major updates. If you defer a major version, test it on a staging clone first.
Enforce Strong Authentication
Replace default usernames like “admin” and require passwords with at least 12 characters, mixed case, numbers, and symbols. Enable two‑factor authentication (2FA) for all privileged accounts—Google Authenticator, Authy, or hardware tokens work well.
Limit Login Attempts
Brute‑force bots thrive on unlimited login tries. Use a plugin that caps failed attempts (e.g., 5 per 10 minutes) and blocks the offending IP. Combine this with a “login‑only” URL change to obscure the wp‑login.php endpoint.
Quick Tip: When setting 2FA, enforce it at the network level (e.g., via your hosting control panel) to protect against compromised admin passwords.
Server & Hosting Considerations
Choose a Managed WordPress Host
A solid host handles many low‑level security tasks for you—firewall rules, OS patches, and isolated containers. If you need a flexible environment, you can rely on WordPress Hosting to streamline your deployment while still giving you root‑level control when required.
Enable HTTPS Everywhere
Install a free Let’s Encrypt certificate and force HTTPS via .htaccess or the server configuration. HTTPS protects login credentials, cookies, and any data exchanged between visitors and your site.
Restrict Server Access
Allow SSH access only from known IPs and disable password authentication in favor of SSH keys. Turn off unused services (FTP, Telnet) and keep the underlying OS up to date.
Plugin & Theme Management
Remove Unused Plugins and Themes
Each inactive plugin or theme is a dormant code base that could be exploited. Delete them from the filesystem—not just deactivate.
Install Only Trusted Sources
Prefer plugins and themes from the official WordPress repository or reputable premium marketplaces. Verify the developer’s reputation, recent update frequency, and active install count before installing.
Audit Plugin Permissions
Some plugins request elevated capabilities (e.g., “manage_options”). Review each plugin’s role requirements and remove any that exceed what you actually need.
Database & File Permissions
Secure wp-config.php
Move wp-config.php one level above the web root if your host permits. Define unique authentication keys and salts, and disable file editing via the dashboard by adding define('DISALLOW_FILE_EDIT', true); to the config.
Set Correct File Permissions
Apply the least‑privilege model:
- Directories:
755 - Files:
644 wp-config.php:600
These settings prevent the web server from writing to files that don’t need to be modified.
Monitoring & Incident Response
Install a Security Plugin
Tools like Wordfence, Sucuri, or iThemes Security provide firewall rules, malware scanning, and real‑time alerts. Configure email notifications for critical events (failed logins, file changes).
Set Up Regular Backups
Maintain off‑site backups of both the database and the file system. Automate daily incremental backups and retain at least three weeks of history. Test restoration procedures quarterly.
Enable Activity Logging
Log admin actions, plugin installations, and theme changes. Store logs outside the web root and rotate them weekly to avoid disk bloat.
Warning: Never store backup files in the same directory as your WordPress installation. A compromised site could delete both the site and its backups in one attack.
Quick Audit Checklist
- Core is up to date; automatic minor updates enabled.
- All admin accounts use strong passwords + 2FA.
- Login attempts limited; custom login URL in use.
- Hosting provider offers managed WordPress security features.
- HTTPS enforced with a valid certificate.
- SSH key authentication only; unused services disabled.
- No inactive plugins or themes left on the server.
- All plugins sourced from trusted repositories.
wp-config.phpmoved or protected; file editing disabled.- Directory permissions set to 755, files to 644, config to 600.
- Security plugin installed and configured with alerts.
- Automated off‑site backups scheduled and tested.
- Activity logs stored securely and rotated regularly.
Run this checklist quarterly, or after any major change (new plugin, theme switch, or hosting migration). A disciplined audit routine dramatically reduces the risk of a breach and keeps your WordPress site running smoothly.