WordPress Security Checklist, how to secure wordpress site

A Comprehensive WordPress Security Checklist for Secure Websites

WordPress powers more than one-third of the whole internet(43%). With such a great user base comes even greater security threats! 

No, we’re not just guessing; statistics show that approximately 70,000 attacks on WordPress websites occur every minute. This is why one of your first and foremost important responsibilities is to ensure your WordPress site’s security.

If you don’t know how to approach it, this piece will provide a complete and comprehensive checklist you can follow to secure your WordPress website.

Why should a WordPress site prioritize security?

Running a WordPress website without proper security is akin to going to bed without closing the door. An insecure website jeopardizes much more than just your website’s data or content.

If your WordPress site gets hacked, you might find yourself in a situation where the following scenarios can happen:

  • Serious damage to your business reputation 
  • A huge loss in revenue
  • Stolen user information like passwords, credit card info, etc.
  • Integration of malicious software and malware on your website
  • Having to pay for ransomware 

If you’re not prioritizing your website’s security, you’ll expose yourself to the aforementioned possibilities.

Besides, Google straight-up hates unsecured websites so much that it blacklists around 20,000 websites for malware and around 50,000 for phishing every week. So if you want to reach your audience, ensuring your website’s security is a must! 

Let’s look at the scene from a different angle now. Would you share your information on an unsecured website as a user? 

—No, right? 

So, even if you ignore Google’s concerns, you should ensure the security of your website for the sake of your visitors’ security and comfort. 

Check out this article to learn how website security affects SEO.

Types of security breaches in wordpress sites

While building a WordPress website is becoming super easy by the day, hackers are coming up with new types of security threats like viruses, malware, and trojan horses. And before we dig deep into the ways of securing a website, we must know the types of security breaches.

Here are some of the most common types of security breaches that you should be aware of:


Malware is a broad term given to malicious softwares that takes advantage of the loopholes of vulnerable sites to fulfill many malicious intents.

There could be various vulnerabilities inside the themes and plugins many websites use. Hackers take advantage of these loopholes to install malware, insert malicious codes and take control of your site.


WordPress phishing is basically creating a counterfeit website and tricking unsuspecting users into thinking this is the website it is impersonating. 

Users could share their private info like usernames and passwords on those counterfeit phishing sites thinking they’re browsing the right website. This enables the impersonators to collect private information from the users.

The hackers will use this information to demand ransom or use them for their personal. And guess what? Every year, phishing costs both users and website owners billions of dollars!

Credit card skimming

You probably heard about credit card skimmers installing microchips in ATM machines to steal credit card information! Well, here is some bad news for you, this has long shifted into WordPress. 

WordPress credit card skimmers insert malicious code into PHP files in WordPress plugins to steal credit card info. These skimmers primarily target popular plugins like WooCommerce, as free plugins like this have a massive user base.

Brute force attack

Brute force attackers attempt to figure out your login credentials. They repetitively try out combinations of probable passwords until they retrieve the correct login details. Brute force attacks target not only logins but also every kind of password-protected information.  

Structured Query Language or SQL Injections

SQL Injection or database injection is yet another kind of WordPress security breach where hackers try to insert malicious SQL scripts through input fields in the website. This usually happens through forms. SQL scripts can cause a complete loss of data if injected successfully.

Cross-site Scripting (XSS)

In these attacks, the hacker prompts the site owner to upload an XSS file or simply submit a user form containing malicious codes. With those files uploaded, the attacker can steal data or demand ransomware to give you back your information.

WordPress security checklist: 15 tips to follow

Security breaches can cause many unwanted issues for a website, including destroying your brand reputation. So you need to avoid security breaches at any cost.

That’s exactly why we made this checklist. Follow the below WordPress security checklist to keep security threats at bay. Needless to say, you don’t need to be an IT expert to perform these!

Choose a secure web hosting

The first step you should take toward securing your website is to choose a secure web hosting provider. Without a quality host backing your site, the site will load slowly, having high downtime. It’ll be alarmingly less secure and prone to hacking. 

You could use regular web hosting to host your WordPress site, or you could use a WordPress-specific web hosting plan which gives you an edge by being specially optimized for WordPress and many other benefits.

Look for a web hosting that provides the following:

  • The hosting should be able to monitor their network to avoid suspicious activity.
  • It should be able to defend against large-scale DDOS attacks
  • The hosting must keep their server software, PHP versions, and hardware updated, so hackers can not exploit a known security vulnerability of the old version.

Edit default login URL

WordPress will assign you a login URL upon creating a website by default. Your default login URL can be one of these:




Using default WordPress login URLs makes gaining access to your site easier for spam bots and hackers, as they always target the default WP admin login. So, consider changing your default login URL to add another layer to your security.

You should edit your WordPress login from the default to something like this:


Use strong passwords

Hacking efforts like brute-force attacks mainly succeed because of the usage of weak passwords. To secure your WordPress site, encourage your users to use strong passwords. 

Generating a strong and complex password and remembering that would be close to impossible for most of your users. Provide these tools for your users so the process becomes easier for them:

  • A strong password generator
  • A Password management system to store the passwords

Use two-factor authentication

Even the strongest long-string password isn’t enough against an ever-consistent brute-force attack. The attackers will keep trying until they get your credentials right. 

To fight that, enable two-factor authentication in your site’s login. When you enable two-factor authentication by installing a plugin, along with a username and password, a user must authenticate his login using another device or app.

This significantly reduces the risk of brute-force attacks and other security risks that come with them.                                                                                                                                                 

You can employ the newly released authorization & security plugin FluentAuth to secure your website with Login Security, two-factor email authentication, login/logout redirects, social logins, detailed audit logs, and more.

FluentAuth ensures that only an appropriate person has entry to your admin panel. Furthermore, it’ll prevent excessive login attempts and protect your site from brute-force attacks.

And the best part? —it’s free!

Backup up your website

With such a huge user base in WordPress, the possibility of getting hacked is immense. It might seem like nothing’s going to go wrong until it does. You might wake up one day to find your website hacked. 

There’s a simple way of protecting your data from being lost by creating backups of your website. There are different ways a backup could be conducted, which are:

  • Through your web hosting provider
  • With a WordPress backup plugin
  • Creating a copy of your website data manually

We suggest a complete backup of your site’s files and database, even things that might not seem important, so you can retrieve any minute things if you need them.

Install an SSL certificate for your WordPress site

This used to be a fearsome process, but it has become easier these days. Secure Sockets Layer, or SSL, is a security protocol that encrypts all communications on your website. 

Websites with installed SSL show a lock (🔒) icon next to their URL. It also changes your site’s protocol from HTTP to HTTPS.

WordPress security checklist, Websites with installed SSL show a lock icon next to their URL

Create a backup of your website before installing an SSL certificate in your website, lest something goes wrong and you end up with an inaccessible site.

Disabling XML-RPC

XML-RPC or xmlrpc.php is a feature that dates back to the early days of WordPress. It remotely connects your site with external applications so you can interact with your WordPress site through different operating systems and devices. 

This used to be a useful feature in the early days of the internet because it lets a site’s owner edit content offline and publish it later when reconnected to the internet.

These days, however, this feature turned into a vulnerability because sites with XML-RPC enabled are often targets of brute force and DDOS attacks. XML-RPC is enabled by default from WordPress version 3.4, but it can be disabled easily by some simple coding. 

We can safely assume most people these days don’t need it; hence,  it’s not a much-needed feature anymore. Disable XML-RPC to secure your site from frequent attacks.

Use a wordpress security plugin

If you’re a basic user or don’t want to get into the complex WordPress security rabbit hole, installing a security plugin is the right way to go for you. A good security plugin would check all the security boxes for you, so you don’t need to do all this work manually.

Look for these while choosing your security plugin:

  • Private security plugin
  • Not open source, as these can be modified
  • Brute force attack protection
  • File scanning
  • Malware scanning
  • Blocklist monitoring
  • Security hardening
  • Post-hack actions
  • Firewalls

Keep the WordPress core version updated

WordPress is constantly working to patch up its vulnerabilities and to make itself as secure as possible. Whenever a security issue is detected, WordPress tries to resolve it in the next update. 

If you don’t keep your WordPress core version updated, you expose your site to the security threats the hackers might’ve already known of. Besides updating the core version, hide the WordPress version so no one can take advantage if you don’t update it on time.

Conduct regular security scan

With the frequency of a site getting hacked on the rise, regular site scanning has become a necessity these days. Scanning your WordPress site regularly for malware and viruses should be a priority for you. 

Implement auto-scan for your site so no security threat goes unnoticed. Keep in mind that security scannings only inform you about security issues; you still need to take measures to tackle them.

Delete abandoned accounts

Users who logged in but then abandoned their accounts put a security risk by exposing their accounts to hackers who could log into their session, change passwords, or make changes to their accounts. To prevent such issues from happening, implement this much-needed functionality on your website. 

Prevent hotlinking

Hotlinking is an illegal practice where someone shows the contents hosted by you on their website as their own without your permission. Hotlinking takes up your server resources and slows your website down.

To prevent hotlinking, you can add the below code snippet to your .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)example.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ – [F]

Remove inactive themes and plugins

Removing inactive themes and plugins is crucial to preventing backdoor attacks. In such attacks, hackers target your website through vulnerabilities in outdated and unused themes and plugins. 

These create gateways for hackers to introduce errors, plugin conflicts, and other maliciousness in your website. Obsolete themes and plugins can also cause your website to slow down.

That’s why you should remove the plugins and themes you’re not using. It will not only keep your website secured but also increase the overall performance. 

Follow this comprehensive WordPress maintenance checklist to keep your website in good health.

Wrapping up

Securing your website should be a top priority after creating it. Implementing security measures can take a significant amount of effort and can sometimes be tiring. But these will protect your site from ever being damaged and protect your identity and reputation.

We hope the checklist we provided was helpful in educating you about the necessary steps you should take to secure your website. If you take any other security measures, don’t forget to let us know through comments. 

Similar Posts

Add your first comment to this post