WordPress Security Checklist: Step-by-Step Guide to Protect Your Site
John Turner
The median time from a WordPress vulnerability going public to automated attacks hitting sites across the web is now 5 hours. Not days. Five hours.
That’s not a theoretical risk. In 2025 alone, researchers discovered 11,334 new vulnerabilities in the WordPress ecosystem — a 42% jump from the year before.
About 13,000 WordPress sites are compromised every single day. When a small business gets hit, the average recovery cost is $14,500. That includes malware removal, emergency developer time, and the months of work it takes to undo injected spam links and Google penalties.
I’ve been managing WordPress sites for years, and I’ve worked through every step in this guide on my own installations. Some take five minutes. A few are more involved. All of them are worth doing before something goes wrong.
Here’s what you’ll take away from this guide:
- Plugins are the real threat. 91% of WordPress vulnerabilities are in plugins and themes, not core. Keeping them updated and removing the ones you don’t use is your most important habit.
- A WAF alone won’t save you. Standard web application firewalls blocked only 12% of WordPress-specific attacks in 2025. You need layers, not one tool.
- Backups are your fallback when everything else fails. A backup you can restore in minutes changes what a hack actually costs you.
- The 5-hour exploitation window is real. Once a vulnerability is public, automated attacks start fast. Patching can’t wait.
- 46% of vulnerabilities have no developer patch when disclosed. Updates matter, but monitoring matters just as much.
- Post-hack recovery has a specific order. Most checklists skip this. We cover it step by step, including how to get back in when you’re locked out of wp-admin.
Table of Contents
- Is WordPress Secure?
- Why Is WordPress Security Important?
- Your WordPress Security Checklist
- 1. Find a Secure Web Host
- 2. Back Up Your Website
- 3. Update Software
- 4. Remove Unused Plugins and Themes
- 5. Use Strong Passwords
- 6. Limit Admin Access
- 7. Hide the WordPress Login Page
- 8. Monitor User Activity
- 9. Install a WordPress Security Plugin
- 10. Use a Web Application Firewall (WAF)
- 11. Scan For Malware
- 12. Move to SSL/HTTPS
- 13. Change Your Username
- 14. Update File Permissions
- 15. Disable File Editing
- 16. Disable PHP File Execution
- 17. Limit Login Attempts
- 18. Use Two-Factor Authentication
- 19. Change the WordPress Database Prefix
- 20. Password Protect Admin and Login Pages
- 21. Disable Directory Indexing and Browsing
- 22. Disable XML-RPC
- 23. Log Out Idle Users
- 24. Hide Your WordPress Version
- 25. Restore Your Site After Hacks
- FAQs About WordPress Security
- Your Last Line of Defense: A Backup You Can Restore
Is WordPress Secure?
Yes, WordPress is fundamentally secure. The core platform is maintained by a dedicated security team, and in all of 2025, only 6 vulnerabilities were found in WordPress core — all of them low priority.
The risk isn’t WordPress itself. It’s the ecosystem around it.
Plugins and themes account for most WordPress vulnerabilities. 46% of those vulnerabilities had no developer patch at the time they were first disclosed. That means even updating the moment a patch drops doesn’t protect you against nearly half of what’s actively being exploited.
Abandoned plugins are especially risky. If a plugin hasn’t been updated in 6 months or more, it’s a known attack surface with no one maintaining it.
WordPress core isn’t the weak point. Your plugins are.
Why Is WordPress Security Important?
A hacked site isn’t just a technical problem. It’s a business problem.
When attackers compromise a WordPress site, they typically inject spam links, redirect visitors, steal user data, or install backdoors for future access.
Google may flag the site as dangerous. Your hosting provider may take it offline. If you’re running an ecommerce store, customer data could be at risk.
In 2025, over 11,000 new WordPress vulnerabilities were recorded. That’s more than 30 per day.
The average small business recovery cost is $14,500, and that figure doesn’t include the months of work required to recover search rankings after injected spam links trigger a Google manual penalty.
Your site’s reputation, your visitors’ trust, and your organic traffic are all on the line.
Your WordPress Security Checklist
As a beginner, you may be thinking, where do I get started?
I’ve created a full WordPress security checklist for you! Simply go through each step and by the end you’ll have a fully secure site.
Quick WordPress Security Checklist:
- Find a Secure Web Host: Choose hosting with strong security protocols, SSL certificates, firewalls, and regular backups
- Back Up Your Website: Use plugins like Duplicator to automate cloud backups and protect your data
- Update Software: Keep WordPress core, plugins, and themes updated to patch vulnerabilities
- Remove Unused Plugins and Themes: Delete inactive software to eliminate potential security holes
- Use Strong Passwords: Create unique, complex passwords with mixed characters and avoid common phrases
- Limit Admin Access: Limit admin users, remove inactive accounts, and assign minimal privileges
- Hide the WordPress Login Page: Customize your login URL to prevent brute force attacks
- Monitor User Activity: Track user actions to identify security breaches and unwanted changes
- Install a WordPress Security Plugin: Use tools like Sucuri for malware scanning and security notifications
- Use a Web Application Firewall (WAF): Block malicious traffic with DNS or application-level firewalls
- Scan For Malware: Regularly check your site for viruses and threats with security plugins
- Move to SSL/HTTPS: Enable SSL certificates to encrypt data between users and your server
- Change Your Username: Avoid predictable usernames like “admin” to reduce login vulnerabilities
- Update File Permissions: Set proper permissions (755 for folders, 644 for files) to control access
- Disable File Editing: Turn off the WordPress file editor to prevent hackers from injecting malicious code
- Disable PHP File Execution: Block PHP files from running in upload directories to stop attacks
- Limit Login Attempts: Restrict the number of login tries from a single IP address
- Use Two-Factor Authentication: Add an extra verification step with mobile codes for login security
- Change the WordPress Database Prefix: Replace the default “wp_” prefix to make table names harder to guess
- Password Protect Admin and Login Pages: Add an extra password layer before users reach the login screen
- Disable Directory Indexing and Browsing: Hide directory contents to protect files from being viewed
- Disable XML-RPC: Turn off this API to prevent hackers from exploiting password-guessing vulnerabilities
- Log Out Idle Users: Automatically log out inactive users to prevent session hijacking
- Hide Your WordPress Version: Remove version numbers from source code to avoid targeted attacks
- Restore Your Site After Hacks: Use backup tools with disaster recovery (Duplicator Pro) to quickly restore compromised sites
1. Find a Secure Web Host
Choosing a web host is more than just checking the price tag. What you need is a host that’s passionate about security.
Look for a web host that offers the latest in security protocols. Their servers should be maintained and up-to-date. It’s also great if it has a strong firewall and offers SSL certificates.
And finally, find out if the web host offers regular backups and site restorations. You’d hope you never need this safety net, but it’s good to have one, just in case.
If you currently have a shared hosting plan, you might want to upgrade to managed WordPress hosting. With a shared host, you’ll share resources with other sites. If someone on your server has a security breach, it could affect your website as well.
But, reputable shared hosts like Bluehost, Hostinger, and SiteGround will protect you from many basic security issues.
2. Back Up Your Website
When you first start your website, you’ll probably be excited to write new blog posts or sell products. However, you’ll also need to regularly back up your site.
Backups are an insurance policy for your digital content. They allow you to restore your site to its original state if something goes wrong.
Duplicator is a backup plugin that makes it easy to create copies of your site. It supports automatic backups and cloud storage, so you’ll never lose data.

It’s often best to store backups on a separate cloud server for an added layer of security. This way, your backups won’t be lost if a server issue happens.
With Duplicator, you can back up your site to the cloud. Simply connect your preferred cloud storage service and select it when you create a backup. It even has its own custom cloud storage built for WordPress backups: Duplicator Cloud.

You’ll be able to customize what data is saved in the backup. So, you can effortlessly back up just your database, media library, or other data if you need to.

Your website is constantly being updated with new content, so you’ll need to back it up regularly. Fortunately, Duplicator allows you to automate backups.

By setting up schedules, you’ll never have to worry about manual backups! Your site will constantly be secure from any problems because you can just roll back your site when they happen.
3. Update Software
Software updates play a crucial role in WordPress security. They don’t just add extra functionality but also patch any potential vulnerabilities.
WordPress will automatically install minor updates. But, you’ll have to manually install any major versions.
Find the Updates page and perform any updates for your core software, plugins, and themes.

Security updates happen all the time, so you’ll have to keep an eye on them. For your convenience, you can also automate them.
However, I’d recommend testing new versions of WordPress, plugins, and themes on a staging site first. This helps you avoid any software conflicts that sometimes happen after bad updates.
4. Remove Unused Plugins and Themes
Cleaning up your site can give it a nice security boost. It’s a good idea to toss out any WordPress themes and plugins you’re not actively using.
This is because hackers can use outdated plugins and themes to access your website. By deleting inactive software, you’ll harden your WordPress security.
Need a rule of thumb? If you haven’t used it in the past six months, say goodbye. It’s an easy way to optimize your WordPress site and enhance its security.
5. Use Strong Passwords
A good password should be unique, unpredictable, and known only to you. We’d recommend using a mix of upper and lower-case letters, numbers, and symbols.

Remember, ‘Password123’ is a rookie mistake! It’s like leaving the key to your home under the doormat – practically inviting potential cyber threats for a site visit.
In brute force attacks, hackers or bots will try to guess your password. They’ll try out popular options until they get in. So, the more complex your password, the better.
Aside from that, avoid using any identifiable information related to you. Don’t use your name, birthday, or your pet’s name (no matter how adorable they might be).
Try not to use the same password for all your sites and users. Just like you wouldn’t use the same key for your house, car, and office, keep your digital keys varied to avoid a security breach.
Consider using a password manager like LastPass to safely store your passwords. It can automatically generate strong options and simplify the login process.
6. Limit Admin Access
When it comes to WordPress security, updating your admin access is a must. This step makes your site less vulnerable to unwanted intrusions or hacks.
First, limit the number of users with an ‘administrator’ role. Having multiple admin users can be a security risk. Ensure you have only a few trusted admins.
Next, check your list of users regularly, deleting any accounts no longer in use. This reduces the risk of dormant accounts being exploited by hackers.
Lastly, assign the least privileges necessary for a user role. Not everyone needs admin access.
A user should have enough rights to do their job, but no more. This minimizes the possibility of damage if that account is hacked.
7. Hide the WordPress Login Page
Every day, you use the login page to sign into your WordPress site. On every WordPress site it lives at the same default address, /wp-login.php (with /wp-admin/ redirecting there when you’re logged out), so attackers and bots know exactly where to send their login attempts.
Hiding your WordPress login page can protect your site from hacking attempts. When automated tools can’t find the login page, they can’t throw brute force attempts at your admin dashboard.
Some plugins can help you to easily achieve this, such as WPS Hide Login. You can simply customize your login URL so only you know where it is.

8. Monitor User Activity
When your site has a lot of users, one might get hacked or share login credentials with the wrong person. If the user account has admin access, your themes, plugins, or settings could be altered.
To identify the security breach, you could monitor user activity. You’ll identify which user made the unwanted change, and quickly remove it from your site.
The Activity Log plugin helps you keep track of your WordPress users. It gives you a comprehensive log of what happened and when.

If something ever happens, you can filter the log by activity severity, user, and date range. You’ll figure out how to harden your security so your data is safer next time.

This can be especially useful if you manage a WordPress multisite. You may have a ton of different website owners, authors, editors, and other users. It’s important to know exactly which user caused a vulnerability.
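The Activity Log plugin gives you this with a full dashboard. As an added example (not code from the page or from the Activity Log plugin), here is a minimal must-use plugin that records the events a post-incident review asks about first (who logged in, which logins failed, who changed a role, and which plugins or themes were switched) as JSON lines in a file outside the web root. The log path, the pal_ prefix and the choice of events are my own assumptions; it assumes PHP can write to the directory above the WordPress root.

```php
<?php
/**
 * Plugin Name: Privileged Action Log (added example, not part of the page)
 * Install: copy into wp-content/mu-plugins/ so it loads on every request.
 * Appends one JSON line per security-relevant event to a log file kept
 * outside the web root, where it can't be fetched over HTTP or edited from
 * the dashboard. Assumption: PHP can write to the directory above ABSPATH.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Direct web requests to this file get nothing.
}

// One level above the WordPress root; adjust for your layout.
define( 'PAL_LOG_FILE', dirname( ABSPATH ) . '/wp-activity.log' );

function pal_log( string $event, array $details = array() ): void {
    $user  = wp_get_current_user();
    $entry = array(
        'time'  => gmdate( 'c' ),
        'event' => $event,
        'actor' => $user->ID ? $user->user_login : '(anonymous)',
        // REMOTE_ADDR only: X-Forwarded-For is client-controlled unless a trusted proxy rewrites it.
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? '',
        'uri'   => $_SERVER['REQUEST_URI'] ?? '',
    ) + $details;
    file_put_contents( PAL_LOG_FILE, wp_json_encode( $entry ) . PHP_EOL, FILE_APPEND | LOCK_EX );
}

// Who logged in, and which attempts failed. Passwords are never written.
add_action( 'wp_login', function ( $login ) {
    pal_log( 'login', array( 'user' => $login ) );
} );
add_action( 'wp_login_failed', function ( $login ) {
    pal_log( 'login_failed', array( 'user' => $login ) );
} );

// Changes to who can do what, and to which code runs on the site.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    pal_log( 'role_changed', array( 'user_id' => $user_id, 'new_role' => $role, 'old_roles' => $old_roles ) );
}, 10, 3 );
add_action( 'user_register', function ( $user_id ) {
    pal_log( 'user_created', array( 'user_id' => $user_id ) );
} );
add_action( 'delete_user', function ( $user_id ) {
    pal_log( 'user_deleted', array( 'user_id' => $user_id ) );
} );
add_action( 'activated_plugin', function ( $plugin ) {
    pal_log( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
add_action( 'deactivated_plugin', function ( $plugin ) {
    pal_log( 'plugin_deactivated', array( 'plugin' => $plugin ) );
} );
add_action( 'switch_theme', function ( $new_name ) {
    pal_log( 'theme_switched', array( 'theme' => $new_name ) );
} );
```

Rotate the file or ship it to a log collector so it survives the server being wiped; when you need to answer “which user made the unwanted change”, the role_changed and plugin_activated lines are the ones to read first.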
9. Install a WordPress Security Plugin
Security plugins do exactly what you expect — add extra security to your site. They are designed to identify and address potential vulnerabilities. For example, they provide regular security scans, firewall protection, and spam filtering.
One of the best WordPress security plugins is Sucuri Security. This tool offers remote malware scanning, security notifications, and post-hack solutions.

Using Sucuri, you can easily harden your security. In the Hardening settings, you can enable a firewall, disable plugin and theme editors, hide your WordPress version, and more.

This is a beginner-friendly way to boost your WordPress security. Plus, there’s a free version on WordPress.org!
Wordfence is another solid option with a strong firewall and a large vulnerability database. Pick one and run it consistently.
10. Use a Web Application Firewall (WAF)
A Web Application Firewall (WAF) is a tool that oversees and filters incoming traffic to your website. It helps shield your WordPress site from threats like SQL injection and cross-site scripting (XSS).
A firewall can deter many common cyber threats. It acts as a protective barrier between your site and all incoming traffic, blocking malicious requests.
Here are the different types of firewalls:
- DNS level firewall: sends and evaluates traffic through cloud proxy servers
- Application level firewall: firewall plugins that evaluate traffic once it gets to your server
Sucuri offers the easiest way to set up a firewall on your WordPress website. It’s such an effective tool that it helped WPBeginner block 450,000 cyber attacks in just 3 months.
With Sucuri, you’ll avoid malware, DDoS attacks, brute force attacks, and other security concerns.
11. Scan For Malware
Regularly scanning your website for malware is a crucial part of maintaining your WordPress security. Popular plugins such as Wordfence and Sucuri can help you with this task.
These security tools are specifically designed to find and eliminate any potential threats on your website. They actively monitor your website, quickly alerting you to any suspicious activity, and provide solutions for their removal.
Sucuri also has a free malware checker. By entering your website’s URL, you’ll find out if there are any viruses.

12. Move to SSL/HTTPS
SSL (Secure Sockets Layer) is a protocol that encrypts data between a user’s browser and your server. It makes it harder for cyber attackers to intercept and steal data.
When you enable SSL, your site’s URL uses HTTPS (Hypertext Transfer Protocol Secure). This is shown with a lock icon next to your domain in a browser window.
To move to HTTPS, you will need to obtain and install an SSL certificate on your server. Many hosting providers offer a free SSL certificate via Let’s Encrypt. After that, ensure your WordPress site uses HTTPS in its settings and URLs.
13. Change Your Username
Using “admin” as a username is a common practice but it’s one of the serious WordPress security mistakes you want to avoid. It gives half of your login details away to attackers.
To help secure your website, consider changing your username to something less predictable and more unique.
Head over to your WordPress dashboard and create a new user with admin privileges. Once you’ve done this, log out and log back in as the new administrator.
Next, delete the old “admin” user. Make sure to transfer all content from the deleted user to the new one. It’s as simple as that.
14. Update File Permissions
File permissions regulate who can read, write, and execute your files. Misconfigured permissions could offer an open door to intruders.
Here are the settings we’d recommend using:
- 755 for folders and sub-folders
- 644 for all files
Keep in mind that fixing file and folder permissions can be complex without technical experience. If unsure, it’s always best to consult with your hosting provider or a skilled developer.
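As an added example (not from the page), here is a small standalone PHP script that audits an installation against the 755/644 settings above and, only when asked, applies them. It assumes a Unix host and that you run it as the user who owns the files; the script name, the function name and the --fix flag are my own. Run it in report mode first: anything group- or world-writable shows up as a mismatch, and some hosts deliberately set wp-content/cache or uploads differently.

```php
<?php
/**
 * perm-audit.php (added example, not part of the page)
 * Reports every file or directory under a WordPress install whose mode is
 * not 644 / 755 and, only with --fix, sets it. Unix hosts only; run it as
 * the user that owns the files.
 *
 *   php perm-audit.php /var/www/html          report only
 *   php perm-audit.php /var/www/html --fix    apply 644/755
 */

const WP_DIR_MODE  = 0755;
const WP_FILE_MODE = 0644;

/** Returns [path, current_mode, wanted_mode] for each mismatch found under $root. */
function wp_perm_audit( string $root, bool $fix = false ): array {
    $mismatches = array();
    $iterator   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $iterator as $path => $info ) {
        if ( $info->isLink() ) {
            continue; // Never chmod through a symlink; it would change the target.
        }
        $wanted  = $info->isDir() ? WP_DIR_MODE : WP_FILE_MODE;
        $current = $info->getPerms() & 0777; // Drop the file-type bits, keep rwx.
        if ( $current !== $wanted ) {
            $mismatches[] = array( $path, $current, $wanted );
            if ( $fix ) {
                chmod( $path, $wanted );
            }
        }
    }
    return $mismatches;
}

// CLI front end; skipped when the file is included by something else.
if ( PHP_SAPI === 'cli' && isset( $argv[0] ) && realpath( $argv[0] ) === __FILE__ ) {
    $root = $argv[1] ?? '';
    if ( '' === $root || ! is_dir( $root ) ) {
        fwrite( STDERR, "usage: php perm-audit.php /path/to/wordpress [--fix]\n" );
        exit( 1 );
    }
    $fix = in_array( '--fix', $argv, true );
    foreach ( wp_perm_audit( $root, $fix ) as [ $path, $current, $wanted ] ) {
        printf( "%-5s %04o -> %04o  %s\n", $fix ? 'fixed' : 'wrong', $current, $wanted, $path );
    }
}
```

The WordPress hardening documentation suggests an even tighter mode for wp-config.php than the blanket 644; if your host supports that, treat it as the one file to handle separately rather than letting --fix loosen it.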
15. Disable File Editing
The WordPress dashboard allows admins to change the PHP files for plugins and themes. It can be helpful but also dangerous.
If a hacker gets into your dashboard, they can misuse the file editor to put harmful code into your WordPress files. To avoid this security threat, you should turn off file editing by adjusting your wp-config.php file.
While this sounds technical, it’s actually a straightforward process. Access your WordPress installation via FTP, and locate the wp-config.php file. Open this file and add the following line above the comment that reads /* That's all, stop editing! Happy publishing. */:
// Removes the theme and plugin file editors from the dashboard
define( 'DISALLOW_FILE_EDIT', true );
Once you save the file, the updated settings start working right away to protect against harmful code.
Only do this if you’re okay with changing your website’s files. If you’re unsure, ask for expert help.
16. Disable PHP File Execution
Disabling PHP file execution in certain WordPress directories is a key step in protecting your site. If not done, it opens a gateway for malicious attacks.
Hackers can take advantage of this loophole by deploying php files in your uploads folder or other directories. These files can then execute malicious code, compromising your website.
To solve this problem, you can disable PHP file execution in any directories that don’t need it (like /wp-content/uploads/).
Open a text editor and paste this:
# Refuse every request for a .php file in this directory (Apache 2.2 syntax;
# on Apache 2.4 the equivalent line is "Require all denied")
<Files *.php>
deny from all
</Files>
Save the file as .htaccess in /wp-content/uploads/. This only works on Apache; nginx ignores .htaccess files, so the equivalent rule has to go into the server configuration.
17. Limit Login Attempts
As I mentioned earlier, bots could try to access your site by trying to log in again and again. To keep your site safe, set a limit on how many login tries can come from a single IP address.
By limiting login attempts, you’ll lower the odds of a successful brute force attack. Although WordPress allows unlimited logins, you can set a limit with a plugin like Limit Login Attempts Reloaded.

Limit Login Attempts Reloaded will block an IP address after a certain number of unsuccessful login attempts. You can create a custom lockout time and automatically get emails about new lockouts.
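To show what a plugin like that does under the hood, here is an added example (my own code, not the Limit Login Attempts Reloaded plugin and not from the page) of a must-use plugin that locks an address out after a number of failed logins. The limits, the lal_ prefix and the lockout message are assumptions; it also assumes the web server sets REMOTE_ADDR to the real client address.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example, not part of the page)
 * Install: copy into wp-content/mu-plugins/.
 * After LAL_MAX_FAILS failed logins from one address within LAL_WINDOW
 * seconds, every further attempt from that address is rejected, even with
 * the right password. Counters are transients, so they are shared by all
 * PHP workers serving the site.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const LAL_MAX_FAILS = 5;                      // Assumed policy; tune per site.
const LAL_WINDOW    = 15 * MINUTE_IN_SECONDS; // Counting window and lockout length.

/**
 * Keyed on REMOTE_ADDR only. Behind a reverse proxy, have the server set
 * REMOTE_ADDR from the proxy's header; don't read X-Forwarded-For here,
 * since any client can forge it to dodge a lockout or lock someone else out.
 */
function lal_client_key(): string {
    return 'lal_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

// Count each failure; the transient expiry resets the count after the window.
add_action( 'wp_login_failed', function () {
    $key = lal_client_key();
    set_transient( $key, (int) get_transient( $key ) + 1, LAL_WINDOW );
} );

// Priority 100 runs after core's username/password and cookie checks, so the
// lockout overrides a successful authentication too. A locked-out address
// still triggers wp_login_failed, which simply extends its lockout.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( lal_client_key() ) >= LAL_MAX_FAILS ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed logins from your address. Try again in %d minutes.', LAL_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 100 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lal_client_key() );
} );
```

Because the authenticate filter also runs for XML-RPC logins, the same counter covers attempts that bypass the wp-login.php form.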
18. Use Two-Factor Authentication
Two-factor authentication (2FA) adds an extra layer of protection to your WordPress site. Besides your password, you need a verification code that’s usually sent to your mobile phone.
This dual-check system boosts security, making it tricky for hackers to break in. Even if they crack your password, they still need the verification code.
WP 2FA is a plugin that quickly sets up two-factor authentication on your WordPress site. It’ll generate login codes for authentication apps like Google Authenticator or Authy. Users enter a code along with their password.

With this feature, hackers or bots can’t get into your site even if they get your password. The extra login step can’t be passed with the password alone.
19. Change the WordPress Database Prefix
WordPress assigns a prefix to your database tables. The default prefix is wp_.
If it’s left as the default, hackers can easily guess your table names. So, it’s good practice to change it.
However, this isn’t very easy for beginners. And, you could end up breaking your site.
If you’re sure you want to follow through, follow this guide on how to properly change the WordPress database prefix.
20. Password Protect Admin and Login Pages
Another way to protect your WordPress login pages is to add password protection to your admin directory. Whenever someone tries to access the admin area, they’ll have to enter a password before ever seeing a login page.

To enable admin password protection, you can use cPanel’s directory privacy. This will allow you to protect your admin directory without using any code.

21. Disable Directory Indexing and Browsing
Directory browsing can be a weak spot in your website security. If this feature is enabled, anyone can view the contents of directories on your website. Hackers could take advantage of this if they see any files with vulnerabilities.
To resolve this problem, add a simple line of code at the bottom of your .htaccess file.
Options -Indexes
This stops people from looking through your site’s folders and protects hidden files.
22. Disable XML-RPC
Since WordPress 3.5, XML-RPC is a core WordPress API. It allows developers to use remote applications to update WordPress.
XML-RPC allows you to use mobile apps to publish blog posts. It also makes it possible to connect your site with third-party services like Zapier.
This WordPress feature lets other apps talk to your website. But, it also creates a security loophole that hackers can use.
Against the normal login page, each password guess is a separate request, which is what makes limiting login attempts work. With XML-RPC, hackers could use a system.multicall function to guess thousands of password options in only about 20-50 requests.
So, turning off XML-RPC can help you avoid possible cyber threats.
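As an added example (not from the page), a must-use plugin that turns XML-RPC off, or, for sites that still need it for a mobile app or Zapier, keeps it but removes system.multicall so one request can again carry only one credential check. The XRH_KEEP_XMLRPC switch and the xrh_ prefix are my own assumptions.

```php
<?php
/**
 * Plugin Name: XML-RPC Hardening (added example, not part of the page)
 * Install: copy into wp-content/mu-plugins/.
 * Default: refuse every XML-RPC method that logs a user in. If a service you
 * rely on (a mobile app, Zapier) needs XML-RPC, set XRH_KEEP_XMLRPC to true
 * and only system.multicall and the pingback methods are removed, so a single
 * request can no longer carry hundreds of password guesses.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const XRH_KEEP_XMLRPC = false; // Assumption: nothing on this site needs XML-RPC.

if ( ! XRH_KEEP_XMLRPC ) {
    // Core checks this filter in its login routine: authenticated calls get an
    // "XML-RPC services are disabled on this site" fault. Methods that need no
    // login still answer, so to close the endpoint entirely also deny
    // xmlrpc.php at the web server (a <Files xmlrpc.php> rule like the one in step 16).
    add_filter( 'xmlrpc_enabled', '__return_false' );
}

add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    // Pingbacks need no login and have been abused for traffic amplification; drop them always.
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    if ( XRH_KEEP_XMLRPC ) {
        unset( $methods['system.multicall'] ); // One credential check per request again.
    }
    return $methods;
} );

// Stop advertising the endpoint: no X-Pingback response header, no RSD <link> in <head>.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

After installing it, confirm the result by posting a wp.getUsersBlogs call to /xmlrpc.php from your own machine: you should get the “disabled” fault rather than a login error.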
23. Log Out Idle Users
Unattended logins can become a gateway for unauthorized access. Their session could get hijacked. This is why your banking website logs you out after a certain amount of time.
It’s best to have your WordPress site auto-log out users when they’re inactive. This can majorly reduce the chances of any trouble.
You can use plugins like Inactive Logout to automate this process. With this free plugin, you’ll set idle timeout periods.

It’ll also allow you to customize session logout messages. You’ll let users know when they’re being logged out due to inactivity.
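As an added example (not from the page and not the Inactive Logout plugin), here is a must-use plugin that does the same job in about forty lines: it logs a user out after a period with no requests, shortens the cookie lifetime so a stolen login cookie has a limited shelf life, and explains the redirect on the login screen. The 30-minute policy, the isl_ prefix and the user-meta key are assumptions.

```php
<?php
/**
 * Plugin Name: Idle Session Logout (added example, not part of the page)
 * Install: copy into wp-content/mu-plugins/.
 * Ends a session after ISL_IDLE_SECONDS without a request from that user
 * and shortens the absolute cookie lifetime, so an unattended or stolen
 * login cookie stops working sooner than WordPress's 2-day / 14-day default.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const ISL_IDLE_SECONDS = 30 * MINUTE_IN_SECONDS; // Assumed policy; tune per site.
const ISL_META_KEY     = 'isl_last_seen';

// Start the idle clock at login.
add_action( 'wp_login', function ( $login, $user ) {
    update_user_meta( $user->ID, ISL_META_KEY, time() );
}, 10, 2 );

// On every request: log out if idle too long, otherwise refresh the clock.
add_action( 'init', function () {
    if ( ! is_user_logged_in() || wp_doing_cron() ) {
        return;
    }
    // The wp-admin Heartbeat pings every 15-60 s while a tab is open; it must not
    // count as activity or nobody with an open tab would ever go idle.
    $is_heartbeat = wp_doing_ajax() && 'heartbeat' === ( $_REQUEST['action'] ?? '' );
    if ( $is_heartbeat ) {
        return;
    }
    $user_id   = get_current_user_id();
    $last_seen = (int) get_user_meta( $user_id, ISL_META_KEY, true );
    if ( $last_seen && ( time() - $last_seen ) > ISL_IDLE_SECONDS ) {
        wp_logout(); // Clears the auth cookies and invalidates the session token server-side.
        wp_safe_redirect( add_query_arg( 'idle_logout', '1', wp_login_url() ) );
        exit;
    }
    update_user_meta( $user_id, ISL_META_KEY, time() );
}, 1 );

// Cap the cookie's absolute lifetime: 2 hours, or 1 day with "Remember Me".
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 2 * HOUR_IN_SECONDS;
}, 10, 3 );

// Explain the redirect on the login screen.
add_filter( 'login_message', function ( $message ) {
    if ( isset( $_GET['idle_logout'] ) ) {
        $message .= '<p class="message">You were logged out after '
            . ( ISL_IDLE_SECONDS / MINUTE_IN_SECONDS ) . ' minutes of inactivity.</p>';
    }
    return $message;
} );
```

The last-seen timestamp is per user rather than per session, so a user active in one browser keeps a second, idle browser’s session alive; if that matters for your site, key the timestamp on wp_get_session_token() instead.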

24. Hide Your WordPress Version
By default, WordPress prints your site’s version number into the HTML source of every page, in a generator meta tag.

Exposing your latest version of WordPress might seem harmless, but it could leave your site at risk. Hackers use this information to exploit known security vulnerabilities in specific versions.
There are many ways to hide your WordPress version, but we’d recommend using WPCode. This code snippets plugin has a pre-made snippet to remove your WordPress version number.

All you’ll need to do is search for the snippet and use it.

Then, activate the new snippet!
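If you’d rather not add a snippets plugin, the same result takes a few lines in a must-use plugin. This is an added example (not from the page and not WPCode’s snippet); the hwv_ prefix is my own. It goes one step further than the generator tag alone and also masks the ?ver= query string core appends to its own scripts and styles, which reveals the release number just as plainly.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (added example, not part of the page)
 * Install: copy into wp-content/mu-plugins/.
 * Removes the release number from the generator tag, feeds, and the
 * ?ver= query string core adds to its own scripts and styles.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// <meta name="generator" content="WordPress 6.x" /> in the page <head>.
remove_action( 'wp_head', 'wp_generator' );

// The same string is emitted in RSS/Atom feeds and other generator output.
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Core assets load as /wp-includes/js/foo.js?ver=6.x. Swap that value for a
 * keyed hash of the version: browsers still get a fresh URL after each core
 * update (so caching keeps working), but the number itself is no longer readable.
 */
function hwv_mask_core_ver( $src ) {
    if ( ! is_string( $src ) ) {
        return $src;
    }
    $wp_version = get_bloginfo( 'version' );
    parse_str( (string) wp_parse_url( $src, PHP_URL_QUERY ), $args );
    if ( ( $args['ver'] ?? '' ) === $wp_version ) {
        $masked = substr( hash_hmac( 'sha256', $wp_version, wp_salt( 'nonce' ) ), 0, 10 );
        $src    = add_query_arg( 'ver', $masked, $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hwv_mask_core_ver' );
add_filter( 'style_loader_src', 'hwv_mask_core_ver' );
```

Treat this as fingerprint resistance rather than protection: the readme.html file in the site root also states the version, plugins and themes reveal their own, and none of it matters if updates (step 3) are current.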

25. Restore Your Site After Hacks
Even if you do everything right, a hacker could get into your website and cause damage. In case this ever happens, you’ll need to be prepared.
Restoring your WordPress site after a hack may seem daunting. But, it’s easy with the right tools.
Duplicator Pro is a WordPress backup plugin that restores your site in seconds. After a hack, find the most recent error-free backup and hit the Restore button next to it.

Some hackers may lock you out of your WordPress admin dashboard. To prepare for this, be sure to set up disaster recovery beforehand.
Create a full backup of your site. Then, click on the blue house icon next to it.

Once you set up disaster recovery, Duplicator will give you a recovery link and a launcher file. Either of these will immediately restore your site after a cyber attack.

Personally, I prefer the recovery link. You’ll simply need to open a browser window and paste it. This opens the Duplicator recovery wizard (without needing your dashboard).

To secure your website, save the recovery link or launcher file in a safe location. It’ll need to be off-site, just in case your website ever goes down.
FAQs About WordPress Security
How do I make a WordPress site secure?
To secure your WordPress site, use a safe web host, automate backups, keep software updated, and monitor user access. For more complex security concerns, don’t hesitate to ask an expert.
Do I really need a security plugin for WordPress?
A security plugin helps shield your site from common threats. I’d recommend it for beginners because you’ll be able to boost your security without touching any code. Sucuri Security is a great option if you’re just getting started or want a hands-off approach to site security.
Does WordPress have vulnerabilities?
The core platform is well-maintained. In 2025, only 6 vulnerabilities were found in WordPress core, all low severity. The real risk is the plugin and theme ecosystem. In 2025, 11,334 new vulnerabilities were reported across WordPress plugins and themes — 91% of the total.
What is the largest danger in WordPress site security?
Outdated or abandoned plugins. They’re the entry point for the majority of successful attacks. Keeping every plugin updated and removing anything you’re not actively using closes the most common attack vector. For plugins with no available patch, a WordPress-specific WAF with virtual patching is your best protection.
Does the US government use WordPress?
Yes. Federal agencies, state governments, and municipal sites across the US run on WordPress. The White House website has used WordPress, and dozens of .gov domains do as well. Government use doesn’t make a platform inherently secure — it means the platform is capable of meeting security requirements when configured correctly. The same practices in this guide apply regardless of who’s running the site.
What is the downside of using WordPress?
The main downside is the maintenance burden. WordPress requires regular updates across core, plugins, and themes, and skipping those updates is the most common cause of breaches. The plugin ecosystem is also a double-edged situation: plugins give you flexibility, but each one you add expands your attack surface. Performance, plugin conflicts, and the learning curve for advanced customization are other common complaints, though none are unique to WordPress.
What are common vulnerabilities in WordPress?
The most frequently exploited vulnerability types in WordPress are broken access control, cross-site scripting (XSS), and SQL injection. These are almost all introduced through plugins, not core. Weak or reused credentials remain a top entry point. Directory traversal, insecure file upload handling, and outdated components with unpatched CVEs round out the list. Wordfence and Patchstack both publish updated vulnerability databases if you want to track what’s actively being exploited.
Why is WordPress so vulnerable?
Mostly because of scale and openness. WordPress powers around 43% of all websites, which makes it the most valuable target for automated attacks. Because it’s open source, the codebase is publicly readable — anyone can study it for weaknesses. The plugin ecosystem adds tens of thousands of third-party code contributors with varying security practices. None of that makes WordPress uniquely dangerous, but it does mean the platform draws more sustained attention from attackers than smaller alternatives.
Your Last Line of Defense: A Backup You Can Restore
No security checklist is perfect. Plugins get zero-day vulnerabilities. Hosting providers get breached. Team members get phished. The question isn’t only how to prevent attacks, it’s what happens to your site when one gets through.
A tested backup process is what changes the game. If you can restore your site in a few minutes from a clean backup, a hack is a minor disruption. Without one, it’s potentially a $14,500 problem.
More than 1.5 million WordPress professionals use Duplicator for backups and disaster recovery. Automated cloud backups, one-click restoration from cloud storage, and a recovery link that works even when wp-admin is completely locked — it’s the one tool I’d put on this list before any other.
If this guide got you thinking about your site’s overall resilience, these posts are worth reading next.