Get the Best WordPress Backup
& Migration Plugin Today
Get Duplicator Now
Announcement for Duplicator's new inline help

[NEW] Introducing Inline Help to Clarify Backups and Migrations

Are you not sure what the Duplicator plugin can do? You can now use inline help to immediately find answers…
WordPress security

WordPress Security Checklist: Step-by-Step Guide to Protect Your Site 

Written By: author image Joella Dunn
author image Joella Dunn
Joella is a writer with years of experience in WordPress. At Duplicator, she specializes in site maintenance — from basic backups to large-scale migrations. Her ultimate goal is to make sure your WordPress website is safe and ready for growth.
     Reviewed By: John Turner
reviewer image John Turner
John Turner is the President of Duplicator. He has over 20+ years of business and development experience and his plugins have been downloaded over 25 million times.

Do you need to improve your WordPress security?

If you don’t protect your WordPress site, it’s vulnerable to hackers. They might find weak areas, change your content, steal user information, or break your site. This could seriously damage your business and reputation. 

In this blog post, I’ll give you a full WordPress security checklist! You’ll learn security best practices, so your site never gets hacked.

Is WordPress Secure?

Yes, WordPress is fundamentally secure. With that said, like any other online platform, it isn’t immune to risks. 

With millions of websites worldwide relying on WordPress, you can bet the platform takes security seriously. They release regular updates to keep the software secure.

But since it’s an open-source platform, anyone can look into the source code, potentially finding vulnerabilities to exploit. 

However, many hackers gain access to WordPress sites through a site owner’s neglect. If your WordPress core software is outdated or you have a weak password, it can leave your site extremely vulnerable. 

This tells us that WordPress security isn’t something to take lightly. WordPress has a strong foundation, but you’ll still have some routine maintenance tasks to boost your security. 

Why WordPress Security Is Important

You’ve been working tirelessly on your blog or e-commerce store. All is going well until you wake up one morning to find everything gone. 

This is why WordPress security is so important. Using good security measures, you’ll protect your site against threats. This significantly reduces your chances of falling victim to hacks and data breaches. 

Besides keeping your content safe, a secure site is also more attractive to visitors. When visitors know they’re safe, they’re more likely to stick around. 

Plus, search engines tend to favor secure sites in rankings too. The more you secure WordPress, the more your SEO will improve

All in all, investing in WordPress security is like buying a house alarm. It might be a bit of a chore getting it all up, but it’s definitely worth it in the end.

WordPress Security Checklist

As a beginner, you may be thinking, where do I get started?

Fortunately, I’ve created a full WordPress security checklist for you! Simply go through each step and by the end you’ll have a fully secure site.

1. Find a Secure Web Host

Choosing a web host is more than just checking the price tag. What you need is a host that’s passionate about security.

Look for a web host that offers the latest in security protocols. Their servers should be maintained and up-to-date. It’s also great if it has a strong firewall and offers SSL certificates. 

And finally, find out if the web host offers regular backups and site restorations. You’d hope you never need this safety net, but it’s good to have one, just in case.

If you currently have a shared hosting plan, you might want to upgrade to managed WordPress hosting. With a shared host, you’ll share resources with other sites. If someone on your server has a security breach, it could affect your website as well.

But, reputable shared hosts like Bluehost, Hostinger, and Siteground will protect you from many basic security issues.

Once you find a WordPress host that’s secure, here’s how to migrate your site to the new server

2. Back Up Your Website

When you first start your website, you’ll probably be excited to write new blog posts or sell products. However, you’ll also need to regularly back up your site.

Backups are an insurance policy for your digital content. They allow you to restore your site to its original state if something goes wrong.

Duplicator is a backup plugin that makes it easy to create copies of your site. It supports automatic backups and cloud storage, so you’ll never lose data.

Duplicator Pro plugin

It’s often best to store backups on a separate cloud server for an added layer of security. This way, your backups won’t be lost if a server issue happens.

With Duplicator, you can back up your site to the cloud. Simply connect your preferred cloud storage service and select it when you create a backup.

Duplicator backup storage locations

You’ll be able to customize what data is saved in the backup. So, you can effortlessly back up just your database, media library, or other data if you need to.

Duplicator custom package components

Your website is constantly being updated with new content, so you’ll need to back it up regularly. Fortunately, Duplicator allows you to automate backups.

Duplicator automatic backup schedule

By setting up schedules, you’ll never have to worry about manual backups! Your site will constantly be secure from any problems because you can just roll back your site when they happen.

Along with Duplicator, there are many other backup plugins you can use. UpdraftPlus, Jetpack, and BlogVault are some popular options. 

3. Update Software

Software updates play a crucial role in WordPress security. They don’t just add extra functionality but also patch any potential vulnerabilities. 

WordPress will automatically install minor updates. But, you’ll have to manually install any major versions. 

Find the Updates page and perform any updates for your core software, plugins, and themes.

Update WordPress software

Security updates happen all the time, so you’ll have to keep an eye on them. For your convenience, you can also automate them. 

However, I’d recommend testing new versions of WordPress, plugins, and themes on a staging site first. This helps you avoid any software conflicts that sometimes happen after bad updates.

4. Remove Unused Plugins and Themes

Cleaning up your site can give it a nice security boost. It’s a good idea to toss out any WordPress themes and plugins you’re not actively using. 

This is because hackers can use outdated plugins and themes to access your website. By deleting inactive software, you’ll harden your WordPress security. 

Need a rule of thumb? If you haven’t used it in the past six months, say goodbye. It’s an easy way to optimize your WordPress site and enhance its security. 

5. Use Strong Passwords

A good password should be unique, unpredictable, and known only to you. We’d recommend using a mix of upper and lower-case letters, numbers, and symbols. 

New WordPress password

Remember, ‘Password123’ is a rookie mistake! It’s like leaving the key to your home under the doormat – practically inviting potential cyber threats for a site visit.

In brute force attacks, hackers or bots will try to guess your password. They’ll try out popular options until they get in. So, the more complex your password, the better. 

Aside from that, avoid using any identifiable information related to you. Don’t use your name, birthday, or your pet’s name (no matter how adorable they might be).

Try not to use the same password for all your sites and users. Just like you wouldn’t use the same key for your house, car, and office, keep your digital keys varied to avoid a security breach.

Lastly, consider using a password manager like LastPass to safely store your passwords. It can automatically generate strong options and simplify the login process.

6. Update Admin Access

When it comes to WordPress security, updating your admin access is a must. This step makes your site less vulnerable to unwanted intrusions or hacks. 

First, limit the number of users with an ‘administrator’ role. Having multiple admin users can be a security risk. Ensure you have only a few trusted admins. 

Next, check your list of users regularly, deleting any accounts no longer in use. This reduces the risk of dormant accounts being exploited by hackers. 

Lastly, assign the least privileges necessary for a user role. Not everyone needs admin access.

A user should have enough rights to do their job, but no more. This minimizes the possibility of damage if that account is hacked.

If you’re not sure which users should get certain access, read this guide on WordPress user roles and permissions.

7. Hide the WordPress Login Page

Every day, you use the login page to sign into your WordPress site. All WordPress sites have login pages that end with wp-admin or wp-login. So, malicious users could access yours and abuse it. 

Hiding your WordPress login page can protect your site from hacking attempts. When hackers can’t find the login page, they can’t try brute force attacks to open your admin dashboard.

Some plugins can help you to easily achieve this, such as WPS Hide Login. You can simply customize your login URL so only you know where it is.

WPS Hide Login plugin

8. Monitor User Activity

When your site has a lot of users, one might get hacked or share login credentials with the wrong person. If the user account has admin access, your themes, plugins, or settings could be altered.

To identify the security breach, you could monitor user activity. You’ll identify which user made the unwanted change, and quickly remove it from your site.

Here are a few plugins that can help you keep track of your WordPress users:

These tools can be especially useful if you manage a WordPress multisite. You may have a ton of different website owners, authors, editors, and other users. It’s important to know exactly which user caused a vulnerability.

9. Install a WordPress Security Plugin

Security plugins do exactly what you expect — add extra security to your site. They are designed to identify and address potential vulnerabilities. For example, they provide regular security scans, firewall protection, and spam filtering. 

One of the best WordPress security plugins is Sucuri Security. This tool offers remote malware scanning, security notifications, and post-hack solutions.

Sucuri Security plugin

Using Sucuri, you can easily harden your security. In the Hardening settings, you can enable a firewall, disable plugin and theme editors, hide your WordPress version, and more.

Sucuri security hardening

This is a beginner-friendly way to boost your WordPress security. Plus, there’s a free version on!

10. Use a Web Application Firewall (WAF)

A Web Application Firewall (WAF) is a tool that oversees and filters incoming traffic to your website. It helps shield your WordPress site from threats like SQL injection and cross-site scripting (XSS).

A firewall can deter many common cyber threats. It acts as a protective barrier between your site and all incoming traffic, blocking malicious requests.

Here are the different types of firewalls:

  • DNS level firewall: sends and evaluates traffic through cloud proxy servers
  • Application level firewall: firewall plugins that evaluate traffic once it gets to your server

Sucuri offers the easiest way to set up a firewall on your WordPress website. It’s such an effective tool that it helped WPBeginner block 450,000 cyber attacks in just 3 months.

With Sucuri, you’ll avoid malware, DDoS attacks, brute force attacks, and other security concerns. 

11. Scan For Malware

Regularly scanning your website for malware is a crucial part of maintaining your WordPress security. Popular plugins such as Wordfence and Sucuri can help you with this task. 

These security tools are specifically designed to find and eliminate any potential threats on your website. They actively monitor your website, quickly alerting you to any suspicious activity, and provide solutions for their removal.

Sucuri also has a free malware checker. By entering your website’s URL, you’ll find out if there are any viruses.

Sucuri malware scanner

12. Move to SSL/HTTPS

SSL (Secure Sockets Layer) is a protocol that encrypts data between a user’s browser and your server. It makes it harder for cyber attackers to intercept and steal data.

When you enable SSL, your site’s URL uses HTTPS (Hypertext Transfer Protocol Secure). This is shown with a lock icon next to your domain in a browser window.

To move to HTTPS, you will need to purchase and install an SSL certificate on your server. Many hosting providers offer a free SSL certificate via Let’s Encrypt. After that, ensure your WordPress site uses HTTPS in its settings and URLs. 

If you don’t have an SSL certificate yet, here’s how to set one up!

13. Change Your Username

Using “admin” as a username is a common practice but it’s one of the serious WordPress security mistakes you want to avoid. It gives half of your login details away to attackers.

To help secure your website, consider changing your username to something less predictable and more unique. 

Head over to your WordPress dashboard and create a new user with admin privileges. Once you’ve done this, log out and log back in as the new administrator.

Next, delete the old “admin” user. Make sure to transfer all content from the deleted user to the new one. It’s as simple as that. 

14. Update File Permissions

File permissions regulate who can read, write, and execute your files. Misconfigured permissions could offer an open door to intruders.

Here are the settings we’d recommend using:

  • 755 for folders and sub-folders
  • 644 for all files

Keep in mind that fixing file and folder permissions can be complex without technical experience. If unsure, it’s always best to consult with your hosting provider or a skilled developer.

15. Disable File Editing

The WordPress dashboard allows admins to change the PHP files for plugins and themes. It can be helpful but also dangerous.

If a hacker gets into your dashboard, they can misuse the file editor to put harmful code into your WordPress files. To avoid this security threat, you should turn off file editing by adjusting your wp-config.php file.

While this sounds technical, it’s actually a straightforward process. Access your WordPress installation via FTP, and locate the wp-config.php file. Open this file and add the following code snippet: 

define( 'DISALLOW_FILE_EDIT', true );

Once you save the file, the updated settings start working right away to protect against harmful code. 

Only do this if you’re okay with changing your website’s files. If you’re unsure, ask for expert help. 

16. Disable PHP File Execution

Disabling PHP file execution in certain WordPress directories is a key step in protecting your site. If not done, it opens a gateway for malicious attacks. 

Hackers can take advantage of this loophole by deploying php files in your uploads folder or other directories. These files can then execute malicious code, compromising your website.

To solve this problem, you can disable PHP file execution in any directories that don’t need it (like /wp-content/uploads/). 

Open a text editor and paste this coding:

<Files *.php>

deny from all


Name the file .htaccess and add it to the uploads folder. 

17. Limit Login Attempts

As I mentioned earlier, bots could try to access your site by trying to log in again and again.  To keep your site safe, set a limit on how many login tries can come from a single IP address.

By limiting login attempts, you’ll lower the odds of a successful brute force attack. Although WordPress allows unlimited logins, you can set a limit with a plugin like Limit Login Attempts Reloaded.

Limit Login Attempts Reloaded plugin

Limit Login Attempts Reloaded will block an IP address after a certain number of unsuccessful login attempts. You can create a custom lockout time and automatically get emails about new lockouts. 

18. Use Two-Factor Authentication

Two-factor authentication (2FA) adds an extra layer of protection to your WordPress site. Besides your password, you need a verification code that’s usually sent to your mobile phone. 

This dual-check system boosts security, making it tricky for hackers to break in. Even if they crack your password, they still need the verification code. 

WP 2FA is a plugin that quickly sets up two-factor authentication on your WordPress site. It’ll generate login codes for authentication apps like Google Authenticator or Authy. Users enter a code along with their password.

WP 2FA plugin

With this feature, hackers or bots can’t get into your site even if they get your password. There’s an extra step for logins, which can’t be easily accessed. 

19. Change the WordPress Database Prefix

WordPress assigns a prefix to your database tables. The default prefix is wp_.

If it’s left as the default, hackers can easily guess your table names. So, it’s good practice to change it.

However, this isn’t very easy for beginners. And, you could end up breaking your site. If you’re sure you want to follow through, follow this guide on how to properly change the WordPress database prefix

20. Password Protect Admin and Login Pages

Another way to protect your WordPress login pages is to add password protection to your admin directory. Whenever someone tries to access the admin area, they’ll have to enter a password before ever seeing a login page.

Password protected WP admin

To enable admin password protection, you can use cPanel’s directory privacy. This will allow you to protect your admin directory without using any code.

Bluehost directory privacy

21. Disable Directory Indexing and Browsing

Directory browsing can be a weak spot in your website security. If this feature is enabled, anyone can view the contents of directories on your website. Hackers could take advantage of this if they see any files with vulnerabilities. 

To resolve this problem, add a simple line of code at the bottom of your .htaccess file. 

Options -Indexes

This stops people from looking through your site’s folders and protects hidden files.

22. Disable XML-RPC

Since WordPress 3.5, XML-RPC is a core WordPress API. It allows developers to use remote applications to update WordPress.

XML-RPC allows you to use mobile apps to publish blog posts. It also makes it possible to connect your site with third-party services like Zapier. 

This WordPress feature lets other apps talk to your website. But, it also creates a security loophole that hackers can use. 

If someone tries to hack your login page, they make separate login attempts. With XML-RPC, hackers could use a system.multicall function to guess thousands of password options in only about 20-50 requests.

So, turning off XML-RPC can help you avoid possible cyber threats.

23. Log Out Idle Users

Unattended logins can become a gateway for unauthorized access. Their session could get hijacked. This is why your banking website logs you out after a certain amount of time.

It’s best to have your WordPress site auto-log out users when they’re inactive. This can majorly reduce the chances of any trouble.

You can use plugins like Inactive Logout to automate this process. With this free plugin, you’ll set idle timeout periods. 

Inactive Logout plugin

It’ll also allow you to customize session logout messages. You’ll let users know when they’re being logged out due to inactivity. 

Inactive logout settings

24. Add Login Security Questions

Security questions add extra safety to your login page. Choose a question that only you can answer and is hard for others to guess. This strengthens your WordPress login security, preventing unwanted access.

With the Two Factor Authentication plugin, you can create custom security questions. 

Two Factor Authentication plugin

The free version allows you to save your answers to two selected questions. You can also add your own question and answer.

Add security questions

Then, when users log in, they’ll have to answer two of the questions you filled out.

WordPress security questions

25. Hide Your WordPress Version

By default, your source code will show your site’s WordPress version.

Source code WordPress version

Exposing your latest version of WordPress might seem harmless, but it could leave your site at risk. Hackers use this information to exploit known security vulnerabilities in specific versions. 

There are many ways to hide your WordPress version, but we’d recommend using WPCode. This code snippets plugin has a pre-made snippet to remove your WordPress version number.

WPCode plugin

All you’ll need to do is search for the snippet and use it. 

Remove WordPress version WPCode snippet

Then, activate the new snippet!

Activate WPCode snippet that hides WP version

26. Restore Your Site After Hacks

Even if you do everything right, a hacker could get into your website and cause damage. In case this ever happens, you’ll need to be prepared. 

Restoring your WordPress site after a hack may seem daunting. But, it’s easy with the right tools.

Duplicator Pro is a WordPress backup plugin that restores your site in seconds. After a hack, find the most recent error-free backup and hit the Restore button next to it.

Duplicator restore button

Some hackers may lock you out of your WordPress admin dashboard. To prevent this, be sure to set disaster recovery beforehand.

Create a full backup of your site. Then, click on the blue house icon next to it.

Duplicator disaster recovery

Once you set up disaster recovery, Duplicator will give you a recovery link and a launcher file. Either of these will immediately restore your site after a cyber attack.

Disaster recovery link

Personally, I prefer the recovery link. You’ll simply need to open a browser window and paste it. This opens the Duplicator recovery wizard (without needing your dashboard).

Disaster recovery

To secure your website, save the recovery link or launcher file in a safe location. It’ll need to be off-site, just in case your website ever goes down. 

If you want to make sure you removed any backdoors and other security vulnerabilities, read this tutorial on how to fix a hacked WordPress site

FAQs About WordPress Security

How do I make a WordPress site secure?

To secure your WordPress site, use a safe web host, automate backups, keep software updated, and monitor user access. For more complex security concerns, don’t hesitate to ask an expert.

Do I really need a security plugin for WordPress?

A security plugin helps shield your site from common threats. We’d recommend it for beginners because you’ll be able to boost your security without touching any code. Sucuri Security is a great option if you’re just getting started or want a hands-off approach to site security. 

What percentage of WordPress sites are hacked?

There’s no exact number of WordPress sites that are hacked every year. But, Sucuri regularly cleans up websites and found that 96.2% of its exploited sites in 2022 were running on WordPress. 49.8% of these were outdated at the time of the cyber attack. 

Does WordPress have vulnerabilities?

Yes, like any other platform, WordPress does have its vulnerabilities. These can range from outdated software, weak passwords, or a lack of WordPress updates. However, if managed properly, these risks can be reduced significantly.

What is the largest danger in WordPress site security?

Your WordPress site’s security may be at risk if you don’t update your system, plugins, and themes regularly. Also, not setting strong passwords or two-factor authentication can make your site vulnerable. This can lead to serious issues like SQL attacks, cross-site scripting, and brute force logins.


At this point, your site is ready to fight off any security threats!

While you’re here, I think you’ll like these extra WordPress guides:

Do you want to avoid data loss from unexpected hacks? Download Duplicator Pro for automatic cloud backups!

author avatar
Joella Dunn Content Writer
Joella is a writer with years of experience in WordPress. At Duplicator, she specializes in site maintenance — from basic backups to large-scale migrations. Her ultimate goal is to make sure your WordPress website is safe and ready for growth.

Disclosure: Our content is reader-supported. This means if you click on some of our links, then we may earn a commission. We only recommend products that we believe will add value to our readers.