How to Secure Your WordPress Site: A Complete Security Checklist

WordPress powers over 40% of the web, which makes it the number one target for automated attacks. The good news: most WordPress hacks are entirely preventable. This checklist covers everything you need to lock down your site properly.

1. Start With Secure Hosting

Your hosting provider is your first line of defence. Cheap, shared hosting with outdated PHP versions and no server-level firewall is a liability regardless of what security plugins you install on top.

For WordPress-specific security at the server level, consider:

  • Cloudways: Managed cloud hosting with server-level firewalls, automated security patches, and regular backups built in. You don’t need to worry about server hardening — it’s handled for you.
  • Hostinger Business or Cloud hosting: LiteSpeed server with built-in WAF, malware scanning, and DDoS protection at an affordable price point.

👉 Try Cloudways free for 3 days | 👉 Get started with Hostinger

2. Keep WordPress, Themes, and Plugins Updated

The vast majority of WordPress hacks exploit known vulnerabilities in outdated plugins, themes, or WordPress core. Enable automatic updates for minor WordPress releases, and check for plugin/theme updates at least weekly.

  • Go to Dashboard → Updates and apply all pending updates
  • Enable auto-updates for trusted plugins: Plugins → click “Enable auto-updates” next to each
  • Delete unused themes and plugins entirely — inactive plugins with vulnerabilities can still be exploited

3. Harden Your Login Page

The WordPress login page at /wp-login.php is hammered by brute-force bots constantly. Several steps reduce this attack surface significantly:

Use a strong, unique password and a password manager

Use a randomly generated password of at least 20 characters. Store it in a password manager like 1Password — never reuse passwords from other accounts.

👉 Try 1Password free for 14 days

Enable two-factor authentication (2FA)

Install a plugin like WP 2FA or Wordfence to require a TOTP code at login. Even if your password is compromised, 2FA prevents unauthorised access.

Change the default admin username

Never use “admin” as your WordPress username. Brute-force tools try “admin” first by default. Create a new admin user with a different username, then delete the original “admin” account.

Limit login attempts

Install Limit Login Attempts Reloaded (free) to automatically block IPs after a set number of failed login attempts. This stops brute-force attempts from any single IP in their tracks; botnets that rotate addresses are one more reason to keep 2FA enabled as well.
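To show what such a plugin does under the hood, here is an added example (not the plugin's own code and not from the original post): a must-use plugin that counts failed logins per client IP in a WordPress transient and refuses further attempts for 15 minutes once the limit is reached. The elal_ function names, the limit of 5 and the 15-minute window are hypothetical choices.

```php
<?php
/**
 * Plugin Name: Example Login Attempt Limiter (hypothetical mu-plugin)
 * Place in wp-content/mu-plugins/ so WordPress loads it automatically.
 */

const ELAL_MAX_ATTEMPTS = 5;                      // failures allowed per IP per window
const ELAL_LOCKOUT      = 15 * MINUTE_IN_SECONDS; // lockout length and counter lifetime

function elal_client_ip(): string {
    // REMOTE_ADDR is set by the web server, so the client cannot forge it;
    // behind a CDN or reverse proxy, have the server restore the real IP first.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function elal_transient_key(): string {
    return 'elal_fail_' . md5( elal_client_ip() );
}

// Priority 30 runs after core's password check (priority 20), so a locked-out
// IP is refused even when it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( elal_transient_key() ) >= ELAL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'elal_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', ELAL_LOCKOUT / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// Count each genuine failure; the transient expires on its own after the window.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    if ( $error instanceof WP_Error && 'elal_locked_out' === $error->get_error_code() ) {
        return; // attempts rejected by the lockout itself are not counted again
    }
    $key   = elal_transient_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, ELAL_LOCKOUT );
    // Surface failures in the PHP error log so server-side monitoring can see them.
    error_log( sprintf( 'WP login failure #%d for "%s" from %s',
        $fails, sanitize_user( $username ), elal_client_ip() ) );
}, 10, 2 );

// A successful login clears the counter for this IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( elal_transient_key() );
}, 10, 2 );
```

Transients are per-IP and time-limited, so a legitimate user who mistypes a password is only held back for the window, while a bot hammering the login form is refused before its guesses reach the password check.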

4. Install SSL and Force HTTPS

Every WordPress site must run over HTTPS. Without SSL, passwords and session tokens are transmitted in plaintext. Most decent hosting providers include free Let’s Encrypt SSL — enable it if you haven’t already.

Once SSL is active, force HTTPS. For Apache, add this to your .htaccess file (nginx uses its own config syntax for the same redirect):

# Force HTTPS (Apache)
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

5. Set Up Automatic Backups

Backups are your last line of defence. If everything else fails and your site gets compromised, a clean backup lets you restore in minutes rather than rebuilding from scratch.

  • UpdraftPlus (free): Automated backups to Google Drive, Dropbox, Amazon S3, or remote FTP. Schedule daily backups and keep at least 7 copies.
  • Cloudways includes automated backups at the server level — a significant advantage over self-managed hosting.
  • Store backups offsite — a backup on the same server as the compromised site is useless.

6. Use a Security Plugin

Wordfence Security (free) is the most widely used WordPress security plugin for good reason. It provides:

  • Web Application Firewall (WAF) that blocks malicious requests
  • Malware scanner that checks core files, themes, and plugins against known clean versions
  • Login security with 2FA, reCAPTCHA, and login attempt limiting
  • Real-time IP blocking of known malicious actors

7. Disable File Editing in the Dashboard

WordPress allows editing theme and plugin files directly from the admin dashboard — a massive risk if an attacker gains admin access. Disable it by adding this line to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Quick Security Checklist

  • ✅ Hosting with server-level security (Cloudways or Hostinger)
  • ✅ WordPress, themes, and plugins all up to date
  • ✅ Strong, unique admin password stored in 1Password
  • ✅ Two-factor authentication enabled
  • ✅ No “admin” username
  • ✅ Login attempts limited
  • ✅ SSL installed and HTTPS forced
  • ✅ Automated offsite backups configured
  • ✅ Wordfence installed and WAF active
  • ✅ File editing disabled in wp-config.php

Disclosure: This article contains affiliate links. I may earn a commission if you sign up through these links, at no extra cost to you.
