WordPress security checklist: 30 measures to safeguard your site
WordPress is built with strong security measures. It also gets regular updates to patch any vulnerabilities. But no system is foolproof. Gaps like outdated plugins, weak passwords, and poor hosting security can leave the doors open for hackers.
Luckily, there are ways to safeguard your site. In this article, we’ll walk you through 30 practical measures you should have on your WordPress security checklist to protect your site. Some of these tips even apply beyond WordPress and help you avoid cyber threats on other platforms.
A complete checklist of WordPress security measures
Protecting your WordPress site isn’t just about a one-time fix. You want to layer multiple safeguards to maintain the highest security standards. Here are 30 essential security tips to help keep your WordPress site safe from attacks.
1. Use a secure web host
No matter how many security measures you implement, your site is only as safe as the server it runs on. A good provider should offer strong firewall protection, automatic malware scanning, and frequent software updates.
Shared hosting is convenient but less secure since multiple sites share the same resources. If security is a top priority, consider a Virtual Private Server (VPS) or dedicated hosting. These options provide much higher isolation and control.
When choosing a provider, also look for features like automatic backups, real-time monitoring, and 24/7 support. If your current host doesn’t meet these standards, it may be time to make a switch.
Hostinger includes an anti-DDoS traffic analyzer, malware protection, and regular backups. We also provide resilient data centers, proactive monitoring, firewalls, malware scanners, and automatic updates. All these features are available to our customers for free.
2. Update the WordPress core software
We’ve all skipped an update notification at some point. However, ignoring WordPress updates can leave your site vulnerable to security risks, bugs, and compatibility issues. Updates bring new features, but also address defects like security and performance issues.
Before updating, make sure to complete the following steps. This is essential for maintaining your database hygiene and should be at the top of your WordPress security checklist.
- Backup your site to avoid data loss.
- Check the changelog for details on what’s new.
- Disable caching plugins to prevent conflicts.
- Deactivate incompatible plugins that may break after an update.
Once you complete the backup process, updating your WordPress site is straightforward. In your WordPress dashboard, go to Dashboard → Updates and click Update Now. If you want to run these updates manually, use FTP (File Transfer Protocol) or WP-CLI.
Hostinger users can easily manage the updates through their hPanel. This keeps all your WordPress core, themes, and plugins up to date.
Regardless of how you do it, don’t put updates off. Keeping your WordPress site updated is one of the easiest ways to protect your website.
3. Update themes and plugins
Themes and plugins are responsible for your website’s appearance and functions. But outdated versions can turn into bugs and security risks. Developers release updates to fix bugs, patch vulnerabilities, and resolve compatibility issues.
To update, go to Dashboard → Updates and install available updates for plugins and themes. You can update them all at once or selectively. You can also enable auto-updates for essential plugins using Easy Updates Manager for more convenience.
4. Use trusted WordPress themes and plugins
Not all themes and plugins are safe. Many of them have hidden vulnerabilities that can expose your site to malware, spam, or backdoor attacks. Even worse, you might come across nulled themes (premium themes with their copy protection removed), which often contain harmful code and leave your site open to hackers.
Since nulled themes are illegal, you won’t get updates or support. If something breaks, you’re stuck fixing it yourself. The safest option is to stick to themes and plugins from the official WordPress repository or trusted theme sources like Astra or Sydney.
5. Remove unnecessary themes and plugins
Unused themes and plugins are another security risk, even if they’re deactivated. An example is the TimThumb vulnerability, which results in hacked WordPress sites.
Fortunately, all you need to do is to delete them completely. A safe approach would be to remove anything you’re not actively using. To clean up your site, go to Appearance → Themes, and delete any unused themes.
Then, go to Plugins → Installed Plugins in your WordPress dashboard to remove inactive items.
Make it a habit to review your themes and plugins regularly, ideally every few months.
6. Install an SSL certificate
An SSL certificate encrypts data between your website and its visitors. That’s why it’s a must for any website that collects information in the form of login details, contact forms, or payment data. Without it, browsers may even flag your site as “Not Secure”, which can drive your visitors away.
SSL also improves your site’s SEO ranking since Google prioritizes HTTPS websites. Besides the algorithm, it gets higher clicks because of the little padlock icon in the browser that reassures visitors they’re entering a safe site.
Many hosting providers offer free SSL certificates with their plans. Hostinger offers free lifetime Let’s Encrypt SSL on all WordPress plans, check status via hPanel: Websites → Security → SSL.
7. Install a WordPress security plugin
A WordPress security plugin acts as a watchguard for your website. It protects it from malware, brute-force attacks, and other vulnerabilities. As we mentioned earlier, WordPress has built-in security features. However, a dedicated plugin adds extra layers of protection and makes your site much harder to breach.
To install it, go to Plugins → Add New and search for Wordfence, Sucuri, or Solid Security. Install, activate, and configure it to enable firewalls, malware scanning, and login protection.
You can also monitor security through your hosting provider’s control panel, if available. Some web hosts offer built-in security tools.
8. Use spam protection
Receiving spam is annoying, but it can also damage your site’s credibility and SEO. Bots and scammers flood your comment sections and contact forms with junk messages. Most of these often include malicious links which can lead to search engines to penalize your site.
The easiest way to stop spam is with an anti-spam plugin. Akismet Anti-Spam is a top choice, which automatically filters out spam comments and messages before they appear on your site. You can set it up by going to Plugins → Add New, search for Akismet, and then install it.
To get started, you’ll need an API key from the Akismet website. Once activated, you can track spam activity from your Akismet account page. If spam is still slipping through or genuine comments are getting flagged, monitoring helps you adjust your settings for better filtering.
9. Use secure credentials for WordPress admin
Weak credentials make your site an easy target for brute-force attacks. You want to avoid generic usernames like admin or test. Instead, use a strong password with a combination of numbers, symbols, and mixed-case letters, which are at least 12 characters long.
To simplify password management, use tools like 1Password to generate and store complex passwords. Alternatively, use your hosting provider’s password protection feature to restrict access to your website or specific sections with a password.
10. Set permissions for crucial WordPress core files
File permissions control who can read, write, or execute files on your WordPress site. If they’re too permissive, hackers can gain unauthorized access.
To secure your site, set the correct permissions:
- wp-config.php → 400 or 440 (restricts access to only the owner)
- wp-admin/ → 755 (allows execution but prevents modification)
- wp-content/ → 755 (protects themes and plugins)
You can adjust permissions via FTP, cPanel, or a file manager plugin like WP File Manager. However you decide to manage this, keeping strict file permissions is a must.
11. Enable two-factor authentication
Two-factor authentication (2FA) adds an extra layer of security since it requires both your password and a temporary code to log in. Even if someone gets hold of your password, they can’t access your site without the second step.
WordPress doesn’t have built-in 2FA, so you’ll need an authenticator. You can use Google Authenticator or a plugin like WP 2FA. Both of these tools let you authenticate via apps, email, or SMS.
For an extra layer of security, set up backup codes in case you lose access to your phone. This requires a few extra seconds at login. But, in turn, it can ensure access to your site under any circumstances.
12. Back up your site regularly
Things don’t always go as planned. Servers crash, hackers disable a website trying to break in, and even updates can sometimes break sites. Regular backups are a great practice if you don’t want to lose your data on your site.
There are three main ways to back up your WordPress site:
- Hosting backups – If you’re using a managed WordPress host, check if automatic backups are included.
- Plugins – Tools like UpdraftPlus let you schedule backups and store them in the cloud.
- Manual backups – Download your website files via File Manager or FTP and export your database through phpMyAdmin.
As a rule, your backup frequency should depend on how often you update your website. For instance, run daily backups for very active sites and weekly for slower ones. It’s important to always keep a copy of it somewhere safe.
13. Scan for malware regularly
Regular malware scans help detect and remove threats before they can cause serious harm. A solution is to use security plugins like Sucuri, Wordfence, or Jetpack. All these plugins provide automatic malware detection and real-time threat monitoring.
You can also manually check your website files via FTP or File Manager and look for unfamiliar scripts or modified files. Another measure is using Google Safe Browsing or other online virus scanners to see if your site has been flagged as unsafe.
Make sure to remove WordPress malware as soon as you detect it by deleting all the infected files. Then, restore your data from a clean backup.
14. Use Web Application Firewall (WAF)
A Web Application Firewall (WAF) filters out harmful traffic before it can do any damage. There are two main types of WAFs. Cloud-based firewalls, such as Cloudflare and Sucuri, filter out malicious traffic before it even reaches your server.
Then, plugin-based firewalls like Wordfence and All-In-One Security (AIOS) work directly within your WordPress site. These plugins offer features like real-time threat monitoring and login protection.
Overall, a WAF shields your site from DDoS attacks, SQL injections, and brute-force login attempts, while getting legitimate traffic through.
15. Use a Content Delivery Network (CDN) to prevent DDoS attacks
A Content Delivery Network (CDN) increases website speed and security by distributing content across multiple servers. It also helps protect against DDoS attacks, which could overwhelm your site with fake traffic.
You can set up a CDN using free options like Cloudflare. Alternatively, hosting providers like Hostinger include built-in CDN integration. If your site experiences high traffic or is at higher risk of attacks, consider premium services like Akamai.
16. Assign proper user roles
Managing a site with multiple users requires setting appropriate permission and access controls. Assigning proper WordPress user roles helps keep your site secure and organized by making sure that each team member has only the access they need.
WordPress comes with five default user roles, each with different levels of control.
- Subscribers can only read content.
- Authors can publish their own posts but can’t edit others.
- Editors have more control over the content.
- Administrators have full access to everything, including site settings and plugins.
If you’re managing a WordPress multisite, you’ll also have a Super Admin role to oversee all websites in the network.
To assign or update roles, go to Users → Add New in your WordPress dashboard, enter the user’s details, and select the appropriate role.
If you need custom roles or advanced permissions, plugins like Members or PublishPress Capabilities let you have even more control over user access.
17. Set up a whitelist and blacklist for the admin page
Limiting access to your WordPress admin page is an easy way to block unauthorized logins. Whitelisting trusted IPs means only authorized users can enter, while blacklisting helps block known malicious IPs.
One way to implement this is via security plugins like Sucuri or Cloudflare, which allow you to configure IP-based access rules. If you prefer a hands-on approach, you can edit your site’s .htaccess file to restrict access to wp-login.php and wp-admin to specific IPs.
18. Limit login attempts
Allowing unlimited login attempts leaves room for hackers to try multiple username and password combinations until they get in. You can prevent this by limiting the number of failed login attempts before temporarily locking out users.
A great option is installing a security plugin like Limit Login Attempts Reloaded. These tools let you set a maximum number of login attempts before the user gets locked out for a certain period.
19. Use a custom URL for the login page
By default, every WordPress site has the same login URL: yourwebsite.com/wp-admin. Unfortunately, hackers know this. Changing your login page URL adds an extra layer of security, making it harder for attackers to find the entry point to your site.
Plugins like WPS Hide Login or LoginPress can help customize your login page URL. They basically change your default login path to something unique, like yourwebsite.com/my-secret-login.
20. Log idle users out automatically
We all multitask, and sometimes we forget to log out. The problem is if someone else uses the same device, they could gain access to your account and sensitive information. Many banking sites already do this to protect their clients, and your WordPress site can do it too.
Setting up an automatic logout for inactive users can solve this issue. A simple way to implement this is by using the Inactive Logout plugin. Besides signing out idle users, it displays a warning message before doing so to give them a chance to stay logged in if they must.
21. Hide the WordPress version
Displaying which WordPress version you are using can also put your site at risk. Hackers often target known security flaws in specific versions, especially outdated ones. By hiding this information, you reduce the risk of being an easy target.
You can remove the WordPress version number by adding a simple code snippet to your theme’s functions.php file. This prevents it from appearing in your site’s header and RSS feeds. Installing a plugin-based solution like WP Ghost is another way to hide version details.
22. Disable error reporting
PHP error reporting is helpful for debugging. However, it also exposes sensitive information about your website’s file structure and plugins. If these errors fall into the wrong hands, they can exploit the existing vulnerabilities. That’s why you need to disable error reporting.
You can turn off error reporting by modifying your wp-config.php file with a simple code snippet. Alternatively, you just need to modify your hosting provider’s PHP settings. For a plugin-based solution, install a security plugin. It can help manage security settings, including turning off error messages.
23. Turn off file editing
WordPress comes with a built-in file editor that allows you to modify theme and plugin files directly from the dashboard. As convenient as this is, it can also be a security risk. Unauthorized access to your admin panel puts your website at risk, such as malicious link injection.
To prevent this, disable file editing by adding this line to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
If you prefer a plugin-based approach, security tools like Sucuri offer a one-click hardening feature to disable the file editor. Alternatively, use WordPress Tweaks to turn off file editing without touching code.
24. Disable PHP file execution
If attackers get to upload malicious PHP scripts to directories like wp-content/uploads, they can execute harmful code, gain control of your site, or inject malware. Since upload folders don’t require PHP execution, the best approach is to disable them.
To turn off PHP execution in vulnerable directories, you can modify the .htaccess file. Simply add the following code snippet to your wp-content/uploads or other user-writable directories:
<FilesMatch "\.(php|phtml)$">
Order Allow,Deny
Deny from all
</FilesMatch>
Here also you can use security plugins like Sucuri or Wordfence to disable PHP execution with just a few clicks. Either way, implementing this measure reduces the risk of unauthorized scripts running on your server.
25. Disable directory browsing
Directory browsing allows visitors to see the files and folders in your website’s directories, which can expose sensitive information about your site’s structure. Apart from displaying vulnerable plugins, themes, or configuration files, it can lead to unauthorized access to sensitive content.
You can disable directory browsing by adding a simple rule to your .htaccess file. Just insert this line at the bottom of the file:
Options -Indexes
After saving and uploading the updated .htaccess file, visitors will see a 403 Forbidden message instead of a file directory. Alternatively, install security plugins like Solid Security to disable directory browsing without editing code.
26. Disable XML-RPC
XML-RPC is an outdated WordPress feature that allows remote connections to your site. While it was once useful for mobile publishing and trackbacks, it is now a serious security risk. Leaving it enabled can be an easy entry point for attackers to compromise your site.
The easiest way to disable XML-RPC is through a plugin like Disable XML-RPC-API. Simply install and activate the plugin, and it will automatically block all XML-RPC requests. Alternatively, disable it manually by editing your .htaccess file and adding a rule to block access to xmlrpc.php.
27. Change the default WordPress database prefix
WordPress uses wp_ as the prefix for all database tables by default. This is an easy target for SQL injection attacks. Prevent these automated attacks by changing them to a unique prefix.
To change the database prefix, update the wp-config.php file and rename all database tables using phpMyAdmin or an SQL query. If you’re setting up a new site, it is best to modify the prefix during installation.
For existing sites, you need to first back up your database and then make the changes. An easier way is using security plugins like Solid Security.
28. Keep track of user activities
Maintaining your website security is tied to monitoring all that goes on your WordPress site. For example, tracking user activity helps you catch suspicious behavior and troubleshoot issues. Spotting unauthorized changes or repeated failed login attempts could indicate a security threat.
You can monitor activity using a WordPress activity log plugin like WP Activity Log or Simple History. These tools provide a detailed record of user actions, from content edits to plugin updates, and even let you set up alerts for critical changes.
29. Use a VPN when accessing the admin page using a public network
Logging into your WordPress admin panel on a public network can put your site at risk. Hackers can intercept unencrypted data and steal your login credentials. Cybercriminals even set up fake public networks to trick users into connecting and exposing their data.
But sometimes, we just have to log in. That’s where a Virtual Private Network (VPN) comes in. It adds an extra layer of security by encrypting your internet connection. A VPN can secure your login details if you often work on your website from different locations.
Some popular VPN options are NordVPN, ExpressVPN, and CyberGhost, all of which offer strong encryption and global server coverage.
30. Monitor your site regularly
No one enjoys a website that is slow, goes down often, or has security issues. These issues can frustrate visitors and even hurt your business. Monitoring helps you find these issues as well as any lingering security vulnerabilities.
This is a resource-heavy process and you don’t have to do it all manually. Tools like WP Umbrella help track uptime, performance, and security, while WP Activity Log helps you monitor user actions.
Your hosting provider should also offer comprehensive monitoring features that support your website’s stability. With the right tools and support, you can catch problems early and keep your site secure.
Conclusion
With WordPress powering over 43.5% of websites, vulnerabilities are inevitable. As a rule of thumb, the more security measures you have in place, the better your defense against potential threats.
Security is not about being impenetrable. It’s an ongoing practice with a focus on being prepared. As threats evolve, so should your defense strategies. This means running regular updates, setting strong authentication measures, and continuous monitoring to see where you can improve.
Every layer of protection makes it harder for attackers to succeed. This checklist will help you fortify your WordPress site, minimize risks, and proactively manage potential security threats.
WordPress security FAQ
Is WordPress secure?
Yes, WordPress is secure. However, its safety depends on regular updates, strong passwords, and secure hosting. The core software is well-maintained, but vulnerabilities can arise from weak security practices.
Is a free WordPress security plugin good?
Yes, a free WordPress security plugin can offer basic protection like firewall rules, malware scanning, and login security. However, premium versions typically provide advanced features like real-time threat detection and automated malware removal. If you’re on a budget, a free security plugin is a great start.
How can I tell if my site has been hacked?
Signs of a hacked WordPress site could be sudden drops in traffic, unauthorized admin accounts, defaced pages, or unexpected redirects. You may also see a slower-than-usual performance, strange pop-ups, or even receive warnings from Google Safe Browsing. Security plugins like Wordfence or Sucuri can confirm if there is any malware or suspicious activity.
Elena Mazaheri is a freelance writer and content marketer specializing in SaaS, WordPress, and eCommerce. Her expertise lies in product-led storytelling and creating compelling content that elevates brands and connects with audiences.
