WordPress runs ~40% of the web, which makes it a permanent target. Most attacks are automated and opportunistic — they probe for weak passwords, outdated software, and exposed admin URLs. Real hardening reduces the attack surface so most attempts fail without you noticing. This post is the practical checklist.
Attack surface basics
Most WordPress attacks come through:
- Brute-force login attempts (guessing admin password).
- Exploits in outdated plugins/themes.
- Vulnerabilities in WordPress core (rare but happens).
- Compromised credentials (leaked from other sites).
- Server-level issues (host’s job mostly).
Hardening addresses each of these.
1. Strong passwords + 2FA
The single highest-impact security measure.
- Use a unique, long password (20+ characters).
- Use a password manager (1Password, Bitwarden, LastPass).
- Never reuse passwords across sites.
- Enable two-factor authentication (2FA) for all admin accounts.
2FA plugins: Wordfence (includes 2FA), WP 2FA, Two Factor Authentication.
Method preference: authenticator app (Authy, Google Authenticator) over SMS.
2. Username hygiene
Don’t use “admin” as the username: it is the first guess every bot makes. Keep in mind that the username is not a secret anyway: /?author=1 redirects to the author archive of the first user (the URL slug defaults to the username), and the REST endpoint /wp-json/wp/v2/users lists anyone who has published a post. Changing it removes the obvious guess; the password and 2FA are what actually hold the door.
If your site uses “admin”:
- Create a new admin user with a different username.
- Log in as the new user.
- Delete the old “admin” account (attribute content to the new user).
3. Limit login attempts
Block IPs after N failed login attempts.
Plugins:
- Limit Login Attempts Reloaded (free, popular).
- Wordfence (includes this).
- iThemes Security / Solid Security (includes this).
Typical settings: lock after 5 failed attempts, 20-minute lockout, longer for repeat offenders. One caveat: lockouts are keyed by client IP, so if the site sits behind Cloudflare or another proxy, make sure the real visitor address reaches WordPress (Cloudflare’s own plugin or the host’s real-IP module does this); otherwise every visitor shares the proxy’s address and one bot can lock out everyone.
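The mechanism those plugins implement, written out as an added example (not code from Limit Login Attempts Reloaded, Wordfence or Solid Security): a must-use plugin that counts failures per client address in transients, locks the address out after the fifth failure, and doubles the lockout for repeat offenders. The hw_ prefix, the file name and the three limits are this example’s own choices; the hooks, the transient functions and the WP_Error class are WordPress’s own. It assumes REMOTE_ADDR holds the real client address, which is only true when no proxy or CDN sits in front of the site, or when the web server has been configured to restore the real address.

```php
<?php
/**
 * Plugin Name: Login lockout (added example)
 *
 * Added example for this checklist, not code from Limit Login Attempts
 * Reloaded, Wordfence or Solid Security. It shows the mechanism those
 * plugins implement. Save as wp-content/mu-plugins/login-lockout.php:
 * must-use plugins load before normal plugins and cannot be deactivated
 * from the dashboard. The hw_ prefix and the three limits are this
 * example's own choices, not WordPress settings.
 */

const HW_MAX_FAILURES  = 5;                        // failures allowed inside the window
const HW_FAIL_WINDOW   = 20 * MINUTE_IN_SECONDS;   // failures older than this are forgotten
const HW_FIRST_LOCKOUT = 20 * MINUTE_IN_SECONDS;   // doubles per repeat offence, capped at a day

function hw_client_ip(): string {
    // Only REMOTE_ADDR is trustworthy by default. Behind Cloudflare or any
    // other reverse proxy it holds the proxy's address, so every visitor
    // would share one counter. Fix that at the web server (mod_remoteip,
    // ngx_http_realip_module) so REMOTE_ADDR carries the real client; do not
    // read X-Forwarded-For here, because any client can forge that header.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function hw_key(string $what): string {
    return 'hw_lockout_' . $what . '_' . md5(hw_client_ip());
}

function hw_locked_until(): int {
    return (int) get_transient(hw_key('locked'));
}

// Fires for every wrong username/password pair, including attempts that
// arrive through xmlrpc.php, because both paths go through wp_authenticate().
add_action('wp_login_failed', function (): void {
    if (hw_locked_until() > time()) {
        return; // already locked; hammering must not extend the count
    }
    $failures = (int) get_transient(hw_key('failures')) + 1;
    set_transient(hw_key('failures'), $failures, HW_FAIL_WINDOW);

    if ($failures < HW_MAX_FAILURES) {
        return;
    }
    // Lock out, and remember how many lockouts this address has earned today
    // so repeat offenders wait longer each time.
    $strikes  = (int) get_transient(hw_key('strikes')) + 1;
    $duration = (int) min(HW_FIRST_LOCKOUT * (2 ** ($strikes - 1)), DAY_IN_SECONDS);
    set_transient(hw_key('strikes'), $strikes, DAY_IN_SECONDS);
    set_transient(hw_key('locked'), time() + $duration, $duration);
    delete_transient(hw_key('failures'));
});

// Refuse the login while locked. Priority 30 runs after WordPress's own
// username/password and email/password handlers (priority 20), so a correct
// password still cannot get through during a lockout and the error below
// replaces whatever those handlers returned.
add_filter('authenticate', function ($user) {
    $until = hw_locked_until();
    if ($until > time()) {
        $minutes = (int) ceil(($until - time()) / MINUTE_IN_SECONDS);
        return new WP_Error(
            'hw_locked_out',
            sprintf('Too many failed logins from your address. Try again in %d minute(s).', $minutes)
        );
    }
    return $user;
}, 30, 1);
```

Transients live in the options table (or the object cache if one is installed), so the counters survive across PHP processes and expire on their own; the lockout therefore also applies to logins sent to xmlrpc.php, which a plugin that only watches wp-login.php would miss.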
4. Keep everything updated
Most exploits target known vulnerabilities in outdated software.
- WordPress core: minor and security releases install themselves automatically (the default since 3.7); leave that on. Enabling automatic major updates as well is sensible for a site nobody looks at daily.
- Themes: update within a week of release.
- Plugins: update promptly; plugin bugs are the most common way in.
- PHP: stay on a version that still receives security fixes (check the supported-versions table on php.net; at the time of writing that means 8.1 or newer).
Turn on automatic major updates in Dashboard → Updates (“Enable automatic updates for all new versions of WordPress”); per-plugin and per-theme auto-updates are toggled on the Plugins and Themes screens.
Plugins like Easy Updates Manager give granular control over all of this.
5. Remove unused plugins and themes
Inactive plugins/themes can still have exploitable vulnerabilities.
- Deactivate isn’t enough — delete unused plugins.
- Keep one backup theme (a default WordPress theme).
- Periodically audit: when did you last actually use this plugin?
6. Use SSL (HTTPS)
- Free Let’s Encrypt certificates via most hosts.
- Force HTTPS site-wide: set both WordPress Address and Site Address to https://, redirect http:// to https:// at the web server, and once nothing breaks add an HSTS header so browsers stop trying plain HTTP at all.
- Mixed content: ensure all resources (images, scripts) load via HTTPS.
Plugin: Really Simple SSL (handles redirects, mixed content fixes).
Without HTTPS: browsers warn visitors, Google ranks lower, and login credentials transmit unencrypted.
7. Disable file editing in dashboard
WordPress lets admins edit theme/plugin files directly in the dashboard (Appearance → Theme File Editor, Plugins → Plugin File Editor). Anyone holding an admin session, whether through a phished password or a stolen cookie, can paste a PHP web shell into a theme file and run code on the server in one step.
Add to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Real edits happen via SFTP/SSH or a deployment pipeline anyway. Disabling the dashboard editor removes the shortest path from “admin login” to “code execution on the server”.
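Added example, not code from the page or from any plugin: the wp-config.php lines for sections 4, 6 and 7 in one place. The constant names are WordPress’s own; the values are what a typical single-admin site would want, and whether to enable DISALLOW_FILE_MODS is a choice the example leaves commented out for the reason given in the comment.

```php
<?php
// Added example: wp-config.php hardening constants for sections 4, 6 and 7.
// These lines go above the "/* That's all, stop editing! */" line in wp-config.php.

// Section 4, updates. Minor and security releases already install themselves
// (the default since WordPress 3.7); true also installs major releases unattended.
// Do not set this to false unless someone really applies updates by hand.
define('WP_AUTO_UPDATE_CORE', true);

// Section 6, HTTPS. Force wp-login.php and everything under wp-admin over TLS,
// so the auth cookies are set on an HTTPS response and flagged Secure. Site-wide
// HTTPS still needs the two address settings on https:// and a redirect at the
// web server; this constant only guarantees the sensitive part.
define('FORCE_SSL_ADMIN', true);

// Section 7, file editing. Removes the Theme File Editor and Plugin File Editor
// from the dashboard, so an attacker with an admin session cannot paste PHP into
// a theme file and execute it.
define('DISALLOW_FILE_EDIT', true);

// Stricter than the above: also removes "Add New" and "Update" for plugins and
// themes from the dashboard. Only use it when you deploy from version control,
// because it switches off automatic updates too, undoing WP_AUTO_UPDATE_CORE.
// define('DISALLOW_FILE_MODS', true);
```

After saving, confirm the editors are gone from the admin menus and that Dashboard → Updates still offers updates; if it reports that updates are disabled, DISALLOW_FILE_MODS is set somewhere (the host’s own configuration sometimes does this).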
8. Change the login URL (security through obscurity)
Default WordPress login: yourdomain.com/wp-admin or wp-login.php.
Change to something custom: yourdomain.com/secret-login.
Plugins: WPS Hide Login (free).
Not a real security measure: anyone who scans the site finds the new path, and password guessing through xmlrpc.php (see 9) is unaffected. What it buys is quiet logs, because bots that only hit /wp-login.php now get a 404 and move on.
9. Disable XML-RPC if you don’t use it
XML-RPC (xmlrpc.php) is the legacy remote API still used by the WordPress mobile apps, Jetpack and a few desktop publishing tools.
If you use none of those, disable it. It accepts username/password logins outside the login form, so a brute force that your login-limiting plugin throttles at wp-login.php may pass through here unthrottled, and its pingback.ping method lets anyone make your server fetch an arbitrary URL, which is how WordPress sites end up as DDoS reflectors.
Most security plugins offer a toggle. Stricter is blocking /xmlrpc.php at the web server so the requests never reach PHP. Verify with a GET to /xmlrpc.php: a live endpoint answers “XML-RPC server accepts POST requests only.”
10. Install a security plugin
Wordfence
- Most popular free option.
- Firewall, malware scan, login security, 2FA.
- Free tier solid; paid tier ($119/year) adds real-time updates.
Sucuri
- Free WordPress plugin + paid cloud WAF service.
- Strong malware cleanup if compromised.
- Cloud WAF starts $199/year.
iThemes Security / Solid Security
- Comprehensive feature set.
- Free + Pro tiers.
WP Cerber
- Free + Pro.
- Strong anti-spam and login security.
Pick one. Don’t run multiple security plugins simultaneously — they conflict.
11. Web Application Firewall (WAF)
WAF sits between attackers and your site, blocking known attack patterns before they reach WordPress.
Options:
- Cloudflare: free tier provides basic WAF rules.
- Sucuri: dedicated WordPress WAF, $199/year.
- Wordfence Premium: includes WAF.
Cloudflare’s free tier is usually enough for small blogs. Whichever cloud WAF you use, it only helps if the origin cannot be reached around it: restrict the web server to the provider’s published IP ranges (or use Cloudflare Tunnel or Authenticated Origin Pulls), otherwise anyone who learns the origin IP talks to WordPress directly and the WAF never sees the traffic.
12. Backups
Hardening prevents most attacks. Backups are your safety net for the ones that succeed.
- Daily for active sites.
- Weekly minimum.
- Off-site (don’t rely on your host).
- Test restore occasionally — untested backups aren’t backups.
Plugins: UpdraftPlus, BackWPup, Duplicator. Or host-level backups (WP Engine, Kinsta include them).
13. Hide WordPress version
By default, WordPress outputs its version in a <meta name="generator"> tag, in RSS/Atom feeds, and as ?ver=6.x on every core stylesheet and script URL. Scanners read it to pick exploits for that version.
Hide it via a security plugin or a small must-use plugin (a child theme’s functions.php also works, but a parent theme’s functions.php is overwritten on every theme update):
remove_action('wp_head', 'wp_generator');
Minor measure: scanners can still fingerprint the version from hashes of public core files, so this only helps alongside prompt updates. It is free, though.
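The snippet above and the XML-RPC toggle from section 9 implemented as one must-use plugin, added here as an example (not the page’s or any plugin’s code). It assumes the file is saved under wp-content/mu-plugins/ and uses an hw_ prefix of its own; the hook and filter names are WordPress’s own. It goes further than the one-liner above in two ways explained in the comments: it removes the no-password pingback method that the xmlrpc_enabled filter leaves active, and it strips the version from feeds and asset URLs, not just the meta tag.

```php
<?php
/**
 * Plugin Name: Disable XML-RPC and version disclosure (added example)
 *
 * Added example for sections 9 and 13 of this checklist; not code from any
 * of the security plugins named on this page. Save it as
 * wp-content/mu-plugins/hw-harden.php. The hw_ prefix is this example's own.
 */

// ---- Section 9: XML-RPC ----

// Core's own switch. It refuses every method that requires a password, which
// covers credential stuffing through xmlrpc.php...
add_filter('xmlrpc_enabled', '__return_false');

// ...but not pingback.ping, which needs no password and survives the switch.
// It makes the server fetch a caller-chosen URL, so remove it explicitly.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// Stop advertising the endpoint: the X-Pingback response header, the
// <link rel="pingback"> that themes print for singular posts, and the
// EditURI (RSD) link in <head> all point at xmlrpc.php.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});
add_filter('pings_open', '__return_false');
remove_action('wp_head', 'rsd_link');

// ---- Section 13: version disclosure ----

// The snippet in section 13 covers only the <meta name="generator"> tag.
remove_action('wp_head', 'wp_generator');

// The same string is emitted in RSS/Atom feeds and the RSD document.
add_filter('the_generator', '__return_empty_string');

// Core assets are enqueued as /wp-includes/js/foo.js?ver=6.x. Drop the
// parameter only when it equals the WordPress version (plugins' own ?ver
// values are left alone). Trade-off: browsers may keep a cached core script
// across an update until its cache lifetime expires.
function hw_strip_core_version($src) {
    if (is_string($src) && strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'hw_strip_core_version');
add_filter('script_loader_src', 'hw_strip_core_version');
```

To check the result, fetch the home page and /feed/ and grep the responses for the version string, then POST a pingback.ping call to /xmlrpc.php: it should come back as an unknown method, and the response should carry no X-Pingback header.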
14. Disable directory browsing
If someone navigates to /wp-content/uploads/ on your site, they shouldn’t see a directory listing.
Most hosts have this disabled by default. Verify by visiting that URL: a directory listing, rather than a 403 or 404, means it is on.
If exposed on Apache, add to .htaccess: Options -Indexes. On nginx, directory listing is off unless autoindex on appears in the server config.
15. Strong user permissions
- Limit who has Administrator role. Most contributors should be Author or Editor.
- Review user list quarterly. Remove inactive users.
- Don’t share admin credentials. Create separate accounts.
16. Secure wp-config.php
The wp-config.php file contains the database credentials and the authentication salts. Protect it:
- Move it one directory above the WordPress root. WordPress looks there automatically (as long as that directory contains no wp-settings.php), which is useful on hosts where the web root is a subdirectory of your home directory: the file ends up outside the document root entirely.
- Set file permissions to 600 if PHP runs as the file’s owner (PHP-FPM pool per user, suPHP), otherwise 640 with the group set to the web server’s user. Either way, no world-readable bit.
- On Apache, deny direct requests in .htaccess:
<Files wp-config.php>
    order allow,deny
    deny from all
</Files>
That is Apache 2.2 syntax, accepted by 2.4 only while mod_access_compat is loaded; on 2.4 the equivalent is a single Require all denied line inside the same <Files> block. A plain request for wp-config.php is normally harmless anyway, because PHP executes it and returns nothing, but the rule still matters for the moment PHP is misconfigured. It does not cover stray copies such as wp-config.php.bak or wp-config.php~, which the server will happily serve as text: delete those.
17. Database table prefix
Default: wp_. Some attacks assume this.
Change to a custom prefix (e.g., xkj_) at install time. On an existing site the rename has to touch more than the table names: the options table holds a row named <prefix>user_roles and every user has usermeta keys <prefix>capabilities and <prefix>user_level, all of which must be rewritten or nobody can log in. Let a plugin do it (iThemes Security / Solid Security has this feature) and take a database backup first.
Minor measure. Worth doing on fresh installs.
18. Hosting matters
Cheap shared hosting often has weaker security at the server level.
Managed WordPress hosts (WP Engine, Kinsta, Flywheel) include:
- Server-level firewalls.
- Daily backups.
- Malware scanning.
- Faster security updates.
Worth the upgrade as your site grows.
19. SSH/SFTP, not FTP
FTP transmits passwords unencrypted. Use SFTP or SSH.
Most modern hosts have SFTP available.
20. Monitor for suspicious activity
Set up monitoring:
- Security plugin notifications (failed logins, file changes).
- Uptime monitoring (Uptime Robot, free).
- Google Search Console security issues notifications.
- Periodic site review.
What to do if compromised
- Don’t panic.
- Change all passwords (every WordPress user with elevated rights, SFTP/SSH, database, hosting control panel), and rotate the AUTH_KEY/SALT values in wp-config.php: that invalidates every existing login cookie, including the attacker’s.
- Scan with a security plugin (Wordfence, Sucuri).
- Check for what scanners miss: admin accounts you did not create, unfamiliar PHP files in wp-content/uploads/ or wp-content/mu-plugins/, and recently modified core files (compare against a fresh download of the same version).
- If malware is found, clean it or restore from a backup taken before the compromise, then update everything before putting the site back online.
- Consider professional cleanup (Sucuri offers a paid service).
- Investigate the cause: outdated plugin, weak password, compromised user. Restoring without fixing the cause gets you hacked again.
- Submit a “Request review” in Google Search Console if Google flagged the site.
What’s security theater
Things that feel secure but don’t add much:
- Hiding the WordPress version (only useful if you also update promptly).
- Custom database prefix on existing sites (minor benefit).
- Renaming wp-admin to “wp-admin-2025” (most attackers don’t care).
- “Security through obscurity” without underlying real security.
These aren’t harmful, just lower priority than the real basics.
The honest summary
WordPress security comes down to: a strong unique admin password, 2FA, limited login attempts, prompt updates, HTTPS, one security plugin (Wordfence or Sucuri), and tested backups. Do those seven and you have closed the doors the automated attacks actually use. The advanced measures (WAF, file restrictions, custom login URLs) help further but yield diminishing returns. Most “compromised WordPress sites” had basic gaps: a weak admin password, an outdated plugin, no 2FA. Cover the basics; don’t get distracted by exotic theater.
