WordPress powers over 43% of the web — which makes it the single most targeted CMS on the planet. If you’re building or maintaining WordPress sites professionally, security isn’t optional. This checklist covers every layer of a hardened WordPress deployment, from server configuration to post-launch monitoring.

What this checklist covers

1. Server and hosting configuration

Security starts before WordPress is even installed. Choosing a managed host with server-level hardening saves significant remediation time down the road.

Security starts before WordPress is even installed. Choosing a managed host with server-level hardening saves significant remediation time down the road.

Use PHP 8.2 or higher – Older PHP versions are unsupported and contain known vulnerabilities. Always run the latest stable release.

Enable a web application firewall (WAF) – Cloudflare, Sucuri, or a server-level WAF blocks malicious traffic before it hits your application.

Disable directory listing – Add Options -Indexes to your .htaccess to prevent exposing file structure to crawlers.

Restrict file permissions- Directories should be 755, files 644, and wp-config.php set to 440 or 400.

2. WordPress core hardening

These configurations directly reduce the attack surface of your WordPress installation and are often overlooked on developer-built sites.

Keep WordPress core up to date – Enable auto-updates for minor releases. Major updates should go through a staging environment first.

Disable the file editor in wp-admin – Add define(‘DISALLOW_FILE_EDIT’, true); to wp-config.php to prevent in-dashboard code edits.

Hide the WordPress version number – Remove the generator meta tag from your theme’s functions.php to avoid revealing your version to scanners.

Protect wp-config.php – Move it one directory above the webroot or use .htaccess rules to block direct access.

Disable XML-RPC if unused – XML-RPC is a common brute-force vector. Disable it unless you have a specific use case requiring it.

3. Authentication and access control

Credential-based attacks account for the majority of WordPress compromises. Hardening authentication is your highest-ROI security investment.

Enforce strong passwords for all users – Use a plugin like WP Password Policy Manager to enforce minimum complexity requirements site-wide.

Implement two-factor authentication (2FA) – Require 2FA for all admin accounts. Plugins like WP 2FA or Google Authenticator make this straightforward.

Change the default admin username – Never use “admin” as a username. Create a custom admin account and delete the default one.

Limit login attempts – Use Limit Login Attempts Reloaded or your firewall plugin to lock out IPs after repeated failures.

Use IP allowlisting for wp-admin – Restrict access to /wp-admin to known IP ranges wherever your workflow allows it.

4. Plugins and themes

Third-party code is the leading cause of WordPress vulnerabilities. Treat every plugin as a potential attack vector.

Monitor for known plugin vulnerabilities- Use WPScan or Patchstack to get alerts when installed plugins receive CVE disclosures.

Audit installed plugins regularly – Delete anything unused. Inactive plugins still present an attack surface if they contain vulnerabilities.

Only install plugins from reputable sources – Stick to the official WordPress repository or well-known premium vendors. Nulled plugins are a common malware vector.

5. Database security

Change the default table prefixReplace the default wp_ prefix with a unique string (e.g. xk72_) to make SQL injection harder.

Use a dedicated database user with minimal privilegesThe WordPress DB user should only have SELECT, INSERT, UPDATE, DELETE — never GRANT or DROP.

6. SSL, HTTPS, and security headers

Force HTTPS site-wide – Redirect all HTTP traffic to HTTPS and set FORCE_SSL_ADMIN to true in wp-config.php.

Implement critical HTTP security headers – Set Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security headers via your server config or a plugin.

7. Backups and incident response

Automate daily off-site backups – Use UpdraftPlus or BlogVault to store encrypted backups to an external location (S3, Google Drive) — never only on the same server.

Test your restore process – A backup you’ve never restored is a backup you can’t trust. Test quarterly on a staging environment.

Set up file integrity monitoring – Wordfence or iThemes Security can alert you when core files are modified — a strong indicator of a breach.

Security is not a one-time setup it’s an ongoing discipline. Revisit this checklist after every major deployment, whenever you add new plugins, and at least quarterly as a routine audit. The cost of prevention is always lower than the cost of recovery.