WordPress Security Checklist: Easy Ways to Protect Your Website

WordPress is a secure platform out of the box. Still, you can make it even more secure by applying several tried-and-true methods. Read this post to learn about those.


Every year, the number of data compromises is only setting new records. According to the Identity Theft Resource Center’s 2021 Data Breach Report, there were 1,862 data breaches in 2021 alone. Is there anything a website owner can do about it? Totally! Don’t wait till something bad happens – there are easy ways you can take today to secure your WordPress website.

To make your life easier, we put together this simple WordPress security checklist so you know exactly what steps to take to protect your data. This list will include both simple and advanced tips as well as plugin recommendations for users of all levels. Even a few things from this checklist can go a long way in protecting your website.

Potential WordPress Vulnerabilities

Since WordPress is a free, open-source CMS, there will be always potential threats. Naturally, you won’t be able to protect your website from all of them. What you can do, though, is to make sure you’ve done everything you can to minimize the risk. 

Every day, Google blacklists thousands of websites for phishing and malware. And even if you have no intention to spread potentially dangerous software, you can still get backlisted. How? Google may blacklist your website when it suspects that your website is being used to spread malware.

The pages on your site can be hacked and may be programmed to download malware automatically. And you might not even notice it. A good example of such malware is the pharma hack, one of the SEO spam attacks that used legitimate websites to sell illicit drugs. The pharma hack was inserting bad code in outdated versions of WordPress websites and plugins; it quickly became a big problem for website owners. 

Security Check

Now, when you know some of the WordPress vulnerabilities that can harm your website, let’s do a simple security check. Do you think your WordPress site is secure enough? The easiest way to find it out is to use a free or paid WordPress plugin that scans your website to find the potential vulnerabilities. Currently, some of the most popular tools are:

  • SiteCheck quickly shows if the site is blacklisted, infected with some kind of malware, or needs to be updated.
  • Hacker Target is great at checking vulnerable plugins and themes. This plugin will also let you know if you are using an outdated WordPress or PHP version or if your web server configuration should be updated.
  • For a more in-depth scan, you can try using Detectify, an enterprise-ready service that checks more than 500 vulnerabilities, including WordPress-specific ones.

WordPress Security Checklist

☐  Secure WP Hosting

Reliable hosting providers use modern, up-to-date hardware or cloud that positively affects the speed of your website. They also offer protection from various attacks. And if the attack does happen, some hosts even offer to fix your website for free.

☐ Use the Latest PHP Version

Using an outdated software stack is never a good idea. WordPress certainly has its challenges with updates but staying updated is vital for security.

☐  Always Use the Latest WordPress Version

We can’t stress enough how important it is to use the latest WP version. If you go to a website like CVE Details and search for WordPress, you’ll see pages of potential security vulnerabilities. This list might look overwhelming at first, but you’ll quickly notice that most of the vulnerabilities are fixed fairly quickly in new versions of WordPress. Since most of the threats on this list do not have known workarounds, the only way to fix them is to always use the latest WordPress version. 

☐ Update Your Plugins and Themes

WordPress certainly has its challenges with updates but staying updated is vital for security. Nobody likes to deal with incompatibility issues, we get it. But you know what’s worse than having a plugin that stops working after the update? Losing all your information due to a security breach. 

You can always turn on auto-updates but there is a better way: clone your website to a staging or dev environment, run your updates there, and then verify everything is good before updating. This way, you’ll have more control over your website. And, of course, always make a backup of your website before updating anything.

☐ Change Your Passwords

Did you know that it takes less than a second to crack the most common passwords like 12345 or password? Even if your current WordPress password is way more sophisticated, make it a habit to change it once in a while. It’s a good habit to have!

☐ Hide Your WP Version and Other Sensitive Info About Your Website

The less people know about your WordPress site setup, the better. If you are comfortable with editing your functions.php file, you can hide some things like your WP version yourself. Or, even better, use a plugin like WP Hardening that will do it for you.

☐ Hide WP Admin

Another thing you can easily hide is the default admin login for your website. Any hacker knows that by adding “/wp-admin” to your URL they can get direct access to your login page. To make it harder for them, change this URL to something only you know by using a plugin like WPS Hide Login.

☐ Limit the Login Attempts

One of the simplest yet most effective ways to protect your website from brute-force login attempts is to limit them. Any good security plugin has this built-in feature, in addition to two-step authentication, unauthorized logins monitoring, and an ability to block IP addresses. If you’re aiming for full-blown ISO 27001 accreditation, this could form part of the audit process, and is a best practice to implement across your IT assets, not just your website.

☐ Add Basic HTTP Authentication to Your Website

HTTP authentication can add an extra layer of security to your website by asking for a username and password even before showing the login page. Of course, this won’t work for an online store or a membership site, but it can be a great addition to a site with only a few registered users. This method is also frequently used to protect staging and development websites.

☐ Install an SSL Certificate and Use HTTPS

A good SSL certificate costs money. Still, it’s better to get at least a free one than not to use it at all. And if you are an advanced WordPress user and want to take it a step further, you can also update your wp-config file by adding this line:

define(‘FORCE_SSL_ADMIN’, true);

☐ Secure Your WordPress API

WordPress had a nice REST API, which can be both a blessing and a curse. On the bright side, it allows developers to build all kinds of integrations with third-party resources. At the same time, there are some potential dangers associated with exposing your data via the API. Among the things you can do to make sure you use WP API safely are:

  • Always use a secure, encrypted connection (HTTPS)
  • Give your entities access only to the parts of the application they really need
  • Use security plugins like Disable WP REST API plugin or REST API Toolbox 
  • Keep your API stateless
  • Hash the passwords in your WordPress database

Next Steps

Usually, these are the main steps a WordPress user can take in order to protect their website from attacks and bots. If you don’t feel comfortable with editing and moving things yourself, there are advanced security plugins for WordPress that can do all the work for you. And if you want to harden your WordPress security even more, here are a few more ideas:

☐ Update your WordPress Security Keys

☐ Disable XML-RPC 

☐ Check your core files and server permissions

☐ Use the latest HTTP security headers

☐ Improve the security of your WordPress database

☐ Define clear user roles

☐ Disable file editing in WP admin

☐ Disable hotlinking

☐ Move your wp-config.php file

☐ Use SFTP and SSH

☐ Prevent DDoS attacks

☐ Change WordPress Database Prefix

☐ Use two-factor authentication

Superb WordPress Development Services from GetDevDone

Are you still worried that your WordPress website may not be secure enough? Let our expert WordPress developers put your mind at rest. With 16+ years of industry experience and thousands of successfully completed WP projects, we know everything about the world’s most popular CMS.

Contact us with any WordPress-related request, from building a unique theme or tweaking your current one to satisfy your business needs to Core Web Vitals optimization and plugin development.

Valerie Muradian

Valerie is a top writer, software developer, and book lover. She writes on the latest technologies, self-development, life-long learning, creativity, and everything in between. | Follow her on Twitter | Read her on Medium | Connect with her on LinkedIn.