The Ultimate WordPress Security Checklist for 2025

Why WordPress Sites Get Hacked

WordPress powers over 43% of all websites on the internet. This massive market share makes it a prime target for attackers. However, WordPress core itself is rarely the vulnerability. The vast majority of successful attacks exploit outdated plugins, weak passwords, and misconfigured hosting environments.

Common attack vectors include brute-force login attempts, SQL injection through vulnerable plugins, cross-site scripting (XSS) via outdated themes, file inclusion vulnerabilities in poorly coded extensions, and compromised hosting accounts with weak credentials.

The good news: most WordPress attacks are automated and opportunistic. They scan for known vulnerabilities in specific plugin versions. By following this checklist, you eliminate the low-hanging fruit that automated scanners target, making your site significantly harder to compromise.

Keep Everything Updated

Updates are your first line of defense. WordPress core, plugins, and themes all receive security patches that close discovered vulnerabilities. Delaying updates leaves known holes open for exploitation.

WordPress Core: Enable automatic minor updates (these are security releases). For major versions, test on a staging site first, then update within one week of release. WordPress minor updates are enabled by default and should never be disabled.

Plugins: Review and update weekly. Enable auto-updates for plugins from trusted developers with good track records. Remove any plugins you are not actively using, even if deactivated, as their code remains on the server.

Themes: Keep your active theme updated. Delete all inactive themes except a default WordPress theme (for fallback). Theme files can contain vulnerabilities even when not active.

PHP Version: Run the latest supported PHP version (currently PHP 8.2 or 8.3). Older PHP versions reach end-of-life and no longer receive security patches. Most quality plugins and themes support current PHP versions.

Strong Passwords and User Management

Weak passwords remain one of the most exploited vulnerabilities. Automated bots attempt thousands of login combinations daily against every WordPress site they find.

Password Requirements: Enforce a minimum of 16 characters using a password manager. Never reuse passwords across sites. WordPress generates strong passwords by default; make sure users actually use them rather than overriding with something simpler.

User Roles: Follow the principle of least privilege. Content authors do not need administrator access. Use WordPress roles correctly: Administrator, Editor, Author, Contributor, and Subscriber each have appropriate permission levels.

Admin Username: Never use "admin" as a username. Create a custom administrator username and, if you inherited a site with "admin," create a new admin account, transfer content ownership, then delete the old account.

Regular Audits: Review user accounts quarterly. Remove former employees, inactive accounts, and any accounts you do not recognize. Check for accounts with elevated privileges that should not have them.

Choose Plugins Wisely

Plugins are responsible for the majority of WordPress vulnerabilities. Every plugin you install increases your attack surface. Be selective and intentional about what you add to your site.

Evaluation Criteria: Before installing any plugin, check: When was it last updated? (Avoid anything not updated in 6+ months.) How many active installations? Does the developer respond to support requests? Has it been audited or reviewed by the WordPress security community?

Minimize Plugin Count: Use only plugins that serve a clear, necessary function. Every plugin adds code that could contain vulnerabilities. If you can accomplish something with a small code snippet in your theme's functions.php, that may be preferable to adding another plugin.

Monitor Vulnerability Databases: Subscribe to WordPress vulnerability databases like WPScan or Patchstack. These services notify you when plugins you use have disclosed vulnerabilities, giving you time to update or deactivate before exploitation.

Backup Strategy

Backups are your safety net. If everything else fails, a good backup lets you recover. Without tested backups, a successful attack could mean permanent data loss.

Follow the 3-2-1 Rule: Maintain at least 3 copies of your data, on 2 different storage types, with 1 copy stored offsite. Your hosting provider's backup alone is not sufficient. Use an independent backup solution that stores copies in a separate location.

Backup Frequency: For most business sites, daily backups are appropriate. High-traffic e-commerce sites may need more frequent backups. Include both files and database in every backup.

Test Your Restores: A backup you have never tested is a backup you cannot trust. Practice restoring to a staging environment at least quarterly. Document the restoration process so anyone on your team can execute it under pressure.

Web Application Firewall Setup

A Web Application Firewall (WAF) filters malicious traffic before it reaches your WordPress installation. It blocks common attack patterns like SQL injection, cross-site scripting, and brute-force attempts at the network level.

DNS-Level WAF: Services like Cloudflare or Sucuri operate at the DNS level, filtering traffic before it reaches your server. This approach blocks attacks without consuming your server resources and provides DDoS protection as a bonus.

Application-Level WAF: Plugin-based firewalls like Wordfence operate within WordPress itself. They offer deep WordPress-specific protection but consume server resources. They are effective but should be paired with server-level protections.

Configuration: Enable rate limiting to prevent brute-force attacks. Block access to sensitive files (wp-config.php, .htaccess). Set up country blocking if your audience is geographically limited. Enable virtual patching for known vulnerabilities.

Login Page Hardening

The WordPress login page is the most attacked endpoint on any WordPress site. Hardening it significantly reduces successful unauthorized access.

Limit Login Attempts: Restrict failed login attempts to 3-5 per IP address before a temporary lockout. This stops brute-force attacks in their tracks. Configure progressive lockout periods (5 minutes, then 15, then 60).

Two-Factor Authentication (2FA): Require 2FA for all administrator and editor accounts. Time-based one-time passwords (TOTP) via apps like Google Authenticator or Authy add a layer that stolen passwords alone cannot bypass.

Custom Login URL: While security through obscurity is not a complete solution, changing wp-login.php to a custom URL reduces automated bot traffic significantly. This eliminates the majority of opportunistic brute-force attempts.

Disable XML-RPC: Unless you specifically need XML-RPC for remote publishing or Jetpack, disable it. XML-RPC allows amplified brute-force attacks by testing multiple passwords in a single request.

File Permission Best Practices

Correct file permissions prevent attackers from modifying your WordPress files even if they find another vulnerability to exploit.

Recommended permission settings:

Disable File Editing: Add this line to wp-config.php to prevent the built-in file editor from being used if an admin account is compromised:

Protect wp-config.php: Move wp-config.php one directory above your WordPress root if your hosting allows it. This places it outside the web-accessible directory, adding protection against direct access attempts.

Security Monitoring and Alerts

You cannot respond to threats you do not know about. Active monitoring catches compromises early, minimizing damage and recovery time.

File Integrity Monitoring: Use a tool that tracks changes to core WordPress files, plugins, and themes. Any unexpected file modification triggers an alert. This catches malware injection and unauthorized code changes immediately.

Uptime Monitoring: Monitor your site availability with external services. Sudden downtime may indicate an attack or compromise. Set up alerts via email and SMS for immediate notification.

Login Activity Logging: Track all login attempts (successful and failed). Log the username, IP address, timestamp, and whether the attempt succeeded. Review these logs weekly for suspicious patterns.

Google Search Console: Register your site with Google Search Console. Google will notify you if they detect malware, hacked content, or spam pages injected into your site. This is free and catches issues that bypass other monitoring.

Incident Response Plan

Having a documented plan before an incident occurs means you can respond quickly and effectively instead of panicking. Every WordPress site should have a basic incident response procedure.

Document Your Recovery Steps: Write down the exact steps to restore your site from backup, who has access to what, and contact information for your hosting provider and security team. Store this document somewhere accessible even if your site is down.

Know Your Escalation Path: Define when to handle an issue internally versus when to call a professional. A defaced homepage may be recoverable in-house. A database breach likely requires professional forensic analysis.

Practice Recovery: Run through your incident response plan at least once. Restore from backup to a staging server. Verify you can actually execute each step. Identify gaps and fix them before a real incident forces you to discover them under pressure.

Related Articles