DEV Community

xusteve

The Ultimate WordPress Security Checklist for 2026

WordPress powers over 43% of all websites, which makes it the most popular CMS in the world and, by extension, the most targeted platform for attackers. In 2024 alone, thousands of new vulnerabilities were disclosed in WordPress plugins and themes, the large majority of them in plugins rather than in core. If you're running a WordPress site, you need a systematic approach to security, not a reactive one.

This checklist covers everything you need to lock down your WordPress installation — from basic hardening to advanced monitoring. At the end, we'll show you how to automate most of these checks.


1. Core WordPress Hardening

Keep Everything Updated

  • WordPress core: Enable auto-updates for minor (security) releases; test major releases on staging first
  • Themes & plugins: Delete unused ones rather than just deactivating them. A deactivated plugin's files are still on disk and still reachable over HTTP, so it can still be exploited. Outdated plugins are the #1 attack vector: most disclosed WordPress vulnerabilities are in third-party plugins, not core
  • PHP version: Run a branch that still receives security fixes (8.2 or newer as of 2026). PHP 7.4 left support in November 2022, and 8.0 and 8.1 have since followed, so none of them get patches for newly found bugs

Strengthen Authentication

  • Enforce strong, unique passwords for all users (use a password manager); a reused password is what credential stuffing lives on
  • Enable Two-Factor Authentication (2FA) for every account with the administrator or editor role. It is the single most effective step against brute force and credential stuffing, because a guessed password alone no longer gets anyone in
  • Limit login attempts. Plugins such as Wordfence or Limit Login Attempts Reloaded block an IP after a handful of failures; at the server level fail2ban or CSF (ConfigServer Security & Firewall) can do the same from the web server logs. Rate-limit wp-login.php and xmlrpc.php at the WAF as well
  • Change the default "admin" username. If you're still using it, create a new administrator, delete the old one and reassign its posts to the new account. Renaming alone does not hide the login name: WordPress exposes usernames through author archives (/?author=1 redirects to the author slug) and the REST users endpoint unless you block that enumeration

Secure wp-config.php

// WordPress also looks for wp-config.php one directory above the document root,
// so you can move it out of the web root with no extra configuration
// (as long as that parent directory is not itself another WordPress install).
// Then add these lines to wp-config.php:
define('DISALLOW_FILE_EDIT', true);   // Remove the theme/plugin code editor from wp-admin,
                                      // so a compromised admin account can't drop PHP via the UI
define('AUTOSAVE_INTERVAL', 300);     // Housekeeping, not security: autosave every 5 minutes
define('WP_POST_REVISIONS', 5);       // Housekeeping, not security: keep at most 5 revisions per post

2. File System & Server Security

Protect Sensitive Files

Block direct HTTP access to these paths in .htaccess or your nginx config, answering 404 rather than 403 so a scanner can't tell "blocked" from "absent":

  • wp-config.php: contains the DB credentials and salts; a misconfigured PHP handler will serve it as plain text
  • .git/ and .env: a deployed .git directory lets anyone reconstruct your source and its history, and .env files hold secrets
  • readme.html and license.txt in the root: readme.html states the exact WordPress version
  • xmlrpc.php if you don't need it: its pingback method is abused for reflected DDoS, and system.multicall lets one request try hundreds of passwords. Keep it only if you rely on Jetpack or the WordPress mobile apps

Directory Permissions

  • wp-config.php: 440 (owner and group read only). Use 400 only if PHP runs as the file owner; with a separate PHP-FPM user, that user must be in the owner's group or WordPress can't read its own config
  • Everything else under the WordPress root, wp-content/ included: 755 for directories, 644 for files, owned by a deploy user rather than the PHP worker
  • wp-content/uploads/ is the one place the PHP worker needs to write. Give it group write there only, and block PHP execution inside that directory at the web server
  • Never use 777: anyone on the host, including a compromised neighbouring process, can then rewrite your code
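The permission scheme above as a script, written for this page as an added example (it is not from the original post). It assumes a deploy user owns the tree and the PHP worker runs as a different account in the owner's group, which is why wp-config.php ends up 440 rather than 400; the demo at the bottom runs on a constructed throwaway directory, not a real install.

```shell
#!/bin/sh
# Added example, not from the original post: apply the checklist's permission
# scheme to a WordPress tree and report anything still world-writable.
# Assumption: files belong to a deploy user and PHP-FPM runs as a separate user
# in the owner's group (hence 440 on wp-config.php). Adjust if PHP is the owner.

# harden_wp_perms <wordpress root>
# Directories -> 755, regular files -> 644, wp-config.php -> 440.
# Prints any path still writable by "other" and returns 1 if one exists,
# returns 2 if the path does not look like a WordPress root.
harden_wp_perms() {
    root=$1
    if [ ! -f "$root/wp-config.php" ]; then
        echo "harden_wp_perms: $root does not look like a WordPress root" >&2
        return 2
    fi
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 440 "$root/wp-config.php"

    # Anything left world-writable means a chmod failed (e.g. we are not the owner).
    leftovers=$(find "$root" ! -type l -perm -0002)
    if [ -n "$leftovers" ]; then
        printf 'still world-writable:\n%s\n' "$leftovers"
        return 1
    fi
    return 0
}

# count_bad_perms <wordpress root>
# Read-only audit: number of directories that are not 755 plus regular files
# that are not 644 (wp-config.php excluded, since it should be 440).
count_bad_perms() {
    root=$1
    { find "$root" -type d ! -perm 755
      find "$root" -type f ! -perm 644 ! -name wp-config.php
    } | wc -l | tr -d ' '
}

# Demo on a constructed tree in a temp dir so the example runs stand-alone.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/wp-content/uploads"
printf '<?php\n' > "$demo_dir/wp-config.php"
printf 'x' > "$demo_dir/wp-content/uploads/img.jpg"
chmod 777 "$demo_dir/wp-content/uploads" "$demo_dir/wp-content/uploads/img.jpg" "$demo_dir/wp-config.php"
echo "bad entries before: $(count_bad_perms "$demo_dir")"
harden_wp_perms "$demo_dir"
echo "bad entries after:  $(count_bad_perms "$demo_dir")"
rm -rf "$demo_dir"
```

Run count_bad_perms against a live site first; a non-zero count on a host you did not build yourself usually means the panel or deploy tool has its own scheme, and you want to understand that before bulk-chmodding. The uploads directory still needs group write for the PHP user afterwards; that is a deliberate exception, not something this script grants.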

Disable Directory Browsing

Add to .htaccess (this needs AllowOverride Options or AllowOverride All in the Apache vhost, otherwise the directive is silently ignored; on nginx the equivalent is autoindex off, which is the default):

Options -Indexes
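For nginx users the two items above (sensitive files and directory listing) come together in one set of location rules. This is an added example written for this page, not configuration from the original post; it assumes the usual WordPress server block with a `location ~ \.php$` handler, and the paths are the ones listed above.

```nginx
# Added example, not from the original post: nginx rules for the files listed
# above plus directory listing. Assumes a standard WordPress server block with
# a `location ~ \.php$` handler; put these rules BEFORE that handler, because
# nginx uses the first regex location that matches.
server {
    # listen / server_name / root / index as in your existing config

    autoindex off;         # nginx equivalent of Apache's "Options -Indexes"
    server_tokens off;     # stop advertising the nginx version in headers and error pages

    # Let's Encrypt HTTP-01 challenges live under a dot-directory; allow them
    # explicitly before the generic dotfile rule (^~ takes priority over regexes).
    location ^~ /.well-known/acme-challenge/ { allow all; }

    # Any other dotfile or dot-directory: .git/, .env, .htaccess, .htpasswd ...
    # 404 rather than 403 so a scanner can't tell "blocked" from "absent".
    location ~ /\. { return 404; }

    # Credentials and version-leaking files in the document root
    location = /wp-config.php { return 404; }
    location = /readme.html   { return 404; }
    location = /license.txt   { return 404; }

    # XML-RPC: delete this rule if you rely on Jetpack or the WordPress mobile apps
    location = /xmlrpc.php    { return 404; }

    # Uploaded files must never run as PHP, whatever their extension claims
    location ~* ^/wp-content/uploads/.*\.php$ { return 404; }

    # ... your existing `location ~ \.php$ { fastcgi_pass ...; }` block follows ...
}
```

After reloading, confirm with curl that /wp-config.php, /.git/HEAD, /readme.html and /xmlrpc.php all answer 404 while /.well-known/acme-challenge/ still reaches the challenge directory; a misplaced dotfile rule is the usual reason certificate renewals start failing a couple of months later.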

Implement a Web Application Firewall (WAF)

A WAF sits in front of your site and drops known-bad requests (SQL injection and XSS payloads, scanner traffic, login floods) before they reach PHP. Treat it as a buffer that buys time to patch, not as a substitute for patching: rules are written after an exploit is public, and a plugin-specific bug often needs a plugin-specific rule. Options:

  • Cloudflare (free tier available): managed rules for SQL injection, XSS and known bad bots. Only effective if the origin server accepts web traffic solely from Cloudflare's IP ranges; otherwise attackers simply connect to the origin directly
  • Wordfence: runs inside WordPress as a PHP-level WAF with a real-time rule feed (the free tier receives new firewall rules 30 days after the paid tier)
  • Sucuri: CDN + WAF with DDoS protection, with the same origin-lockdown caveat as Cloudflare

3. Database Security

Change the Table Prefix (Low Value)

Changing the default wp_ prefix buys very little: a SQL injection payload can read the real table names from information_schema, and nothing else in WordPress is keyed on the prefix. Set a custom prefix at install time if you like, but don't rename tables on a live site for security's sake. The rename (via a plugin like WP-DBManager) also has to rewrite the prefix inside the user_roles option and the capabilities usermeta keys, and getting that wrong locks every administrator out. Spend the effort on the backup and least-privilege items below instead.

Regular Backups (3-2-1 Rule)

  • 3 copies of your data
  • 2 different media (server + cloud)
  • 1 offsite (Google Drive, Dropbox, S3), written by credentials that can only add objects, so an attacker on the web server cannot delete the history
  • Recommended: UpdraftPlus, BlogVault, or your host's built-in backup. Whichever you use, restore a backup to staging at least quarterly; a backup that has never been restored is not yet a backup

Limit Database Access

  • Create a dedicated MySQL user for this one database with only the privileges WordPress uses: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER and INDEX on the WordPress database, and nothing global
  • Never use the root MySQL user for WordPress. With root, a single SQL injection in any plugin becomes read access to every database on the server and, through the FILE privilege, to the filesystem
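The least-privilege account from the two bullets above, as an added example for this page (not SQL from the original post). The database name, user name, host and password are placeholders to replace; run it as an administrative account, for instance with mysql -u root -p.

```sql
-- Added example, not from the original post: a least-privilege MySQL/MariaDB
-- account for WordPress. wp_site, wp_app and the password are placeholders.

CREATE DATABASE IF NOT EXISTS wp_site
  CHARACTER SET utf8mb4 COLLATE utf8mb4_unicode_ci;

-- Bind the account to the host PHP connects from. Use 'localhost' when the
-- database is on the same box; if it is remote, name that one host, never '%'.
CREATE USER IF NOT EXISTS 'wp_app'@'localhost'
  IDENTIFIED BY 'replace-with-a-long-random-password';

-- DML for normal operation, plus the DDL WordPress core and plugins need to
-- create or alter their own tables during install and update.
-- Nothing global: no FILE, SUPER, PROCESS, GRANT OPTION, no other databases.
-- LOCK TABLES is only there so the same account can run mysqldump for backups.
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES
  ON wp_site.* TO 'wp_app'@'localhost';

FLUSH PRIVILEGES;

-- Verify: the output should show only the implicit USAGE line and the grant above.
SHOW GRANTS FOR 'wp_app'@'localhost';
```

Put the resulting credentials in wp-config.php (DB_NAME, DB_USER, DB_PASSWORD, DB_HOST). If an existing site already runs as root, create this account first, switch wp-config.php over, and only then drop the root-based connection; a site that connects as root is still the single most common finding on inherited WordPress hosts.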

4. SSL/TLS & HTTPS

Install an SSL Certificate

  • Free options: Let's Encrypt (most hosts support one-click install; certbot or the host's panel renews it automatically, so check the renewal actually runs)
  • Enforce HTTPS site-wide with a 301 from HTTP, and set WP_HOME and WP_SITEURL (or Settings → General) to the https:// URL so WordPress itself stops emitting http:// links
  • Check for mixed content (Chrome DevTools → Console); leftover http:// image or script URLs in post content usually need a search-and-replace in the database rather than a server rule

HSTS Header

Once every subdomain is reliably served over HTTPS, add this to the HTTPS server block of your config (nginx syntax; the always keeps the header on error responses too, and the header is only meaningful on HTTPS responses):

add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;

Two caveats. Browsers remember the policy for max-age seconds, so start with a short value (a day or so), confirm nothing breaks, then raise it to the year shown. And only keep preload if you actually intend to submit the domain to the HSTS preload list: once accepted it is baked into browsers for every subdomain, and removal takes months.

5. Content Security Policy (CSP)

A CSP header tells browsers which origins scripts, styles, images and other resources may be loaded from. Roll it out in report-only mode first, so violations are reported but nothing is blocked:

Content-Security-Policy-Report-Only: default-src 'self'; script-src 'self' https://trusted.cdn.com; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;

Report-only does nothing useful unless the policy also names somewhere to send reports (a report-uri or report-to directive pointing at an endpoint you actually read). Watch the reports, add the origins your theme and plugins legitimately use, and only then switch the header name to Content-Security-Policy. Two WordPress-specific caveats: the admin area and many plugins inject inline scripts, so a script-src without 'unsafe-inline' or nonces will break wp-admin unless you scope the strict policy to the public front end; and 'unsafe-inline' in script-src largely defeats the XSS protection CSP exists to give, so treat it as a temporary exception, not the destination.
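A quick check for the HSTS and CSP items in sections 4 and 5, written for this page as an added example (not a tool from the original post). It reads captured response headers on stdin, such as the output of curl -sI against your site, applies the thresholds the checklist recommends, and fails if anything is weak, so it can sit in a deploy pipeline. The sample headers at the bottom are constructed, not from a real site.

```shell
#!/bin/sh
# Added example, not from the original post: audit a captured HTTPS response
# for the HSTS and CSP settings the checklist recommends. Feed it the output of
#   curl -sI https://your-site.example/
# on stdin. Prints one finding per line and returns 1 if there were any.

audit_security_headers() {
    hdrs=$(tr -d '\r')          # curl emits CRLF line endings; normalise them
    findings=0

    # --- HSTS ---------------------------------------------------------------
    hsts=$(printf '%s\n' "$hdrs" | grep -i '^strict-transport-security:' \
           | head -n 1 | cut -d: -f2- | tr 'A-Z' 'a-z')
    if [ -z "$hsts" ]; then
        echo "HSTS: header missing"; findings=$((findings + 1))
    else
        max_age=$(printf '%s' "$hsts" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
        if [ -z "$max_age" ] || [ "$max_age" -lt 31536000 ]; then
            echo "HSTS: max-age=${max_age:-missing}, want at least 31536000 (one year)"
            findings=$((findings + 1))
        fi
        case "$hsts" in
            *includesubdomains*) ;;
            *) echo "HSTS: includeSubDomains not set, subdomains can still be downgraded"
               findings=$((findings + 1)) ;;
        esac
    fi

    # --- CSP ----------------------------------------------------------------
    csp_line=$(printf '%s\n' "$hdrs" | grep -i '^content-security-policy' | head -n 1)
    if [ -z "$csp_line" ]; then
        echo "CSP: no Content-Security-Policy or Report-Only header"; findings=$((findings + 1))
    else
        csp_name=$(printf '%s' "$csp_line" | cut -d: -f1 | tr 'A-Z' 'a-z')
        csp=$(printf '%s' "$csp_line" | cut -d: -f2- | tr 'A-Z' 'a-z')
        # script-src is what limits XSS; when absent, default-src applies to scripts
        script_src=$(printf '%s' "$csp" | sed -n 's/.*script-src\([^;]*\).*/\1/p')
        [ -n "$script_src" ] || script_src=$(printf '%s' "$csp" | sed -n 's/.*default-src\([^;]*\).*/\1/p')
        case "$script_src" in
            *unsafe-inline*|*unsafe-eval*)
                echo "CSP: script-src permits unsafe-inline/unsafe-eval, which neuters XSS protection"
                findings=$((findings + 1)) ;;
        esac
        if [ "$csp_name" = "content-security-policy-report-only" ]; then
            case "$csp" in
                *report-uri*|*report-to*) ;;
                *) echo "CSP: report-only mode without report-uri/report-to, reports go nowhere"
                   findings=$((findings + 1)) ;;
            esac
        fi
    fi

    [ "$findings" -eq 0 ]
}

# Constructed sample (not a real site): a typical first attempt with weak values.
SAMPLE_HEADERS="HTTP/2 200
server: nginx
strict-transport-security: max-age=300
content-security-policy-report-only: default-src 'self'; script-src 'self' 'unsafe-inline'"

printf '%s\n' "$SAMPLE_HEADERS" | audit_security_headers || echo "fix the findings above before enforcing"
```

On the constructed sample it reports four problems: the one-day-short max-age, the missing includeSubDomains, the 'unsafe-inline' in script-src, and a report-only policy with no reporting endpoint. Run it against both the front page and /wp-admin/ (with a logged-in cookie), because many setups only send the headers on one of the two.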


6. Monitoring & Alerts

Uptime Monitoring

  • UptimeRobot (free, 50 monitors)
  • StatusCake — also monitors SSL expiry

Vulnerability and Integrity Checks

  • WPScan: checks your WordPress version, plugins and themes against its vulnerability database (the CLI needs a free API token to return vulnerability data); run it against your own site on a schedule, not once
  • WordPress Site Health (built-in, Tools → Site Health): flags outdated PHP, missing HTTPS, debug mode left on and similar misconfigurations
  • File integrity: WP-CLI's wp core verify-checksums and wp plugin verify-checksums compare your files with the official releases. That is how you find an injected backdoor, which no vulnerability scanner will report because it isn't a known CVE

Security Logging

WP_DEBUG_LOG is a development aid, not a security log: with WP_DEBUG on, notices go to wp-content/debug.log, which is readable over HTTP by default and leaks file paths and plugin internals. Keep WP_DEBUG off in production, or if you need it briefly, set WP_DEBUG_DISPLAY to false and point WP_DEBUG_LOG at a file outside the web root. For an audit trail of logins, role changes, plugin activations and content edits, use a plugin like WP Activity Log, and ship the web server's access and error logs somewhere off the box so an attacker who gets a shell cannot erase the evidence.


7. Common Mistakes That Undermine Everything

| Mistake | Why It's Dangerous | Fix |
| --- | --- | --- |
| Using admin as username | Brute-force bots try it first | Create a new administrator, delete admin, reassign its posts |
| No 2FA | Credential stuffing is rampant | Use Wordfence 2FA or the WP 2FA plugin |
| Outdated PHP | Unsupported branches get no security fixes | Move to a branch still under security support (8.2 or newer in 2026) |
| Nulled plugins/themes | Often contain backdoors | Buy from official sources only |
| No backups | Ransomware can wipe everything | Automated offsite backups, test restores |
| XML-RPC enabled | Used for reflected DDoS and brute-force amplification | Disable if not using Jetpack/mobile apps |

8. Automate Your Security Audit

Manually checking all 37+ security items above every month is unrealistic. That's why we built wpSEO — a free tool that automates WordPress security scanning:

  • 37 security checks — version exposure, security headers, WAF, 2FA, PHP version, and more
  • 125+ total checks combining security + SEO in one report
  • No signup required — paste your URL and get results in seconds
  • 10 languages — available in English, Chinese, Japanese, Korean, German, Russian, Arabic, French, Spanish, Portuguese
  • PDF reports — export and share with your team or clients
  • Actionable fixes — every check includes a "how to fix" description

Try it free: https://app.wpseo.help


Final Word

WordPress security isn't a one-time setup — it's ongoing hygiene. The checklist above covers the fundamentals. Run through it quarterly, stay on top of updates, and use an automated scanner to catch what you miss.

Your WordPress site is your business. Lock it down.


Got questions about WordPress security? Drop a comment or reach out — happy to help.
