According to the 2020 Cyber-security Report by ISACA, 46% of enterprises experienced more attacks this year than the prior year.
In this WordPress security checklist, you’ll find:
- Minimum WordPress security checklist for all WordPress websites
- Advance WordPress security recommendations with Pros & cons
- Regular WordPress security monitoring tasks
- Best WordPress security plugins
WordPress is known for being one of the most user-friendly content management systems, which also makes WordPress a popular target for hackers and spammers.
According to a Q3 2017 study by Sucuri, WordPress infections rose from 74% in 2016 Q3 to 83% in 2017.
Hacked website is the worst nightmare for any webmaster as it can cause a lot of troubles like data loss, time, money, website traffic, even your hosting can block your account, and search engines can blacklist your site as well because of malware.
We are confident that this WordPress security checklist will help you minimize the chances of your website getting hacked.
Let’s get started.
Basic WordPress Security Checklist
WordPress is the most popular CMS, which makes it popular among the hacking community.
This is the reason; we highly recommend that you follow this WordPress security checklist which includes all necessary basic security measures for all WordPress websites to minimize the hacking risk.
Keep the Core WordPress Software Up to Date
It is one of the vital WordPress security best practices that you must keep the WordPress software updated and maintained regularly.
The benefits of keeping the core WordPress updated are:
- Reduced WordPress security issues
- Better compatibility
- Access to new WordPress features
- A bug-free healthy WordPress website
- Having a faster WordPress experience
You can also enable the auto-updates by using the WP-Config file by simply adding a single line i-e:-
Although you can set the updates automatically, we highly recommend keeping an eye on the updates regularly to fix the missed auto-updates or any conflicts after the auto-updates.
Just by having the latest version of WordPress core you can reduce the chances of hacking significantly.
Keep the Plugins & Themes Up to Date
WordPress plugins and themes allow you to enhance the functionality of your WordPress website.
Themes and plugin updates arrive when developers add new features or make a few tweaks and mostly when the updates are because of bugs and security vulnerabilities. Sometimes plugins/themes need to be updated to meet new WordPress version requirements.
The benefits of keeping all the plugins and themes updated are:
- Increased WordPress security
- Repair of bugs
- New features and functionalities
- Having a better website performance
Your WordPress dashboard notifies you whenever there are any updates.
The first indication is there will be a number against the update icon on the admin toolbar.
Moreover from updates, you can see how many plugins or which theme of your website needs to be updated, and for more details redirect to the plugin or theme tab respectively.
You can also enable the auto-updates using the theme’s functions.php file or a site-specific plugin by merely adding a single line i-e:-
add_filter( 'auto_update_theme', '__return_true' );add_filter( 'auto_update_plugin', '__return_true' );
Please don’t add this code to the functions file if you are not familiar with coding.
It’s better to take a quick overview of your complete website after updating the plugins and the themes and check the layout and all the functionalities like testing the forms, etc.
Avoid Use Common User Names
Here is the list of usernames to avoid while configuring your WordPress website:
- adm/ admin/ admin1
It’s essential to choose your user name carefully. Go for something unique, memorable, and avoid basing it on personal information that is easy to guess.
If you already have these admin user names, it is a good idea to replace them with some unique user names.
There are two ways you can change your existing usernames:
- You can change the username manually by navigating on your WordPress dashboard.
Here you can add a new user or edit the previous one.
- You can use a plugin to update the username like Easy Username Updater.
This method is simple and doesn’t involve creating a new account and you get to keep your email address.
It’s lightweight, well-reviewed, and straightforward to use.
You can tweak its options under Users > Username Updater.
Don’t forget; it’s essential to pick a unique user name and secure credentials on your WordPress website.
Try to use plugins as less as possible, or once you have used that plugin to update user names you can delete the plugin as it’s not something you need all the time.
Enforce Strong Password
Your WordPress security is only as good as your WordPress password is.
If you have a simple password, it means you have a simple site to hack.
A few basics of WordPress password security are:
- Include numbers, capitals, special characters (@, #, *, etc.)
- Have a lengthy password (10 -50 characters)
- Include spaces
- Avoid using the same password in multiple places
- Change passwords after every 1 or 2 months
Many plugins can help you to enforce strong WordPress Passwords for all users on your website like the iThemes Security plugin.
It is easy to generate strong passwords from your WordPress admin dashboard.
By utilizing the password protection features found in web hosting, WordPress, as well as plugins, you can quickly and easily add this extra layer of protection to any WordPress site.
Sometimes it’s hard to remember these passwords so you can use tools like LastPass, Keeper, or 1Password tools which can help you to remember all your passwords over the cloud and can generate strong passwords as well.
Remove Inactive Themes & Plugins
Many WordPress users often install plugins or themes for testing and then deactivate them.
Inactive plugins and themes are harmful to your website security because they may:
- Makes your website vulnerable to attacks
- Deteriorate the performance of your website with time
- Break any related functionality
- Lead to WordPress security issues
Delete all themes and plugins from your WordPress website, which are:
- No longer in use
- Lead to security breaches
Before you do that make sure to take a fresh backup of your website because if something goes wrong, you can always revert to the previous version, without any risks. Follow this WordPress security checklist to remove inactive themes.
For removing inactive themes, navigate to our WordPress website dashboard.
Open Appearance > Themes and delete inactive themes.
For removing inactive plugins, navigate to our WordPress website dashboard.
Open Plugins > installed plugins and delete the inactive plugins, which you don’t need anymore.
Each plugin you uninstall, leaves behind tables and rows in your website database. Over time, this can add a lot of data and even begin to slow down your site. So you should clean your database as well each plugin have its own options, or you may have to do it manually.
Ensure SSL Certificate Installed & HTTPs Option is Enforced
The idea of HTTPs has always been a good one. Most website owners implemented it a long time ago. Further, SSL certificates are now a requirement for all websites. This is the most important point of the WordPress security checklist.
The browsers like Google Chrome and Mozilla Firefox have mandated all sites to serve encryption via HTTPS. The browsers have created a new security warning if your website does not have an SSL certificate and missing https protocol to accomplish this transition.
HTTPs make your site more secure for your users. More specifically, it’s safer when a user is giving you any sort of information. Most payment services, such as Authorize.net, PayPal IPN, etc. require an SSL to receive payments, to process the payment on your website.
HTTPs can provide multiple layers of protection.
The benefits of having an HTTPs website provide you with many facilities like:
- Data integrity
- Security & Privacy
- Boost up in SEO
- Good Website Performance
Follow How to Install SSL Certificate on Your WordPress Website blog post and switch your website from HTTP to HTTPs.
If you can get paid SSL that is good but if not you can always use Let’s Encrypt which now widely available and most host companies providing it as well within your hosting package as free. You can always check your SSL Certificate validity and working on https://sslchecker.com
Limited Admin Users
WordPress website has five types of users:
The Administrator has the highest access level of the site users who can use all enabled site features.
That’s the reason why you should have to keep the limited admin users. In case, any admin user account is hacked, it will be terrible for your WordPress security.
You have three options to deal with extra admin user accounts to improve WordPress security:
Option 1: Delete All Unnecessary Admin User Accounts.
Delete all admin user accounts which are unnecessary and not in use.
Option 2: Provide Limited Access to Admin Users
Many WordPress websites owners hesitate to give theme developers, plugins developers, or support agents admin access to their dashboard.
Here is the best option for them. Provide limited access to admin users.
For example, You can create an admin user who can only update plugins and themes.
You can use the Controlled Admin Access plugin to do so.
Install the Controlled Admin Access plugin, activate it, and create a new admin user from your WordPress admin dashboard.
Option 3: Generate a Strong Admin User Password.
If all the admin user accounts are necessary and you have to provide them complete access, then try to generate a strong password.
It’s better to change the password after every 1 or 2 months.
Open your WordPress admin dashboard.
Navigate to All users > Edit the user’s id and generate a new password.
It’s good WordPress security best practices to review your user list frequently and remove all anonymous or unauthenticated users.
Download Plugin & Themes From a Trusted Source
There are thousands of free WordPress plugins and themes available for download. However, not all of them can be trusted.
A bad plugin or theme can damage your website. It may give a bad or even worst WordPress user experience by disturbing the interface and may also slow down the speed of your website.
Most alarmingly, some plugins/themes can create security risks and give hackers a backdoor into your website. Before using any theme or plugin on your website, make sure look out for these tips first:
- Average ratings, higher the better
- User reviews prefer positive reviews
- Active installations, higher the better
- Updates and compatibility, updated regularly
- Support and documentation are readily available
It’s better to download the theme and plugin from the official site of WordPress.
Or download the plugin or theme from your WordPress admin dashboard.
Navigate to WP admin dashboard:
Open Plugins > add new. Search for the plugin, install it, and activate the plugin.
Open Appearance > Themes > add new. Search for the theme, install, and activate the theme.
Advanced WordPress Security Best Practices
Everyone knows a hacker can try different ways to gain access to the website, which is why we indulged these advanced WordPress security practices in our WordPress security checklist.
Hackers know a way around things and how to execute/exploit to takeover websites or perform unauthorized actions and even take them down.
Change the WordPress Admin Login URL
A hacker can try to hack your site by making multiple attempts with bots from the default admin URL.
Usually, the WordPress admin login URL is the domain name followed by https://www.domainname.com/wp-admin.
Two main reasons for changing the default wp-admin URL are to protect your website from:
- Brute Force Attacks
- Cyberpunks – not to access the username
Before we look into the two options you have to change the WordPress admin URL but before that make sure to take the backup of your website.
Change WordPress Database Prefix
All of the necessary website data is stored in the WordPress database, not just the basic information like usernames or passwords but also posts, pages, and comments, even the website theme, and WordPress configuration settings.
Mostly, people forget to change the database prefix, which makes it easier for the hacker to hack the website, and that’s the reason why it’s the favorite place for a hacker to attack.
Two main reasons for changing default WordPress database prefixes are to protect your website from:
You have two options to change the WordPress database prefixes but before that make sure to take the fresh backup of your website and export your database too.
Use the Latest PHP Version
The bulk of the core WordPress software is written in PHP, which makes PHP an essential language for the WordPress community.
Each major release of PHP is typically fully supported for two years after its release, in which bugs and security issues are fixed and patched on a regular basis.
PHP is the backbone of your WordPress, so keep the PHP updated.
The benefits of using the Latest PHP version on your WordPress website are:
- Faster Website
- More Secured Website
- Improved Efficiency in Processing
- Stricter Development Standards
According to the official WordPress Stats page, over 49.8% of WordPress users are still on PHP 5.6 or lower.
You can check the latest version of PHP from WP_admin dashboard > Home > At a Glance.
Before updating, make sure to follow these tips:
- Make a backup of your website
- Update WordPress, themes, and plugins
- Check PHP compatibility
- Fix any PHP compatibility issues
Limit Login Attempts
To keep your website secured from a brute force attack, one of the best possible solutions is to keep the login attempts limited.
By default, WordPress allows users to try passwords unlimited times.
Hackers exploit this and attempt various combinations of Usernames and Passwords until they guess the right one.
Benefits of having limited login attempts on your WordPress website are:
- Protection Brute force attacks
- More Secured Website
- Malware protection
- A temporary lockout helps to deter an attack.
There are many plugins available, that help you for having limited login attempts on your WordPress website i-e: WP limits login attempts
The benefits of using this particular plugin are:
- It’s free.
- Most Popular and Well-rated plugin
- Easy to use.
According to the survey from Wordfence, brute force attacks were the second most popularly known type of attack.
This shows that a limit login attempts plugin is indeed for protecting your website from brute force attacks.
Add a Firewall
A web firewall helps to filter, monitor, and to block traffic to and from a website.
Some other features are:
- Block hackers and DDoS prevention
- Prevents hacks and malware
- Brute force protection
- Geo-blocking based on country/IP
- CDN with caching and compression support to reduce the server load
A great option to keep your WordPress website safe and secure from all kinds of attacks, especially if you have the budget for the pro version.
Add a Robots.txt File
Robots.txt file provides instructions to web crawling bots.
It contains a set of instructions that request the bot to ignore specific files or directories may be because of privacy or if the content is irrelevant to the categorization.
The robots.txt file is part of the robots exclusion protocol(REP), a group of web standards that regulate how robots crawl the web, access, and index content, and serve that content up to users.
The benefits of including the Robots.txt file are:
- Keeping entire sections private
- Specifying the location of the sitemap
- Preventing search engines from indexing specific files like pdf.
- Preventing duplicate content
- Specifying the crawl delay to prevent your servers from being overloaded
The basic format on Robots.txt is:
User-agent: [user-agent name]
Disallow: [URL string not to be crawled]
Shared hosting allows multiple users with individual Internet domains to share and utilize one web server.
No doubt, it is beneficial for small businesses, blogs, and personal websites because they are looking for cost-efficient, easy-to-use, and safe hosting services but don’t forget it’s risky too.
They are many benefits of having shared hosting like they are:
- Fast support and maintenance
- User friendly
- A room to grow
Now, let’s have a look at some cons of shared hosting:
- Limited security features
- A higher incident of hacking
- Poor website speed
- Only support utilities of their web hosting company
- Servers can get overloaded.
If you are on a shared hosting plan, you should follow the following steps to keep your website secured and isolated:
- Stronger passwords
- Update software regularly
- Choose a safer hosting provider
- Create (ensure) regular backups
- Embrace two-factor authentication
- Avoid untrusted sources
- Use DDoS protection
- Cloud firewall
The Shared Hosting service is only suitable for those who are looking for the lowest possible price and have minimal expectations in terms of performance and security.
If you have a high-traffic website, you should consider switching from shared hosting to managed or dedicated hosting.
Use Two-Factor Authentication
Often, two-factor authentication might seem like a hassle but it adds a layer of security to the authentication process. Which protects both the user’s credentials and the resources the user can access better.
The benefits of having Two-factor Authentication on your website are:
- Improved security
- Increase productivity and flexibility
- Reduced Data Theft
- Lower security management costs
- Reduce fraud
- Hard access/hack the site.
Secure WP-Config File
Every WordPress site contains a file called wp-config.php, and we all are familiar with this.
This file holds critical configuration information for your WordPress site, and it’s essential to protect it from intruders.
A wp-config.php file includes:
- Database Settings
- Security Settings
- File Permissions for wp-config.php
- Language Settings
- Performance Settings
- Debug Settings
- Multisite Settings
- Site Settings
All these points clearly show how vital the wp-config.php file is. So, keep this file secured and protected.
Disable PHP File Execution
Do you know, specific WordPress folders such as Uploads, Themes, Plugins are writable by default.
It allows users to upload images and videos on the site or install themes and plugins on a website.
Although customization is the main reason why people choose WordPress, it also opens up chances of an attack.
The benefits of disabling PHP File execution are:
- Improved security
- Reduced Data Theft
Disable XML-RPC feature
The XML-RPC.php allows remote connection to WordPress and aims to standardize communications between different systems.
Functionalities of XML-RPC include
- Upload a new file
- Get a list of comments
- Edit comments
- Publish a post
- Edit a post
- Delete a post
But the two biggest problems of XML-RPC are:
Regular WordPress Security Monitoring
It’s easy to keep WordPress secure if you follow the following WordPress security guidelines.
Update WordPress Core, Themes & Plugins
Keeping a website up-to-date is one of the most important aspects of website maintenance.
Benefits of Updating the WordPress Core, Themes, Plugins are:
- Better speed
- Enhanced functionality
- Improved security
Try to update all your plugins, themes, and WordPress Core weekly, and don’t forget to take a fresh backup before updating anything.
Once updated, make sure to check the layout and all functionalities of your website once.
Keep Regular Backup of Your Website
Take WordPress backup frequently enough to ensure that you can restore your site without significant data loss.
Taking Regular website backup can save you in many ways it may protect you from:
- Website Hack
- Natural Disasters
- Server Crash or Failure
- Unsuccessful Updates
It’s better to take a backup of your WordPress website on a daily or weekly basis. Make sure, to take a fresh backup of your website whenever you are going to work on your website.
There are many WordPress plugins for taking the backup of your website.
These two plugins schedule automatic backups of your website.
Simply install the plugin from the WP admin dashboard and configure them.
Scan Your Website Regularly
Scanning for your website at regular intervals can be handy for website security.
By doing regular WordPress security scans, you can get rid of many standard website vulnerabilities like:
- Security misconfiguration
- Broken authentication
- Site hacking
- SQL Injection
You can scan your website manually or from tools or plugins.
Sucuri SiteCheck Scanner is one of the best tools for scanning your website.
Furthermore, you can also scan the themes and plugins of your website from scanwp.
It is better to scan your website from tools daily. Also, manually scan your website thoroughly once a week. If you found any bug or miscellaneous file, remove it.
Do you know, hackers and their malware are always changing.
Not all hacks are transparent. If a hacker is sniffing around, you need to know.
Here, is the list of some tools which help you to detect the hack in your WordPress website.
Actually, these hack search sites use data tricks as a weapon, allowing you to peek into the same data breach info and see if your info is there.
It’s better to scan your website daily.
Best WordPress Security Plugins
WordPress Security plugins offer a wide range of features to make your WordPress blog secure from threats which is why we include them in our WordPress security checklist.
Plugin companies keep their plugins updated to safeguard your website against WordPress security vulnerabilities.
Here are some best WordPress Security plugins:
WordPress iThemes Security plugin scans the entire website to find the vulnerability in your website. And the best thing about iThemes security plugin is that it not only prevents brute force attacks but also bans IP addresses that try to brute-force.
Features of the iThemes Security plugin are:
- Tracks registered users’ activity
- Adds two-factor authentication
- Import/export settings
- Bans Troublesome Users & Bots
- Malware scanning
It integrates Google reCAPTCHA to prevent comment spam on your website.
The pro version provides an extra layer of protection to your WordPress website.
WordFence security plugin keeps a check on your website for malware infection by scanning all the files of your WordPress core, theme, and plugins and notifying you when it found any issue. It also:
- Scans your posts & comments for malicious code
- Provide advanced manual blocking
- Has a country blocking option
- Supports multi-site
- Offers real-time traffic report
- Can repair files
Furthermore, this plugin has a firewall to block fake traffic, botnet, and scanners and is an excellent choice of security plugin for WordPress, If you want to improve your WordPress security.
Sucuri is a globally recognized authority that specializes in website security.
It is known for taking of WordPress security issues.
Features of the Sucuri Security Plugin are:
- Security activity auditing
- File integrity monitoring
- Malware scanning
- Blacklist monitoring
- Website firewall
Do you know, It protects your website from DOS attacks brute force attacks, and other scanner attacks.
WordPress security is something to be taken seriously. As you can see, there are many techniques to strengthen your WordPress security. To make sure that we never miss a step we religiously follow this WordPress security checklist.
It is necessary to take some time, to implement these best WordPress security best practices, and improve your website security.
No doubt, this WordPress security checklist is a huge task. However, if you haven’t done WordPress security assessment during the development phase, trust us, this will be worth the effort now.
If you have any security questions related to your WordPress website security or this checklist, feel free to ask in the comments below.
Want to Learn More? Here is the list of a few other guides that will help you master WordPress.
- How to Build a Website – Start With Why
- What is WordPress? All You Need to Know
- How to Build a WordPress Website From Scratch
- How to Decide the Best Hosting for WordPress
- What is WordPress Management? All You Need to Know
- 11 Steps to Secure WordPress Website from Security Threats
- 15 Best WordPress Themes for Blogs, Business & Ecommerce
- 65 Types of WordPress Help Requests
- How to Conduct a WordPress Site Audit – A Compete Guide