The essential WordPress security checklist: 10 expert steps for peace of mind
The truth about WordPress security is that the platform itself is highly secure. However, it's a popular target for security threats. Breachage typically occurs in the space between the platform and the user’s actions. Our essential WordPress security tips will help you make your WordPress website strong and secure and lock down your digital investment.
The essential WordPress website security checklist
Pillar 1: server-level security (the foundation)
Choose a good hosting provider
Your site's security starts with its foundation. Opting for the cheapest hosting plan leaves your site vulnerable because budget hosts often cut corners on server-side security, firewall management, and resource isolation, which increases security vulnerabilities.
Every WordPress hosting plan at hosting.com includes the mission-critical security that eliminates 90% of your risk:
Web Application Firewall (WAF): Blocks malicious traffic (like bots and DDoS attacks) before it reaches your server.
Automatic core updates: We handle core WordPress updates and patches to ensure you never run outdated software.
Free SSL Certificate: Keeps all data encrypted (HTTPS), which is non-negotiable for security and SEO.
This keeps core WordPress vulnerabilities at bay and your site safer than if you choose the cheapest hosting provider.
2. Implement redundant, automated backups
A backup is not a security feature but your final defense against disaster. Whether a hack or a bad update takes your site down, a clean backup ensures minimal downtime.
Action: Ensure your backups are automated, daily, and stored offsite (not on the same server). You must be able to restore your entire site with a single click.
Pillar 2: user and login hardening
3. Enforce strong credentials and 2FA
Weak passwords and generic usernames are the easiest entry points for brute-force attacks.
Action 3a: Eliminate the default 'admin' user. If your WP admin username is admin, create a new administrator account with a unique name, assign all content to it, and delete the original.
Action 3b: Mandate Two-Factor Authentication (2FA). Use a plugin (e.g., WP 2FA) or a host-provided feature to require a unique code (via phone or app) alongside the password. This makes your login virtually unhackable.
Action 3c: Limit login attempts. Use a plugin (e.g., Limit Login Attempts Reloaded) to automatically block IP addresses after a few failed login attempts, halting brute-force attacks in their tracks.
4. Practice the principle of least privilege
Not everyone on your team needs full control. Granting excessive permissions is a major security loophole. Not to mention, giving everyone full access can break your website is ways even your dev team didn't know were possible!
Action: Review your Users list. Downgrade roles where possible. An Editor should never have Administrator access, for example.
This not only limits what slightly more inexperienced team members can change (and break) on your site. It also limits the damage an attacker can do if they compromise a low-level account.
Pillar 3: software and file management
5. Delete unused themes and plugins (completely)
Deactivating a plugin is not enough; unused software is dead code that can contain known vulnerabilities, even when idle.
Action: Go to your Plugins and Themes folders and completely delete any software that is not currently active and necessary for your site to run. The less code you have, the smaller your attack surface.
For the SEO lovers out there, you'll also be happy as the site will have less code bloat and load a bit quicker, too.
6. Keep everything updated (core, themes, and plugins)
Outdated software is the number one reason WordPress sites are breached. Updates contain critical security patches. This goes for WordPress core software and WordPress plugins.
Action: While we handle core updates for our customers, it is your responsibility to update themes and plugins when a patch is available. Schedule a quick review at least once a week.
If your hosting provider doesn't manage core updates for you, keep on top of these as well. This prevents security breaches from core and plugin vulnerabilities.
7. Secure sensitive files with pro-level hardening
For the technically minded, a few simple steps can dramatically harden your security posture:
Action 7a: Secure wp-config.php: Set its file permissions to 440 or 400 to prevent unauthorized viewing or editing. (Consult your hosting documentation or support for the safest method.)
Action 7b: Change the Database Prefix: When installing WordPress, avoid the default wp_ database prefix. This simple change blocks a large volume of common, automated SQL injection attempts.
If phrases like "disable PHP file execution" and "disable directory indexing" make you feel a little uncomfortable and confused, IT support or developers can generally do this in no time at all for a small fee.
Pillar 4: technical and site-wide defenses
8. Disable XML-RPC (if not needed)
XML-RPC is an older WordPress feature often exploited for DDoS and brute-force attacks.
Action: If you don't use the Jetpack mobile app or certain remote publishing tools, disable XML-RPC. You can do this via your host's control panel, a dedicated security plugin, or by adding a code snippet to your .htaccess file.
Quick tip: Some mobile apps and remote publishing tools still rely on XML-RPC. If you aren't 100% sure that your site no longer needs it, don't disable it until you have confirmation.
9. Lock down file editing
Disabling the ability to edit theme and plugin files from within the WordPress dashboard prevents a hacker who gains access from immediately injecting malicious code.
Action: Add the following line to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
10. Invest in a firewall/security plugin (optional, but recommended)
While your host provides a server-level WAF, an application-level security plugin (like Wordfence or Sucuri) provides a valuable second layer for monitoring and deep scanning.
Action: Use a reputable security plugin for on-demand malware scanning, file integrity checks, and additional login hardening features.
Keep your WordPress website safe with hosting.com
Following the tips on this checklist will help keep your website safe from hackers and WordPress users. If you're running an online business, these security checks are essential for securing your site and making money.
Our managed WordPress hosting environment can also help keep you that much safer. However, if you decide to go with another hosting company, please make sure they are hot on security!
.webp)
