How to Secure Your WordPress Website (Developer's Checklist)

WordPress is the most attacked CMS on the planet. Here's our 25-point security checklist to lock it down.

Alex Rivera, Founder & Lead Developer

Why WordPress Is the #1 Target

WordPress powers 43% of all websites. That's ~810 million sites. For attackers, that's an enormous attack surface sharing a single, well-documented set of known vulnerabilities.

  • 90,000+ attacks on WordPress sites per minute
  • 70% of WordPress installations are vulnerable to attack
  • 52% of vulnerabilities come from plugins, not WordPress core

The good news? Most attacks are automated and target low-hanging fruit. Implement these measures and you'll be ahead of 95% of WordPress sites.

Server-Level Security

  • ✅ Use HTTPS everywhere (Let's Encrypt is free)
  • ✅ Keep PHP updated to 8.1+ (older versions have unpatched vulnerabilities)
  • ✅ Disable directory listing in Nginx/Apache config
  • ✅ Block access to wp-config.php, .htaccess, and readme.html
  • ✅ Set proper file permissions (644 for files, 755 for directories)
  • ✅ Use security headers (X-Frame-Options, CSP, HSTS)
  • ✅ Enable a Web Application Firewall (Cloudflare free tier works well)

WordPress Configuration

  • ✅ Use unique authentication keys and salts in wp-config.php
  • ✅ Disable file editing: define('DISALLOW_FILE_EDIT', true);
  • ✅ Change the default database prefix from wp_ to something unique
  • ✅ Disable XML-RPC if you don't use it; the endpoint is routinely abused for brute-force amplification attacks
  • ✅ Limit login attempts (use Limit Login Attempts Reloaded — free)
  • ✅ Hide the WordPress version number from source code
  • ✅ Use a child theme — never edit parent themes directly
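As an added example that is not part of the original checklist, here is a small shell audit helper that checks a WordPress install directory against the file-permission item above (644/755) and the wp-config.php items in this section (DISALLOW_FILE_EDIT, unique salts, non-default table prefix, readme.html present). The function name `wp_audit`, the checks it performs and the sample files in the comments are assumptions, not anything WordPress ships.

```bash
#!/usr/bin/env bash
# Hypothetical audit helper (not part of WordPress): checks an install
# directory against several checklist items and returns the number of
# failed checks, printing one line per finding. Usage: wp_audit /var/www/site
wp_audit() {
  local root="$1" cfg="$1/wp-config.php" fails=0 loose

  if [ ! -f "$cfg" ]; then
    echo "FAIL: $cfg not found"; return 1
  fi

  # 1. Dashboard file editing should be disabled.
  if ! grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
    echo "FAIL: DISALLOW_FILE_EDIT is not set to true"; fails=$((fails+1))
  fi

  # 2. Authentication keys/salts must not be the stock placeholder text.
  if grep -q "put your unique phrase here" "$cfg"; then
    echo "FAIL: default authentication keys/salts still present"; fails=$((fails+1))
  fi

  # 3. Database table prefix should not be the default wp_.
  if grep -Eq '^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$cfg"; then
    echo "FAIL: database table prefix is still wp_"; fails=$((fails+1))
  fi

  # 4. Files should be exactly 644 and directories exactly 755.
  loose=$(find "$root" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \) | wc -l | tr -d ' ')
  if [ "$loose" -gt 0 ]; then
    echo "FAIL: $loose file(s)/dir(s) with permissions other than 644/755"; fails=$((fails+1))
  fi

  # 5. readme.html discloses the WordPress version; remove it or block it.
  if [ -f "$root/readme.html" ]; then
    echo "FAIL: readme.html present (exposes WordPress version)"; fails=$((fails+1))
  fi

  echo "$fails check(s) failed"
  return "$fails"
}
```

The exit status equals the number of failed checks, so it can gate a deployment pipeline with a plain non-zero test.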

Authentication Hardening

  • ✅ Never use "admin" as a username
  • ✅ Enforce strong passwords (12+ characters, mixed case, numbers, symbols)
  • ✅ Enable two-factor authentication for all admin accounts
  • ✅ Change the login URL from /wp-admin to something custom
  • ✅ Implement account lockout after 5 failed login attempts
  • ✅ Use application passwords for API access instead of your real user credentials

Pro tip: Wordfence (free version) covers login security, malware scanning, and firewall rules in one plugin. It's the one security plugin every WordPress site should have.

Monitoring & Recovery

  • ✅ Set up daily automated backups (UpdraftPlus — free)
  • ✅ Store backups off-site (Google Drive, S3, or Dropbox)
  • ✅ Run weekly malware scans (Wordfence or Sucuri)
  • ✅ Monitor file integrity — get alerted when core files change
  • ✅ Set up uptime monitoring (UptimeRobot — free for 50 monitors)
  • ✅ Keep a security incident response plan documented

The biggest security measure? Keep everything updated. WordPress core, themes, and plugins — update them within 48 hours of a new release. Auto-updates for minor versions are your friend.

Need a professional security audit? Our WordPress security service covers all 25 points plus custom hardening specific to your setup.
