Knowledgebase Article
WordPress Security Hardening Checklist
Why WordPress Needs Deliberate Security Attention
WordPress's popularity makes it a frequent target for automated attacks, not because it is inherently less secure than other platforms, but simply because attackers find it worthwhile to target software running on so many sites. A handful of deliberate steps significantly reduce your risk.
If you have not yet read WordPress Hosting Setup Guide and Speeding Up Your WordPress Site, those cover the fundamentals this checklist builds on.
Strengthen Your Login
Change your administrator username away from anything predictable like admin. Use a genuinely strong, unique password for every administrator account, not one reused from another service. Set up two factor authentication on every administrator account, which meaningfully reduces the risk even if a password is somehow compromised. See Two Factor Authentication (2FA) Setup Guide for a full walkthrough.
Keep Everything Updated
Outdated WordPress core software, themes, and plugins are one of the most common entry points for attacks. Enable automatic updates where practical, and if you prefer manual updates, check regularly rather than letting updates accumulate for months at a time.
Limit Login Attempts
Automated attacks frequently attempt to guess passwords through repeated login attempts. Installing a plugin that limits failed login attempts, or locks out an IP address after several failures, closes off this common attack method.
Choose Plugins Carefully
Only install plugins from reputable sources with active maintenance and a track record of timely security updates. Remove any plugin you are not actively using, since an inactive plugin can still carry vulnerabilities even if you are not using its features.
Set Correct File Permissions
WordPress files and folders should have permissions set correctly so that only necessary processes can write to them. Overly permissive file permissions make it easier for malicious code to modify your site's files if any vulnerability is exploited.
Back Up Regularly
Even with strong preventive measures in place, having a recent, tested backup is your final safety net. If your site is ever compromised despite precautions, a clean backup allows you to restore quickly rather than attempting to manually remove malicious code.
If You Suspect a Compromise
If your site is showing unusual behavior, unexpected content, or has been flagged by a browser security warning, act quickly rather than waiting. See Malware Scanning and Removal: What to Do If You Are Infected for immediate next steps.
Ongoing Vigilance
Security is not a single setup task but an ongoing practice. Revisit this checklist periodically, particularly after major WordPress updates or when adding new plugins, to confirm your site remains protected as it evolves. You can review your current WordPress hosting plan's included security features as a starting point.