Pegasus Digital

WordPress Security Checklist (Protect Your Website in 2026)

Your WordPress website is live. It looks great. It loads fast. But here's a question most website owners skip: Is it actually secure?

WordPress powers over 43% of all websites on the internet, which makes it the single biggest target for hackers, bots, and automated attacks. Every day, thousands of WordPress sites get compromised, not because their owners were careless but because they didn't know what to check.

This guide gives you a complete, actionable WordPress security checklist that you can follow today. Whether you manage your site yourself or work with a developer, this list will help you plug vulnerabilities before attackers find them. And if you're also looking at regular upkeep, don't miss our WordPress maintenance checklist: security and maintenance go hand in hand.

Why WordPress Security Matters

Let's be direct: a hacked website isn't just embarrassing. It's costly.

When a WordPress site gets compromised, the consequences can include stolen customer data, blacklisting by Google (which kills your organic traffic overnight), hosting suspension, SEO rankings dropping due to spam injections, and the cost of professional cleanup, which can run into tens of thousands of rupees depending on the damage.

Small and medium businesses are targeted just as aggressively as large enterprises. Attackers use automated bots that scan thousands of websites per hour looking for weak passwords, outdated plugins, or misconfigured settings. They don't care about the size of your business; they care about the vulnerability.

The good news: most WordPress hacks are entirely preventable. A consistent security routine, combined with the right tools and configurations, puts you in a dramatically safer position than the vast majority of sites out there.

Complete WordPress Security Checklist

Basic Security Steps

1. Keep WordPress Core Updated
WordPress regularly releases updates that patch security vulnerabilities. Running an outdated version is one of the most common reasons sites get hacked. Enable automatic updates for minor releases, and update major versions promptly after confirming compatibility with your theme and plugins.

2. Update All Plugins and Themes
Outdated plugins are the number one entry point for attackers. Audit your plugin list every month. Delete any plugin or theme you're not actively using; even deactivated plugins can pose a risk if they have vulnerabilities. Only install plugins from the official WordPress repository or from reputable premium marketplaces with active support.

3. Use Strong, Unique Passwords for Every Account
Every WordPress user account, especially administrator accounts, should have a strong, unique password that isn't reused anywhere else. Use a password manager like Bitwarden or 1Password to generate and store them. A strong password is at least 16 characters and includes a mix of uppercase, lowercase, numbers, and symbols.

4. Change the Default Admin Username
The default "admin" username is the first thing attackers try. If you set up WordPress with "admin" as your username, create a new administrator account with a different username, transfer all content to it, and delete the old "admin" account entirely.

5. Limit Login Attempts
By default, WordPress allows unlimited login attempts. Brute-force attacks exploit this to try thousands of password combinations. Install a plugin like Limit Login Attempts Reloaded or configure your security plugin to lock out users after a defined number of failed attempts, typically three to five.

6. Enable Two-Factor Authentication (2FA)
Two-factor authentication adds an extra layer of security beyond your password. Even if an attacker gets your password, they can't log in without the second factor. Plugins like WP 2FA or Google Authenticator make this straightforward to implement for all administrator accounts.

7. Keep Regular Backups
Backups don't prevent attacks, but they make recovery possible. Use a reliable backup solution like UpdraftPlus, BlogVault, or your hosting provider's backup service. Store backups in a separate location, not just on your server. Test your backups periodically to confirm they actually restore correctly.

8. Use a Reputable Hosting Provider
Your hosting environment is your foundation. A good host offers server-level firewalls, malware scanning, PHP version control, and isolated hosting environments so that if one site on the server is compromised, yours isn't affected. Cheap shared hosting often cuts corners on these protections.

9. Install an SSL Certificate
HTTPS is no longer optional. An SSL certificate encrypts data between your server and your visitors. Most reputable hosts include free SSL via Let's Encrypt. Make sure your site redirects all HTTP traffic to HTTPS and that your SSL certificate is always renewed before expiry.

10. Remove Unused Themes and Plugins
Every inactive plugin and theme is potential attack surface. If you installed something to test and never used it, delete it completely, not just deactivate it. Go to Appearance → Themes and Plugins → Installed Plugins, and clean house.

Advanced Security Steps

11. Install a WordPress Security Plugin
A dedicated security plugin provides a firewall, malware scanning, login protection, and security hardening in one place. Well-regarded options include Wordfence Security, Sucuri Security, and iThemes Security (now Solid Security). Configure it properly; don't just install and forget.

12. Implement a Web Application Firewall (WAF)
A WAF sits in front of your website and filters malicious traffic before it reaches your server. Cloudflare's free plan offers basic WAF protection. For more robust protection, Sucuri's cloud-based WAF or Wordfence's endpoint firewall are strong options. A WAF blocks SQL injection attempts, XSS attacks, and other common exploits automatically.

13. Change the Default WordPress Login URL
The default login page at /wp-login.php or /wp-admin/ is where attackers focus their brute-force attempts. Plugins like WPS Hide Login let you change this URL to something custom, dramatically reducing automated attacks. Don't rely on this alone, but it's a useful layer.

14. Disable XML-RPC If You Don't Need It
XML-RPC is a WordPress feature that allows remote connections, but it's frequently exploited for brute-force attacks and DDoS amplification. Unless you specifically need it (for Jetpack, mobile apps, or certain integrations), disable it. You can do this via a security plugin or by adding a rule to your .htaccess file.

15. Protect the wp-config.php File
wp-config.php contains your database credentials and security keys, making it arguably the most sensitive file in your WordPress installation. Move it one directory above your WordPress root (WordPress will still find it), and add server-level rules to deny direct HTTP access to it.

16. Set Correct File Permissions
Incorrect file permissions are a common vulnerability. The recommended permissions are 644 for files, 755 for directories, and 600 for wp-config.php. Your hosting provider or a developer can audit and correct these. Never set file permissions to 777; that gives every user on the server read, write, and execute access.

17. Disable File Editing from the Dashboard
WordPress includes a built-in theme and plugin file editor accessible from the dashboard. If an attacker gains admin access, they can use it to inject malicious code directly. Disable it by adding define('DISALLOW_FILE_EDIT', true); to your wp-config.php file.
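As an added example covering steps 15 to 17 together (this is not code from the article or from any WordPress plugin), a POSIX shell audit that walks a WordPress root and reports files that are not 644, directories that are not 755, a wp-config.php that is not 600, anything world-writable, and a wp-config.php that does not set DISALLOW_FILE_EDIT to true. The function name and the root path argument are assumptions; the find predicates used are POSIX, so it runs unchanged on GNU and BSD hosts.

```shell
#!/bin/sh
# Hypothetical audit helper (added example, not from the article or any plugin).
# Walks a WordPress root and reports deviations from the checklist: files that are
# not 644, directories that are not 755, wp-config.php that is not 600, anything
# world-writable (777 and friends), and a wp-config.php that does not define
# DISALLOW_FILE_EDIT as true. Returns 0 when there are no findings, 1 otherwise.
audit_wp_root() {
    root=$1
    cfg="$root/wp-config.php"

    # Collect every finding as one line. Only POSIX find predicates are used, so
    # there is no dependency on GNU- or BSD-specific stat(1) output formats.
    report=$(
        # World-writable entries are reported once and excluded from the other checks.
        find "$root" -perm -002 | sed 's/^/WORLD-WRITABLE: /'
        find "$root" -type d ! -perm -002 ! -perm 755 | sed 's/^/DIR not 755: /'
        find "$root" -type f ! -perm -002 ! -name wp-config.php ! -perm 644 \
            | sed 's/^/FILE not 644: /'
        if [ -f "$cfg" ]; then
            if [ -n "$(find "$cfg" ! -perm 600)" ]; then
                echo "CONFIG not 600: $cfg"
            fi
            # Step 17: the dashboard file editor must be switched off.
            if ! grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
                echo "CONFIG missing DISALLOW_FILE_EDIT=true: $cfg"
            fi
        else
            echo "CONFIG not found: $cfg"
        fi
    )

    # Count non-empty report lines; an empty report yields 0.
    findings=$(printf '%s\n' "$report" | awk 'NF { n++ } END { print n + 0 }')
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
    fi
    echo "findings: $findings"
    [ "$findings" -eq 0 ]
}
```

Run it as `audit_wp_root /var/www/html` (path is an assumption) from a cron job and alert on a non-zero exit status to turn step 16 into a recurring check rather than a one-off fix.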

18. Use Database Table Prefix That Isn't wp_
The default WordPress database table prefix is wp_. Attackers use automated tools that target tables with this exact prefix in SQL injection attacks. If you're setting up a new site, change this during installation. For existing sites, it requires a more careful migration but is worth doing.

19. Implement Content Security Policy (CSP) Headers
HTTP security headers tell browsers how to behave when handling your site's content. A Content Security Policy header helps prevent cross-site scripting (XSS) attacks. Other important headers include X-Frame-Options, X-Content-Type-Options, and Strict-Transport-Security. These can be configured via your server or through a plugin like HTTP Headers.
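As an added example (not code from the article or from any plugin), a shell function that checks a saved set of response headers, such as the output of `curl -sI https://example.com` redirected to a file, for the four headers named in this step and for two common misconfigurations: X-Content-Type-Options without the value nosniff, and Strict-Transport-Security without a max-age. The sample response is constructed and the function names are assumptions.

```shell
#!/bin/sh
# Hypothetical checker (added example, not from the article or any plugin).
# Reads raw HTTP response headers (for example saved from `curl -sI`) from a
# file and reports which of the four headers from checklist step 19 are
# missing or weakly configured. Returns 0 when there are no issues.
check_security_headers() {
    hdrfile=$1
    issues=0
    # Header names are case-insensitive, hence grep -i.
    for h in Content-Security-Policy X-Frame-Options X-Content-Type-Options Strict-Transport-Security; do
        if ! grep -iq "^$h:" "$hdrfile"; then
            echo "MISSING: $h"
            issues=$((issues + 1))
        fi
    done
    # X-Content-Type-Options only has an effect with the value nosniff.
    if grep -iq "^X-Content-Type-Options:" "$hdrfile" \
        && ! grep -iq "^X-Content-Type-Options:[[:space:]]*nosniff" "$hdrfile"; then
        echo "WEAK: X-Content-Type-Options should be nosniff"
        issues=$((issues + 1))
    fi
    # Browsers ignore an HSTS header that carries no max-age directive.
    if grep -iq "^Strict-Transport-Security:" "$hdrfile" \
        && ! grep -iq "^Strict-Transport-Security:.*max-age=[0-9]" "$hdrfile"; then
        echo "WEAK: Strict-Transport-Security has no max-age"
        issues=$((issues + 1))
    fi
    echo "issues: $issues"
    [ "$issues" -eq 0 ]
}

# Constructed sample response: only two of the four headers are set.
SAMPLE_HEADERS=$(cat <<'EOF'
HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
EOF
)

# Writes the constructed sample to the given path so the checker can be tried offline.
write_sample_headers() { printf '%s\n' "$SAMPLE_HEADERS" > "$1"; }
```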

20. Scan for Malware Regularly
Even with protections in place, regular malware scans are essential. Use your security plugin's scan feature or a dedicated service like Sucuri SiteCheck. Set automated scans to run at least weekly. If a scan reveals suspicious files or code injections, act immediately.

Monitoring & Prevention

21. Set Up Real-Time Security Alerts
You need to know immediately when something suspicious happens, such as failed login spikes, file changes, new admin users being created, or plugin modifications. Configure your security plugin to send email alerts for critical events. Wordfence and Sucuri both offer granular alert configurations.

22. Monitor User Activity Logs
Keep a log of what users are doing on your WordPress site, especially administrators and editors. Plugins like WP Activity Log record actions like login attempts, settings changes, content edits, and plugin installs. If something goes wrong, these logs help you understand exactly what happened and when.

23. Enable Google Search Console and Monitor for Security Issues
Google Search Console alerts you when your site has been flagged for malware or hacked content. Set it up if you haven't already. It's free, and it also shows if Google has detected any security issues that might cause your site to be flagged in search results.

24. Check for Rogue Admin Accounts
Periodically review the list of users with administrator access. Remove any accounts that don't belong, shouldn't have admin access, or belong to people who no longer work with your site. Attackers sometimes create hidden admin accounts as a backdoor — catch this early.

25. Keep PHP Updated to the Latest Supported Version
Running an outdated PHP version leaves you exposed to known security vulnerabilities. WordPress requires a minimum PHP version, but you should always run the latest stable version your plugins and themes support. Check your current PHP version under Tools → Site Health in your WordPress dashboard.

26. Implement Rate Limiting and Bot Protection
Beyond login pages, bots probe comment forms, contact forms, and checkout pages. Implement CAPTCHA on public-facing forms using plugins like hCaptcha for WordPress or Cloudflare Turnstile. Rate limiting at the server or CDN level also helps reduce bot traffic that strains your server and creates attack vectors.

27. Conduct a Periodic Security Audit
At least once or twice a year, do a thorough security review or have a professional do it. This includes reviewing user accounts and permissions, checking for outdated software, testing backup restoration, reviewing server logs for anomalies, and verifying that all security configurations are still in place. Security isn't a one-time task; it's ongoing.

Common WordPress Security Mistakes

Even well-intentioned site owners make mistakes that leave the door open for attackers. Here are the most common ones to avoid.

Using "admin" as the username. This is still shockingly common and is the first thing any brute-force attack tries. If your username is "admin," change it today.

Ignoring plugin update notifications. That orange update badge in your dashboard isn't just cosmetic. Every pending update is a potential security patch. Leaving them uninstalled is leaving known vulnerabilities open.

Installing too many plugins. Every plugin is code running on your server. Each additional plugin expands your attack surface and potential for conflicts. Audit your plugins regularly and keep only what you genuinely use.

Assuming your host handles all security. Hosting providers handle infrastructure-level security. They do not protect your WordPress application layer; that's your responsibility. Don't confuse the two.

Not testing backups. Many sites have backups that don't actually work. A backup you've never tested is not a backup; it's wishful thinking. Restore a test backup at least quarterly.

Using nulled themes or plugins. Free downloads of premium plugins and themes from unofficial sources almost always contain malware. The "savings" are not worth the risk, ever.

Failing to secure wp-config.php. This file contains your database name, username, password, and secret keys. Leaving it accessible with default permissions is a serious vulnerability most site owners don't think about.

No monitoring or alerts. Security events you don't know about can't be responded to. Without real-time alerts and monitoring, a breach can persist for weeks before you discover it, by which point significant damage is done.

When to Hire Experts

Not every business has the in-house expertise to manage WordPress security properly. And for most companies, that's perfectly fine, because professional help is available.

You should seriously consider hiring experts when your site stores customer data, payment information, or sensitive records; when you're running an eCommerce store or membership site where downtime directly costs revenue; when you've already experienced a hack or suspicious activity; when you don't have a developer on your team who understands WordPress security; or when your site has grown to the point where DIY maintenance is no longer practical.

A professional team can implement all of the steps above, set up monitoring and automated alerting, respond quickly to incidents, and give you peace of mind so you can focus on your business.

If you're not sure where to start, explore our WordPress website maintenance services; we handle everything from routine updates to hardened security configurations and ongoing monitoring.

Cost of Securing WordPress Website

One of the most common questions is: how much does proper WordPress security actually cost?

The honest answer is that it depends on your current setup, the size of your site, and how much you handle yourself versus outsource.

On the DIY end, you can implement a solid basic security setup for relatively little: a quality security plugin like Wordfence Premium costs around ₹4,000–₹6,000 per year, a reliable backup service another ₹2,000–₹4,000, and an SSL certificate is often free. If you're technically comfortable, the time investment is the main cost.

For professional security management, where a team handles updates, monitoring, threat response, and periodic audits, costs in India typically range from ₹3,000 to ₹15,000 per month depending on the scope of services.

What's often overlooked is the cost of not securing your site. A single hack can cost ₹20,000–₹1,00,000 or more in cleanup, lost business, and recovery time, far exceeding what proper security costs annually.

For a detailed breakdown of what professional WordPress upkeep involves and what you can expect to pay, see our full guide on WordPress maintenance cost in India.

Frequently Asked Questions

Q1: How do I know if my WordPress site has been hacked?
Common signs include unexpected admin accounts, strange redirects, Google flagging your site as dangerous, your hosting account being suspended, or your security plugin sending alerts about modified files. Running a malware scan via Wordfence or Sucuri will give you a clear answer quickly.

Q2: How often should I update WordPress plugins and themes?
Check for updates at least once a week. Critical security patches should be applied immediately; don't wait. For non-critical updates, testing on a staging environment before pushing to live is a good habit, especially for eCommerce or membership sites.

Q3: Is a free security plugin enough for WordPress?
For small personal sites, a free plan from Wordfence or Sucuri provides a reasonable baseline. For business sites, eCommerce stores, or any site handling user data, a premium security plugin with real-time firewall rules and malware removal guarantees is strongly recommended.

Q4: Can WordPress security be fully automated?
Partially. Automatic updates, scheduled malware scans, and real-time firewall rules can run without manual intervention. But periodic human review (checking user accounts, auditing plugins, reviewing logs) is still necessary. Security requires both automation and oversight.

Q5: What is the most common way WordPress sites get hacked?
Outdated plugins and themes are the leading cause, followed by weak or reused passwords, and nulled (pirated) themes or plugins that contain pre-installed malware. These three account for the vast majority of WordPress compromises.

Q6: Does changing the login URL really improve security?
It reduces automated bot traffic targeting your login page, which lowers the noise and server load from brute-force attempts. It's a useful hardening step, but it should never replace strong passwords, 2FA, and login attempt limits; those are the real defences.

Q7: How much does it cost to recover a hacked WordPress site?
Professional WordPress malware cleanup in India typically costs between ₹5,000 and ₹30,000 depending on the severity of the infection and how long it went undetected. If sensitive data was exposed or Google blacklisted the site, recovery costs and lost revenue can go significantly higher, which is why prevention is always cheaper.

Secure Your WordPress Website Before It’s Too Late

WordPress security isn't a one-time task you check off a list; it's an ongoing practice. But having a clear checklist like this one means you always know where you stand and what needs attention next.

Start with the basics if you're just getting started: update everything, use strong passwords, enable 2FA, and get a quality security plugin installed. Then work your way through the advanced steps over time. The goal isn't perfection overnight; it's consistent improvement that keeps your site, your business, and your users protected.

The most secure WordPress site is one that's actively maintained. Don't wait for a breach to take security seriously.