WordPress Security Checklist: 15 Steps to Lock Down Your Site
By WP Vanguard Team
Most WordPress security advice is either too vague ("keep your site secure") or too paranoid ("disable everything"). This checklist focuses on what actually prevents the majority of WordPress attacks, based on real breach data.
Work through these 15 steps in order. Each one closes a specific attack path.
The Basics (Do These First)
1. Update WordPress Core, Plugins, and Themes
This single step prevents more attacks than everything else on this list combined. Patchstack's 2026 report found that 91% of WordPress vulnerabilities come from plugins, and most exploits target known vulnerabilities in outdated versions.
- Enable automatic minor updates for WordPress core (enabled by default)
- Update plugins within one week of new releases
- Update themes the same way
- Remove any plugin or theme you are not actively using. Inactive plugins are still attackable.
2. Use Strong, Unique Passwords
Wordfence blocks 65 million brute force login attempts every day. Many succeed because site owners reuse passwords from other services.
- Every admin account needs a unique password of at least 16 characters
- Use a password manager (1Password, Bitwarden, or similar)
- Never share admin accounts. Create separate accounts for each person who needs access.
3. Enable Two-Factor Authentication
Even strong passwords can be stolen through phishing or data breaches at other services. 2FA adds a second layer that stops credential stuffing attacks completely.
Use a plugin like WP 2FA or Wordfence Login Security. Prefer authenticator apps (Google Authenticator, Authy) over SMS-based 2FA.
4. Remove Default and Unused Admin Accounts
Delete the default "admin" username if it exists. Remove any user account that is not actively needed. Every admin account is a potential entry point.
Check for suspicious accounts you did not create. This is a common sign of a previous compromise where the attacker created a backup account for re-entry.
5. Set Up Automated Backups
Backups do not prevent attacks, but they make recovery possible. Without a backup, a compromised site may mean starting from scratch.
- Daily database backups (your content changes daily)
- Weekly full-site backups (files change less often)
- Store backups off-server (if your server is compromised, on-server backups are too)
- Test restoration at least once. A backup you have never tested is not a backup.
Server-Level Hardening
6. Set Correct File Permissions
Wrong file permissions let attackers modify files they should not be able to touch.
- Directories: 755 (owner can read/write/execute, others can read/execute)
- Files: 644 (owner can read/write, others can read only)
- wp-config.php: 600 (only owner can read/write, nobody else)
If your permissions are set to 777 anywhere, fix that immediately. 777 means any process on the server can read, write, and execute the file.
7. Disable File Editing in WordPress Admin
WordPress has a built-in code editor that lets admins modify plugin and theme files directly from the dashboard. If an attacker gains admin access, this editor lets them inject malware without needing FTP or SSH.
Add this line to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
This disables the editor completely. You can still edit files via FTP or SSH.
8. Protect wp-config.php
Your wp-config.php contains database credentials, security salts, and other sensitive configuration. It should not be accessible via the web.
- Ensure it has 600 file permissions
- Delete any backup copies (wp-config.php.bak, wp-config.old, wp-config.txt)
- Some hosts support moving wp-config.php one directory above the web root for additional protection
9. Disable Directory Listing
If directory listing is enabled, anyone can browse your file structure by visiting a directory URL. This reveals plugin names, versions, and file structure to attackers.
Add this to your root .htaccess file:
Options -Indexes
10. Remove Exposed Files
Debug logs, database backups, and configuration backups sitting in accessible locations are goldmines for attackers.
Delete or restrict access to:
wp-content/debug.log(contains error traces with file paths and query details)- Any
.sqlfiles in the web root (database dumps) wp-config.php.bak,wp-config.old,wp-config.txtphpinfo.phpor any PHP info files.gitdirectory if present (exposes your entire version history)
A free WP Vanguard scan checks for 15+ exposed file patterns automatically.
Application-Level Security
11. Limit Login Attempts
Without rate limiting, attackers can try thousands of password combinations against your login page. Install a plugin that limits failed login attempts and blocks repeat offenders.
Most security plugins (Wordfence, Limit Login Attempts Reloaded) include this feature. Configure it to lock out IPs after 5 failed attempts for at least 30 minutes.
12. Change the Default Database Table Prefix
New WordPress installations use wp_ as the table prefix by default. While changing this alone is not a strong defense, it blocks lazy SQL injection attempts that assume the default prefix.
For existing sites, this requires careful database migration. For new installations, set a custom prefix (like wpx_ or site_) during setup.
13. Disable XML-RPC If Not Needed
XML-RPC (xmlrpc.php) is a legacy API that many sites do not use. It allows authentication without rate limiting and has been used in amplification attacks.
If you do not use the WordPress mobile app, Jetpack, or other services that require XML-RPC, disable it. Add this to your .htaccess or use a plugin:
You can block access to xmlrpc.php via .htaccess with an Order Deny,Allow directive, or use a security plugin that includes an XML-RPC toggle.
14. Review and Regenerate Security Salts
WordPress uses security salts (defined in wp-config.php) to secure cookies and sessions. If your site has ever been compromised, regenerate them immediately.
Get fresh salts from the WordPress salt generator API and replace all eight constants in your wp-config.php. This instantly invalidates all existing logged-in sessions, forcing every user (including any attacker with a stolen session) to log in again.
15. Scan Your Site Regularly
All the hardening in the world does not help if you do not check whether it is working. New vulnerabilities are disclosed daily. A plugin that was secure last month might have a critical flaw today.
- Monthly minimum: Run a free surface scan to check for known vulnerabilities, exposed files, and blacklist status
- After any incident: Run a $1 deep scan to verify no malware or backdoors remain
- Monitor Google Search Console for security alerts
The Priority Order
If you can only do five things, do these:
- Update everything (closes 91% of vulnerability paths)
- Use strong unique passwords + 2FA (stops credential attacks)
- Remove unused plugins and themes (reduces attack surface)
- Set up automated backups (enables recovery)
- Scan monthly (catches what you miss)
Everything else on this list is valuable, but these five cover the vast majority of real-world attacks. Start here, then work through the rest as time allows.
Scan your site free to see how your current security stacks up.
Related reading
Check Your WordPress Site Security
Free scan, no login required. Find vulnerabilities before attackers do.
Scan Your Site FreeGet weekly WordPress security tips
Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.