Guides · 6 min read

WordPress Security Checklist: 15 Steps to Lock Down Your Site

By WP Vanguard Team

WordPress Security Checklist: 15 Steps to Lock Down Your Site

Most WordPress security advice is either too vague ("keep your site secure") or too paranoid ("disable everything"). This checklist focuses on what actually prevents the majority of WordPress attacks, based on real breach data.

Work through these 15 steps in order. Each one closes a specific attack path.

The Basics (Do These First)

1. Update WordPress Core, Plugins, and Themes

This single step prevents more attacks than everything else on this list combined. Patchstack's 2026 report found that 91% of WordPress vulnerabilities come from plugins, and most exploits target known vulnerabilities in outdated versions.

2. Use Strong, Unique Passwords

Wordfence blocks 65 million brute force login attempts every day. Many succeed because site owners reuse passwords from other services.

3. Enable Two-Factor Authentication

Even strong passwords can be stolen through phishing or data breaches at other services. 2FA adds a second layer that stops credential stuffing attacks completely.

Use a plugin like WP 2FA or Wordfence Login Security. Prefer authenticator apps (Google Authenticator, Authy) over SMS-based 2FA.

4. Remove Default and Unused Admin Accounts

Delete the default "admin" username if it exists. Remove any user account that is not actively needed. Every admin account is a potential entry point.

Check for suspicious accounts you did not create. This is a common sign of a previous compromise where the attacker created a backup account for re-entry.

5. Set Up Automated Backups

Backups do not prevent attacks, but they make recovery possible. Without a backup, a compromised site may mean starting from scratch.

Server-Level Hardening

6. Set Correct File Permissions

Wrong file permissions let attackers modify files they should not be able to touch.

If your permissions are set to 777 anywhere, fix that immediately. 777 means any process on the server can read, write, and execute the file.

7. Disable File Editing in WordPress Admin

WordPress has a built-in code editor that lets admins modify plugin and theme files directly from the dashboard. If an attacker gains admin access, this editor lets them inject malware without needing FTP or SSH.

Add this line to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

This disables the editor completely. You can still edit files via FTP or SSH.

8. Protect wp-config.php

Your wp-config.php contains database credentials, security salts, and other sensitive configuration. It should not be accessible via the web.

9. Disable Directory Listing

If directory listing is enabled, anyone can browse your file structure by visiting a directory URL. This reveals plugin names, versions, and file structure to attackers.

Add this to your root .htaccess file:

Options -Indexes

10. Remove Exposed Files

Debug logs, database backups, and configuration backups sitting in accessible locations are goldmines for attackers.

Delete or restrict access to:

A free WP Vanguard scan checks for 15+ exposed file patterns automatically.

Application-Level Security

11. Limit Login Attempts

Without rate limiting, attackers can try thousands of password combinations against your login page. Install a plugin that limits failed login attempts and blocks repeat offenders.

Most security plugins (Wordfence, Limit Login Attempts Reloaded) include this feature. Configure it to lock out IPs after 5 failed attempts for at least 30 minutes.

12. Change the Default Database Table Prefix

New WordPress installations use wp_ as the table prefix by default. While changing this alone is not a strong defense, it blocks lazy SQL injection attempts that assume the default prefix.

For existing sites, this requires careful database migration. For new installations, set a custom prefix (like wpx_ or site_) during setup.

13. Disable XML-RPC If Not Needed

XML-RPC (xmlrpc.php) is a legacy API that many sites do not use. It allows authentication without rate limiting and has been used in amplification attacks.

If you do not use the WordPress mobile app, Jetpack, or other services that require XML-RPC, disable it. Add this to your .htaccess or use a plugin:

You can block access to xmlrpc.php via .htaccess with an Order Deny,Allow directive, or use a security plugin that includes an XML-RPC toggle.

14. Review and Regenerate Security Salts

WordPress uses security salts (defined in wp-config.php) to secure cookies and sessions. If your site has ever been compromised, regenerate them immediately.

Get fresh salts from the WordPress salt generator API and replace all eight constants in your wp-config.php. This instantly invalidates all existing logged-in sessions, forcing every user (including any attacker with a stolen session) to log in again.

15. Scan Your Site Regularly

All the hardening in the world does not help if you do not check whether it is working. New vulnerabilities are disclosed daily. A plugin that was secure last month might have a critical flaw today.

The Priority Order

If you can only do five things, do these:

  1. Update everything (closes 91% of vulnerability paths)
  2. Use strong unique passwords + 2FA (stops credential attacks)
  3. Remove unused plugins and themes (reduces attack surface)
  4. Set up automated backups (enables recovery)
  5. Scan monthly (catches what you miss)

Everything else on this list is valuable, but these five cover the vast majority of real-world attacks. Start here, then work through the rest as time allows.

Scan your site free to see how your current security stacks up.

wordpress-security hardening checklist best-practices

Related reading

Check Your WordPress Site Security

Free scan, no login required. Find vulnerabilities before attackers do.

Scan Your Site Free

Get weekly WordPress security tips

Vulnerability alerts, plugin updates, and security guides. No spam. Unsubscribe any time.

WP Vanguard is built by Wbcom Designs, makers of Reign, Jetonomy, Listora, and more. Explore our WordPress products →
← Back to Blog