The answer is yes, the WordPress security checklist is relevant to anyone using a content management system (CMS) or making a website. The Director of Global Security at Gates Foundation, Dick Lake, says, “There are two types of organizations: the ones that have been hacked and those that don’t know they’ve been hacked.” Another shocking statistic reveals that 50,000 websites are hacked every day through WordPress plug-in vulnerabilities. Additionally, you know it’s quite possible you’ve already been hacked and just don’t know. Both WordPress vulnerabilities and the webmaster’s negligence can give hackers a discrete path. WPScan is a well-known security company. Their research suggests that WordPress plugins are behind 90% of vulnerabilities; 4% belong to WordPress core files, and the remaining 6% to WordPress themes. We have brought you this comprehensive and complete WordPress website security checklist to help you secure your WordPress website. After reading this article, you will be more informed on critical security issues:

Why Do You Need Web Security?

A hacked website can cause irreparable loss. It damages your reputation and decreases your revenue. Here are the three most common scenarios:

No one can access your website. Customers cannot place orders (imagine the financial loss). Google marks your website as unsafe. This hurts your SEO rankings, and you will need a long time to recover. In case of a breach, hackers can misuse your users’ data (passwords or credit card numbers). In the worst-case scenario, you may have to pay ransom to the hackers just to access your website.

Basic WordPress Security

For basic WordPress security, focus first on these two elements:


The providers of WordPress maintain and update the platform on a regular basis. The system automatically makes minor updates. Web admin has to make major releases. Also, WordPress comes with themes and plugins. Third parties maintain these updates. The WordPress webmaster must update the latest version, as well as the plugins and themes. This update is necessary to deal with the vulnerabilities we have talked about earlier. All WordPress updates are necessary. They have the cures for new viruses and malware. Not updating will make your websites vulnerable to those attacks.


Your host plays a big role in website security. Professional WordPress hosts take your security to the next level. Good web hosting takes the following steps to keep your website safe:

They keep an eye on the entire network. Their systems instantly detect any suspicious activity. They take proper measures to prevent DDoS attacks. They make sure everything is up to date. That includes server software, PHP versions, and hardware. Otherwise, hackers can easily exploit old security vulnerabilities. They have disaster recovery and accident plans. Your data will be safe even in a major accident.

Common WordPress Security Issues

The most common types of cyberattacks on WordPress websites are:

Brute-Force Login Attempts

Attackers use automated tools to try hundreds of username-password combinations. Then, they keep on trying until they get the right credentials. If successful, they can access any password-protected information.

Cross-Site Scripting (XSS)

In cross-site scripting, hackers can mess up the functionality of your website. They manage to access the information from your website. Their method is to inject the malicious code into the backend. Hackers may use any complex means or any user response.

Database Injections

Database injection is a widespread cyberattack that resembles cross-site scripting. Hackers use the user-input like contact form to submit a harmful code. The website stores this code in the database. When it runs on the website, it will steal confidential information.


A backdoor is a file used to hack WordPress websites. It allows the hacker to bypass the standard login. Hence your website becomes accessible to them. Hackers try to put backdoors in places that beginners cannot find. For example, they may place backdoors among the source WordPress files. To control its users, WordPress restricts what file types users can upload.

Denial-of-Service (DoS) Attacks

Hackers overload the server with traffic in a denial of service attack. Constantly asking for resources leads to server crashes. When this happens, even authorized users cannot access the website. Things are worse when there is a distributed denial-of-service attack (DDoS). More than one machine is involved in this type of attack.


We call it phishing when an attacker pretends to be a representative of a legitimate service or a company. They will ask the user to take some action. It could be revealing any personal information or visiting a dangerous website. Sometimes hackers use some other method to break into your WordPress account. Once they are in, they try phishing at your customers. They pretend to be you and customers reveal their information.

Hot Linking

Sometimes, other websites show embedded content that your website is hosting. So when someone accesses their websites, that specific content loads through your websites. It influences your website’s performance: Loading time becomes slow and users who visit think that content belongs to your website. Hotlinking is more about content theft and less about complete cyber-attack. It is illegal since it transfers the burden of one website to another.

Complete WordPress Website Security List

Web Application Firewall

Web application firewalls can give you full confidence in security. It blocks all malicious traffic. DNS level website firewall uses cloud proxy servers to route your website traffic. Hence, your website receives filtered traffic that is genuine. Application-level firewall checks the traffic when it reaches your server. But, it starts working before WordPress scripts load. As a result, its efficiency is less in reducing traffic loads than the DNS firewall.

Secure Your Login Procedures

The first safeguarding shield of your website is your login procedures. You must take the following measures to keep your login safe:

  1. Change Your Default Admin Username If you know the username of a WordPress website, you know 50% of login credentials. Brute-force attacks will become easier. In the early days, WordPress allowed only one username. But luckily, now you can change the username and you can select any username you like during the installation. For your information, WordPress will not allow you to change the username after that. You can use one of three methods if the change is necessary:

Make a new username and delete the previous one. Download the username changer plugin for it. Use phpMyAdmin to update the username.

  1. Change Default WordPress Login URL It is effortless for hackers to find the backend login page of any WordPress website. By default, it is the main URL of a website with “/wp-admin” or “/wp-login.php” added to the end. However, you can easily find WordPress plugins that help you change.
  2. Limit the Login Attempts It is another easy way to prevent brute-force attacks. We have talked about hackers trying different username-password combinations. You can impose a specific limit on the login attempts. Then no one would be able to try logging in for more than a particular number of times in a given timeframe. Some hosting services will help you do that, but you can also find a plugin.
  3. Use Strong Passwords Passwords like ‘12345’ are a big no, as they are easy to guess. They do not even need hackers to use brute-force attacks. All your users should be using the strongest passwords possible. Also, it is natural to forget passwords when you use more than one. Many password manager tools are available to simplify things for you.
  4. Add Security Questions to WordPress Login Another good way to prevent unauthorized access is using security questions. WP Security Questions plugin can help you with that.
  5. Add Two Factor Authentication After implementing this, users need a two-step authentication method to access the website. In the first step, they enter the username and the password. The second step requires authenticating with a separate device or app. All major social media websites like Facebook, Twitter, and Google use it.

Disable Certain Features

To be on the safe side, you must disable the following things on your WordPress website:

  1. File Editing The built-in code editor of WordPress makes it easy for you to edit your files. You can make changes from your WordPress admin area. But, hackers can also use the same advantages if the website is hacked. The best would be to turn it off and disable the file editing. Go to your wp-config.php file, and add the following code. 1 // Disallow file edit 2 define( ‘DISALLOW_FILE_EDIT’, true ); There is one other way to do it as well. Use the hardening feature of the free Sucuri plugin.
  2. PHP File Execution You should disable the execution of PHP files in the directories where it is not needed. You can easily do it yourself. Open any text editor, let’s say Notepad. Paste the following code: 1 <Files *.php> 2 deny from all 3 Save the file as .htaccess. Now go to the FTP client. Use it to upload this file to /wp-content/uploads/folders on your website.
  3. XML-RPC in WordPress XML-PRC is a communication protocol. It helps WordPress interact with the web and mobile applications. In short, XML-RPC lets you connect your WordPress website with mobile apps and web apps. The problem is its immense power is also helpful for brute-force attackers. It allows submitting hundreds of requests. Even limiting the login attempts cannot help. So if you are not using XML-PRC, you must disable it.
  4. Directory Indexing and Browsing Your WordPress website may have files with known vulnerabilities. Hackers can use directory browsing to find them out. Also, it allows other people to look at your files, copy your images, and know your directory structure. So experts recommend turning off directory indexing and browsing. The first step towards this is using FTP or cPanel’s file manager to connect to your website. Secondly, you find the .htaccess file in your website’s root directory. Add this line at the end of the .htaccess file: Options -Indexes Save and upload .htaccess back to your website.

Use The Best Plugins For Security and Backup

Your WordPress website needs a proper auditing and monitoring system. Install a plugin that keeps track of whatever happens on the website and protects it from threats. Try to install more than one plugin for this purpose. The plugins you install should be legitimate and reputed. They will do all the manual security work for you. That may include the following:

Scan for infiltration attempts. Protect you from content theft. Change the files that may add to the vulnerability of your website. Scan websites for malware.

Similarly, you should also have backup-related plugins. The backup serves as the first line of defence in the case of a cyber-attack. Do it before you lose all your data. The plugin that backs up data automatically on a daily, weekly, or monthly basis would be the best. You can choose monthly or weekly options depending on how frequently you update the website. Besides, you must have full-site backups at any remote location. Remote location means that it does not belong to your hosting account.

Conduct Regular WordPress Security Scans

Checking up on everything regularly is the best security practice. Every web admin should do this at least once a month. Several well-regarded plugins can help you with that.

Use WordPress Monitoring Plugin

You should have a sound monitoring plugin to detect suspicious activities. For this, you can also create a log of all activities. Keep checking this periodically. It will let you know if any user’s behaviour is mysterious. For example, any user may try to change the passwords or change something with plugins. Logs show what happened at what time.

Install SSL Encryption

The job of SSL is to encrypt the data transfer between user and browser. So do not forget to install and enable SSL on your website. Authorities issue the certificates normally. But you can also find non-profit organizations offering free SSL certificates. One of them is Let’s Encrypt.

Use a Secure WordPress Theme

Do not use any theme just because it has attractive graphics. Yes, beauty is an essential parameter for themes. But also the theme should follow the WordPress standards. That may make you wonder if your current theme is eligible. Put your website’s URL into W3C’s validator to find out.

Change the Prefix of Your Database File

Hackers can take advantage of all WordPress database file names starting with wp_. They can easily find your database and inject malicious codes. So changing the prefix to something different would be a good idea. You can do this during the installation of WordPress. If your site is live now, you better use some plugins for it. The database is sensitive, and a tiny mistake can mess up things.

This content is accurate and true to the best of the author’s knowledge and is not meant to substitute for formal and individualized advice from a qualified professional. © 2022 Andrew Mathew

Security Checklist for Your WordPress Website - 69