The Only WordPress Security Checklist You’ll Ever Need
7-layers of Security for Your WordPress Site
Your website needs comprehensive security to protect it from the constant, mostly automated attacks it faces every day.

WordPress security is about finding the weak points in a site and then fortifying them.
Attackers rarely pick targets by hand. Automated scanners hit small sites as readily as large ones, and most WordPress sites that get hacked were simply missing basic security measures.
What you need is a comprehensive WordPress security checklist. This one walks through how to protect your website and keep your visitors safe.
TL;DR: The best security for your site is setting up a WordPress security plugin, like MalCare. MalCare takes care of many of the items on our WordPress security checklist.
Hackers want access to sites for many reasons. They might use a site to send spam or redirect users to harmful sites. Regardless of their end goal, hackers pose a risk to your site, your data, and your visitors.
A strong WordPress security plan protects your site and data. By taking a few simple measures, you are building a better shield around your website.
One checklist item, most of your WordPress security
To implement our WordPress website security checklist quickly, install a security plugin.
Good WordPress security plugins combine protection (a firewall and bot blocking) with monitoring (malware scanning).
But not all plugins offer the same features. We recommend MalCare because it combines the most important security with absolute ease of use. Once you install the plugin, your site is immediately more secure.
1. Install a WordPress firewall
A key part of your security checklist is using a WordPress firewall. A WordPress firewall stops attacks before they reach your site. It is a critical step in your WordPress security plan.
Firewalls filter incoming traffic. They check each request against rules and pass only requests that look legitimate on to your site; anything matching a known attack pattern is blocked. Good firewalls also keep IP reputation data: an address that has been seen attacking sites before is blocked outright, before it gets a chance to probe yours.

Getting the right firewall for your site
Finding the right firewall for your site is important. Look for a WordPress-specific firewall: one that understands wp-login.php, xmlrpc.php, admin-ajax.php and the other endpoints attackers actually target, rather than a generic web application firewall.
A good firewall should not depend on you writing rules, and it should block exploit attempts against a vulnerable plugin even before that plugin has a patch (often called virtual patching). MalCare’s Atomic Security is a custom-built firewall for WordPress that shields the site from the moment it is installed.
2. Regular malware scans
Even with strong security, malware can still find a way in: a leaked password, a vulnerable plugin, and so on. We cover those later in the list.
For those situations you need a watchful eye on your site, and that watchful eye is a WordPress malware scanner.
A good malware scanner detects a hack promptly, wherever the malware lives: in the files, in the database (scripts injected into posts and options), or in scheduled tasks (WP-Cron events that re-download the malware after every cleanup). Early detection is what limits the damage.
A scanner is more than a vulnerability check, a blacklist warning, or a file-change monitor. It is all of those things and more, and its purpose is to pinpoint malware on a site accurately, without drowning you in false positives.

3. Malware cleaner
If the site scanner detected malware on your site, what’s your next move?
Removing the malware, of course.
Not just removal, but swift, decisive, surgical removal. Malware needs to go and your site needs to be untouched.
That is easier said than done, and malware removal services are often exorbitant for that very reason.
What you need is a malware removal plugin.
Delays in handling malware can harm your site and put visitors at risk. Over time, malware causes more damage, so quick removal is crucial. It’s a race to limit the harm it can do.
For quick removal, MalCare is your best choice. It offers unlimited manual removal support from WordPress experts and features a one-click removal tool in the dashboard.
You won’t need to wait or worry about malware damage. Just one click and you can remove it, keeping your site clean and safe.
What to do after removing the malware
After a site has been hacked, assume every credential it held is compromised: the malware could read wp-config.php and the session tokens of anyone who logged in while it was present.
To that end, rotate the security keys and salts in wp-config.php. These are the secrets WordPress uses to sign authentication cookies and nonces (they are not used to encrypt passwords, which are hashed separately). Changing them invalidates every existing login session at once.
Also force a password reset for every user, and change the database password in wp-config.php along with any SFTP and hosting-panel passwords.
Finally, clear all caches, so that a cached copy of an infected page is not served after the files are clean.
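The three post-cleanup steps above as one script, written for this checklist as an added example (it is not MalCare's code and not part of the original page). It assumes WP-CLI is installed and is run from the site root with `wp eval-file rotate-credentials.php`; on a multisite, `get_users()` only returns the current site's users, so run it per site.

```php
<?php
/**
 * Added example, not code from the page or from MalCare: rotate salts,
 * destroy every session, force every user onto a new password, flush caches.
 *
 * Usage (assumes WP-CLI):  wp eval-file rotate-credentials.php
 */

// 1. New keys and salts. Paste the printed lines over the old ones in
//    wp-config.php: every auth cookie and nonce signed with the old values
//    stops validating the moment the file is saved.
$salt_constants = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];
echo "# Replace the matching lines in wp-config.php with:\n";
foreach ( $salt_constants as $name ) {
    // wp_generate_password() draws from wp_rand(), which is CSPRNG-backed.
    // Its character set contains neither ' nor \, so the line is safe to paste.
    $value = wp_generate_password( 64, true, true );
    printf( "define( '%s', '%s' );\n", $name, $value );
}

// 2. Destroy every session token stored in user meta as well, so nothing
//    survives even if the salt rotation is done later.
WP_Session_Tokens::destroy_all_for_all_users();

// 3. Force a reset: overwrite each password with a random value the attacker
//    cannot know, then mail the user a reset link. Nobody keeps a password
//    that may have been captured while the malware was live.
foreach ( get_users() as $user ) {
    wp_set_password( wp_generate_password( 32, true, true ), $user->ID );
    $result = retrieve_password( $user->user_login ); // true or WP_Error (WordPress 5.7+)
    printf(
        "%-20s reset mail: %s\n",
        $user->user_login,
        is_wp_error( $result ) ? $result->get_error_message() : 'sent'
    );
}

// 4. Flush the object cache. Page caches are plugin-specific, so purge those
//    from the caching plugin's own settings or CLI command as well.
wp_cache_flush();
```

Rotating the salts alone already logs everyone out; step 2 is belt and braces for the case where the config file is edited later than the script runs. The database password is changed in the hosting panel and wp-config.php by hand, since no WordPress API covers it.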
4. Scan for vulnerabilities
In the context of WordPress sites, plugins and themes, vulnerabilities are gaps in code that hackers may use to attack sites. These are things like SQL injection vulnerabilities and cross-site scripting vulnerabilities, leaving sites susceptible to attacks of those types.
To be clear, we are not talking about weak passwords or not renaming the wp-login page. The former is a vulnerability of a completely different kind, and the latter is not a vulnerability at all.
A WordPress vulnerability scanner helps find these known issues in WordPress core, plugins, and themes. It uses a database of plugins, themes, and their versions with security problems.

However, a scanner only knows about vulnerabilities that have already been published; it cannot discover an unknown one in your site’s code. That is a job for penetration testing or a code audit, which is an entirely different process.
Therefore, a vulnerability scanner is just one part of your website security checklist. On its own it won’t protect your site, and a clean scan does not mean there is nothing left to exploit.
5. Choose plugins and themes wisely
Always select trusted plugins and themes for your WordPress site.
Avoid nulled plugins or themes like the plague. Nulled software is pirated software, and often contains malware. Installing them to save on licensing costs is like rolling out the red carpet to malware.
A good practice is to choose plugins and themes that receive regular updates. This means developers are actively maintaining their software. Frequent updates show a commitment to security and the software’s continued health.
In fact, that’s a key reason to buy plugins. A paid plugin often receives updates and offers support for any issues. At MalCare, we use our experience with hacked websites to continually improve our WordPress security plugin.
6. Apply updates regularly
Keeping WordPress core, themes and plugins updated is key. New vulnerabilities are disclosed every day and developers release patches to fix them; once a patch is public, attackers compare the old and new code and start scanning for unpatched sites within days.
If you aren’t using certain plugins or themes, delete them rather than just deactivating them. A deactivated plugin’s files are still on disk and can still be requested directly by URL, so a vulnerability in a file that runs on its own can be exploited even while the plugin is inactive. You can always reinstall later. We’ve seen many sites where people forgot to update deactivated plugins and got hacked through them.
📝 Use auto-updates smartly. WordPress applies minor core releases automatically by default, and since version 5.5 you can enable auto-updates per plugin and per theme from the Plugins and Themes screens. Let those run on their own and reserve manual handling for major core releases, where you’ll want a fresh backup and a quick check of the site afterwards.
7. Use strong passwords
Password security is often neglected, because setting a different, hard-to-guess password everywhere is tiresome.
No duplicate passwords. Avoid simple passwords. Prefer length over cleverness: a long random string or passphrase beats a short string of symbols.
It can seem overwhelming, especially when you consider how many services you use.
We understand, which is why we recommend a password manager. Use it to generate strong random passwords and to store them, so you never have to remember or retype them.
Brute force and credential-stuffing attacks are not rare. Bots try dictionary words, leaked password lists and common patterns against wp-login.php all day long. A password manager can be a vital part of your WordPress security checklist.
📝 When multiple users manage your site, each must have their own strong password, and any password that may have been exposed (a departed team member, a compromised laptop) should be changed immediately. For larger teams, use single sign-on or a shared password manager rather than tracking this by hand. WordPress’s built-in strength meter warns when a weak password is chosen, but it does not enforce a minimum (the user can tick “Confirm use of weak password”); if you need enforcement, use a plugin.
8. Use unique passwords
You’ve set up strong passwords, but now you need them for all your services.
It’s a lot to handle.
There’s a good reason not to reuse passwords, even strong ones. If one system gets hacked, like a social media account, the issue stays with that account. If your email-password combo is reused elsewhere, it’s only a matter of time before another system gets breached too.
Using unique passwords helps contain the damage, much like stopping a forest fire. You might not stop a few trees from burning, but you can prevent the whole forest from catching fire.
9. Set up 2FA
WordPress login security builds on password security. A password is only as good as its secrecy: if it leaks, is phished or is guessed, it’s gone. Two-factor authentication (2FA) adds something the attacker doesn’t have, so a stolen password alone is no longer enough.
With 2FA, users enter their password first and then a short-lived code from an authenticator app (or tap a hardware security key). This second factor makes account takeover far harder, and it also blunts brute force attacks, because guessing the password no longer gets anyone in.
Improve your login security by using two-factor verification for all users. It’s easy to set up with various plugins, including MalCare.
10. Limit failed login attempts
Brute force attacks flood a login page with many username and password combinations to gain unauthorized access. How do you prevent this? Glad you asked!
By default, WordPress allows unlimited login attempts. Limiting these attempts boosts your website security, ensuring hackers can’t try thousands of combinations.
This is why websites, especially banks, usually allow only three tries to enter the correct username and password. After that, you’ll use ‘Forgot password’ or risk being locked out.
With MalCare, you automatically get limits on failed logins. It uses captcha-based security to block bad bots from your site. Even if a legitimate user gets locked out, they can solve the captcha to try again.
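If you want to see what a login limit actually does under the hood, here is one as a must-use plugin. This is an added example written for this checklist, not MalCare's code and not from the original page. It assumes PHP sees the real client address in `REMOTE_ADDR`; the constant names and the `lal_` helper functions are this example's own.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Added example for this checklist, not MalCare's code. Save as
 *              wp-content/mu-plugins/login-limit.php. After LAL_MAX_FAILURES
 *              failed logins from one IP inside LAL_WINDOW seconds, every
 *              further attempt from that IP is rejected until the window ends.
 */

const LAL_MAX_FAILURES = 5;
const LAL_WINDOW       = 15 * MINUTE_IN_SECONDS;

/**
 * Assumption: PHP sees the real client address. Behind a reverse proxy or
 * CDN, REMOTE_ADDR is the proxy, so you must take the address from the
 * proxy's header, and only for requests that really came from the proxy;
 * otherwise an attacker spoofs X-Forwarded-For and is never locked out.
 */
function lal_client_ip() {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lal_key( $ip ) {
    return 'lal_failures_' . md5( $ip );
}

function lal_failures( $ip ) {
    return (int) get_transient( lal_key( $ip ) );
}

// Fires for every rejected login (wrong password, unknown user, locked out).
add_action( 'wp_login_failed', function ( $username ) {
    $ip = lal_client_ip();
    // Re-setting the transient restarts the window, so a bot that keeps
    // hammering stays locked out until it stops.
    set_transient( lal_key( $ip ), lal_failures( $ip ) + 1, LAL_WINDOW );
} );

// Priority 30 runs after core's own password check (priority 20): core
// ignores an incoming WP_Error when a username and password are supplied,
// so the refusal has to come last, overriding even a correct guess.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( lal_failures( lal_client_ip() ) >= LAL_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_failures',
            sprintf( 'Too many failed logins. Try again in %d minutes.', LAL_WINDOW / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( lal_key( lal_client_ip() ) );
} );
```

Two things to keep in mind with any IP-based limit: users behind one office NAT share a counter, so a lockout can hit colleagues of the person who mistyped; and XML-RPC's system.multicall can pack many password guesses into a single request, which is one more reason to disable XML-RPC (item 22) alongside the limit.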

11. Use role management to limit user privileges
Not everyone needs to be an admin.
WordPress ships with five user roles (Administrator, Editor, Author, Contributor and Subscriber), plus Super Admin on multisite installations. Each role is a bundle of specific permissions, known as capabilities, and plugins can add roles and capabilities of their own. Roles and capabilities serve an important purpose.
Assign user roles to limit each account to the tasks it needs (least privilege). That contains the damage if an account is compromised. Also check regularly whether any user’s privileges have been escalated without your authorization, whether through a role change or a capability added directly to the account; that is a common sign of malware or a lingering backdoor.
The general rule is to have as few administrators as possible. This minimises the risk of hackers gaining admin access.
Note: For a single site, the Administrator role is most powerful, while for a multisite, the Super Admin role holds the most authority.
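A privilege audit of the kind described above, as an added example for this checklist (not MalCare's code, not from the original page). It assumes WP-CLI and is run from the site root with `wp eval-file audit-users.php`. The interesting part is the last check: `$user->caps` is the raw wp_capabilities user meta, which holds role slugs and any capability granted to that user individually, so anything in `caps` that is not a role is a direct grant.

```php
<?php
/**
 * Added example, not code from the page or from MalCare: who holds which
 * privileges. Usage (assumes WP-CLI):  wp eval-file audit-users.php
 */

$built_in_roles = [ 'administrator', 'editor', 'author', 'contributor', 'subscriber' ];

// 1. Roles WordPress did not ship with. Plugins add some legitimately
//    (shop_manager, for example); a role you cannot attribute to a plugin
//    you installed deserves a look at its capability list.
foreach ( wp_roles()->roles as $slug => $role ) {
    if ( ! in_array( $slug, $built_in_roles, true ) ) {
        printf( "custom role %-20s %d capabilities\n", $slug, count( $role['capabilities'] ) );
    }
}

// 2. Super admins on multisite are stored separately from per-site roles.
if ( is_multisite() ) {
    printf( "super admins: %s\n", implode( ', ', get_super_admins() ) );
}

// 3. Per user: roles, and capabilities assigned straight to the account.
//    A direct grant is how malware turns a subscriber into someone who can
//    install plugins without the role column ever looking odd.
$admins = 0;
foreach ( get_users( [ 'orderby' => 'login' ] ) as $user ) {
    $is_admin = in_array( 'administrator', $user->roles, true );
    $admins  += (int) $is_admin;
    printf(
        "%-20s %s%s\n",
        $user->user_login,
        implode( ',', $user->roles ) ?: '(no role)',
        $is_admin ? '  [ADMIN]' : ''
    );

    $direct = array_diff_key( $user->caps, array_flip( $user->roles ) );
    foreach ( $direct as $cap => $granted ) {
        printf( "    direct capability: %s = %s\n", $cap, $granted ? 'true' : 'false' );
    }
}
printf( "\n%d administrator account(s). The fewer, the better.\n", $admins );
```

Run it after every cleanup and on a schedule; a new administrator you don't recognise, or a `subscriber` carrying `install_plugins`, is worth investigating before anything else.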
12. Log out inactive users automatically
Set up automatic logout for inactive users on your site. This lowers the risk of unauthorized access if someone forgets to log out, especially on a shared computer. Note that WordPress’s login cookie has a fixed lifetime (two days by default, fourteen with “Remember Me”) rather than an idle timeout, so you need to shorten that lifetime or use a plugin to get this behaviour.
This feature is common on bank websites and apps, which log you out after inactivity to protect your account.
In fact, remove dormant users regularly. Because nobody is watching an inactive account, a weak or leaked password on it can go unnoticed until an attacker uses it.
13. Remove open user registration
Consider disabling user registration if it’s not essential for your site. Fewer users mean fewer potential entry points for attackers.
14. Install an activity log
An activity log is a great addition to a WordPress security checklist, because without one you are blind to what actually happened on the site.
Activity logs record all actions on your website. This means you always know what users are doing and when. You can monitor site activity and hold users accountable.

Hacks and installation of malware, adware, or other kinds of malicious programs usually occur secretly. Often, the only visible trace can be found in your site’s activity log.
As a result, it’s a good idea to perform a regular check of your site’s activity log to look for any inconsistencies or suspicious activity. It can help you trace a number of important details in case your site gets hacked, like what IP addresses were involved, and how it may have happened.
Logs track everything: logins, logouts, changes, creations, modifications, deletions, additions, and updates. If a hack occurs, the activity log can show early warning signs by highlighting any suspicious activities or changes.
WordPress doesn’t offer an activity log by default so you will have to rely on a plugin for it. Alternatively, MalCare gives you a detailed and easy-to-understand activity log along with complete WordPress security.
15. Use SSL (HTTPS)
Installing a TLS certificate (still commonly called an SSL certificate) used to be complex and cost money. With Let’s Encrypt and most hosts offering free certificates, that’s no longer the case.
HTTPS encrypts the connection between the user’s browser and your server, so logins, form submissions and session cookies can’t be read or altered in transit.
Beyond being a solid security practice, browsers now flag plain HTTP pages as “Not secure”, and Google treats HTTPS as a ranking signal.
Also, ensure every page is served over HTTPS: redirect HTTP to HTTPS, set the WordPress and site address to the https:// form so that login cookies are only sent over encrypted connections, and fix any mixed-content warnings from images or scripts still loaded over http://.
16. Opt for SFTP instead of FTP
If you’re using FTP to transfer files, switch to SFTP. FTP sends your username, password and every file in clear text. SFTP runs over SSH, which encrypts the session, lets you verify the server’s host key so you know you’re talking to your own server, and lets you log in with an SSH key instead of a password.
SFTP is now the standard and is replacing FTP. The setup is similar, so there’s no reason to keep using the old method.
17. Secure WordPress file permissions
File permissions on WordPress decide who can read, write, or run files and folders. Correct permissions stop unauthorized access.
If anyone can change or read files, it’s a security risk, especially on systems with many users, like servers. Setting the right permissions is very important for security.
For your WordPress site, use these recommended permissions:
- Root directory: 755
- wp-admin: 755
- wp-includes: 755
- wp-content: 755
- wp-content/themes: 755
- wp-content/plugins: 755
- wp-content/uploads: 755
- .htaccess: 644
- index.php: 644
- wp-config.php: 640
As a rule of thumb, set directories to 755 and files to 644, which is what the WordPress guidelines recommend. The 640 on wp-config.php is stricter than the default and only works when PHP runs as the file’s owner or as a member of its group (the common case on hosts using suEXEC or per-site PHP-FPM pools); if your web server runs as a different user, it will lose access to the config.
These settings will not impede updates, as long as the PHP process owns the files. Stricter modes, or files owned by a different user than PHP runs as, are the usual cause of update failures and “could not create directory” errors. Never use 777 to make such an error go away: it lets every account on the server write to your site.
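An audit script for the table above, written for this checklist as an added example (not MalCare's code, not from the original page). It walks the install, reports every path whose mode differs from the recommended one, and with `--fix` applies it. It assumes the PHP/web-server process runs as the file owner or its group, which is what makes 640 on wp-config.php workable; the function names are this example's own.

```php
<?php
/**
 * Added example, not code from the page or from MalCare: compare a WordPress
 * tree with the recommended modes and optionally apply them.
 *
 *     php perms-audit.php /var/www/html          # report only
 *     php perms-audit.php /var/www/html --fix    # chmod every deviation
 */

function wp_expected_mode( string $path, string $root ): int {
    $relative = ltrim( substr( $path, strlen( $root ) ), '/' );
    if ( $relative === 'wp-config.php' ) {
        return 0640;                   // owner and group only
    }
    return is_dir( $path ) ? 0755 : 0644;
}

/** Returns one row per deviating path: [path, actual mode, expected mode]. */
function wp_audit_permissions( string $root, bool $fix = false ): array {
    $root     = rtrim( realpath( $root ), '/' );
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    $deviations = [];
    foreach ( $iterator as $path => $info ) {
        if ( $info->isLink() ) {
            continue;                  // never chmod through a symlink
        }
        $actual   = fileperms( $path ) & 0777;
        $expected = wp_expected_mode( $path, $root );
        if ( $actual !== $expected ) {
            $deviations[] = [ $path, $actual, $expected ];
            if ( $fix ) {
                chmod( $path, $expected );
            }
        }
    }
    return $deviations;
}

if ( PHP_SAPI === 'cli' && isset( $argv ) && realpath( $argv[0] ) === __FILE__ ) {
    $root = $argv[1] ?? '.';
    $fix  = in_array( '--fix', $argv, true );
    foreach ( wp_audit_permissions( $root, $fix ) as [ $path, $actual, $expected ] ) {
        // World-writable entries are the ones to fix first: any other account
        // on the host can drop a backdoor into them.
        $flag = ( $actual & 0002 ) ? '  WORLD-WRITABLE' : '';
        printf( "%-5s %04o -> %04o  %s%s\n", $fix ? 'fixed' : 'wrong', $actual, $expected, $path, $flag );
    }
}
```

Run it without `--fix` first and read the list: a handful of 600 files created by a deploy tool are harmless, whereas a 777 directory under wp-content is the kind of finding this script exists for.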
18. Use security headers
Security headers are HTTP response headers that tell the browser how to treat your pages. Strict-Transport-Security forces HTTPS on return visits, X-Content-Type-Options stops MIME sniffing, X-Frame-Options (or the frame-ancestors directive of a Content-Security-Policy) prevents clickjacking, Referrer-Policy limits what URLs leak to third parties, and Content-Security-Policy restricts where scripts may load from, which blunts cross-site scripting.
How you set them depends on your site. A strict Content-Security-Policy in particular will break themes and plugins that inline scripts, so roll it out in report-only mode first and tighten it from there. Headers can be set in the web server configuration or from WordPress itself; the web server is the better place because it also covers static files.
19. Disable file editing
If an attacker takes over an admin account, your site is as good as lost.
From the dashboard they can modify theme and plugin code via the Theme File Editor and Plugin File Editor, which turns an admin login into code execution on your server. They can also upload their own plugin (a zip containing a web shell) to alter your content, vandalise your site, send spam to your users, and more.
You can disable the file editors through MalCare’s WordPress hardening features, or manually by setting the DISALLOW_FILE_EDIT constant to true in wp-config.php via cPanel, SFTP, or a file manager plugin.
Note: If you use a file manager plugin, always uninstall it after use. It’s not needed for regular use and can pose a security risk.
20. Block plugin installations
A user or client might sometimes install a plugin without checking its compatibility or credibility as carefully as you would. This can cause several issues on your website, so it’s best to remove the ability for them to do this.
The simplest way to control this is by using a plugin. With MalCare, you just click a button to enable or disable this feature.
While this is a strict step, it’s necessary when multiple users manage your site or when you want to prevent clients from installing unnecessary plugins. If you do it yourself with the DISALLOW_FILE_MODS constant, be aware that it also blocks plugin, theme and core updates from the dashboard, including automatic updates, so you will need another update path such as WP-CLI or a deployment pipeline.
21. Disable directory browsing
When a web server is asked for a directory that has no index file, it may list the directory’s contents instead. If an attacker can browse your directories, they can see exactly which plugins, themes and versions you run, find backups, logs or configuration files left lying around, and pick the vulnerable one.
To avoid this, disable directory listings: on Apache with the Options -Indexes directive in .htaccess, on Nginx by keeping autoindex off (the default). Confirm by requesting a directory such as /wp-content/uploads/ in a browser and checking that you get a 403 or a blank page instead of a file list.
22. Block XML-RPC
Similar to the WP REST API, XML-RPC (xmlrpc.php) is a WordPress feature that allows you to publish content remotely. It is useful if you use the WordPress mobile app or need trackbacks and pingbacks, but otherwise it is mostly a liability: its system.multicall method lets an attacker test hundreds of passwords in a single HTTP request, which defeats naive per-request login limits, and pingback.ping can be abused to make your server send requests to a third party (DDoS reflection). If you don’t need it, disable XML-RPC with a plugin or manually, and confirm by requesting /xmlrpc.php that it no longer answers.
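Items 12, 13, 18, 19, 20 and 22 can all be applied from a single must-use plugin. The one below is an added example written for this checklist, not MalCare's code and not from the original page; the file name and the header values it sends (a report-only CSP, a one-year HSTS) are this example's choices and should be tuned to the site.

```php
<?php
/**
 * Plugin Name: Checklist Hardening (added example)
 * Description: Added example for items 12, 13, 18, 19, 20 and 22 of this
 *              checklist; not code from the page or from MalCare. Save as
 *              wp-content/mu-plugins/hardening.php.
 */

// --- 19/20: no code editing or plugin installs from the dashboard ----------
// wp-config.php is the usual home for these constants; the defined() guard
// lets either location win. Both are checked at runtime, so defining them
// here is just as effective.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );    // removes the theme/plugin file editors
}
// DISALLOW_FILE_MODS also blocks plugin/theme/core *updates* and the
// automatic updater. Enable it only if you update via WP-CLI or a deploy
// pipeline; otherwise item 6 of the checklist silently stops working.
// if ( ! defined( 'DISALLOW_FILE_MODS' ) ) {
//     define( 'DISALLOW_FILE_MODS', true );
// }

// --- 12: shorter sessions --------------------------------------------------
// The auth cookie lifetime is absolute (2 days by default, 14 with
// "Remember Me"), not an idle timeout; shrinking it is the closest core
// gets to auto-logout without JavaScript on the page.
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 2 * HOUR_IN_SECONDS;
}, 10, 3 );

// --- 13: no open registration ----------------------------------------------
// Short-circuits get_option( 'users_can_register' ) so the setting cannot be
// flipped back on from the dashboard. On multisite the equivalent setting
// is the 'registration' network option.
add_filter( 'pre_option_users_can_register', '__return_zero' );

// --- 22: XML-RPC off -------------------------------------------------------
// 'xmlrpc_enabled' only disables the *authenticated* methods. pingback.ping
// (DDoS reflection) and system.multicall (many password guesses per HTTP
// request) are reachable without logging in, so drop them explicitly.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'], $methods['system.multicall'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );          // stop advertising the endpoint
    return $headers;
} );

// --- 18: security headers --------------------------------------------------
// 'init' fires for the front end, the admin and wp-login.php alike, before
// any output. Static files never pass through PHP, so the web server config
// is still the better place for these; this covers everything WordPress renders.
add_action( 'init', function () {
    if ( headers_sent() ) {
        return;
    }
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
    if ( is_ssl() ) {
        // Only send HSTS over HTTPS, and only once every page is HTTPS:
        // browsers remember it for max-age seconds.
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
    // Report-Only first: themes and plugins inline scripts freely, so an
    // enforced default-src 'self' breaks most sites until it has been tuned.
    header( "Content-Security-Policy-Report-Only: default-src 'self'; img-src 'self' data:; object-src 'none'; frame-ancestors 'self'" );
} );
```

After dropping the file in, check three things: the Theme File Editor and Plugin File Editor entries have vanished from the Appearance and Plugins menus, a POST to /xmlrpc.php no longer lists pingback.ping in the output of system.listMethods, and the response headers on the login page carry the new values.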
23. Disable PHP execution in specific folders
Attackers upload PHP files to your site disguised as images or as core WordPress files, then request them in the browser to run them. Some folders, like wp-content/uploads, should never contain PHP at all. So what do you do?
Disable PHP execution in those folders at the web server level: on Apache, a .htaccess file in wp-content/uploads that denies access to files ending in .php, .phtml and .phar; on Nginx, a location block that returns 403 for .php files under /wp-content/uploads/. Then, even if an attacker manages to drop a file there through a backdoor or an upload bug, the server refuses to execute it.
24. Backup your website
There are several reasons why you should backup your WordPress website, but the most important of them is security.
If not detected in time, malware can cause havoc with your WordPress site and consequently lead to data loss or website defacement. Often, web hosts delete sites from their servers if they are infected, and unless you have an independent backup of your site, you will have to start from scratch.

Back up high-value websites every day so that nothing important is lost. WooCommerce and membership sites, where orders and sign-ups arrive continuously, need real-time backups. Keep the backups off the web server, keep several generations (so that a backup taken after the infection isn’t your only copy), and test a restore before you need one.
A handy solution like BlogVault can make this process very easy. BlogVault allows you to schedule backups daily, or in real-time, depending on your requirements, and stores these backups on an external server so that even if your website server is hacked, the backups still remain secure.
25. Remove unused plugins, themes, accounts, etc
Removing old and unused themes and plugins serves two purposes.
The first is to speed up your site, as too many files can cause bloat and server slowdowns. The second is to make sure that your site cannot be attacked through them.
Unused themes and plugins are often ignored and not updated, leaving vulnerabilities that can be easily taken advantage of. So make sure to run a monthly check on all the themes and plugins you use and remove those that have served their purpose.
Note: Also check for fake plugins. Malware often hides as a plugin folder, but fake plugins typically have only one or two files, can’t be found in the WordPress plugin directory, and have odd names like ‘azzz’ or ‘tiff’.
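Two of the checks described in items 23 and 25 (PHP dropped into uploads, and plugin folders that don't look like plugins) as a script. It is an added example written for this checklist, not MalCare's code and not from the original page; the heuristics (file count, missing “Plugin Name:” header, very short folder name) are this example's own, and every hit is a lead to review by hand, not a verdict.

```php
<?php
/**
 * Added example, not code from the page or from MalCare: find PHP under
 * uploads and plugin folders that look fake.
 *
 *     php find-dropped-files.php /var/www/html
 */

/** PHP (including disguised double extensions) anywhere under uploads. */
function find_php_in_uploads( string $root ): array {
    $uploads = "$root/wp-content/uploads";
    if ( ! is_dir( $uploads ) ) {
        return [];
    }
    $hits     = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $uploads, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iterator as $path => $info ) {
        // shell.php, shell.php7, shell.phtml, shell.phar and shell.php.jpg
        // (some Apache AddHandler setups execute the last one too).
        if ( preg_match( '/\.(php\d?|phtml|phar)(\.|$)/i', $info->getFilename() ) ) {
            $hits[] = $path;
        }
    }
    return $hits;
}

/** Plugin folders that do not look like real plugins (single-file plugins are skipped). */
function find_suspicious_plugins( string $root ): array {
    $suspicious = [];
    foreach ( glob( "$root/wp-content/plugins/*", GLOB_ONLYDIR ) ?: [] as $dir ) {
        $name    = basename( $dir );
        $files   = array_diff( scandir( $dir ), [ '.', '..' ] );
        $reasons = [];

        // A real plugin declares itself with a "Plugin Name:" header in a
        // top-level PHP file; WordPress does not list it in the admin otherwise,
        // which is exactly why malware authors often skip it.
        $has_header = false;
        foreach ( glob( "$dir/*.php" ) ?: [] as $php ) {
            $head = (string) file_get_contents( $php, false, null, 0, 8192 );
            if ( preg_match( '/^[ \t\/*#@]*Plugin Name:/mi', $head ) ) {
                $has_header = true;
                break;
            }
        }
        if ( ! $has_header ) {
            $reasons[] = 'no "Plugin Name:" header';
        }
        if ( count( $files ) <= 2 ) {
            $reasons[] = count( $files ) . ' file(s) only';
        }
        if ( preg_match( '/^[a-z0-9]{1,4}$/', $name ) ) {
            $reasons[] = 'very short name';
        }
        if ( $reasons ) {
            $suspicious[ $name ] = $reasons;
        }
    }
    return $suspicious;
}

if ( PHP_SAPI === 'cli' && isset( $argv ) && realpath( $argv[0] ) === __FILE__ ) {
    $root = rtrim( $argv[1] ?? '.', '/' );
    foreach ( find_php_in_uploads( $root ) as $hit ) {
        echo "php in uploads: $hit\n";
    }
    foreach ( find_suspicious_plugins( $root ) as $name => $reasons ) {
        echo "suspicious plugin folder: $name (" . implode( '; ', $reasons ) . ")\n";
    }
}
```

Anything reported under uploads should be treated as a web shell until proven otherwise: note its timestamp and owner, look for the upload in the access log, and remove it only after you have found how it got there, or it will be back.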
26. Choose secure hosting
Many believe that hosts are responsible for security, but often, malware attacks stem from site vulnerabilities. Hosts handle the infrastructure, so focus on that when picking a secure host.
Security checklists usually emphasize what you, as a site admin, can do to keep your site safe. While you can do a lot, installed applications often cause vulnerabilities. Still, the server isn’t immune to threats.
Choosing a good web host is crucial. Check reviews and look for responsive support. Consider if servers are in a secure physical location. Could a hacker get in and steal data? These are key factors, though website admins have limited control over them.
A reliable host shares their protective measures transparently. Avoid cutting costs here, as going for a cheap host might end up being a costly mistake down the road.
27. Keep your devices malware-free
Sometimes, the simple things can catch us off guard. The computer and WiFi you use affect your WordPress security. Strengthening your site won’t help if there’s a keylogger on your computer—you’ve essentially given a hacker your login details.
Security myths: obscurity ideas should stay obscure
Some security practices focus on hiding parts of WordPress. These are nowhere as effective as people believe they are.
- Changing the database table prefix adds little: any SQL injection that could read wp_users can just as easily read the table names from information_schema, and the prefix shows up in plenty of error messages and plugin output anyway.
- Changing the login page URL hides the page, but determined hackers have other ways to launch brute force attacks, such as xmlrpc.php, and the plugins that rename the page are themselves easy to fingerprint. Misplacing or forgetting the URL makes recovery maddeningly difficult.
- Password protecting wp-admin with HTTP basic auth comes up regularly, but it’s just another password. It also has the side effect of breaking front-end AJAX, because admin-ajax.php lives under wp-admin, unless you exclude that file.
- Hiding the WordPress version is another false security trick. The generator tag goes away, but the version is still visible in readme.html and in the version query strings on core CSS and JS files, and attackers fingerprint vulnerable plugins, not core, anyway.
For true security, prioritize strong defenses such as firewalls and regular updates, rather than just concealing elements.
Why WordPress security is important
WordPress is a secure platform, but it is very popular and attracts all sorts of attention. Some of which are nefarious. In order to make sure that hackers can’t gain access to your site, you need to ensure that your WordPress security is up to date, or else you could face dire consequences:
- Loss of customers
- Data loss
- Leaked private credentials
- Revenue loss
- Legal issues
- Hit to the brand reputation
- Loss of trust
Final thoughts
WordPress security is not a mystery. If you take a few steps to secure your site, you will be able to fend off attacks and malware, and avoid any damages. We hope that this security checklist helps you tighten your security measures.
If you want a hassle-free solution that does not compromise your security, a security plugin like MalCare is the only option. With automated scans, an advanced firewall, and one-click cleanups, MalCare is a 360-degree solution that protects your site.
FAQs
How do I secure my WordPress site?
The easiest method to secure your WordPress site is to install a security plugin like MalCare. MalCare scans your website everyday to ensure that your website is safe, and protects your website with its advanced firewall. It also offers a one-click cleanup in case there is a hack.
Does WordPress have security issues?
WordPress is a secure platform that powers roughly four in ten of all websites. However, it is because of this popularity that it attracts the attention of hackers. You can secure your WordPress site with a security plugin to ensure that your site is safe from these elements.
How do I secure my WordPress site without plugins?
If you wish to secure your site without using plugins, you need to perform several security checks regularly. You will have to perform site scans, take backups, look for suspicious behavior in the site’s activity log, and manually clean up any malware that you may detect. The list of ways hackers can get into your site is endless, and the only way you can secure your site without having to constantly be on alert is to use a security plugin.