WordPress powers over 40% of the web, which makes it the single largest target for automated attacks. The bots scanning for vulnerable WordPress installations run 24 hours a day, every day. If you run a WordPress site, security is not optional — it is maintenance.
The good news is that the vast majority of WordPress hacks are preventable. They succeed because of outdated software, weak credentials, or misconfigured servers. None of these are complicated to address.
This checklist covers what actually matters. We skip the security theater and focus on the changes with the highest impact.
Authentication & Access
Use strong, unique passwords for every account. This sounds obvious, but guessable and reused passwords still account for a large share of WordPress compromises: the bots hitting wp-login.php try passwords leaked from other sites before they try anything clever. Use a password manager, generate long random passwords, and never reuse one. This applies to every login, not only administrators, and to the database, SFTP and hosting-panel credentials as well.
Enable two-factor authentication (2FA) on every administrator account, and preferably on every account that can publish. Plugins such as WP 2FA, or the 2FA offered by managed hosting control panels, make this straightforward. With 2FA enabled, a leaked password alone is not enough to log in. Prefer an authenticator app or a hardware key over SMS codes, and remember that 2FA guards the login form only: SFTP, the hosting panel and application passwords (below) each need protecting on their own.
Limit login attempts. Brute-force attacks hammer wp-login.php with thousands of password guesses per minute, and xmlrpc.php lets an attacker pack hundreds of guesses into a single request through system.multicall. Rate-limit login attempts at the plugin level (Limit Login Attempts Reloaded) or, better, at the server or WAF level, where the request is rejected before PHP and the database are touched at all. Whichever you use, throttle per account as well as per IP: credential-stuffing botnets spread their guesses across thousands of addresses so that no single one trips a limit.
Change the default admin username. If your administrator account is named "admin", every bot's first guess is already right and only the password stands in the way. Create a new administrator with a non-obvious username, log in as that user, then delete "admin", reassigning its posts and pages to the new account so nothing is lost. Treat this as noise reduction rather than a secret: WordPress reveals usernames through author archive URLs and the REST API's users endpoint unless you block them, so the password and 2FA still do the real work.
Use application passwords for API integrations. WordPress core (since 5.6) supports per-application passwords for REST API access. Use these instead of your main admin credentials for any third-party integration, one per integration, and revoke each one when the integration is retired. Two caveats: an application password carries the full capabilities of the user it belongs to, so create it on a dedicated user with the lowest role the integration needs rather than on an administrator; and it bypasses 2FA, because the client sends it with every request. WordPress only offers application passwords over HTTPS.
Updates
Keep WordPress core up to date. Security releases come out regularly and patch publicly known vulnerabilities, which attackers start scanning for as soon as the release notes are out. By default WordPress applies minor and security releases automatically; make sure nobody has switched that off (through the WP_AUTO_UPDATE_CORE constant or a filter) and that major releases go in on a short, deliberate schedule. On managed hosting this should be handled for you. On self-managed installs, check when core was last updated and who is responsible for the next update.
Update plugins promptly. The majority of WordPress exploits in the wild target known vulnerabilities in plugins and themes, vulnerabilities that had already been patched in newer versions by the time the attack happened. Running outdated plugins is the most common cause of WordPress hacks. Since WordPress 5.5 you can enable automatic updates per plugin from the Plugins screen; turn it on for everything you cannot test quickly, and treat a security advisory for a plugin you run as an emergency rather than a monthly chore.
Remove plugins and themes you are not using. Inactive plugins still represent an attack surface: WordPress does not load their code, but the web server still serves their files, so a vulnerability in a plugin file that can be requested directly remains exploitable, and an attacker who gains a foothold can simply activate the plugin. If you are not using it, delete it; do not just deactivate it. Keep one default theme installed as a fallback and remove the rest.
Audit your plugins at least annually, and quarterly if you can. Review every plugin in your install: When was it last updated, and is it tested with the current WordPress release? Does it appear in a vulnerability database such as WPScan or Patchstack? Has it been abandoned, or sold to a new owner? Is there a better-maintained alternative, or can the feature be dropped entirely? Plugin audits catch problems before attackers do.
File Permissions & Server Configuration
Set correct file permissions. WordPress files should be 644 and directories 755, and wp-config.php should be 600 (or 640 with its group set to the PHP user, if PHP does not run as the file owner). Never use 777: world-writable files and directories let any other process on the host, another tenant on shared hosting or a compromised service, write PHP that your web server will then execute, turning a limited foothold into full control of the site. Bear the converse in mind too: when the PHP user owns the files, which is how dashboard updates and uploads work, a compromised PHP process can rewrite them whatever the mode bits say, which is why the monitoring section matters.
Protect wp-config.php. This file contains your database credentials and the authentication salts. WordPress will look for it one directory above the install directory, so move it there if that directory is outside the web root, or restrict access to it with server rules. PHP files are normally executed rather than served, but a broken PHP handler or an editor backup copy left beside it (wp-config.php.bak, wp-config.php~) can expose the whole file as plain text, so check that no such copies exist and that requests for them are refused.
Disable file editing in the admin. Add define('DISALLOW_FILE_EDIT', true); to wp-config.php, above the "stop editing" marker. This removes the theme and plugin editor from the WordPress admin, so an attacker who obtains an administrator session cannot drop a backdoor into a PHP file through the UI. It does not stop them uploading a plugin zip that contains PHP; if you deploy code through version control or the command line anyway, the DISALLOW_FILE_MODS constant closes that route as well, at the cost of also disabling updates from the dashboard.
Disable XML-RPC if you do not use it. XML-RPC is a legacy WordPress API that is still abused in two ways: system.multicall bundles hundreds of login guesses into one request, sidestepping per-request rate limits, and pingback.ping can be used to make your server fire requests at third parties as part of a reflected DDoS. Unless you specifically need it (older mobile apps, Jetpack, some backup and remote-publishing plugins), deny requests to xmlrpc.php at the web server or WAF level; that is cheaper than a plugin filter because the request never reaches PHP. Verify afterwards by requesting /xmlrpc.php: it should return 403 rather than the "XML-RPC server accepts POST requests only" message.
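The permission and wp-config.php steps above can be scripted and, more importantly, audited. The script below is an added example written for this checklist, not code from WordPress or from our platform. It assumes PHP-FPM runs as the user that owns the files (so 600 on wp-config.php still lets WordPress read it) and that wp-config.php carries the stock "That's all, stop editing!" marker; the function names are hypothetical. Blocking xmlrpc.php is not included because that belongs in the web server configuration, not in a shell script.

```shell
#!/bin/sh
# Added example, not part of the original checklist: audit and fix the
# permissions of a WordPress tree and switch off the built-in file editor.
# Assumption: PHP-FPM runs as the user that owns the files, so 600 on
# wp-config.php still lets WordPress read it. If PHP runs as another user,
# change the 600 below to 640 and chgrp wp-config.php to that user.
# Function names are ours (hypothetical), not WordPress or WP-CLI commands.

# List everything that deviates from the checklist: directories not 755,
# files not 644, wp-config.php not 600. One "<kind> <path>" line per hit;
# empty output means the tree is clean.
wp_find_bad_perms() {
    root=$1
    find "$root" -type d ! -perm 755 -exec printf 'dir  %s\n' {} \;
    find "$root" -type f ! -name wp-config.php ! -perm 644 -exec printf 'file %s\n' {} \;
    find "$root" -maxdepth 1 -name wp-config.php ! -perm 600 -exec printf 'conf %s\n' {} \;
}

# Apply the checklist modes. "{} +" runs chmod in batches rather than once
# per file, which matters on a tree with tens of thousands of files.
wp_fix_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Idempotently add define('DISALLOW_FILE_EDIT', true); to wp-config.php,
# inserting it before the "That's all, stop editing!" marker that stock
# wp-config.php files carry (constants must be defined above it) and
# appending at the end if the marker is missing. The rewrite goes through
# "cat > file" rather than mv so the owner and the 600 mode are preserved.
wp_disable_file_edit() {
    conf=$1
    line="define('DISALLOW_FILE_EDIT', true);"
    if grep -q 'DISALLOW_FILE_EDIT' "$conf"; then
        return 0
    fi
    tmp=$(mktemp)
    awk -v line="$line" '
        /stop editing/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$conf" > "$tmp" && cat "$tmp" > "$conf"
    rm -f "$tmp"
}

# Usage (the path is a placeholder):
#   wp_fix_perms /var/www/example.org
#   wp_disable_file_edit /var/www/example.org/wp-config.php
#   wp_find_bad_perms /var/www/example.org      # prints nothing when clean
```

Run the audit function from cron and alert on any output; a file that drifts back to 777 usually means a plugin installer or a well-meaning colleague, and either way you want to know.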
Monitoring
Install a security scanner. Wordfence, Sucuri, or server-level malware scanning (which good managed hosts include) will alert you when known malware signatures turn up in your files or database. Early detection limits the damage, but scanners only find what they have signatures for, so pair them with file-change monitoring rather than relying on them alone.
Monitor file changes. Unexpected changes to WordPress core, theme or plugin files, or a new PHP file appearing under wp-content/uploads, are classic signs of compromise. File integrity monitoring records a baseline of file hashes and alerts you when anything changes outside your normal update workflow. For core and for plugins from wordpress.org you do not even need a baseline of your own: WP-CLI can compare the installed files with the checksums WordPress.org publishes (wp core verify-checksums and wp plugin verify-checksums), which is also the quickest first check during an incident.
Check your access logs. Periodic review of your server's access logs catches reconnaissance (requests for wp-config.php backups and .env files, user enumeration through ?author=1 and the REST users endpoint), login brute-forcing against wp-login.php and xmlrpc.php, and unusual traffic such as POST requests to PHP files under wp-content/uploads, which almost always means a web shell is already in place. Keep logs long enough to reconstruct an incident (90 days is a reasonable floor) and ship them off the server so an intruder cannot erase their tracks.
Set up uptime monitoring. Downtime is sometimes the first visible sign of an attack. Uptime monitoring (we use hosted services like Uptime Robot, or better, server-level monitoring from your managed host) alerts you within minutes of an outage. Prefer a check that looks for a known string on the page over a plain HTTP check: a defaced or redirect-injected site still returns 200 and passes a ping.
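For sites with custom themes or plugins that wordpress.org has no checksums for, a baseline of your own is the fallback. The script below is an added example for this checklist, not code from WordPress, WP-CLI or any scanner. It assumes GNU coreutils (sha256sum) and hashes only .php files, which is what an attacker has to modify or add to run code; the function names and the manifest path are hypothetical.

```shell
#!/bin/sh
# Added example, not part of the original checklist: a minimal file-integrity
# monitor for the PHP files in a WordPress tree, built on sha256sum (GNU
# coreutils assumed). Only *.php is hashed: that is what an attacker needs to
# modify or add to run code, and it keeps images and caches out of the noise.
# Keep the manifest off the web server (on the backup host, say) so an
# intruder who can edit PHP cannot also edit the baseline. Function names are ours.

# Internal: "<sha256>  <./relative/path>" for every .php file under DIR,
# sorted so two runs over the same tree produce byte-identical output.
_wp_fim_hashes() {
    ( cd "$1" && find . -type f -name '*.php' -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Write the baseline manifest for DIR to MANIFEST. Run it right after a clean
# install or a deliberate update, never after a suspected compromise.
wp_fim_baseline() {
    _wp_fim_hashes "$1" > "$2"
}

# Compare DIR with MANIFEST. Prints one line per difference:
#   MODIFIED <path>   hash changed (injected code in an existing file)
#   ADDED    <path>   .php file absent from the baseline (a dropped web shell)
#   MISSING  <path>   baseline file that is gone
# Returns 0 if the tree matches the baseline, 1 otherwise.
wp_fim_check() {
    current=$(mktemp)
    _wp_fim_hashes "$1" > "$current"
    # sha256sum lines are 64 hex chars, two spaces, then the path; the path is
    # taken with substr so names containing spaces survive intact.
    if awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            if (!(p in base))        { print "ADDED    " p; bad = 1 }
            else if (base[p] != $1)  { print "MODIFIED " p; bad = 1 }
            seen[p] = 1
        }
        END {
            for (p in base) if (!(p in seen)) { print "MISSING  " p; bad = 1 }
            exit (bad ? 1 : 0)
        }' "$2" "$current"; then
        rc=0
    else
        rc=1
    fi
    rm -f "$current"
    return $rc
}

# Usage (paths are placeholders):
#   wp_fim_baseline /var/www/example.org /backup/example.org.fim
#   wp_fim_check    /var/www/example.org /backup/example.org.fim && echo clean
```

Regenerate the baseline as the last step of every deliberate update, so that the only changes the check ever reports are the ones nobody planned.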
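The brute-force traffic described under "Limit login attempts" and the reconnaissance described here both leave obvious traces in a standard combined-format access log. The script below is an added example for this checklist, not code from any WordPress plugin or hosting platform. The sample log it writes is constructed for the demonstration (documentation IP ranges, invented timestamps); the function names and the threshold are our own choices, and on a real host you would point the functions at your nginx or Apache access log instead.

```shell
#!/bin/sh
# Added example, not part of the original checklist: pull the WordPress-specific
# signals out of an nginx/Apache "combined" access log with awk. The sample log
# below is constructed for the demo; on a real host point the functions at
# /var/log/nginx/access.log (path is an assumption). Function names are ours.
#
# Combined log fields as awk sees them (split on whitespace):
#   $1 client IP   $6 "METHOD   $7 request path   $9 HTTP status

# IPs that POSTed to wp-login.php or xmlrpc.php more than THRESHOLD times
# (default 20), as "<count> <ip>", busiest first. A real user fails a login a
# handful of times; a bot fails hundreds.
wp_login_bruteforce() {
    log=$1; threshold=${2:-20}
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) printf "%d %s\n", n[ip], ip }
    ' "$log" | sort -rn
}

# Reconnaissance that legitimate visitors never generate: config backups,
# dotfiles, backup archives, user enumeration. Prints "<ip> <status> <path>".
# 404s count too: the probe tells you who is casing the site.
wp_recon_probes() {
    awk '$7 ~ /wp-config\.php/ || $7 ~ /\/\.(env|git)/ ||
         $7 ~ /\?author=[0-9]+/ || $7 ~ /\/wp-json\/wp\/v2\/users/ ||
         $7 ~ /\.(bak|old|orig|sql|zip)(\?|$)/ { print $1, $9, $7 }' "$1"
}

# Requests for PHP files under wp-content/uploads. WordPress never puts PHP
# there, so a 200 (and especially a POST) means a web shell is being used.
wp_uploads_php_hits() {
    awk '$7 ~ /^\/wp-content\/uploads\/.*\.php/ { print $1, $9, $7 }' "$1"
}

# Constructed sample log (not real traffic) written to the file given as $1:
# 25 login POSTs from one bot, a legitimate login, a scanner's probes, and a
# hit on a web shell dropped in uploads.
wp_sample_log() {
    out=$1
    : > "$out"
    i=0
    while [ "$i" -lt 25 ]; do
        echo '203.0.113.7 - - [10/Mar/2024:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4312 "-" "python-requests/2.31"' >> "$out"
        i=$((i + 1))
    done
    cat >> "$out" <<'EOF'
198.51.100.4 - - [10/Mar/2024:02:15:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.org/wp-login.php" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:02:15:12 +0000] "GET /wp-admin/ HTTP/1.1" 200 27110 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Mar/2024:03:01:44 +0000] "GET /wp-config.php.bak HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner)"
192.0.2.33 - - [10/Mar/2024:03:01:45 +0000] "GET /.env HTTP/1.1" 404 196 "-" "Mozilla/5.0 (compatible; scanner)"
192.0.2.33 - - [10/Mar/2024:03:01:46 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0 (compatible; scanner)"
192.0.2.33 - - [10/Mar/2024:03:01:47 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "Mozilla/5.0 (compatible; scanner)"
203.0.113.7 - - [10/Mar/2024:03:20:00 +0000] "POST /wp-content/uploads/2024/03/cache.php HTTP/1.1" 200 51 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2024:03:21:09 +0000] "GET /wp-content/uploads/2024/03/photo.jpg HTTP/1.1" 200 83012 "-" "Mozilla/5.0"
EOF
}

# Usage:
#   wp_sample_log /tmp/demo.log
#   wp_login_bruteforce /tmp/demo.log 20     # -> 25 203.0.113.7
#   wp_recon_probes /tmp/demo.log            # four lines from 192.0.2.33
#   wp_uploads_php_hits /tmp/demo.log        # the web shell hit
```

The third function is the one to wire up to an alert first: a brute-force attempt or a probe is a prospect, but a request for a PHP file inside uploads that returns 200 is evidence that the site has already been compromised.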
Backups
Maintain automated, offsite backups. Backups stored on the same server as your website are not backups; they will be deleted or encrypted in the same attack that compromises your site. Use a managed host with automatic offsite backups, or replicate to a separate provider such as Backblaze B2. The credentials the web server uses to upload should be able to write but not delete (a write-only application key, or bucket versioning with a retention period), so that an intruder with server access cannot reach the offsite copies. Back up the database and the uploads directory as well as the code: the code can be reinstalled, the content cannot.
Test your restore process. A backup you have never tested is not a backup. Periodically restore the database and files to a staging environment and verify the site comes back cleanly: pages render, logins work, uploads are present, and the restored wp-config.php carries the right credentials and salts. Time the exercise; that number is your real recovery time, whatever the plan says.
Keep multiple restore points. Daily backups for at least 30 days, plus weekly backups going back three months. If you discover a compromise that started weeks ago, you need restore points from before it began, and enough of them to find the last clean one; a single rolling backup will faithfully preserve the backdoor.
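The retention policy above (every daily for 30 days, one per week for three months, nothing older) is easy to state and easy to get subtly wrong in a cron job. The script below is an added example for this checklist, not code from any backup product or from our platform. It assumes archives carry an ISO date in their names (a naming convention we made up for the demo, such as site-2024-03-10.tar.gz) and that the Sunday backup is the one kept as the weekly; it deliberately only prints decisions, so the caller decides what actually gets deleted and from where.

```shell
#!/bin/sh
# Added example, not part of the original checklist: decide which backup
# archives to keep under the checklist's retention policy (every daily for
# 30 days, then one per week for 90 days, nothing older). Pure POSIX shell
# and awk, no GNU date, so it behaves the same on Linux and BSD.
# Assumptions: archive names contain a YYYY-MM-DD date (e.g.
# site-2024-03-10.tar.gz, our hypothetical naming convention), one name per
# line on stdin, and the Sunday archive is the weekly one. Function name is ours.

# wp_backup_retention TODAY   (TODAY as YYYY-MM-DD)
# Prints "KEEP <name>", "DELETE <name>" or "SKIP <name>" (no date found).
wp_backup_retention() {
    awk -v today="$1" '
        # Julian day number from a calendar date (Fliegel & Van Flandern), so
        # dates can be subtracted. awk int() truncates toward zero like C does,
        # which the formula relies on.
        function jdn(y, m, d,   a, r) {
            a = int((m - 14) / 12)
            r = int((1461 * (y + 4800 + a)) / 4)
            r += int((367 * (m - 2 - 12 * a)) / 12)
            r -= int((3 * int((y + 4900 + a) / 100)) / 4)
            return r + d - 32075
        }
        # Pull the first YYYY-MM-DD out of a string; -1 if there is none.
        function jdn_of(s,   p) {
            if (match(s, /[0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]/) == 0) return -1
            p = substr(s, RSTART, RLENGTH)
            return jdn(substr(p, 1, 4) + 0, substr(p, 6, 2) + 0, substr(p, 9, 2) + 0)
        }
        BEGIN {
            now = jdn_of(today)
            if (now < 0) { print "usage: wp_backup_retention YYYY-MM-DD" > "/dev/stderr"; exit 2 }
        }
        {
            j = jdn_of($0)
            if (j < 0) { print "SKIP   " $0; next }
            age = now - j                  # days old
            weekday = (j + 1) % 7          # 0 = Sunday
            if (age <= 30)                      print "KEEP   " $0   # daily window
            else if (age <= 90 && weekday == 0) print "KEEP   " $0   # weekly window
            else                                print "DELETE " $0
        }'
}

# Usage (paths are placeholders). Run this on the backup host with its own
# credentials, never from the web server, and review the DELETE list before
# wiring it to rm:
#   ls /backup/example.org | wp_backup_retention "$(date +%F)"
#   ls /backup/example.org | wp_backup_retention "$(date +%F)" \
#       | awk '$1 == "DELETE" { print $2 }'
```

Printing decisions instead of deleting is the design choice that matters: a bug in date arithmetic is harmless in a report and catastrophic in a script that runs rm with credentials that can delete offsite copies.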
The Managed Hosting Advantage
The single most effective thing most WordPress site owners can do for security is move to managed WordPress hosting. Most of what is on this checklist — server-level WAF, automatic updates with staging verification, continuous malware scanning, DDoS mitigation, offsite backups — is either included by default or dramatically easier to implement on a managed platform.
If managing your own security feels like too much overhead, talk to us about our managed WordPress hosting plans. Security is our job so you can focus on yours.