The Ultimate WordPress Security Checklist

Every website is open to potential attacks, but some sites are more at risk than others. If you run an enterprise-level project, you have a giant target painted on your back. This is because most hackers are drawn in by the volume of sensitive customer data you may have on hand.

Fortunately, there are several things you can do to keep your WordPress website safe. Plus, most of these security measures are very straightforward and only take a few minutes to implement. 

In this article, we’ll provide you with a comprehensive WordPress security checklist you can use to keep your website safe. And while this advice is geared toward enterprise-level organizations, anyone can benefit from the ideas we’ll discuss. So let’s get to it!

The importance of having a WordPress security checklist

The idea of a WordPress security checklist might sound outdated for enterprise websites. After all, there are a lot of systems and tools you can use to automate critical tasks. But it can be easy to overlook some things, especially when you have a large site to look after. 

For example, if you have a blog with a small audience, failing to update WordPress for a while will probably not cause any problems. But if you’re running an online business that relies on a lot of WordPress plugins and third-party integrations, this oversight can break your site and cost you thousands in lost time and troubleshooting.

The goal of a security checklist is to make sure that nothing slips through the cracks, no matter how small. In addition to keeping your site in top shape, a comprehensive WordPress security checklist can have several other benefits:

Protection from online threats

The popularity of WordPress makes it a target for hackers. A WordPress security checklist helps you take proactive measures to defend against cyber threats like brute force attacks, SQL injection, and cross-site scripting.

Safeguarded sensitive user data

If your website collects and stores sensitive information like email addresses and login credentials, implementing a WordPress security checklist reduces the risk of unauthorized access to this data.

Compliance with regulations

Several regulations mandate that you adhere to strict security measures to protect user data. A security checklist helps you stay compliant with these regulations and avoid potential legal penalties.

Preservation of your reputation

If your website is compromised, it can damage your brand’s reputation and erode customer trust. A security checklist helps you maintain credibility by minimizing the risk of security incidents.

A WordPress security expert will know exactly what needs to be done to keep your site safe. But even veteran cybersecurity employees can benefit from having a resource at hand to help make sure they’re not missing anything. 

A checklist is easy to reference. Plus, you won’t need to pay hundreds of dollars for a security tool that will advise you to do the exact same tasks in this list.

Who created this checklist, and why should I trust it?

WPScan is an open-source WordPress security scanner. You can access it with multiple plugins, via our own API, or through our CLI scanner. We maintain a database of over 39,000 WordPress vulnerabilities and regularly add new entries to our database that’s maintained by leading WordPress security experts.

Our goal is to provide a definitive resource of WordPress vulnerabilities that anyone can access to keep their websites safe. Our experience working with developers and security professionals means that we’ve encountered and defended against almost every kind of threat imaginable. 

With that in mind, this checklist provides a comprehensive overview of tasks (both one-offs and recurring) that you can execute to prevent vulnerabilities on your website and keep it safe. 

29-point checklist for WordPress security leaders

Before we dive into the security measures on our list, you may want to have a quick glance at the security basics for all WordPress sites. Plus, you could also save a copy of the list below for easy reference:

  1. Keep WordPress core, themes, and plugins up to date
  2. Apply strict username and password policies
  3. Implement role-based access and permissions control
  4. Enable 2FA for all user accounts
  5. Limit login attempts
  6. Enable user logging and monitoring
  7. Install a reputable security plugin
  8. Set up a Web Application Firewall (WAF)
  9. Install an SSL certificate
  10. Use a Content Delivery Network (CDN)
  11. Use SFTP instead of FTP
  12. Monitor and update your PHP version
  13. Regularly back up your site
  14. Keep backups on a separate server
  15. Leverage WPScan’s vulnerability database
  16. Regularly assess third-party plugins and themes
  17. Change the default WordPress database prefix
  18. Use custom /wp-admin and /wp-login.php URLs
  19. Restrict wp-admin access by IP address
  20. Use Multi-Factor Authentication (MFA) for critical users
  21. Secure your /wp-config.php file
  22. Disable file editing
  23. Disable directory browsing/listing
  24. Disable PHP error reporting
  25. Disable WordPress version disclosure
  26. Implement a Content Security Policy (CSP)
  27. Enable security headers
  28. Implement a code review & QA process (for developers)
  29. Conduct regular employee training

In the following sections, we’ll break down each item in our security checklist. 

Part 1: The basics

In terms of WordPress security, “the basics” are the core tasks you need to undertake to keep your website safe. Implementing these essential strategies will help protect your website against most forms of attacks.

1. Keep WordPress core, themes, and plugins up to date

Updating WordPress ensures that you’re running the latest version, which includes security patches and bug fixes. This is critical because hackers often target outdated versions with known vulnerabilities. 

To update WordPress, go to Dashboard Updates in the admin dashboard. This page will list all available updates for WordPress Core, as well as any plugins and themes you use.

updates available in the WordPress dashboard

For increased security, we recommend using a staging website to test all WordPress updates. Sometimes these updates can cause compatibility issues, so it’s safer to run them in a private environment before making your changes live. 

2. Apply strict username & password policies

Your organization might be using the most advanced WordPress security tools on the market. But your site is only as strong as its weakest link — and that tends to be passwords.

WordPress highly suggests that users create strong passwords and provides some nudges to encourage this. For additional safety, your organization could use a secure WordPress plugin to force users to renew passwords on a regular basis.

notification of a weak password in WordPress

If attackers gain access to a WordPress admin account, they can wreak a lot of havoc. To secure your website even further, you could ask employees to avoid usernames that are easy to guess (like combinations of their first and last names).

3. Implement role-based access and permissions control

By default, WordPress uses a basic role system that enables you to segment users based on the things they’re allowed to do on your site. Administrators are the only users with full access to all dashboard functionality.

dropdown of user roles in WordPress

By limiting the access and capabilities of users, you can reduce the risk of unauthorized changes to your website and minimize the potential damage from compromised accounts. In other words, no user should have a role that gives them access to more permissions than they need.

Regularly auditing users and permissions will help keep your website safe. If you need to edit a user role in WordPress, you can do so from the Users tab.

4. Enable two-factor authentication (2FA) for all user accounts

Two-factor authentication (2FA) is already the norm for a significant part of the web. Adding a second layer of verification to your WordPress login page makes it harder for attackers to gain access to your website, even if they manage to get their hands on working credentials.

If you haven’t implemented 2FA in WordPress, you can do so with Jetpack’s Secure Authentication functionality. This feature enables users to log into self-hosted WordPress sites with their accounts, and you can configure it to require 2FA.

Jetpack secure authentication settings

A lot of public-facing websites make 2FA optional to avoid inconveniencing users. For enterprise-level websites, we recommend enforcing the use of 2FA to help minimize WordPress security issues.

5. Limit login attempts

Brute force login attacks are incredibly common. Hackers and bots scan sites for weak credentials. They also look for sites where they won’t get blocked after multiple login attempts.

By limiting the number of times users can attempt to log in within a specific period, you can minimize the risk of successful brute force attacks. A regular user might forget their password once in a while, but they won’t make dozens or hundreds of login attempts per minute, which is precisely what bots do.

The easiest way to limit login attempts in WordPress is to use a plugin like Jetpack. The brute force attack protection feature is free for all Jetpack users and can automatically block malicious IPs before they even make it to your site. 

6. Enable user logging and monitoring

A key part of a secure network or website security is being able to spot any irregularities. User and security logs give security professionals access to all important events that occur on the website.

You can use website security logs to review information like login attempts, changes to core files, page updates, and more. If something looks a little suspicious, you can see when it happened and which user was involved.

list of activitoes that occur on a site

A comprehensive security policy will involve someone on your team periodically reviewing logs for any irregular events. Moreover, most WordPress website activity logs will enable you to configure notifications for specific events, so you don’t need to check the logs entry by entry every day.

7. Install a reputable security plugin

There are many WordPress security plugins that you can use. Most of them combine a lot of features to help protect your website, like 2FA, firewalls, and more.

Installing a reputable security plugin can help protect your website. What tool you use will largely depend on the security features you want to implement and your budget. 

Jetpack Security homepage

Jetpack Security, for example, offers full-site backups, brute force attack protection, an activity log, secure authentication, and spam protection, among other features.

8. Set up a Web Application Firewall (WAF)

A Web Application Firewall (WAF) is designed to scan all incoming traffic and block malicious requests like SQL injections or cross-site scripting attacks. Using a WAF helps protect your WordPress site from common threats and reduces the likelihood of successful attacks.

There are multiple ways to set up a firewall for WordPress. Some hosting services offer this feature at the server level. Another option is to use a security plugin that offers a WAF, like Jetpack Protect.

9. Install an SSL certificate

An SSL certificate enables your website to load over HTTPS. The HTTPS protocol encrypts data transmitted between your server and the visitors’ browsers.

This encryption helps protect sensitive information like login credentials and personal data from being intercepted by hackers. SSL certificates also improve your website’s credibility and can positively impact search engine rankings.

Obtaining an SSL certificate is remarkably easy. A lot of WordPress web hosts will automatically set them up for you when you create a website. Alternatively, you can look into enterprise SSL certificates for added security.

10. Use a Content Delivery Network (CDN)

A Content Delivery Network (CDN) is a network of servers that cache and distribute your website’s content to reduce loading time and server load. Some of the most popular CDNs for WordPress include Cloudflare and Jetpack Boost.

Image CDN toggle in Jetpack Boost

Additionally, CDNs can enhance your site’s security by offering features like DDoS protection, traffic filtering, and secure data transmission. This helps protect your website from various threats while improving its overall performance.

This isn’t an essential step for WordPress security, but is a nice extra step once you’ve covered the security basics.

11. Use SFTP instead of FTP

Secure File Transfer Protocol (SFTP) is an encrypted version of the File Transfer Protocol (FTP). Using SFTP when transferring files to and from your server adds an extra layer of security by encrypting the data in transit, preventing unauthorized access or data interception.

SFTP/SSH hosting details

Most modern web hosts will provide you with SFTP credentials when you set up a website. You can use these credentials with any SFTP/FTP client of your choosing. In practice, both protocols work the same, but one of them is more secure (similar to HTTP/HTTPS).

12. Monitor and update your PHP version

PHP is one of the programming languages that WordPress is built on. To run WordPress on a server, you need to install PHP, ideally, the most recent version.

You can check which version of PHP your site uses by navigating to Tools Health Info Server in the dashboard.

server details, including PHP version, in WordPress

Outdated PHP can make your website vulnerable (as with any other software). Therefore, keeping it up-to-date can help maintain your website’s security and ensure compatibility with the latest WordPress features. 

Most modern web hosts will enable you to switch between PHP versions or update them for you automatically.

13. Regularly back up your site (and database)

Performing regular backups will make it easy to recover your website in the event of an attack. Plus, you’ll reduce the risk of losing critical information.

VaultPress Backup details

Having a recent backup on hand enables you to restore your website without delay, minimizing downtime. Note that a full WordPress backup involves both the site files and the database.

Ideally, this process should be automated with a reliable plugin like Jetpack VaultPress Backup (which also creates backups in real-time and stores them on separate servers). This way, you don’t need to back up the site manually every day.

Enterprise WordPress sites should also look for backup solutions that save changes in real time. Incremental, real-time backups, like those created by VaultPress Backup, are efficient for storage, but save every single change or update as soon as it takes place. In other words, you’ll never lose an update, order, or forum submission.

14. Keep backups on a separate server

Regular backups are an essential step in keeping your website and its data secure. But storing backups in a single location can lead to a security failure if the platform or server malfunctions. Many secure hosting services include some form of site backups as part of their plans, but that doesn’t mean you’re completely covered. You need more than what your hosting provider alone can offer.

Enterprise WordPress sites, especially, should save backups on a separate server to ensure that even if your main server is compromised, your backups remain secure and accessible. This helps you restore your website to a safe state and reduces the risk of data loss in the event of a security breach.

15. Disable unused plugins

Poorly-coded plugins add security vulnerabilities to your website that attackers can exploit. Even the best plugins and themes can become vulnerable to attack — malicious actors may eventually find loopholes in the software. 

Regular updates can minimize that risk. But if there are any plugins on your site that you don’t use anymore, you should remove them right away.

This won’t affect your site’s functionality in any way, but it will help eliminate their potential as attack vectors. To keep your site safe, we recommend doing this periodically.

Part 2: Advanced items

Now that we’ve covered the basics of WordPress security, let’s move on to more advanced tasks. These security measures will help to further protect your website.

16. Leverage WPScan’s vulnerability database

WPScan maintains a comprehensive database of known WordPress vulnerabilities. Using a tool that leverages this database will enable you to monitor your WordPress website for the latest vulnerabilities and security flaws as they’re discovered.

WPScan homepage with a list of vulnerabilities

Knowing your site is vulnerable is half the equation when it comes to security. Once your team is aware of existing vulnerabilities, they can look into ways to patch or eliminate them.

Leverage WPScan today.

17. Regularly assess third-party themes and plugins

Third-party plugins and themes can introduce vulnerabilities to your WordPress site. To keep your website safe, we recommend conducting regular assessments of all third-party tools you’ve installed. 

For WordPress themes and plugins, this involves checking for updates and looking at recent reviews and/or developer notes for security issues. In most cases, you shouldn’t run into problems with plugins or themes if you obtain them from reputable sources like the repository.

18. Change the default WordPress database prefix

By default, WordPress uses ‘wp_’ as a database prefix. This makes it easy to identify the database, both for developers and attackers.

Changing the prefix is simple, and it defends against a potential attack. While there are plugins that enable you to do this, we recommend changing the database prefix manually by editing the WordPress wp-config.php file in the root directory.

Before making any changes to core files, remember to back up the website and database fully. After changing the database prefix in wp-config.php, you’ll also need to rename all existing tables within the database.

19. Use custom /wp-admin and /wp-login.php URLs

The same default WordPress login URL and admin URL is used for every installation. These are:


This base structure makes it easy to remember the URLs, but it also means they’re easy to find by attackers. Changing the default URLs for both pages will help prevent brute force attacks on your WordPress website.

If you are running an Apache server, you can change the default /wp-admin and /wp-login.php URLs manually by editing the .htaccess file in the WordPress root directory. 

WPS Hide Login page in the repository

Alternatively, you could use a plugin like WPS Hide Login.

20. Restrict wp-admin access by IP address

Changing the default wp-admin URL is a great step in terms of security. But if you want to protect your website even further, we recommend creating an allowlist of IP addresses that can access the dashboard.

The logic of this approach is that no one without an account should be accessing the dashboard anyway. Every employee should have a unique IP address (or get one with a VPN). 

If you’re running an Apache server, you can add these addresses to an allowlist in the .htaccess file. This will look like the following:

<IfModule mod_rewrite.c>

RewriteEngine on

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]

RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$



RewriteRule ^(.*)$ - [R=403,L]


If the address of the user isn’t in the allowlist, WordPress will return a 403 Access Denied error.

21. Use Multi-Factor Authentication (MFA) for critical users

Two-factor authentication is more than enough to keep most user accounts safe, but you may want to implement a more advanced measure on your login page. Multi-factor authentication requires users to submit one-time codes sent via at least two methods like email, SMS, and/or authentication apps.

multi-factor authentication setup

MFA is a critical security measure for accounts with high-level privileges like administrators. Adding more authentication factors diminishes the chances of attackers gaining access to these accounts, even if they manage to hijack the email.

Most WordPress security plugins don’t support MFA. If you want to enforce this security policy, we recommend using MiniOrange Two Factor Authentication. The premium version of this plugin enables you to configure multiple authentication factors for specific user roles.

22. Secure your wp-config.php file

The wp-config.php file contains sensitive information about your WordPress installation, including database connection details. Ideally, no one except the administrator should have access to it.

To do this, you’ll want to limit SFTP access to the administrator and other employees that absolutely require it for development purposes. Additionally, you’ll want to configure WordPress to prevent accessing wp-config.php if an attacker finds a way to execute the file.

The simplest fix here is to edit .htaccess to block access to wp-config.php from all IP addresses. Here’s the code you’ll need to use:

<files wp-config.php>

order allow,deny

deny from all


Note that this code doesn’t prevent you from accessing the file via FTP or through the control panel from your hosting provider. It only blocks access from browsers, which is a method that attackers would use in most cases.

23. Disable file editing

WordPress allows anyone with an admin account to edit theme and plugin files directly from the dashboard. This feature can be helpful if you need to make quick changes to the site’s code. But in most cases, you’re much better off using SFTP and a regular code editor to make any changes.

Disabling file editing from the dashboard prevents attackers from messing with your site’s code if they manage to get in. You can disable both the theme and plugin editors in the admin area by editing the wp-config.php file and adding this line of code:


Once you add the code, save the changes to the file and close it. Now, the administrator role won’t be able to access either editor from the dashboard.

24. Disable directory browsing/listing

If directory browsing is enabled on your website, anyone will be able to view the contents of folders that don’t have an index file. This can expose sensitive files and information to potential attackers.

Most secure WordPress hosting providers disable directory browsing by default. You can check if yours does this by trying to access a directory through the browser, using the following URL:

If directory browsing is disabled, you’ll see a 403 error. Otherwise, a full list of the directory files and folders will appear, enabling you to navigate it from the browser.

To disable directory browsing, open the .htaccess file and add the following line of code at the end:

Options -Indexes

Save the changes to .htaccess and try to open any directory on your website using a browser. The browser should now return an Access Forbidden error.

25. Disable PHP error reporting

Sometimes, when you load a website that uses PHP, you’ll see error messages related to the language in the browser. These messages can be useful for troubleshooting, but they can also reveal sensitive information about your site.

In WordPress, you might see these error messages appear on-screen if you enable error reporting or the debug mode. You can disable these error messages by accessing the wp-config.php file in the WordPress root directory and adding the following code to it:


ini_set('error_reporting', E_ALL );

define('WP_DEBUG', false);

define('WP_DEBUG_DISPLAY', false);

This will disable PHP error reporting, as well as the WordPress debug mode. While you’re at it, make sure there isn’t a duplicate line defining the status of WP_DEBUG, which can cause further errors on your website.

26. Disable WordPress version disclosure

Some WordPress themes disclose the version of the content management system (CMS) that you use to the public. This is problematic, as some versions of the CMS include well-known security vulnerabilities.

This isn’t necessarily a big deal if you update often, but there’s no reason why visitors should know what WordPress version you’re using. 

To disable this feature, connect to your website via SFTP and navigate to your active theme’s folder (wp-content/themes/). 

Once inside, locate the functions.php file and open it. Add the following line of code at the end of the file:

remove_action('wp_head', 'wp_generator');

Save the changes to functions.php and close the file. Keep in mind that if you change themes or update your theme without using a child theme, you’ll need to repeat this step to avoid WordPress version disclosure.

27. Enable security headers

Security headers are server responses that add an extra layer of protection for your website. They can help prevent attacks like clickjacking and code injection by controlling the way the site loads and displays in the browser.

There are several types of security headers you can use on your website. These include:

  • Content-Security-Policy (CSP). A CSP sets rules for where resources (like scripts, stylesheets, and images) can be loaded from, helping to prevent attacks like Cross-Site Scripting (XSS).
  • X-Frame-Options. This header can prevent your site from being used in clickjacking attacks by controlling whether your site can be loaded in a frame or iframe.
  • Strict-Transport-Security (HSTS). The HSTS header forces the browser to only use secure (HTTPS) connections, which helps prevent man-in-the-middle attacks.
  • X-Content-Type-Option. This header prevents “mime” based attacks by disabling the browser’s MIME-sniffing.

Here’s an example of what a security header might look like in a site’s HTML code. As the name implies, the headers go in the head section of the code:


    <title>Your Website Title</title>

    <meta http-equiv="Content-Security-Policy" content="default-src 'self';">

    <!-- Other meta tags, stylesheets, scripts etc. -->


Implementing security headers in WordPress requires you to edit the .htaccess file. Some security plugins automatically insert specific types of headers into your site, so you might want to check your head tags before adding more.

28. Implement a code review & QA process (for developers)

As with code reviews, a comprehensive quality assurance process is essential to any development project.

With an enterprise-grade WordPress website, any change you make to the code should have to go through multiple steps of reviews and approval before it goes live. Plus, the code should go through a staging site before being launched into production.

If there isn’t a set code review and QA process in your organization, it needs to be implemented right away. This process can slow down updates, but it makes sure that, when they do happen, your website doesn’t break.

29. Conduct regular employee training

Human error is one of the most common causes of security breaches. Regularly training employees on security best practices, how to recognize threats, and how to respond to potential incidents can significantly reduce the risk of a security breach.

For a secure WordPress site, you should train your workforce on the fundamentals of the CMS and why security measures like updates, 2FA, and code reviews are essential. If employees understand the logic behind each security measure, they’re more likely to adhere to it.

Frequently asked questions

Even after going through a comprehensive WordPress security checklist, you may still have some questions about keeping your site safe. Let’s answer some of them.

What is WPScan, and who can benefit from using its vulnerability database?

WPScan is an open-source WordPress vulnerability database and scanning tool. Anyone with a WordPress website can benefit from using it, as it can help reveal vulnerabilities on your website.

There are several ways to scan your website using the WPScan database. The easiest way is to use Jetpack Protect, which can help you set up daily scanning for your site and recommend solutions based on the results you get.

Represent an enterprise-level organization? Get a quote here.

How often should I revisit the WordPress security checklist?

We designed this checklist as a source that you can reference at any time. If you have internal security processes for WordPress, we recommend comparing them against the checklist to make sure that you’re not overlooking any key items.

Some items within the checklist are one-off tasks, whereas others require you to perform them periodically. Every task in the checklist provides instructions on how to carry it out, so we encourage you to bookmark and revisit it often.

How does WPScan collect its WordPress vulnerability data?

WPScan works with WordPress security experts to collect data from sources that include official WordPress releases, public security advisories, community submissions, and independent research. All of that data comes together in the most comprehensive WordPress vulnerability database available online.

WordPress vulnerability statistics

Are there any automated tools or services that can help with WordPress security?

If you want to automate part of your WordPress security checklist, you could use a plugin like Jetpack Security. With this tool, you can automate key tasks like malware scanning, full-site backups, and a web application firewall.

Protect your business website

Every website is open to vulnerabilities, including enterprise sites. WordPress is an incredibly powerful and flexible platform, but its popularity also makes it a target for attackers.

If you want to protect your business, you’ll need to make security a cornerstone of your operation. That means having comprehensive WordPress security processes in place. For instance, you’ll want to keep a close eye on your WordPress plugins and themes, enforce strong passwords, and create regular backups.

It’s also important to arm yourself with the right tools. WPScan will help you stay on top of WordPress vulnerabilities, so you can keep your site safe. 

Leave a Reply