WordPress Security Checklist for Website Owners

Using This Security Checklist

This checklist covers essential security measures every WordPress website owner should implement. Work through each section systematically, checking off items as you complete them. Regular reviews ensure your security remains current.

WordPress Core Security

Version and Updates

• Running latest WordPress version
• Automatic minor updates enabled
• Regular major update schedule
• Update notifications monitored

Core File Integrity

• Core files verified against checksums
• No modified core files
• File integrity monitoring active

Admin and User Security

Admin Accounts

• No accounts using "admin" username
• Strong passwords for all admins
• Two-factor authentication enabled
• Minimal number of admin accounts
• Regular account review and cleanup

User Permissions

• Proper roles assigned (least privilege)
• No unnecessary admin access
• Inactive accounts disabled
• Password policies enforced

Login Security

Login Protection

• Brute force protection enabled
• Login attempt limiting configured
• Account lockout after failed attempts
• CAPTCHA on login form

Login Configuration

• Custom login URL considered
• XML-RPC disabled or protected
• wp-admin properly secured

Plugin and Theme Security

Plugin Management

• All plugins updated to latest versions
• Unused plugins deleted (not just deactivated)
• No nulled or pirated plugins
• Plugins from reputable sources only
• Regular vulnerability checks

Theme Management

• Active theme updated
• Unused themes deleted
• Theme from official source
• No nulled themes

File and Directory Security

File Permissions

• Directories set to 755
• Files set to 644
• wp-config.php set to 400 or 440
• No 777 permissions anywhere

Sensitive Files

• wp-config.php protected from web access
• .htaccess properly configured
• readme.html removed or blocked
• license.txt removed or blocked

Uploads Directory

• PHP execution disabled in uploads
• Directory browsing disabled
• Regular scans for suspicious files

Database Security

Database Configuration

• Non-default table prefix
• Strong database password
• Dedicated database user
• Limited database privileges

Database Maintenance

• Regular backups scheduled
• Backups tested for restoration
• Old revisions cleaned up
• Spam comments deleted

SSL/HTTPS

Certificate Configuration

• Valid SSL certificate installed
• Auto-renewal configured
• All pages served over HTTPS
• HTTP redirects to HTTPS

SSL Settings

• FORCE_SSL_ADMIN enabled
• No mixed content warnings
• HSTS header configured

Firewall and Monitoring

Web Application Firewall

• WAF active and configured
• Common attack patterns blocked
• IP blacklisting enabled
• Rate limiting configured

Security Monitoring

• File change detection enabled
• Login monitoring active
• Security alerts configured
• Regular security log review

Backup and Recovery

Backup Configuration

• Automated backups scheduled
• Full site and database backed up
• Backups stored off-server
• Multiple backup locations

Recovery Preparation

• Restoration process documented
• Regular restoration tests
• Recovery time acceptable

Hosting Security

Hosting Configuration

• Current PHP version
• Server software updated
• SFTP used instead of FTP
• Hosting panel password strong

Server Settings

• Error display disabled
• Debug mode off in production
• Directory listing disabled

Additional Hardening

WordPress Configuration

• File editing disabled
• Security keys/salts unique and strong
• WP_DEBUG false in production

Security Headers

• X-Frame-Options set
• X-Content-Type-Options set
• X-XSS-Protection set
• Content-Security-Policy considered

Conclusion

Regular security reviews using this checklist help maintain strong WordPress security. Schedule quarterly reviews and check items after any significant changes. Security is an ongoing process, not a one-time setup.