WordPress Enterprise

WordPress Security Hardening: A 2026 Checklist

Practical steps to protect your WordPress site from today's threats

September 20, 2025 12 min read

Key Takeaways

  • Keep everything updated—WordPress core, themes, and plugins within 48 hours of security releases
  • Use strong, unique passwords and enforce two-factor authentication for all admin users
  • Choose quality hosting with server-level security, not bargain shared hosting
  • Limit login attempts, change default usernames, and hide the admin login URL
  • Implement automated backups stored off-site—tested regularly for restoration
Overview

Why WordPress Security Matters

WordPress powers 43% of all websites. That ubiquity makes it the most targeted CMS on the planet. Every day, automated bots scan millions of WordPress sites looking for vulnerabilities to exploit.

The good news: WordPress core is secure and actively maintained. The bad news: most WordPress sites aren't. They run outdated software, use weak passwords, and rely on vulnerable plugins. These sites get hacked—frequently.

We didn't think we were important enough to hack. Then our site started sending spam to our entire customer list. The reputation damage took months to repair.

Owner, E-commerce Business

Attackers don't discriminate by site size. They use automated tools that exploit any vulnerable site they find. Your site doesn't need to be valuable—it just needs to be vulnerable.

This checklist covers the security measures that actually matter, organized from essential basics to advanced hardening. Start at the top and work your way down.

Foundation

Level 1: Essential Security Basics

These measures are non-negotiable. If you're not doing these, stop reading and do them now.

☐ Keep Everything Updated

80% of hacked WordPress sites were running outdated software. Updates fix known vulnerabilities that attackers actively exploit.

  • WordPress core: Enable automatic updates for minor versions; update major versions within a week
  • Themes: Update immediately when available; delete unused themes
  • Plugins: Update immediately; delete unused plugins entirely (deactivated isn't enough)
  • PHP version: Run a supported PHP version (8.1+ in 2026)

The 48-Hour Window

When a vulnerability is publicly disclosed, attackers begin mass-scanning within hours. Critical security updates should be applied within 48 hours—not "when you get around to it."

☐ Use Strong Passwords

Weak passwords are the easiest attack vector. Enforce password policies:

  • Minimum 16 characters with mixed case, numbers, and symbols
  • Unique passwords for every account (use a password manager)
  • Never reuse passwords across sites
  • Change passwords when team members leave

☐ Enable Two-Factor Authentication (2FA)

2FA blocks 99.9% of automated account compromises. Require it for all admin and editor accounts.

  • Use authenticator apps (Google Authenticator, Authy) over SMS
  • Provide backup codes for account recovery
  • Consider hardware keys (YubiKey) for high-security sites

☐ Implement Reliable Backups

Backups are your last line of defense. When everything else fails, backups let you recover.

  • Automate daily backups (database and files)
  • Store backups off-site (not on the same server)
  • Retain multiple backup versions (30 days minimum)
  • Test restoration quarterly—untested backups aren't backups

☐ Use HTTPS Everywhere

SSL/TLS is mandatory, not optional. It encrypts data in transit and is required for modern browser features.

  • Install a valid SSL certificate (Let's Encrypt is free)
  • Force HTTPS redirects for all traffic
  • Update internal links to use HTTPS
  • Set up automatic certificate renewal

Hardening

Level 2: Access Control

Limit who and what can access your WordPress installation.

☐ Secure the Login Page

  • Change the login URL: Move /wp-admin and /wp-login.php to a custom URL
  • Limit login attempts: Block IPs after 3-5 failed attempts
  • Add CAPTCHA: Stops automated login bots
  • Disable login hints: Don't reveal whether username or password was wrong
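As an added example (not code from the article), a must-use plugin that implements two of the items above, generic login errors and a per-address lockout after repeated failures, using WordPress's own login_errors, wp_login_failed, authenticate and wp_login hooks with a transient as the counter; the attempt limit, lockout length and the lh_ names are my choices:

```php
<?php
/**
 * Plugin Name: Login Hardening (added example, not part of the article)
 * Save as wp-content/mu-plugins/login-hardening.php; must-use plugins load automatically.
 */

// Disable login hints: the same message whether the username or the password was wrong.
add_filter( 'login_errors', function ( $message ) {
    return 'Login failed. Check your credentials and try again.';
} );

// Lock a client out after this many failures, for this long (15 minutes). The attempt
// counter expires with the lockout; attempts made during a lockout extend it.
const LH_MAX_ATTEMPTS = 5;
const LH_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

// Counter key per client address. Behind a proxy or WAF (e.g. Cloudflare) REMOTE_ADDR is
// the proxy, so have the host/WAF restore the real client IP; never trust an unverified header.
function lh_client_key(): string {
    return 'lh_fails_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// Count each failed login and write it to the PHP error log for Level 4 log review.
add_action( 'wp_login_failed', function ( $username ) {
    $fails = (int) get_transient( lh_client_key() ) + 1;
    set_transient( lh_client_key(), $fails, LH_LOCKOUT_SECS );
    error_log( sprintf( 'wp-login failed: user=%s ip=%s attempt=%d',
        $username, $_SERVER['REMOTE_ADDR'] ?? '-', $fails ) );
} );

// Refuse authentication while locked out. Priority 30 runs after WordPress's own
// username/password check (priority 20); an error returned earlier would be overridden
// by that check whenever the password is correct.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lh_client_key() ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error( 'lh_locked_out', 'Too many failed attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// Clear the counter once the client logs in successfully.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lh_client_key() );
}, 10, 2 );
```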

☐ Manage User Accounts Properly

  • Never use "admin" as a username
  • Give users the minimum role they need (principle of least privilege)
  • Audit user accounts quarterly; remove inactive accounts
  • Use email addresses, not generic usernames

☐ Protect wp-config.php

This file contains your database credentials and security keys. Protect it:

  • Move wp-config.php above the web root (if hosting allows)
  • Set file permissions to 400 or 440
  • Block access via .htaccess or nginx config
  • Use unique authentication keys and salts

☐ Disable File Editing

WordPress allows editing theme and plugin files from the admin panel. Disable this—if an attacker gains admin access, they shouldn't be able to modify code.

Add to wp-config.php:

define( 'DISALLOW_FILE_EDIT', true ); // removes the Theme and Plugin File Editor from the dashboard

Infrastructure

Level 3: Server-Level Security

Some security measures require server access or quality hosting.

☐ Choose Secure Hosting

Your host is your first line of defense. Quality WordPress hosting includes:

  • Server-level firewalls and malware scanning
  • Automatic WordPress updates
  • Regular server software updates
  • DDoS protection
  • Isolated environments (not shared with hundreds of other sites)
  • 24/7 security monitoring

You Get What You Pay For

$5/month hosting can't provide enterprise security. Quality managed WordPress hosting (WP Engine, Kinsta, Flywheel) costs $25-100/month but includes security features that would cost more to implement yourself.

☐ Configure Security Headers

HTTP security headers protect against common attacks. Add these to your server configuration:

  • Content-Security-Policy: Mitigates XSS by restricting which sources may load scripts and other resources
  • X-Frame-Options: Prevents clickjacking
  • X-Content-Type-Options: Prevents MIME sniffing
  • Strict-Transport-Security: Enforces HTTPS
  • Referrer-Policy: Controls referrer information
  • Permissions-Policy: Controls browser features
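The article recommends setting these at the server level. As an added example for hosts where the server configuration is not editable, this must-use plugin (not from the article) sends the same six headers from WordPress, with HSTS gated on HTTPS and CSP started in Report-Only mode; the policy values are assumptions to adjust per site:

```php
<?php
/**
 * Plugin Name: Security Headers (added example, not part of the article)
 * Save as wp-content/mu-plugins/security-headers.php. Server-level configuration is
 * preferred; use this where you cannot edit the nginx/Apache config.
 */
add_action( 'init', function () {
    // 'init' runs for front-end, admin and wp-login.php requests; the more usual
    // 'send_headers' hook fires only for front-end page loads, leaving wp-admin uncovered.
    if ( headers_sent() ) {
        return; // Output already started; headers can no longer be added.
    }

    // Clickjacking: allow framing only by this origin (the customizer preview needs it).
    header( 'X-Frame-Options: SAMEORIGIN' );
    // MIME sniffing: make the browser honour the declared Content-Type.
    header( 'X-Content-Type-Options: nosniff' );
    // Referrer: full URL same-origin, origin only cross-origin, nothing on HTTPS -> HTTP.
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    // Browser features the site has no use for.
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=(), payment=()' );

    // HSTS is only meaningful over HTTPS and must never be sent on an HTTP response.
    // Add includeSubDomains only once every subdomain is on HTTPS; one year is the
    // usual max-age.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }

    // CSP: wp-admin and many themes/plugins depend on inline scripts and styles, so an
    // enforced strict policy breaks the site. Ship it as Report-Only first, watch the
    // violations in the browser console, tighten the policy, then rename the header
    // to Content-Security-Policy to enforce it.
    header( "Content-Security-Policy-Report-Only: default-src 'self'; "
        . "script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; "
        . "img-src 'self' data:; frame-ancestors 'self'" );
} );
```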

☐ Protect Sensitive Directories

Block direct access to directories that shouldn't be publicly accessible:

  • /wp-includes/ (block direct execution of PHP files; its CSS and JS assets must remain reachable)
  • /wp-content/uploads/ (block PHP execution)
  • .htaccess, .git, and other dotfiles
  • readme.html and license.txt (reveal version info)

☐ Implement a Web Application Firewall (WAF)

A WAF filters malicious traffic before it reaches WordPress:

  • Cloudflare (free tier available)
  • Sucuri Firewall
  • Host-provided WAF (many managed hosts include this)

Operations

Level 4: Monitoring and Response

Security isn't set-and-forget. Active monitoring catches issues before they become disasters.

☐ Implement Security Monitoring

  • File integrity monitoring (alerts on unexpected file changes)
  • Login attempt monitoring
  • Uptime monitoring
  • Malware scanning (daily automated scans)

☐ Review Logs Regularly

  • Check security plugin logs weekly
  • Review access logs for suspicious patterns
  • Monitor for new admin users or role changes
  • Watch for unusual traffic spikes
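As an added example of the access-log review above (not from the article), a small PHP command-line script that parses constructed combined-format log lines, counts failed wp-login.php POSTs per address and flags any request for a PHP file under uploads; the threshold and the sample addresses are made up:

```php
<?php
// Constructed sample access-log lines (nginx/Apache "combined" format), not real traffic.
$log = <<<'LOG'
203.0.113.7 - - [21/Sep/2025:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [21/Sep/2025:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [21/Sep/2025:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "python-requests/2.31"
203.0.113.7 - - [21/Sep/2025:02:14:09 +0000] "GET /wp-content/uploads/2025/09/image.php HTTP/1.1" 403 153 "-" "python-requests/2.31"
198.51.100.5 - - [21/Sep/2025:08:30:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
LOG;

// Split one combined-format line into the fields the review needs; null if it does not parse.
function parse_line( string $line ): ?array {
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "[^"]*"$/';
    if ( ! preg_match( $re, $line, $m ) ) {
        return null;
    }
    return [ 'ip' => $m[1], 'method' => $m[2], 'path' => $m[3], 'status' => (int) $m[4] ];
}

// Return human-readable findings for two checks from the checklist.
function review( string $log, int $threshold = 5 ): array {
    $fails = []; $findings = [];
    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        $r = parse_line( $line );
        if ( $r === null ) { continue; }
        // A POST to wp-login.php answered with 200 is a failed login: WordPress redirects
        // (302) on success and re-renders the form (200) on failure.
        if ( $r['method'] === 'POST' && str_starts_with( $r['path'], '/wp-login.php' ) && $r['status'] === 200 ) {
            $fails[ $r['ip'] ] = ( $fails[ $r['ip'] ] ?? 0 ) + 1;
        }
        // Requests for .php files under uploads should never succeed (Level 3). A 403 means
        // the block works; a 200 means PHP execution in uploads is not blocked.
        if ( preg_match( '#^/wp-content/uploads/.*\.php#i', $r['path'] ) ) {
            $findings[] = sprintf( 'PHP file requested in uploads: %s %s -> %d from %s',
                $r['method'], $r['path'], $r['status'], $r['ip'] );
        }
    }
    foreach ( $fails as $ip => $n ) {
        if ( $n >= $threshold ) {
            $findings[] = sprintf( 'Possible brute force: %d failed logins from %s', $n, $ip );
        }
    }
    return $findings;
}

foreach ( review( $log, 3 ) as $finding ) {
    echo $finding, PHP_EOL;
}
```

Point the script at a real log file (file_get_contents) and raise the threshold to what is normal for the site; on a proxied host the address column must be the restored client IP, not the proxy's.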

☐ Have an Incident Response Plan

Know what to do if you're hacked:

  1. Identify and contain the breach
  2. Preserve evidence (don't immediately delete everything)
  3. Restore from clean backup
  4. Identify and fix the vulnerability
  5. Change all passwords and keys
  6. Notify affected parties if required
  7. Document lessons learned

Vetting

Plugin Security

Plugins are the most common source of WordPress vulnerabilities. Choose wisely.

Before Installing a Plugin, Check:

  • Last updated: Avoid plugins not updated in 6+ months
  • Active installations: More users means more scrutiny
  • Reviews and ratings: Read recent reviews for security mentions
  • Support responsiveness: Do developers address security reports?
  • Compatibility: Tested with current WordPress and PHP versions
  • Developer reputation: Known developers or companies

Plugin Security Best Practices:

  • Use the minimum number of plugins necessary
  • Remove (don't just deactivate) unused plugins
  • Prefer plugins from the official repository or trusted commercial vendors
  • Never use nulled (pirated) premium plugins—they often contain malware
  • Subscribe to vulnerability databases (WPScan, Wordfence) for alerts

Nulled Plugins = Malware

Pirated "nulled" premium plugins and themes are the easiest way to infect your site. They cost nothing because they're designed to compromise your site. Never use them.

Summary

The Security Checklist

Here's the complete checklist in one place. Print it, share it, use it.

Essential (Do Now)

  • ☐ WordPress core updated to latest version
  • ☐ All themes updated; unused themes deleted
  • ☐ All plugins updated; unused plugins deleted
  • ☐ PHP version 8.1 or higher
  • ☐ Strong passwords for all accounts
  • ☐ Two-factor authentication enabled
  • ☐ Automated daily backups configured
  • ☐ Backup restoration tested
  • ☐ HTTPS enforced site-wide

Important (Do Soon)

  • ☐ Login URL changed from default
  • ☐ Login attempts limited
  • ☐ "admin" username eliminated
  • ☐ User roles audited (least privilege)
  • ☐ File editing disabled
  • ☐ wp-config.php protected
  • ☐ Security plugin configured

Advanced (Do When Possible)

  • ☐ Security headers configured
  • ☐ Sensitive directories protected
  • ☐ WAF implemented
  • ☐ File integrity monitoring enabled
  • ☐ Incident response plan documented

Frequently Asked Questions

Is WordPress secure enough for business websites?

Yes, when properly configured and maintained. WordPress core is regularly audited and patched. Most vulnerabilities come from outdated software, weak passwords, poorly coded plugins, and misconfigured hosting—all preventable with proper practices.

What are the most common WordPress security threats in 2026?

Brute force login attacks, vulnerable plugins, outdated software, and compromised admin credentials remain the top threats. Increasingly, attackers target supply chain vulnerabilities in plugin dependencies and exploit AI to craft more convincing phishing attacks.

How often should WordPress security updates be applied?

Critical security updates should be applied within 24-48 hours. Enable automatic updates for minor releases. Test major updates on staging first, but don't delay more than a week. The window between vulnerability disclosure and mass exploitation is shrinking.

Do I need a WordPress security plugin?

A security plugin can help, but it's not magic. Choose one reputable plugin (Wordfence, Sucuri, or iThemes Security) and configure it properly. Multiple security plugins create conflicts. Most importantly, don't rely solely on plugins—follow security best practices.

William Alexander

Senior Web Developer

25+ years of web development experience spanning higher education and small business. Currently Senior Web Developer at Wake Forest University.
