WordPress powers over 40% of all websites, which makes it the biggest target for hackers. That's not because WordPress is insecure — it's because the sheer volume of WordPress sites makes it worthwhile for attackers to automate exploits. The good news? Most WordPress security breaches are entirely preventable with basic precautions that any business owner or web manager can implement.
Outdated plugins, weak passwords, no backups — these are the gaps that leave businesses exposed. A proper security routine takes minutes per month and can save thousands in recovery costs. This checklist covers everything you need.
🧠 Security Is Part of SEO
A hacked site doesn't just lose customer trust — it tanks your search rankings too. Google flags compromised sites with warnings that can take months to recover from. Run this security checklist alongside your SEO audit to protect both your security posture and your organic visibility.
Foundation Security: Do These First
SSL Certificate and HTTPS
Your entire site should run on HTTPS. An SSL certificate encrypts data between your visitors' browsers and your server, protecting login credentials, form submissions, and personal information. It's also a Google ranking factor. Most quality hosting providers include free SSL certificates (Let's Encrypt). Check that yours is active by looking for the padlock icon in your browser's address bar. Force HTTPS redirection so that even if someone types http://, they're automatically redirected to the secure version.
WordPress Core, Theme, and Plugin Updates
Outdated software is the number one cause of WordPress hacks. WordPress core, your theme, and every plugin must be kept updated. Each update typically includes security patches for newly discovered vulnerabilities. Enable automatic minor updates for WordPress core (these are security releases). For major updates and plugins, test on a staging site first if possible, then update promptly. Remove any plugins or themes you're not actively using — deactivated plugins can still be exploited if they contain vulnerabilities.
Strong Passwords and User Management
Every user account on your WordPress site needs a strong, unique password — minimum 12 characters with mixed case, numbers, and symbols. Never use "admin" as a username. Use a password manager (Bitwarden, 1Password, LastPass) so your team doesn't need to remember complex passwords. Audit your user accounts regularly: remove former employees and contractors, and ensure every account has only the minimum permission level needed. There's no reason a content editor needs administrator access.
Two-Factor Authentication (2FA)
Two-factor authentication adds a second layer of security beyond passwords. Even if a password is compromised, the attacker still needs the second factor (usually a time-based code from an app like Google Authenticator or Authy). Plugins like WP 2FA, Wordfence, or iThemes Security make 2FA setup straightforward. At minimum, enable it for all administrator and editor accounts. This single step blocks the vast majority of brute-force login attacks.
Reliable Backups
Backups are your insurance policy. If everything else fails, a clean backup means you can restore your site quickly. Use a dedicated backup plugin (UpdraftPlus, BlogVault, or BackupBuddy) configured for automated daily or weekly backups. Store backups in a separate location from your hosting — cloud storage (Google Drive, Dropbox, Amazon S3) is ideal. Test your backups periodically by restoring to a staging environment. A backup you've never tested isn't a backup — it's hope.
Intermediate Security: Hardening Your WordPress Site
Web Application Firewall (WAF)
A WAF filters malicious traffic before it reaches your WordPress installation. Cloudflare (free tier available), Sucuri, and Wordfence all offer firewall protection that blocks common attack patterns: SQL injection, cross-site scripting (XSS), brute-force login attempts, and known exploit signatures. A WAF is one of the most effective single security measures you can implement — it stops attacks before they touch your site.
Login Protection
Limit login attempts to prevent brute-force attacks — 3–5 failed attempts should trigger a temporary lockout. Change the default login URL from /wp-admin to something custom (plugins like WPS Hide Login handle this). Disable XML-RPC if you don't use it (it's a common attack vector). Consider IP whitelisting for admin access if your team works from fixed locations. CAPTCHA on the login form adds another layer against automated attacks.
⚠️ Extra Security for Ecommerce
If you're running a WooCommerce store, security is even more critical — you're handling payment data and personal customer information. Beyond this checklist, also review ecommerce-specific security settings. PCI compliance, payment gateway security, and customer data protection add layers beyond standard WordPress hardening.
File and Directory Permissions
Correct file permissions prevent unauthorised modification of your WordPress files. Standard permissions should be 644 for files and 755 for directories. The wp-config.php file should be set to 440 or 400 for maximum security. Disable file editing through the WordPress dashboard by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php — this prevents anyone who compromises an admin account from editing theme or plugin files directly.
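As an added example (not from the original article), here is a report-only shell audit of a WordPress tree against the baseline above: 644 for files, 755 for directories, 400 or 440 for wp-config.php, and DISALLOW_FILE_EDIT set. It assumes a POSIX shell with find and grep, and it only reports deviations rather than changing anything, so it is safe to run from cron or CI.

```shell
# Added example, not from the original article: report-only audit of a
# WordPress tree against the baseline above (644 files, 755 directories,
# wp-config.php 400/440, DISALLOW_FILE_EDIT set). Assumes POSIX sh + find.
# Exit status = number of deviations, so it can run from cron or CI.

# Count lines in a string, 0 for the empty string.
count_lines() {
  [ -z "$1" ] && { echo 0; return; }
  printf '%s\n' "$1" | wc -l
}

audit_wp_perms() {
  wp_root="$1"
  violations=0

  # Regular files must be exactly 644; wp-config.php is checked separately.
  bad=$(find "$wp_root" -type f ! -name wp-config.php ! -perm 644)
  [ -n "$bad" ] && printf 'FILE not 644:\n%s\n' "$bad"
  violations=$((violations + $(count_lines "$bad")))

  # Directories must be exactly 755 (the root itself included).
  bad=$(find "$wp_root" -type d ! -perm 755)
  [ -n "$bad" ] && printf 'DIR not 755:\n%s\n' "$bad"
  violations=$((violations + $(count_lines "$bad")))

  cfg="$wp_root/wp-config.php"
  if [ ! -f "$cfg" ]; then
    echo "MISSING $cfg"
    violations=$((violations + 1))
  else
    # 400 works only when PHP runs as the file owner; 440 also lets the
    # web-server group read it. Anything looser is a finding.
    if [ -z "$(find "$cfg" -perm 400 -o -perm 440)" ]; then
      echo "LOOSE   $cfg is not 400 or 440"
      violations=$((violations + 1))
    fi
    # Dashboard file editor off: a stolen admin login then cannot drop PHP
    # into a theme or plugin file through the editor.
    if ! grep -Eq "define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\)" "$cfg"; then
      echo "UNSET   DISALLOW_FILE_EDIT in $cfg"
      violations=$((violations + 1))
    fi
  fi
  echo "$violations deviation(s) from baseline"
  return "$violations"   # the shell caps an exit status at 255
}

# Stand-alone use: sh audit.sh /var/www/html
if [ -n "${1:-}" ]; then audit_wp_perms "$1"; fi
```

Run it against the document root after any deployment; a non-zero exit means something drifted from the baseline and the printed paths tell you where.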
Database Security
Change the default WordPress database table prefix from 'wp_' to something unique during installation (or retroactively with a security plugin). This makes automated SQL injection attacks less effective. Ensure your database user has only the permissions WordPress actually needs (SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER) and no broader database access. Regular database backups should be part of your backup routine.
Security Headers
HTTP security headers tell browsers how to handle your content securely. Key headers include Content-Security-Policy (prevents XSS attacks), X-Frame-Options (prevents clickjacking), X-Content-Type-Options (prevents MIME type sniffing), Strict-Transport-Security (forces HTTPS), and Referrer-Policy (controls information sent in referrer headers). These can be set in your .htaccess file or through security plugins. Check your headers at securityheaders.com.
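An added example, not part of the original article: a small shell check that reads the response headers from `curl -sI` (or a saved copy) and reports which of the five headers above are missing, plus a Strict-Transport-Security max-age shorter than one year. The hostname in the comment is a placeholder, and the sample headers at the bottom are constructed.

```shell
# Added example, not from the original article: check captured response
# headers for the five headers named above. Pipe in the output of
# `curl -sI https://your-site.example` (placeholder hostname) or a saved
# header file. Exit status = number of findings. Assumes POSIX sh.

REQUIRED_HEADERS="content-security-policy x-frame-options x-content-type-options strict-transport-security referrer-policy"

# Reads raw headers on stdin; prints one line per header checked.
check_security_headers() {
  # Strip CRs and lower-case everything: header names are case-insensitive.
  hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
  findings=0
  for h in $REQUIRED_HEADERS; do
    if printf '%s\n' "$hdrs" | grep -q "^$h:"; then
      echo "OK       $h"
    else
      echo "MISSING  $h"
      findings=$((findings + 1))
    fi
  done
  # HSTS only protects returning visitors for as long as max-age says;
  # anything under one year (31536000 s) is flagged as weak.
  max_age=$(printf '%s\n' "$hdrs" |
    sed -n 's/^strict-transport-security:.*max-age=\([0-9][0-9]*\).*/\1/p')
  if [ -n "$max_age" ] && [ "$max_age" -lt 31536000 ]; then
    echo "WEAK     strict-transport-security max-age=$max_age (< 1 year)"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Constructed sample of a site that sets only two of the five headers,
# one of them with a short max-age.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: SAMEORIGIN
Strict-Transport-Security: max-age=300'

if printf '%s\n' "$SAMPLE_HEADERS" | check_security_headers; then
  echo "all headers present"
else
  echo "findings: $?"
fi
```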
Advanced Security: For High-Value Sites
Malware Scanning
Regular malware scans detect infections early, before they cause visible damage or get your site blacklisted by Google. Wordfence, Sucuri, and MalCare all offer automated scanning that checks WordPress core files, themes, and plugins against known-good versions and scans for malicious code patterns. Set scans to run daily and review reports promptly. If you find malware, address it immediately — see our guide on what to do if your website is hacked.
Activity Logging
Activity logging records every significant action on your site: logins, content changes, plugin installations, settings modifications, and failed login attempts. Plugins like WP Activity Log create a detailed audit trail that helps you spot suspicious activity and investigate incidents. This is particularly important for sites with multiple users — you need to know who changed what and when.
Hosting Security
Your hosting environment is your first line of defence. Quality managed WordPress hosts provide server-level firewalls, automatic WordPress updates, malware scanning, DDoS protection, and isolated environments that prevent cross-site contamination. Cheap shared hosting often lacks these protections. The investment in quality hosting is one of the most cost-effective security decisions you can make.
🏃 Security + Accessibility = Complete Protection
A secure site that's not accessible still fails a significant portion of your users. And malware can introduce accessibility-breaking scripts without you knowing. Pair this security checklist with a website accessibility checklist for a comprehensive site health review. Both checklists feed into your overall SEO audit as well.
Your Complete WordPress Security Checklist
- SSL certificate installed and HTTPS forced across entire site
- WordPress core updated to latest version
- All themes and plugins updated to latest versions
- Unused themes and plugins deleted (not just deactivated)
- Strong, unique passwords for all user accounts (12+ characters)
- "admin" username changed to something unique
- Two-factor authentication enabled for all admin/editor accounts
- User accounts audited — former staff removed, permissions minimised
- Automated backups configured (daily or weekly) to off-site storage
- Backup restore tested within the last 3 months
- Web application firewall active (Cloudflare, Sucuri, or Wordfence)
- Login attempts limited (3–5 before lockout)
- Default login URL changed from /wp-admin
- XML-RPC disabled (unless actively used)
- File permissions set correctly (644 files, 755 directories)
- File editing disabled via wp-config.php
- Database table prefix changed from default 'wp_'
- Security headers configured (CSP, X-Frame-Options, HSTS)
- Automated malware scanning scheduled (daily)
- Activity logging plugin installed and monitored
- PHP version current (8.1+ recommended)
- wp-config.php protected with restricted file permissions
- Directory listing disabled
- Debug mode disabled on production site
- GDPR-compliant cookie consent and privacy policy in place
Frequently Asked Questions
Is WordPress actually secure?
Yes, WordPress core is well-maintained and regularly patched. Most security issues come from outdated plugins, weak passwords, and poor hosting — not from WordPress itself. Following this checklist addresses the vast majority of vulnerabilities.
How often should I update WordPress?
Security updates should be applied as soon as possible — within 24–48 hours of release. Feature updates can be tested on staging first, but don't delay beyond a week. Plugins and themes should be updated at least weekly. Enable automatic minor updates for WordPress core.
What's the best WordPress security plugin?
Wordfence is the most popular and offers excellent free-tier protection including firewall, malware scanning, and login security. Sucuri is excellent for its WAF capabilities. iThemes Security Pro is solid for hardening. You don't need multiple security plugins — one comprehensive plugin is sufficient.
How do I know if my WordPress site has been hacked?
Common signs include unexpected redirects, new admin users you didn't create, modified files, spam content appearing on your pages, Google Search Console security warnings, and sudden drops in search rankings. Regular malware scanning catches most infections before visible symptoms appear. See our complete guide on what to do if your site is hacked.
Do I need a security plugin if my host provides security?
Good managed WordPress hosting provides server-level security, but a WordPress-specific security plugin adds application-level protection that hosting can't provide — login security, file integrity monitoring, and malware scanning within WordPress itself. Use both for comprehensive protection.
How much does WordPress security cost?
Basic security is free: strong passwords, updates, free Wordfence, and Cloudflare's free tier. Premium security plugins cost €80–€200/year. Quality managed hosting adds €150–€500/year. Professional security audits start from €300–€500. Ongoing website maintenance plans that include security monitoring typically cost €100–€300/month.
How does security affect my search rankings?
Directly and significantly. Google uses HTTPS as a ranking signal, flags compromised sites with warnings that destroy click-through rates, and may deindex pages serving malware. A security breach can undo months of SEO work overnight. Security is not separate from your SEO strategy — it's a foundation of it.
Need Help Securing Your WordPress Site?
We offer WordPress security audits, hardening, and ongoing maintenance plans to keep your site protected. Check WordPress.org security documentation for official guidance.
Related Resources
- SEO Audit Checklist — Security feeds into SEO health
- Ecommerce-specific security — Security beyond standard WordPress hardening
- Website Accessibility Checklist — Comprehensive site health
- Content Audit Checklist — Review and protect your content
- Local SEO Checklist — Secure your local presence
- Google Business Profile — Protect your online listings
- AI Readiness Checklist — Security considerations for AI tools
Written by
Founder of Web Design Ireland. Helping Irish businesses make smart website investments with honest, practical advice.