WordPress security is not complicated, but it does require deliberate attention. Most compromised sites were not targeted specifically. They were found by automated scanners looking for known vulnerabilities in outdated software. Running through a hardening checklist removes most of that exposure.
This checklist covers the areas that matter most: login protection, user access, plugins, file and server configuration, backups and monitoring.
Login protection is the first line of defence
The WordPress login page is the most commonly attacked surface. Brute-force scripts run continuously across the internet, attempting common username and password combinations on any WordPress site they find.
Limit login attempts. After a set number of failed attempts, the IP address is blocked temporarily. Most security plugins include this.
Do not use "admin" as a username. It is the first combination any automated script tries.
Use strong passwords for all accounts, not just the administrator account.
Consider two-factor authentication for admin-level accounts. Several plugins handle this without complex configuration.
Disable XML-RPC if you are not using it. It is a remote access interface that has historically been exploited for brute-force attacks. If you do not use it, there is no reason to leave it enabled.
User access should be tighter than you think
Unused admin accounts are a risk. Anyone who has ever had access to your WordPress dashboard and no longer needs it should have their account removed, not just left inactive.
Remove inactive admin accounts. Former developers, old agency contacts and test accounts all fall into this category.
Assign the lowest role that allows the person to do their job. An editor does not need administrator access. A contributor does not need editor access.
Review user accounts at least once a year. This takes ten minutes and removes accounts that have accumulated over time without anyone noticing.
Plugin security is where most attacks succeed
Most successful WordPress hacks exploit vulnerabilities in plugins rather than WordPress core. WordPress core is updated quickly when vulnerabilities are found. Plugins vary considerably in how actively they are maintained.
Keep all plugins updated. An outdated plugin with a known vulnerability is an open door.
Remove plugins that are not actively maintained. A plugin that has not been updated in two or more years is unlikely to receive security patches if a vulnerability is found.
Delete inactive plugins entirely. A deactivated plugin still sits on your server. It is better to remove it.
Check the source of any new plugin before installing it. Plugins from the official WordPress repository are subject to review. Plugins from random sites are not.
File and server configuration affects your attack surface
Some file and server settings are set once and rarely revisited, but they have a meaningful impact on security.
File permissions should be 644 for files and 755 for directories. Permissions set more permissively than this allow files to be executed or modified when they should not be.
wp-config.php should not be publicly accessible. Move it one level above the web root if your hosting setup allows it.
Disable directory listing. If a directory has no index file, a web server with directory listing enabled will show the contents of that directory to anyone who requests it. This should be off by default, but it is worth checking.
Keep PHP up to date. Running PHP 7.4 in 2025 means running a version that no longer receives security patches. PHP 8.2 or higher is the current recommendation.
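The permission and wp-config.php points above as a shell audit. This is an added example, not code from the original page; it assumes POSIX find on a GNU/BSD host, takes the site root as its first argument, and only changes permissions when wp_perm_fix is run explicitly.

```sh
#!/bin/sh
# Added example: audit a WordPress tree against the 644 (files) / 755 (directories)
# baseline and warn if wp-config.php still sits inside the web root.
# Assumes POSIX find; the site root is passed as $1.

wp_perm_audit() {
    site=$1
    bad=$(find "$site" -type f ! -perm 644 -print; find "$site" -type d ! -perm 755 -print)
    # One level above the web root is the recommended location; inside it is a warning,
    # not a hard failure, because not every host allows the move.
    if [ -f "$site/wp-config.php" ]; then
        echo "WARN: wp-config.php is inside the web root; move it one level up if hosting allows"
    fi
    if [ -n "$bad" ]; then
        printf 'Non-baseline permissions:\n%s\n' "$bad"
        return 1
    fi
    return 0
}

# Apply the baseline. -exec ... + batches paths so large trees do not spawn
# one chmod per file.
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}
```

Run wp_perm_audit from cron and alert on a non-zero exit; run wp_perm_fix only after reviewing what the audit listed.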
Backups are your recovery plan, not a security measure
Backups do not prevent an incident. They determine how quickly you can recover from one. A site without working backups that gets compromised faces a much more difficult situation than a site with current backups stored offsite.
Set up automated daily backups. UpdraftPlus is a reliable and widely used option for this.
Store backups offsite. A backup stored on the same server as the site is not a real backup. Use Google Drive, Amazon S3, Dropbox or a similar remote destination.
Test your backups periodically. A backup that cannot be restored is not useful. Restoring to a staging environment at least once a year confirms the backup is working.
Monitoring tells you when something changes
A security plugin that monitors file integrity will alert you when files on your server change unexpectedly. This is useful because malware often modifies core files. Detecting the change quickly limits the damage.
Wordfence and iThemes Security are two commonly used options. Both offer file integrity scanning alongside other security features. Either is a reasonable choice for most sites.
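What file integrity monitoring does under the hood, as an added example that is not the page's own code nor code from the plugins it names: a baseline of file hashes, then a check that reports anything added, modified or removed. It assumes GNU coreutils sha256sum and POSIX awk, and that the baseline file is stored outside the web root.

```sh
#!/bin/sh
# Added example: minimal file-integrity baseline and check for a WordPress tree.
# Assumes GNU coreutils sha256sum and POSIX awk. Keep the baseline outside the
# web root so a compromised site cannot quietly rewrite it.

# Hash every file under $1, sorted by path so the baseline is stable.
_wp_hash_tree() {
    (cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2)
}

wp_integrity_baseline() {
    _wp_hash_tree "$1" > "$2"     # $1 = site root, $2 = baseline path
}

# Compare the tree against the baseline. Prints ADDED / MODIFIED / REMOVED lines
# and returns 1 when anything differs, so a cron job can turn it into an alert.
wp_integrity_check() {
    site=$1; baseline=$2
    current=$(mktemp)
    _wp_hash_tree "$site" > "$current"
    # sha256sum prints "<64 hex>  <path>", so the path starts at column 67; taking
    # it with substr keeps file names that contain spaces intact.
    report=$(awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        { p = substr($0, 67)
          if (!(p in base))        print "ADDED " p
          else if (base[p] != $1)  print "MODIFIED " p
          delete base[p] }
        END { for (p in base) print "REMOVED " p }' "$baseline" "$current")
    rm -f "$current"
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}
```

Re-run wp_integrity_baseline after every legitimate update so the next check does not report the update itself as tampering.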
Hardening a site significantly reduces its attack surface. It does not eliminate risk. Ongoing maintenance (keeping software updated, reviewing user accounts and monitoring for changes) is what keeps it effective over time.
A site health report includes a security audit covering all of the areas above, with a written list of what needs addressing.
Frequently asked questions
What is the most common way WordPress sites get hacked?
Plugin vulnerabilities are the most common entry point. A plugin with a known security flaw that has not been updated gives attackers a straightforward route in. Weak passwords on admin accounts are the second most common cause. Outdated WordPress core and outdated PHP versions contribute as well, though WordPress core is generally patched quickly when vulnerabilities are found.
Do I need a security plugin on WordPress?
A security plugin is not strictly required, but it handles several things that would otherwise need manual attention, including login attempt limiting, file integrity monitoring and malware scanning. If you already have login limiting configured at the server level and your hosting provider offers malware scanning, a plugin adds less value. For most standard WordPress setups on shared or managed hosting, a security plugin like Wordfence is a practical addition.
Need a WordPress security review?
A site health report includes a security audit and a written list of what needs addressing.