WordPress Security: The Ultimate 32-Step Checklist
Back when I was starting out as a web designer and developer, my biggest problem was getting stuff to work the way I wanted it to.
I was more concerned about getting things (mostly) working as I expected. Getting things to look snazzy was usually one of my primary goals when finishing a website.
WordPress security was the least of my concerns. Hacking was something I read about, not something I expected to happen to me. SQL injection, cross-site scripting, elevation of privileges and critical security vulnerabilities were just buzzwords in tech news.
But one day, securing my sites suddenly got very important, very quickly when my Facebook feed told me there was a critical vulnerability in WordPress, which was actively being exploited. When I next tried to log in to my site, my credentials were not accepted.
Most of my sites had been compromised by the vulnerability.
I got lucky, though. I had taken one inadvertent precaution, which saved my sites from being fully exploited – I had renamed my admin username – and despite the fact the vulnerability had been exploited on my site, the hackers could not log in. I was using a complex administrator username rather than the default “admin” username the hackers were expecting.
Today I know different.
WordPress security is fundamental: Every WordPress website needs to be fully secured and hardened.
Why Would a Hacker Be Interested In My Site?
Before actually diving deeply into securing your website and all of the steps you need to take to stop WordPress getting hacked, it’s crucial to understand the logistics and the reasoning behind a website hack.
It’s understandable that you might wonder:
“Why would a hacker be interested in my website? It’s just the website of my local business, seen by a few hundred people at most. What are they going to get out of it?”
There are many reasons why a hacker would be interested in your “small” website.
Although some hacking is done for political reasons (defacing of websites to send particular political messages, for example), these types of hacks are typically very localized and not as popular as the mainstream media would make them out to be.
Most hacking attacks happen for more devious reasons.
These days, hacking is part of a ring of criminality whose ultimate aim is to make money through fraudulent means. Typically, after a website is hacked it becomes a middle-man for the distribution of malicious software. Most of the time, the website owner is oblivious to all of this.
There are frameworks which are bought and sold in the online black market, making it dead-easy to distribute malware through hacked websites.
In essence, your website could become an involved party in criminal activity!
Besides that, there are other negative implications:
Your site could be used as a spamming proxy
A website that is hacked and defaced will most likely tarnish the brand’s reputation, besides causing serious embarrassment.
Hacked sites typically overwhelm their hosting server, which leads the host to shut the site down. That downtime typically means lost business.
The cost of recovering a hacked website ranges from very little (if you have a website backup) to a full redevelopment if your data is deleted or lost with no chance of recovery.
Do you think your site is so small nobody will attack it? Think again.
Using the following WordPress security checklist will go a long way towards making your WordPress site hacker-proof.
How Does a Hacker Find My Site?
You might falsely assume that in the millions of websites available online, the likelihood of a hacker finding and targeting your site is extremely remote. After all, your site is only a drop in an ocean of websites, right?
You’re horribly wrong.
Hackers don’t do this work manually. They employ minions to do their dirty work.
Well, not really minions – they’re actually (ro)bots, or programs whose sole purpose is to seek out vulnerable websites.
These programs or scripts are typically run on cloud servers, where they can be set up and destroyed at will, leaving little to no trace. The scripts scan for and discover hundreds if not thousands of websites per hour.
The fact that the scripts are bought very cheaply and run on cheap cloud hosting servers makes the “investment” worthwhile. These scripts are commonly bought and sold on dodgy forums.
Once a site is found, it is probed for thousands of known vulnerabilities. If your WordPress site has not been fully secured, the likelihood of the site emerging unscathed is absolutely minimal.
Vulnerabilities are continuously being discovered in WordPress and its plugins. That’s why securing WordPress is critical to the health of your website.
Securing WordPress: A 32-Step Checklist
With all of the above scary stuff in mind, I want to make sure that you’re armed with all the knowledge you can get to fully secure your WordPress website.
Here’s a checklist of ALL the things you should be doing to secure your WordPress sites.
This checklist is split into two: The first part includes measures absolutely everybody should be doing – mostly basic stuff, like having strong passwords. The second part goes into advanced WordPress security measures for those who are really paranoid about security. This is for admins who want to lock the door, put a chain around the door, and put a padlock on it. And then a padlock on the padlock.
Part 1: The Steps Everybody Should Take to Secure Their WordPress Website
ALWAYS Keep Your Version of WordPress Up-To-Date
Don’t Change WordPress Core
Make Sure All Your Plugins Are Updated
Remove Any Inactive or Unused Plugins
Make Sure All Themes Are Kept Updated
Install Themes, Plugins and Scripts ONLY From Their Official Source
Choose a Secure WordPress Hosting Service
Make Sure Your Site is Running the Latest Version of PHP
Change the Admin Username
Always Use Strong Passwords
Don’t Reuse Passwords
Protect Your Password(s) By Avoiding Plain-Text Password Transmission
Only Update Your Site From Trusted Networks
Use a Local Anti-Virus
Enable Google Search Console
Secure WordPress With a Bulletproof WordPress Security Plugin
If All Else Fails, Restore From Backup
Part 2: Securing a WordPress Website for Security Freaks
Well, not really security freaks, per se.
Although these are slightly more advanced WordPress security tips, you typically only need to know how to install a plugin, tweak a few files here and there, and be prepared for the possibility of breaking something. Be ready to revert from backups if that happens.
Limit Login Attempts
Enable Two-Factor Authentication
Ensure File Permissions Are Correct
Change the Default Table Prefix
Ensure You’ve Set WordPress Secret Authentication Keys
Disable PHP Execution
Segregate Your WordPress Databases
Restrict Database User Privileges
Disable File Editing
Secure Your wp-config.php File
Disable XML-RPC (If You Aren’t Using It)
Disable PHP Error Reporting
Install a Firewall
Use a Content Delivery Network Firewall
Monitor Your WordPress Security With Security Logging
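As an added example (not part of the original checklist, and not WordPress’s own default file), here is a hardened section of wp-config.php that applies several of the steps above in one place: the non-default table prefix, the secret authentication keys, disabling file editing, disabling PHP error reporting, and forcing HTTPS on login so passwords are never sent in plain text. Every value marked PLACEHOLDER is an assumption you replace with your own.

```php
<?php
// Added example, not from the original article: hardened settings for the
// WordPress root wp-config.php. PLACEHOLDER values are assumptions.

// Change the Default Table Prefix: use a random, non-default prefix.
// Set this before installing WordPress; changing it on a live site means
// renaming every table and updating the options/usermeta rows too.
$table_prefix = 'x7k2q_'; // PLACEHOLDER, anything but the default 'wp_'

// Ensure You've Set WordPress Secret Authentication Keys: generate fresh
// values at https://api.wordpress.org/secret-key/1.1/salt/ and paste them
// here. Never leave the 'put your unique phrase here' defaults in place;
// with known keys, session cookies and nonces can be forged.
define( 'AUTH_KEY',         'PLACEHOLDER-64-or-more-random-characters' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER-64-or-more-random-characters' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER-64-or-more-random-characters' );
define( 'NONCE_KEY',        'PLACEHOLDER-64-or-more-random-characters' );
define( 'AUTH_SALT',        'PLACEHOLDER-64-or-more-random-characters' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER-64-or-more-random-characters' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER-64-or-more-random-characters' );
define( 'NONCE_SALT',       'PLACEHOLDER-64-or-more-random-characters' );

// Disable File Editing: removes the theme and plugin editor from wp-admin,
// so a compromised administrator account cannot write PHP to the server
// straight from the dashboard.
define( 'DISALLOW_FILE_EDIT', true );

// Disable PHP Error Reporting on the live site: error output leaks file
// paths, versions and query fragments that only help an attacker.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', 0 );

// Protect your password by avoiding plain-text transmission: force HTTPS
// for the login page and the whole admin area. The site must already be
// serving a valid TLS certificate or you will lock yourself out.
define( 'FORCE_SSL_ADMIN', true );
```

These constants take effect on the next request; there is nothing to cache or restart, so keep a copy of the previous wp-config.php to revert to if the site stops loading.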