
WordPress Security: The Ultimate 32-Step Checklist

Back when I was starting out as a web designer and developer, my biggest problem was getting stuff to work the way I wanted it to.

I cared mostly about getting things (more or less) working as I expected them to, and making the site look snazzy was usually my main goal when finishing a project.

WordPress security was the least of my concerns. Hacking was something I read about, not something I expected to happen to me. SQL injection, cross-site scripting, elevation of privileges and critical security vulnerabilities were just buzzwords in tech news.

But one day, securing my sites suddenly became very important, very quickly: my Facebook feed told me there was a critical vulnerability in WordPress that was being actively exploited. When I next tried to log in to my site, my credentials were not accepted.

Most of my sites had been compromised by the vulnerability.

I got lucky, though. I had taken one inadvertent precaution which saved my sites from being fully taken over: I had renamed the administrator username. Even though the vulnerability had been exploited on my sites, the attackers could not log in, because I was using a non-obvious administrator username rather than the default “admin” they were expecting.

Today I know better.

WordPress security is fundamental: Every WordPress website needs to be fully secured and hardened.

Why Would a Hacker Be Interested In My Site?

Before actually diving deeply into securing your website and all of the steps you need to take to stop WordPress getting hacked, it’s crucial to understand the logistics and the reasoning behind a website hack.

It’s understandable that you might wonder:

“Why would a hacker be interested in my website? It’s just the website of my local business, seen by a few hundred people at most. What are they going to get out of it?”

There are many reasons why a hacker would be interested in your “small” website.

Although some hacking is done for political reasons (defacing websites to send a particular political message, for example), these hacks are typically very localized and nowhere near as common as the mainstream media makes them out to be.

Most hacking attacks happen for more devious reasons.

These days, most hacking is organised crime whose ultimate aim is to make money through fraud. Typically, a hacked website becomes a middle-man for distributing malware to its visitors, and in most cases the website owner is oblivious to all of this.

There are ready-made frameworks, bought and sold on the online black market, that make it dead easy to distribute malware through hacked websites.

In essence, your website could become an involved party in criminal activity!

Besides that, there are other negative implications:

  • Your site could be used as a relay for sending spam or attacking other sites

  • A hacked and defaced website tarnishes the brand’s reputation, quite apart from the serious embarrassment

  • Hacked sites typically burn through their hosting resources (sending spam, serving malware, attacking other sites), and the hosting provider responds by suspending the account. The site goes offline, and so does the business it brings in

  • The cost of recovering a hacked website ranges from very little (if you have a recent backup) to a full redevelopment if your data is deleted or lost with no chance of recovery

Do you think your site is so small nobody will attack it? Think again.

Following the WordPress security checklist below will go a long way towards making your WordPress site much harder to compromise.

How Does a Hacker Find My Site?

You might falsely assume that in the millions of websites available online, the likelihood of a hacker finding and targeting your site is extremely remote. After all, your site is only a drop in an ocean of websites, right?

You’re horribly wrong.

Hackers don’t do this work manually. They employ minions to do their dirty work.

Well, not really minions – they’re actually (ro)bots, or programs whose sole purpose is to seek out vulnerable websites.

These programs or scripts are typically run on cloud servers, where they can be set up and destroyed at will, leaving little to no trace. They can discover hundreds, if not thousands, of websites per hour.

Because the scripts are cheap to buy and cheap to run on cloud servers, the “investment” pays off. They are commonly bought and sold on dodgy underground forums.

Once a site is found, it is probed for thousands of known vulnerabilities. If your WordPress site has not been fully secured, the likelihood of it emerging unscathed is slim.

Vulnerabilities are continuously being discovered in WordPress and its plugins. That’s why securing WordPress is critical to the health of your website.
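You can see this probing in your own access logs. The script below is an added example (mine, not part of the original checklist): it reads combined-format web server log lines, tallies per-IP requests to the paths scanner bots typically hit on WordPress sites (wp-login.php POSTs, xmlrpc.php, readme.html, plugin readme files, author enumeration), and flags any IP that crosses a threshold. The log lines and the threshold of 5 are constructed for the example; tune the patterns and threshold to your own traffic.

```python
"""Spot automated WordPress probing in an access log (added example)."""
import re
from collections import defaultdict

# Combined log format: ip ident user [time] "METHOD path PROTO" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Paths that WordPress scanner scripts hammer. Each entry is (label, regex).
PROBE_PATTERNS = [
    ("login-brute-force", re.compile(r"^/wp-login\.php")),
    ("xmlrpc", re.compile(r"^/xmlrpc\.php")),
    ("user-enumeration", re.compile(r"^/\?author=\d+")),
    ("version-fingerprint", re.compile(r"^/readme\.html")),
    ("plugin-fingerprint", re.compile(r"^/wp-content/plugins/[^/]+/readme\.txt")),
    ("config-fetch", re.compile(r"^/wp-config\.php")),
]


def parse_line(line):
    """Parse one combined-format log line into a dict, or None if malformed."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def classify(method, path):
    """Return the probe label for a request, or None if it looks normal.
    wp-login.php counts only on POST: a GET is a legitimate login page view."""
    for label, pattern in PROBE_PATTERNS:
        if pattern.search(path):
            if label == "login-brute-force" and method != "POST":
                return None
            return label
    return None


def find_probing_ips(lines, threshold=5):
    """Return {ip: {label: count}} for IPs with at least `threshold` probe hits."""
    per_ip = defaultdict(lambda: defaultdict(int))
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec["method"], rec["path"])
        if label:
            per_ip[rec["ip"]][label] += 1
    return {ip: dict(counts) for ip, counts in per_ip.items()
            if sum(counts.values()) >= threshold}


# Constructed sample log: one scanner (203.0.113.9) and one ordinary visitor.
SAMPLE_LOG = """\
203.0.113.9 - - [10/Oct/2023:13:55:36 +0000] "GET /readme.html HTTP/1.1" 200 7000 "-" "python-requests/2.28"
203.0.113.9 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "python-requests/2.28"
203.0.113.9 - - [10/Oct/2023:13:55:38 +0000] "GET /wp-content/plugins/contact-form-7/readme.txt HTTP/1.1" 404 200 "-" "python-requests/2.28"
203.0.113.9 - - [10/Oct/2023:13:55:39 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "python-requests/2.28"
203.0.113.9 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "python-requests/2.28"
203.0.113.9 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3000 "-" "python-requests/2.28"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:13:56:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, counts in find_probing_ips(SAMPLE_LOG.splitlines()).items():
        print(ip, counts)
```

Run against a real log with `find_probing_ips(open("/var/log/apache2/access.log"))`. The scanner IP is flagged after six probe requests within seconds; the human visitor, who merely viewed the login page and logged in once, is not. Note that a single POST to wp-login.php from your own office IP is normal, which is why the threshold matters more than any individual pattern.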

Securing WordPress: A 32-Step Checklist

With all of the above scary stuff in mind, I want to make sure that you’re armed with all the knowledge you can get to fully secure your WordPress website.

Here’s a checklist of ALL the things you should be doing to secure your WordPress sites.

This checklist is split into two parts. The first part covers measures absolutely everybody should take, mostly basic stuff like using strong passwords. The second part goes into advanced WordPress security measures for those who are really paranoid about security. This is for admins who want to lock the door, put a chain across the door, and put a padlock on it. And then a padlock on the padlock.

Part 1: The Steps Everybody Should Take to Secure Their WordPress Website

  1. ALWAYS Keep Your Version of WordPress Up-To-Date

  2. Don’t Change WordPress Core

  3. Make Sure All Your Plugins Are Updated

  4. Remove Any Inactive or Unused Plugins

  5. Make Sure All Themes Are Kept Updated

  6. Install Themes, Plugins and Scripts ONLY From Their Official Source

  7. Choose a Secure WordPress Hosting Service

  8. Make Sure Your Site is Running the Latest Version of PHP

  9. Change the Admin Username

  10. Always Use Strong Passwords

  11. Don’t Reuse Passwords

  12. Protect Your Password(s) By Avoiding Plain-Text Password Transmission

  13. Only Update Your Site From Trusted Networks

  14. Use a Local Anti-Virus

  15. Enable Google Search Console

  16. Secure WordPress With a Bulletproof WordPress Security Plugin

  17. If All Else Fails, Restore From Backup

Part 2: Securing a WordPress Website for Security Freaks

Well, not really security freaks, per se.

Although these are slightly more advanced WordPress security tips, you typically only need to know how to install a plugin, tweak a few files here and there, and in general be ready for the possibility of breaking something. Have a backup ready to revert to if that happens.

  1. Limit Login Attempts

  2. Enable Two-Factor Authentication

  3. Ensure File Permissions Are Correct

  4. Change the Default Table Prefix

  5. Ensure You’ve Set WordPress Secret Authentication Keys

  6. Disable PHP Execution

  7. Segregate Your WordPress Databases

  8. Restrict Database User Privileges

  9. Disable File Editing

  10. Secure Your wp-config.php File

  11. Disable XML-RPC (If You Aren’t Using It)

  12. Disable PHP Error Reporting

  13. Install a Firewall

  14. Use a Content Delivery Network Firewall

  15. Monitor Your WordPress Security With Security Logging
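Several of the Part 2 items (changing the table prefix, setting the secret authentication keys, disabling file editing, disabling PHP error reporting, and securing wp-config.php) come down to what is in your wp-config.php and who can read it. The auditor below is an added example (mine, not code from the original checklist or from WordPress) that checks a wp-config.php for those items in one pass. The two sample configs are constructed for the example; the placeholder string `put your unique phrase here` is what wp-config-sample.php ships with, and treating any key shorter than 32 characters as weak is my own threshold (the keys the official generator produces are 64 characters).

```python
"""Audit a wp-config.php for several Part 2 checklist items (added example)."""
import os
import re
import secrets
import stat
import tempfile

SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # default in wp-config-sample.php
MIN_KEY_LEN = 32                              # assumption: shorter keys count as weak

# define( 'NAME', <quoted string or bare literal> );
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>\w+)['"]\s*,\s*"""
    r"""(?P<value>'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*"|[^;)]+?)\s*\)\s*;""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"](?P<prefix>[^'"]*)['"]""")


def parse_defines(text):
    """Map constant name -> raw PHP literal as written (e.g. "true", "'abc'")."""
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(text)}


def php_bool(raw):
    return raw.strip().lower() == "true"


def audit_text(text):
    """Return a list of findings (strings) for the contents of a wp-config.php."""
    findings = []
    defines = parse_defines(text)

    m = PREFIX_RE.search(text)
    if m is None or m.group("prefix") == "wp_":
        findings.append("table prefix is the default 'wp_'")

    for name in SALT_NAMES:
        raw = defines.get(name, "").strip("'\"")
        if not raw or PLACEHOLDER in raw or len(raw) < MIN_KEY_LEN:
            findings.append(f"{name} is missing, a placeholder, or too short")

    if not php_bool(defines.get("DISALLOW_FILE_EDIT", "false")):
        findings.append("DISALLOW_FILE_EDIT is not true (theme/plugin editor enabled)")

    # WP_DEBUG_DISPLAY defaults to true whenever WP_DEBUG is on.
    if php_bool(defines.get("WP_DEBUG", "false")) and \
            php_bool(defines.get("WP_DEBUG_DISPLAY", "true")):
        findings.append("WP_DEBUG is on and errors are displayed to visitors")
    return findings


def audit_file(path):
    """Audit the file's contents and its permission bits."""
    with open(path, encoding="utf-8") as fh:
        findings = audit_text(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o007:
        findings.append(f"wp-config.php is accessible to 'other' (mode {mode:o})")
    return findings


# Constructed samples: a fresh-from-the-sample config and a hardened one.
WEAK_CONFIG = (
    "<?php\n"
    + "".join(f"define( '{n}', '{PLACEHOLDER}' );\n" for n in SALT_NAMES)
    + "$table_prefix = 'wp_';\n"
    + "define( 'WP_DEBUG', true );\n"
)
HARDENED_CONFIG = (
    "<?php\n"
    + "".join(f"define( '{n}', '{secrets.token_urlsafe(48)}' );\n" for n in SALT_NAMES)
    + "$table_prefix = 'k7q3_';\n"
    + "define( 'DISALLOW_FILE_EDIT', true );\n"
    + "define( 'WP_DEBUG', false );\n"
)


def demo():
    """Write both sample configs to temp files (0644 vs 0600) and audit them."""
    results = {}
    for label, text, mode in (("weak", WEAK_CONFIG, 0o644),
                              ("hardened", HARDENED_CONFIG, 0o600)):
        fd, path = tempfile.mkstemp(suffix="-wp-config.php")
        with os.fdopen(fd, "w", encoding="utf-8") as fh:
            fh.write(text)
        os.chmod(path, mode)
        try:
            results[label] = audit_file(path)
        finally:
            os.unlink(path)
    return results


if __name__ == "__main__":
    for label, findings in demo().items():
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Point it at a live install with `audit_file("/var/www/html/wp-config.php")`. The weak config produces a finding for every unset item, while the hardened one passes clean. Disabling XML-RPC, restricting database privileges and blocking PHP execution in uploads live outside wp-config.php (a plugin or web server rule, a database GRANT, and an .htaccess or nginx rule respectively), so they are out of scope for this check.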