Your Ultimate 2024 WordPress Security Checklist

WordPress Security Checklist
Share the Post:
Share the Post:

Did you know that more than 400 million websites run on WordPress? WordPress is one of the most popular open-source content management systems (CMS), with over 43% of all websites using WordPress as their CMS. However, its overwhelming popularity has made it vulnerable to hackers and malware, particularly e-commerce and enterprise websites that run on WordPress. 

Fortunately, there are ways to secure your website from malicious attacks from hackers or security breaches, such as sensitive information leaks or lose of content. Most of these security measures are simple and can be implemented in just a few minutes.

In this post, we have developed the ultimate WordPress security checklist to safeguard your website against bots and attackers.

So, let’s get to it.

Does WordPress offer built‑in security?

Does WordPress offer built‑in security?

Before we discuss the essential steps to secure your WordPress website, some of you may be wondering why we need to go through this security checklist if WordPress already offers something similar.

Good question—does WordPress have any built-in security? The answer is yes.

WordPress offers some security measures. In fact. WordPress is a secure content management system (CMS), but the security of your website largely depends on its setup and how you have configured it. If there happens to be some shortcomings in the installation and configuration and no proper protective measures, your website may be susceptible to data breaches or lose of content.

That said, let’s shed some light on the built-in security WordPress offers.

The admin dashboard is safeguarded by a login page that requires a valid username and password. WordPress releases regular updates to fix bugs, patches, and updates that address common security issues and vulnerabilities, as well as improve overall performance. It is crucial you keep your WordPress core, plugins, and themes updated at all times, as it protects your website from known malware and vulnerabilities used by hackers.

However, the human element must also be considered. Often, WordPress sites are hacked due to human error, such as sharing usernames and passwords or reusing the same login credentials for multiple websites. This needs to be avoided at all costs, or else hackers can cause irreparable damage to your website.

Use a WordPress security plugin

You can also consider using WordPress security plugins to enhance the security of your site. These plugins are easy to install and add an extra layer of security on top of your existing security features WordPress offers. Some of the popular WordPress security plugins are Jetpack, Wordfence Security,  SecuPress, and Security Ninja.

WordPress security checklist?

Why is it important to have a WordPress security checklist?

Many assume that enterprise websites have excellent security features and that various tasks are automated. There isn’t an actual need for a WordPress security checklist, as the tools and systems used in enterprise websites are extremely robust and can’t be hacked. That may be true, but only if the websites are regularly monitored and maintained with strict security protocols in place and updates are applied promptly.

However, it’s not uncommon to overlook some things, especially if you have a WordPress website that has a lot of plugins and third-party integrations. This is where a WordPress security checklist comes in handy. A WordPress security checklist will help developers and cybersecurity employees ensure that all necessary security measures are taken care of and nothing slips through the cracks.

Rectifying any security breach of an enterprise website can be time-consuming and a costly affair, so having a comprehensive WordPress security checklist will keep your site in tip-top shape.

There are other benefits of having a WordPress security checklist, which are as follows:

  • It provides protection from online threats by helping you take proactive measures against cyber attacks like brute force attacks, cross-site scripting, and SQL injection.
  • It helps preserve your brand’s reputation by minimizing the risk of security incidents, maintaining your brand’s credibility, and maintaining customer trust.
  • It safeguards sensitive user data, reducing the risk of unauthorized access to information like email addresses and login credentials.
  • It ensures compliance with regulations and helps you avoid legal penalties by adhering to strict security measures required for user data protection.
WordPress security checklist for 2024

The ultimate 30-step WordPress security checklist for 2024

Now, without further ado, let’s dive into our ultimate WordPress security checklist for 2024. If you’re just starting out, this may look overwhelming, and we won’t blame you if you get confused midway. We aren’t asking you to start implementing all of these security measures in one sitting.

There are a lot of items on the checklist, and completing each measure may take some time. But the good thing is that most of them are fixes that you only need to implement once.

1. Keep your WordPress core updated to the latest version

Hackers are always looking for security loopholes in WordPress, and outdated WordPress installations are the most vulnerable. Therefore, always keep your WordPress updated to the latest version, as it comes with security patches and bug fixes.

2. Regularly update all themes and plugins installed on your website

Keep all your plugins and themes updated at all times to ensure that you are running the most secure versions. Older versions of WordPress themes and plugins like outdated WordPress versions may have security flaws that can endanger your site.

3. Delete any unused or inactive plugins and themes

Similar to WordPress installations, old or poorly coded plugins may contain vulnerabilities hackers can exploit to damage your website. Therefore, check for old, outdated, or inactive plugins on your website and remove them.

Likewise, if you have any unused WordPress themes, delete them. Removing old, outdated, or inactive plugins and themes will keep your website organized and secure.

4. Use strong usernames and passwords for all user accounts

Your enterprise website may be using the most advanced WordPress security plugins and tools in the market. Still, if your admin login username and password aren’t strong or easily predictable, you may be in trouble. This is more common than you think.

Most people don’t want to put in the extra effort to create a unique username or strong password, thinking that no matter what, nobody can guess their credentials. That’s why it’s not uncommon to find people with usernames like “admin” or using passwords such as “password123.” Therefore, we recommend using strong usernames and passwords that combine letters, numbers, and symbols for maximum security.

5. Limit login attempts with a plugin

One of the best ways to secure your WordPress website from brute force login attacks is by limiting the number of login attempts. If you aren’t familiar with brute force login attacks, well, it is a method website hackers deploy that uses trial and error to crack passwords and login credentials.

As such, hackers and password-guessing bots are always on the search for websites with weak credentials and websites that don’t block users, even after multiple login attempts. By limiting the number of login attempts to your website, you can prevent brute force attacks. For instance, you can temporarily block a user after three failed login attempts.

One of the simplest ways to limit login attempts is by using WordPress plugins such as Jetpack or Limit Login Attempts Reloaded.

6. Change the default admin username

When installing WordPress, you will be prompted to enter a username. Do not overlook this step—ensure that you select a custom username. If your username is “admin,” change it. Using the default username increases your risks of brute force login attacks.

7. Use two-factor authentication for added security

This is a must-have item for any WordPress security checklist. No matter how complicated your login credentials are, there is a chance your logins may be compromised. Your password isn’t the only way to protect your site.

Using two‑factor authentication (2FA) will make it harder for hackers to get access to your website, even if they manage to guess your login credentials. If you didn’t implement 2FA in WordPress, there are several WordPress plugins such as Jetpack or Wordfence Security.

8. Regularly backup your website's files and database

Regardless of how secure your website is, it’s always better to regularly back up your website and databases. There may be situations where there might be a security breach, and you lose all the data. In those cases, if you’ve safely backed up your website, you can easily restore your website. You can back up your WordPress website using various free or premium WordPress backup plugins.

9. Keep track of user activity and monitor changes made to your website

You must monitor your website’s user activity so that you’ll be able to see if someone is doing something suspicious to your site, like trying to log in multiple times and failing, making unauthorized changes to the core files, or attempting to install a plugin. However, you need to have access to your site’s activity logs to do that.

10. Disable file editing to stop unauthorized changes

WordPress allows administrators to access and make changes to WordPress core files. So, if you are an admin, you can login from the wp-admin dashboard and edit files, plugins, and themes.

However, if you need to have many admins to manage your website, which is common with company websites, there might be some with bad intentions, you can make unauthorized changes to the core files, leaving your website in danger. To prevent this, turn off file editing. This is easy and can be done by entering the following code into your wp-config.php file:

define(‘DISALLOW_FILE_EDIT’,true);

11. Enable HTTPS on your website by installing an SSL certificate

Installing an SSL (Secure Sockets Layer) certificate should be a priority in your WordPress security checklist if you want to ensure the integrity of your website. SSL certificates also help your website to rank higher in search engines. So, what does an SSL certificate do?

An SSL certificate enables your site to load over HTTPS, a protocol that encrypts the data that is transferred between your hosting server and the user’s browser. This encryption safeguards sensitive information, such as login credentials and personal data, from being intercepted by hackers.

12. Regularly review user permissions and revoke access for any suspicious or inactive accounts

One effective way to secure your WordPress website is to limit the number of users who have access to it. WordPress has a role feature where you can allocate specific tasks to users depending on their assigned roles. For instance, administrators have full access to all WordPress features and settings.

In contrast, other users, such as authors, can only publish their own content, but they can modify anything on the website, such as its settings. By limiting and changing the roles of your website users regularly, you can keep your site safe.

13. Use SFTP instead of FTP for file transfers

SFTP or Secure File Transfer Protocol is a version of the FTP (File Transfer Protocol). The main difference is that the former is an encrypted version of FTP, so it is more secure. Other than that, both protocols work the same, think of it like HTTP and HTTPS.

If you use SFTP for transferring files to and from your server, the protocol encrypts the data, so hackers can’t access or intercept it. Web hosting services provide both FTP and SFTP credentials, but we recommend you opt for the latter.

14. Update your PHP version

WordPress is built on PHP, so it is important to keep your PHP version updated. This will not only fix any security bugs but will make your website secure and faster. Besides, using the latest version of PHP will allow you to integrate the latest features of WordPress. Most web hosts allow users to switch between PHP versions and even automatically update it for them. If your host doesn’t offer this service, switch to a new WordPress host.

15. Store backups on a separate server

We already mentioned that it is essential to regularly back up your website and its data. What most people don’t know is that it is not a good practice to backup all your website data in a single location as there is a risk of a security failure when the backup server or platform malfunctions or, even worse, gets attacked.

Many secure hosting services offer some form of website backups as part of their plans, but that isn’t enough for most users, especially for enterprise WordPress sites. For enterprise WordPress sites, it’s crucial to store backups on a separate server. This ensures that whenever the primary server is compromised, your backups remain secure and accessible.

16. Assess new plugins and themes for security issues before installation

Installing new plugins and themes is great for improving the performance, functionality, and look of your website. However, there are plenty of blacklisted plugins and themes that might compromise the security of your website. Therefore, before installing any plugin or theme, ensure that it is from reputable developers or repositories with a good track record.

You can easily do this by checking its ratings and customer feedback. Always make sure the plugins and themes you will be installing receive regular updates. Avoid plugins and themes that don’t receive updates anymore.

17. Invest in a secure hosting provider

This is another important step on the WordPress security list. Hosting providers play a significant role in protecting your site from attacks, malware, and other security threats. Selecting a secure WordPress hosting provider is critical since you’ll likely be committed to them for an extended period.

Therefore, it is important you do your due diligence, research, read customer reviews, or whatever you can find before choosing a hosting service for your WordPress website. Not all hosting providers offer good service, performance, and features. Just because they are expensive doesn’t necessarily mean a hosting provider offers better service than others.

18. Use a web application firewall (WAF)

A website firewall is designed to stop any kind of malicious traffic before it reaches your website. A web application firewall (WAF) should protect your WordPress website and applications by filtering all incoming traffic to your website and blocking malicious requests like SQL injections.

Depending on your firewall software, you can detect malicious traffic using preset rules or databases of known attackers. There are hosting service providers that offer WAF at the server levels. If your hosting provider doesn’t offer this service, you can always install a security plugin that offers a WAF.

19. Use custom /wp-admin and /wp-login.php URLs

By default, the WordPress login page and admin page have predictable URLs—yourwebsite.com/wp-login.php and yourwebsite.com/wp-admin.php. As these URLs are standard and easily guessable, hackers can brute force their way into your website.

To prevent this, you customize your login page URL using plugins like WPS Hide Login. This makes it much harder for attackers to find and access your website’s login page, which is why we think this is a must-have security measure in our WordPress security checklist.

20. Conceal your WordPress version number

WordPress version number

This is another WordPress security checklist most don’t realize can secure their website. Hiding your WordPress version number will conceal it from hackers, so they won’t know what security issues your website has. Most paid WordPress security plugins come with a feature that allows you to do this.

If you don’t have a WordPress security plugin installed, add this code to your functions.php file:

function remove_version_info() {

return ”;

}

add_filter(‘the_generator’, ‘remove_version_info’);

21. Change the default WordPress database prefix

By default, WordPress assigns ‘wp_’ as the database prefix, which can be easily identified by both developers and attackers. Changing this prefix will add an extra layer of security against potential threats. Although there are plugins that allow you to do this, we prefer you to manually edit the database prefix by editing the WordPress wp-config.php file located in the root directory.

22. Scan your WordPress website for malware

We always recommend users scan their WordPress websites regularly to find malware and vulnerabilities as part of our WordPress security checklist. This involves reviewing WordPress code files to pinpoint malicious code or any unauthorized modifications. There is no need to do this manually, as there are various WordPress plugins for it. These plugins scan WordPress, and if it find any malware or security breaches, it instantly notifies the site owners. The plugins even repairs the affected files.

23. Change the default admin username

WordPress assigns a default admin user after every installation. Though this may seem like WordPress is doing you a favor by saving you the hassle of setting up your username and other details yourself, it also makes it easier for attackers to guess your credentials. As we mentioned earlier, if hackers break into your administrator account, they can make changes to your website, steal sensitive information, or even delete your entire website. To prevent this, change your default administrator username to something unique and difficult to guess.

There are two ways to do this:

  • Create a new administrator account with any desired username and switch to it. Once you transitioned, delete the old account and continue using the new one.
  • Change your username using phpMyAdmin through the database. Unlike the previous method, you don’t have to create or delete your existing one. You can keep the existing account intact.

24. Secure your wp‑config.php file

The wp-config.php file, located in the WordPress root directory, in case you didn’t already know it, contains sensitive information about your website, such as database details. To prevent any security breaches, only the administrator should have access to it. One way to secure the file is to move it outside the root directory.

Another way to secure this file is to restrict SFTP access only to the administrator and other employees involved in the development process. You also need to configure WordPress to block access to wp-config.php in case an attacker manages to execute the file.

This can be done by modifying .htaccess to restrict access to wp-config.php from all IP addresses. The code snippet below does this:

<files wp-config.php>

order allow,deny

deny from all

</files>

25. Disable directory browsing

Directory browsing allows users to access URLs like yourwebsite.com/wp-content and view the content of that directory. When directory browsing is enabled, visitors can see the file structure and internal folders, depending on their permissions. This isn’t ideal, and we think directory browsing should be disabled except for administrators.

The reason is that if multiple users have access to the website’s directory, they may potentially look for potential security loopholes. That’s why most web hosting services disable directory browsing by default. If yours doesn’t, you need to do this yourself by adding this line of the following code to your .htaccess file:

Options -Indexes

Disabling directory browsing, you can significantly reduce the risk of your WordPress website being hacked.

26. Avoid CAPTCHA for spam protection

There is a reason why people dislike CAPTCHAs. They are annoying and often difficult to read, but they are effective to some degree in protecting websites and forms from spam. It may sound good to add CAPTCHA to your WordPress website as a security measure, but there are now advanced bots that can easily bypass CAPTCHA tests, so they aren’t as effective as before. Furthermore, CAPTCHAs may also frustrate and deter legitimate visitors, particularly those with impairments.

27. Limit wp-admin access by IP address

We already discussed how changing the default wp-admin URL can secure your WordPress website and everyone should have this in their WordPress security checklist. However, if you want to take your website security up a notch, we suggest creating an allowlist of IP addresses permitted to access the dashboard. The logic is simple: only specific IP addresses will be allowed to access the admin area, while requests from other IPs will be denied.

If you are on an Apache server, you can add these addresses to an allowlist in the .htaccess file.

The code will appear as follows:

<IfModule mod_rewrite.c>

RewriteEngine on

RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]

RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$

RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS$

RewriteCond %{REMOTE_ADDR} !^IP_ADDRESS$

RewriteRule ^(.*)$ – [R=403,L]

</IfModule>

28. Secure the .htaccess file

The .htaccess file is a powerful tool that allows you to control file permissions. For instance, with .htaccess, you can set specific levels of permissions to various files and file types. Therefore, the .htaccess file can be a security vulnerability if not properly secured. To protect your .htaccess file, you need to enter a code in your root directory. This code will restrict access to files starting with .hta to everybody except those with admin privileges.

The code is:

<Files ~ “^.*.([Hh][Tt][Tt][Aa])”>

order allow,deny

deny from all

satisfy all

30. Use multi‑factor authentication (MFA) for critical users

Picture1

We discussed two-factor authentication (2FA) to secure your WordPress website or applications, and it is more than enough for most users. However, if you want to take it up a notch, include multi‑factor authentication (MFA) in your WordPress security checklist. Multi‑factor authentication requires users to provide two different types of information, one‑time codes, to verify their identity.

These codes are sent via SMS, email, or both. Multi‑factor authentication may be annoying sometimes, but we don’t think anyone would complain if gives an extra layer of protection to keep their website or application secure.

MFA is essential for critical users such as administrators, developers, and high-level employees who have access to sensitive information. Furthermore, MFA significantly reduces the likelihood of attackers accessing these accounts, even if they manage to break into your email accounts.

Now that you have gone through our comprehensive WordPress security checklist, you understand all the steps you need to take to secure a WordPress site. We understand there are plenty of steps, and it may not be possible for many to implement everything in this checklist. We recommend you try to implement as many of the items on this list as possible and gradually work your way through when it is required.

That said, you should prioritize some security measures on this WordPress security checklist, such as keeping your WordPress, plugins, and themes updated, using 2FA/MFA, changing passwords frequently, limiting login attempts, and scanning your local devices for malware. 

1716335472892
Founder at Starlit Devs | Website

Founding Starlit Devs has allowed us to extend our expertise globally, serving over 500 clients, including Fortune 1000 companies, with custom web development services. Our commitment to delivering exceptional design and development is coupled with a deep understanding of SEO, which has been pivotal in empowering businesses to achieve maximum online engagement and brand growth. At Starlit Devs, we take pride in our mission to provide websites that stand out in a competitive digital landscape and drive tangible results for our clients.

Table of Contents

Book A Meeting

Ready to take the next step? Let’s connect and discuss your needs in detail. Book a meeting with us today to explore how we can help you achieve your goals. Our team of experts is eager to collaborate and find the best solutions tailored specifically to your requirements.

Scroll to Top