
WordPress Security Checklist: 15 Steps to Secure Your Site in 2025

A complete WordPress security checklist covering 15 essential steps. From SSL certificates to login protection, secure your WordPress site against common threats.

GetHost.One Team

WordPress powers over 40% of the web, making it a prime target for attackers. The good news? Most WordPress security breaches are preventable with basic precautions.

This checklist covers 15 security measures every WordPress site owner should implement.

1. Use HTTPS with a Valid SSL Certificate

SSL encrypts data between your server and visitors. Without it, login credentials, form submissions, and customer data are transmitted in plain text.

  • Install a free SSL certificate (Let's Encrypt, Cloudflare)
  • Force HTTPS via .htaccess or your hosting control panel
  • Set "Site Address" in WordPress to https://

GetHost.One includes auto-renewing SSL certificates on all lifetime plans.

2. Keep WordPress Core, Themes, and Plugins Updated

Outdated software is the #1 cause of WordPress hacks. Each update includes security patches for known vulnerabilities.

  • Enable automatic updates for minor WordPress core releases
  • Check for plugin/theme updates weekly
  • Remove unused themes and plugins entirely
  • Subscribe to WordPress security advisories

3. Use Strong Authentication

Weak passwords are the easiest attack vector for bots and brute-force scripts.

  • Use unique, complex passwords (15+ characters with mixed case, numbers, symbols)
  • Enable Two-Factor Authentication (2FA) via plugins like WP 2FA or Google Authenticator
  • Change the default "admin" username
  • Limit login attempts with plugins like Limit Login Attempts Reloaded

4. Implement a Web Application Firewall (WAF)

A firewall blocks malicious traffic before it reaches your WordPress site.

  • Use Cloudflare's WAF (free tier available)
  • Implement a WordPress security plugin with firewall rules (Wordfence, Sucuri)
  • Block known malicious IP ranges

5. Secure Your wp-config.php File

The wp-config.php file contains your database credentials and security keys. Protect it:

# Block web access to wp-config.php (works on Apache 2.4 and 2.2)
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        order allow,deny
        deny from all
    </IfModule>
</Files>

Move it one directory above your WordPress root when possible.

6. Change the Database Table Prefix

The default wp_ prefix lets automated SQL injection attacks assume your table names. Change it during installation:

-- Before
wp_options, wp_posts, wp_users

-- After
x7k9_options, x7k9_posts, x7k9_users

If your site is already installed, use a plugin like "Change wp-content prefix" or manually rename tables via phpMyAdmin.
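If you change the prefix by hand, renaming the tables is only part of the job. The following script is an added example, not code from the article or from GetHost.One: it prints the SQL for a single-site install with the twelve core tables, rewrites the prefixed option and user-meta names that would otherwise strip every account of its role, and rejects prefixes WordPress itself would not accept. Table list, file names and the `wp_`/`x7k9_` values are the article's; everything else is assumed.

```sh
#!/bin/sh
# Added example, not from the original article: print the SQL that moves an
# existing single-site install from one table prefix to another. Assumes the
# twelve core tables (multisite and plugin tables that use the prefix must be
# appended to CORE_TABLES). Renaming tables is not enough: the user_roles
# option and the user meta keys capabilities and user_level are stored under
# prefixed names, so they are rewritten too or every account loses its role.
# Options such as wp_page_for_privacy_policy are literally named that way and
# do not follow the prefix, which is why options are changed by exact name only.
# Take a database backup before running the output.

CORE_TABLES='commentmeta comments links options postmeta posts terms
term_relationships term_taxonomy termmeta usermeta users'

# WordPress itself only accepts letters, digits and underscores in a prefix.
valid_prefix() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9_]+$'
}

# Print the migration SQL for OLD -> NEW; return 1 if either prefix is invalid.
prefix_migration_sql() {
    old=$1
    new=$2
    valid_prefix "$old" && valid_prefix "$new" || return 1
    # Position of the first character after the old prefix (SUBSTRING is 1-based).
    off=$(( ${#old} + 1 ))
    # Escape underscores so LIKE treats them literally, not as wildcards.
    esc=$(printf '%s' "$old" | sed 's/_/\\_/g')
    for t in $CORE_TABLES; do
        printf 'RENAME TABLE %s%s TO %s%s;\n' "$old" "$t" "$new" "$t"
    done
    printf "UPDATE %soptions SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" "$new" "$new" "$old"
    printf "UPDATE %susermeta SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" "$new" "$new" "$off" "$esc"
    printf '%s\n' "-- Finally set \$table_prefix = '$new'; in wp-config.php"
}

# Usage: sh change-prefix.sh wp_ x7k9_ > migrate.sql
if [ -n "${2:-}" ]; then
    prefix_migration_sql "$1" "$2" || { echo "invalid prefix" >&2; exit 1; }
fi
```

Review the generated file before feeding it to MySQL, and add a RENAME line for every plugin table that carries the prefix; the script cannot know which plugins you run.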

7. Disable File Editing in WordPress Dashboard

WordPress allows admins to edit theme and plugin files directly from the dashboard. This is a security risk if an attacker gains admin access:

// Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);

8. Set Correct File Permissions

Improper file permissions can allow attackers to modify your WordPress files:

Directories: 755 (rwxr-xr-x)
Files: 644 (rw-r--r--)
wp-config.php: 600 (rw-------)
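To check a site against this scheme and correct it in one go, here is an added example script (not code from the article or from GetHost.One). It assumes a POSIX shell with find and stat, and that PHP runs as the file owner, which is what makes an owner-only wp-config.php (600) workable; on hosts where the web server runs as a different user in the owner's group, that file needs 640 instead. The paths in the usage comment are placeholders.

```sh
#!/bin/sh
# Added example, not from the original article: audit a WordPress tree against
# the 755/644/600 scheme above and optionally fix it. Assumes a POSIX shell
# with find(1) and stat(1) (GNU or BSD) and that PHP runs as the file owner,
# so wp-config.php can be owner-only (600); if the web server runs as a
# different user in the owner's group, use 640 for that file instead.

# Octal permission bits of one path; tries GNU stat first, then BSD stat.
perm_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Expected mode for a path under the scheme.
expected_mode() {
    if [ -d "$1" ]; then
        echo 755
    elif [ "$(basename "$1")" = "wp-config.php" ]; then
        echo 600
    else
        echo 644
    fi
}

# Walk the tree rooted at $1 and print one line per deviation:
#   <actual> <expected> <path>
audit_wp_perms() {
    find "$1" \( -type d -o -type f \) -print | while IFS= read -r p; do
        actual=$(perm_of "$p")
        want=$(expected_mode "$p")
        [ "$actual" = "$want" ] || printf '%s %s %s\n' "$actual" "$want" "$p"
    done
}

# Number of deviating paths; 0 means the tree matches the scheme.
audit_wp_perms_count() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Apply the scheme: directories 755, files 644, wp-config.php 600.
# Ownership is deliberately untouched; chown needs the hosting account's details.
fix_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
    return 0
}

# Usage: sh wp-perms.sh /var/www/html        (report only)
#        sh wp-perms.sh /var/www/html --fix  (apply, then report)
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = "--fix" ]; then
        fix_wp_perms "$1"
    fi
    audit_wp_perms "$1"
fi
```

Run the report form first; a non-empty report after `--fix` usually means a directory with a setgid bit or files owned by another account, both of which deserve a look rather than a blind chmod.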

9. Regular Automated Backups

A good backup strategy ensures you can recover quickly from a breach:

  • Perform daily automated backups
  • Store backups off-site (cloud storage, separate server)
  • Test restoration at least once per quarter
  • Keep 30-day retention for daily backups

GetHost.One includes daily automated backups with 30-day retention on all plans.

10. Monitor User Activity

Track changes made by users and administrators:

  • Install an activity log plugin (WP Activity Log, Simple History)
  • Monitor for suspicious patterns (mass user creation, plugin changes)
  • Set up email alerts for critical events (admin login, new admin user)

11. Secure Your Login Page

Login pages are the most targeted WordPress URLs:

  • Rename your login URL (plugins like WPS Hide Login)
  • Add reCAPTCHA to login and registration forms
  • Implement IP-based login restrictions
  • Use a unique login URL for admin access
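Steps 10 and 11 both come down to noticing who is hammering the login page. The script below is an added example, not code from the article or from GetHost.One: it reads a web server access log in the common "combined" format, counts POSTs to wp-login.php and xmlrpc.php per client address, and lists addresses over a threshold as candidates for a firewall rule or a closer look in the activity log. The log lines it generates are constructed for illustration, with addresses from the documentation ranges, and the log path in the usage comment is a placeholder.

```sh
#!/bin/sh
# Added example, not from the original article: spot brute-force login
# activity in a web server access log (Apache/Nginx "combined" format) by
# counting POSTs to wp-login.php and xmlrpc.php per client IP. The log lines
# produced by make_sample_log are constructed for illustration; addresses
# are from the documentation ranges, not real clients. Assumes awk(1).

# Constructed sample: one client posting the login form 12 times in a minute,
# one normal login, and one plain GET of the login page.
make_sample_log() {
    i=0
    while [ "$i" -lt 12 ]; do
        printf '203.0.113.5 - - [10/Jan/2025:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1543 "-" "python-requests/2.31"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [10/Jan/2025:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/Jan/2025:10:01:30 +0000] "GET /wp-admin/ HTTP/1.1" 200 8812 "-" "Mozilla/5.0"\n'
    printf '192.0.2.9 - - [10/Jan/2025:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2000 "-" "Mozilla/5.0"\n'
}

# stdin: access log; stdout: "<count> <ip>" for every IP that POSTed to a
# login endpoint. In combined format $1 is the client IP, $6 the quoted
# method and $7 the request path.
login_posts_per_ip() {
    awk '$6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") { n[$1]++ }
         END { for (ip in n) print n[ip], ip }'
}

# stdin: access log; stdout: IPs with at least $1 (default 10) login POSTs,
# sorted. These are candidates for a firewall block or a closer look in
# your activity log, not proof of compromise.
flag_bruteforce_ips() {
    threshold=${1:-10}
    login_posts_per_ip | awk -v t="$threshold" '$1 >= t { print $2 }' | sort
}

# Usage: sh login-bruteforce.sh /var/log/apache2/access.log [threshold]
# With no argument the constructed sample is analysed.
if [ -n "${1:-}" ]; then
    flag_bruteforce_ips "${2:-10}" < "$1"
else
    make_sample_log | flag_bruteforce_ips 10
fi
```

If your host sits behind Cloudflare, the first field will be the proxy's address rather than the client's; log the forwarded client header instead, or the counts collapse onto a handful of proxy IPs.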

12. Disable XML-RPC and REST API If Not Needed

XML-RPC (used by the WordPress mobile app) and the REST API can be exploited for brute-force attacks:

// Add to your theme's functions.php or, better, a must-use plugin in wp-content/mu-plugins/

// Disable the XML-RPC methods that require authentication (the brute-force surface).
// Note: this filter does not switch off the whole endpoint; unauthenticated methods
// such as pingbacks still answer. To block xmlrpc.php completely, deny it at the
// web server the same way as wp-config.php above.
add_filter('xmlrpc_enabled', '__return_false');

// Restrict the REST API to authenticated users. This also blocks anonymous
// front-end features that rely on it (some form and commerce plugins), so test first.
add_filter('rest_authentication_errors', function ($result) {
    // Keep an error or explicit success already set by another authentication handler.
    if (!empty($result)) {
        return $result;
    }
    if (!is_user_logged_in()) {
        return new WP_Error('rest_not_logged_in', 'You must be logged in.', array('status' => 401));
    }
    return $result;
});

13. Use Security Headers

HTTP security headers add extra protection against common attacks:

Strict-Transport-Security: max-age=31536000
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: upgrade-insecure-requests

You can add these via .htaccess or your hosting control panel.
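Once the headers are in place, verify them from outside rather than trusting the control panel. The script below is an added example, not code from the article or from GetHost.One: it reads a captured response (the output of `curl -sI` against your site; the URL is a placeholder) and reports each required header that is missing, plus an HSTS max-age below the one-year value used above. It deliberately does not check X-XSS-Protection, because current browsers have removed the XSS auditor and the usual advice now is to omit that header or set it to 0. The sample response inside the script is constructed.

```sh
#!/bin/sh
# Added example, not from the original article: check a captured HTTP
# response for the security headers listed above. Feed it the output of
# `curl -sI https://your-site.example/` (placeholder URL). The sample
# response below is constructed for illustration. X-XSS-Protection is not
# checked on purpose: current browsers have dropped the XSS auditor and the
# usual advice now is to omit the header or set it to 0.

# Required headers (lowercase), one per line.
REQUIRED_HEADERS='strict-transport-security
x-content-type-options
referrer-policy
content-security-policy'

# HSTS max-age below this (one year, as in the article) is reported as weak.
MIN_HSTS_AGE=31536000

# Constructed sample: HSTS too short, Referrer-Policy and CSP absent.
SAMPLE_RESPONSE='HTTP/1.1 200 OK
Server: LiteSpeed
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff
Content-Type: text/html; charset=UTF-8'

# Read a raw header block on stdin and print one line per problem found:
# a required header that is missing, or HSTS whose max-age is too low.
missing_security_headers() {
    hdrs=$(tr -d '\r' | tr '[:upper:]' '[:lower:]')
    for h in $REQUIRED_HEADERS; do
        line=$(printf '%s\n' "$hdrs" | grep "^$h:" | head -n 1)
        if [ -z "$line" ]; then
            echo "$h: missing"
            continue
        fi
        if [ "$h" = "strict-transport-security" ]; then
            age=$(printf '%s\n' "$line" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
            if [ "${age:-0}" -lt "$MIN_HSTS_AGE" ]; then
                echo "$h: max-age ${age:-0} is below $MIN_HSTS_AGE"
            fi
        fi
    done
}

# Number of problems in the header block on stdin; 0 means all required headers are present.
security_header_problems() {
    missing_security_headers | wc -l | tr -d ' '
}

# Usage: sh check-headers.sh https://your-site.example/
# Run with no argument in a terminal to check the constructed sample.
if [ -n "${1:-}" ]; then
    curl -sI "$1" | missing_security_headers
elif [ -t 0 ]; then
    printf '%s\n' "$SAMPLE_RESPONSE" | missing_security_headers
fi
```

Check the HTTPS origin, not the redirecting HTTP one, since browsers only honour Strict-Transport-Security on a secure connection.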

14. Conduct Regular Security Scans

Automated scanning catches vulnerabilities before attackers exploit them:

  • Weekly malware scans (Wordfence, Sucuri, or Jetpack Scan)
  • Monthly vulnerability checks for plugins and themes
  • Regular review of user accounts (remove inactive ones)
  • Monitor Google Search Console for security notifications

15. Implement a Security Plugin

A comprehensive security plugin ties everything together:

Feature            Wordfence    Sucuri    iThemes Security
Firewall
Malware Scan
Login Security
Activity Logs
File Integrity
Free Tier          Limited

Quick Security Audit Checklist

  • SSL certificate active and HTTPS enforced
  • WordPress, themes, and plugins up to date
  • 2FA enabled for all admin accounts
  • Login attempt limiting active
  • File permissions set to 755/644
  • wp-config.php protected
  • File editing disabled in dashboard
  • Daily backups configured and tested
  • Security plugin active and configured
  • User activity logging enabled

FAQ

How often should I run a security scan?

Weekly automated scans are recommended. Manual audits should be performed quarterly.

Can a security plugin slow down my site?

Some can, but LiteSpeed Cache + Redis caching at GetHost.One minimizes the performance impact of security plugins.

What's the first thing to do after a security breach?

  1. Take the site offline (maintenance mode)
  2. Change all passwords immediately
  3. Restore from your most recent clean backup
  4. Identify and patch the vulnerability
  5. Scan all local devices for malware

Conclusion

Security isn't a one-time setup — it's an ongoing practice. Start with the basics (SSL, updates, strong passwords) and work through this checklist to build a comprehensive security posture.

Need fast, secure WordPress hosting? GetHost.One includes auto-renewing SSL, daily backups, and LiteSpeed Enterprise security features with every lifetime plan.
