
WordPress powers over 43% of all websites, making it a prime target for hackers. However, with proper security measures, you can protect your site from most threats. This comprehensive checklist will help you secure your WordPress installation.
Understanding WordPress Security
WordPress itself is secure, but vulnerabilities often come from:
- Outdated themes and plugins
- Weak passwords
- Insecure hosting
- Lack of backups
- Poor file permissions
Essential Security Measures
Keep Everything Updated
The #1 security rule: Always update WordPress, themes, and plugins.
```bash
# Use WP-CLI to update everything from the command line
wp core update
wp plugin update --all
wp theme update --all
```
Use Strong Passwords and 2FA
Weak passwords are the easiest way for hackers to gain access.
Password Requirements:
- Minimum 16 characters
- Mix of uppercase, lowercase, numbers, symbols
- No dictionary words
- Unique to each site
Two-Factor Authentication Plugins:
- Wordfence Login Security (Free)
- Two Factor Authentication (Free)
- Google Authenticator (Free)
```php
// Reject logins whose password is shorter than 16 characters.
// The wp_authenticate_user filter passes two arguments: ($user, $password).
function enforce_strong_passwords($user, $password) {
    // Pass through errors raised earlier in the authentication chain.
    if (is_wp_error($user)) {
        return $user;
    }
    if (strlen($password) < 16) {
        return new WP_Error('weak_password',
            'Password must be at least 16 characters long.');
    }
    return $user;
}
add_filter('wp_authenticate_user', 'enforce_strong_passwords', 10, 2);
```
Install a Security Plugin
A good security plugin provides comprehensive protection.
Recommended Security Plugins
- Wordfence Security (Free + Premium)
  - Firewall
  - Malware scanner
  - Login security
  - Real-time traffic monitoring
- Sucuri Security (Free + Premium)
  - Security hardening
  - Malware scanning
  - Blacklist monitoring
  - Post-hack cleanup
- iThemes Security (Free + Premium)
  - 30+ security measures
  - Database backups
  - File integrity checking
  - Two-factor authentication
Basic Security Plugin Configuration
```php
// Example: Wordfence WAF constants (normally written into the generated
// wordfence-waf.php that PHP auto-prepends; shown here for reference)
define('WFWAF_ENABLED', true);               // turn the firewall on
define('WFWAF_LOG_PATH', '/path/to/logs/');  // WAF data directory: writable by PHP, outside the web root
define('WFWAF_STORAGE_ENGINE', 'mysqli');    // keep WAF rules and config in the database instead of files
```
Secure Your Login Page
The login page is the most common attack vector.
Limit Login Attempts
```php
// Limit login attempts manually in functions.php (per username, 15-minute window)
function check_attempted_login($user, $username, $password) {
    if (empty($username)) {
        return $user; // nothing to rate-limit on
    }
    $key = 'login_attempts_' . md5($username); // keep the transient name short and safe
    $attempts = (int) get_transient($key);
    if ($attempts >= 5) {
        return new WP_Error('too_many_attempts',
            'Too many failed login attempts. Please try again in 15 minutes.');
    }
    return $user;
}
add_filter('authenticate', 'check_attempted_login', 30, 3);

function track_failed_login($username) {
    $key = 'login_attempts_' . md5($username);
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, 15 * MINUTE_IN_SECONDS);
}
add_action('wp_login_failed', 'track_failed_login');

// Clear the counter once the user signs in successfully.
function reset_login_attempts($username) {
    delete_transient('login_attempts_' . md5($username));
}
add_action('wp_login', 'reset_login_attempts');
```
Change Default Login URL
By default, WordPress login is at /wp-admin and /wp-login.php. Change this with a plugin such as:
- WPS Hide Login plugin (Free)
- Cerber Security plugin (Free)
Add CAPTCHA
Protect against bots with CAPTCHA:
```html
<!-- Google reCAPTCHA v3 integration: the token must reach the server, so
     store it in a hidden field inside the login form and verify it there -->
<input type="hidden" id="g-recaptcha-response" name="g-recaptcha-response">
<script src="https://www.google.com/recaptcha/api.js?render=YOUR_SITE_KEY"></script>
<script>
grecaptcha.ready(function () {
  grecaptcha.execute('YOUR_SITE_KEY', { action: 'login' }).then(function (token) {
    document.getElementById('g-recaptcha-response').value = token;
  });
});
</script>
```
Implement a Web Application Firewall
A WAF filters malicious traffic before it reaches your site.
Cloud-Based WAF
- Cloudflare (Free tier available)
- Sucuri CloudProxy (Premium)
- AWS WAF (Pay per use)
WordPress WAF Plugins
- Wordfence (Built-in firewall)
- All In One WP Security
- NinjaFirewall
Regular Backups
Backups are your safety net if something goes wrong.
Backup Strategy (3-2-1 Rule)
- 3 copies of your data
- 2 different storage types
- 1 offsite backup
Recommended Backup Plugins
```php
// Automated backup schedule via the UpdraftPlus options (functions.php)
if (class_exists('UpdraftPlus_Options')) {
    // 'updraft_interval' holds the file-backup schedule; the database schedule
    // lives in the separate 'updraft_interval_database' option
    update_option('updraft_interval', 'daily');
}
```
Best Backup Solutions:
- UpdraftPlus (Free + Premium)
- BackupBuddy (Premium)
- BlogVault (Premium)
- Duplicator (Free + Premium)
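The 3-2-1 rule as a runnable routine, added here as an example and not code from the original post or from any of the plugins listed above: archive the file tree with a checksum sidecar, push the archive to a second location, verify the copy, test a restore, and prune old archives. The two destination directories stand in for "second storage type" and "offsite" (an rsync, rclone or S3 target in practice); the database dump is left out because it needs a live MySQL (`wp db export`).

```bash
#!/bin/sh
# Added example (not from the original post): a 3-2-1 backup routine for the
# WordPress file tree. Copy 1 is the live site, copy 2 an archive on local
# backup storage, copy 3 the same archive on an offsite target.

sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1" | cut -d' ' -f1
  else shasum -a 256 "$1" | cut -d' ' -f1; fi
}

# verify_backup ARCHIVE: checksum matches its sidecar file and the tarball
# is readable. Run this against the offsite copy, not just the local one.
verify_backup() {
  a=$1
  [ -f "$a" ] && [ -f "$a.sha256" ] || return 1
  [ "$(sha256_of "$a")" = "$(cat "$a.sha256")" ] || return 1
  tar -tzf "$a" >/dev/null 2>&1
}

# backup_site SITE LOCAL OFFSITE: archive SITE into LOCAL with a checksum
# sidecar, copy both to OFFSITE and verify the copy. Prints the archive path.
backup_site() {
  site=$1; local_dir=$2; offsite=$3
  archive="$local_dir/site-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  # -C so the archive holds relative paths and restores anywhere
  tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")" || return 1
  sha256_of "$archive" > "$archive.sha256"
  cp "$archive" "$archive.sha256" "$offsite/" || return 1
  verify_backup "$offsite/$(basename "$archive")" || return 1
  echo "$archive"
}

# restore_test ARCHIVE SITE: a backup that has never been restored is not a
# backup. Extract into scratch space and compare with the live tree.
restore_test() {
  scratch=$(mktemp -d)
  tar -xzf "$1" -C "$scratch" && diff -r "$scratch/$(basename "$2")" "$2" >/dev/null
  rc=$?
  rm -rf "$scratch"
  return $rc
}

# prune_backups DIR KEEP: keep the newest KEEP archives (names sort by
# timestamp) and delete older ones together with their checksum files.
prune_backups() {
  total=$(ls "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' ')
  extra=$((total - $2))
  [ "$extra" -gt 0 ] || return 0
  ls "$1"/site-*.tar.gz | sort | head -n "$extra" | while IFS= read -r old; do
    rm -f "$old" "$old.sha256"
  done
}

# Stand-alone demo on a constructed site tree (not real data).
work=$(mktemp -d)
mkdir -p "$work/site/wp-content/uploads" "$work/local" "$work/offsite"
printf '<?php\n' > "$work/site/wp-config.php"
printf 'img\n' > "$work/site/wp-content/uploads/a.jpg"
arch=$(backup_site "$work/site" "$work/local" "$work/offsite")
echo "archive: $arch"
restore_test "$arch" "$work/site" && echo "restore test: ok"
prune_backups "$work/local" 7
rm -rf "$work"
```

On a real host, point `backup_site` at the WordPress root, a backup directory on a different disk, and a mounted or synced offsite path, and schedule it from cron; `verify_backup` on the offsite copy is the check that catches a silently truncated upload.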
Secure Your wp-config.php
The wp-config.php file contains sensitive information.
Move wp-config.php
```bash
# Move wp-config.php one directory up; WordPress looks in the parent directory
# automatically. This only helps when that directory is outside the web root.
mv /var/www/html/wp-config.php /var/www/
```
Secure wp-config.php
```php
// wp-config.php security settings
// Disable the theme/plugin file editor in the dashboard
define('DISALLOW_FILE_EDIT', true);
// Disable all file modifications from the dashboard. This also blocks plugin,
// theme and core installs/updates there, so keep updating via WP-CLI.
define('DISALLOW_FILE_MODS', true);
// Force SSL for admin
define('FORCE_SSL_ADMIN', true);
// Set secure authentication keys (each must be a long, unique random string)
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
// Generate new keys at: https://api.wordpress.org/secret-key/1.1/salt/
```
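For hosts without outbound network access, or when you want to rotate the keys on a schedule, the eight values can be generated locally. The script below is an added example, not part of the original post and not the api.wordpress.org generator: it draws 64-character phrases from /dev/urandom, prints fresh define() lines, and rewrites the eight defines in an existing wp-config.php in place. The sample wp-config.php it builds is constructed for the demo; the function names are this example's own.

```bash
#!/bin/sh
# Added example (not from the original post): generate the eight keys and
# salts offline and write them into an existing wp-config.php.

KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# random_phrase: 64 characters drawn from an alphabet that is safe inside a
# single-quoted PHP string (no quote, backslash or dollar sign).
random_phrase() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#%^&*()_+=-' < /dev/urandom | head -c 64
}

# print_salts: emit eight fresh define() lines, ready to paste into wp-config.php.
print_salts() {
  for name in $KEY_NAMES; do
    printf "define('%s', '%s');\n" "$name" "$(random_phrase)"
  done
}

# rotate_salts FILE: replace the value of every key/salt define in FILE with
# a fresh one, keeping a .bak copy. Rotating the salts invalidates every
# existing session cookie, so all users are signed out.
rotate_salts() {
  f=$1
  cp "$f" "$f.bak"
  for name in $KEY_NAMES; do
    # awk rather than sed: the random value may contain sed-special characters
    awk -v n="$name" -v v="$(random_phrase)" -v q="'" '
      BEGIN { pat = "^define\\( *" q n q }
      $0 ~ pat { print "define(" q n q ", " q v q ");"; next }
      { print }' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
}

# placeholder_count FILE: how many defines still carry the stock placeholder.
placeholder_count() {
  grep -c 'put your unique phrase here' "$1" || true
}

# salt_length NAME FILE: length of the value currently set for NAME.
salt_length() {
  awk -F"'" -v n="$1" '$2 == n { print length($4) }' "$2"
}

# make_sample_config: a constructed wp-config.php fragment with the stock
# placeholders (not a real site's file); prints its path.
make_sample_config() {
  f=$(mktemp)
  {
    printf "<?php\ndefine('DB_NAME', 'wordpress');\n"
    for name in $KEY_NAMES; do
      printf "define('%s', 'put your unique phrase here');\n" "$name"
    done
    printf "\$table_prefix = 'wp_';\n"
  } > "$f"
  echo "$f"
}

# Stand-alone demo: rotate a sample file and show the result.
cfg=$(make_sample_config)
echo "placeholders before: $(placeholder_count "$cfg")"
rotate_salts "$cfg"
echo "placeholders after:  $(placeholder_count "$cfg")"
grep "AUTH_KEY" "$cfg"
rm -f "$cfg" "$cfg.bak"
```

`placeholder_count` doubles as a quick audit: a production wp-config.php should report 0, and anything else means the site is still running on the stock placeholder values.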
Protect with .htaccess
```apache
# Protect wp-config.php (Apache 2.4 syntax, with the 2.2 form as fallback)
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```
Set Proper File Permissions
Incorrect file permissions can allow unauthorized access.
Recommended Permissions
```bash
# Set directory permissions to 755
find /path/to/wordpress -type d -exec chmod 755 {} \;
# Set file permissions to 644
find /path/to/wordpress -type f -exec chmod 644 {} \;
# wp-config.php should be 640 or 600
chmod 600 /path/to/wordpress/wp-config.php
# .htaccess should be 644
chmod 644 /path/to/wordpress/.htaccess
```
Directory Permissions
- Directories: 755
- Files: 644
- wp-config.php: 600
- .htaccess: 644
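Applying the chmod recipe once is not enough; uploads, plugin installers and deploy scripts drift the modes back over time. The script below is an added example (not from the original post) that audits a tree against the policy above with `find -perm`, reports each deviation, applies the page's fix commands, and re-audits. The sample tree it builds is constructed for the demo and deliberately contains three deviations.

```bash
#!/bin/sh
# Added example (not from the original post): audit a WordPress tree against
# the permission policy above (directories 755, files 644, wp-config.php
# 600 or 640, .htaccess 644) and then apply the fix commands from the page.

# Print a path's permission bits in octal (GNU stat, then BSD stat fallback).
mode_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# audit_perms ROOT: print one "path mode=NNN" line per entry that deviates
# from the policy. Prints nothing when the tree is clean.
audit_perms() {
  root=$1
  {
    find "$root" -mindepth 1 -type d ! -perm 755
    find "$root" -mindepth 1 -type f ! -name wp-config.php ! -perm 644
    find "$root" -mindepth 1 -type f -name wp-config.php ! -perm 600 ! -perm 640
  } | while IFS= read -r p; do
    printf '%s mode=%s\n' "$p" "$(mode_of "$p")"
  done
}

# audit_count ROOT: number of deviations, usable as a pass/fail gate in cron.
audit_count() {
  audit_perms "$1" | wc -l | tr -d ' '
}

# fix_perms ROOT: the page's chmod recipe, applied in one go.
fix_perms() {
  find "$1" -mindepth 1 -type d -exec chmod 755 {} +
  find "$1" -mindepth 1 -type f -exec chmod 644 {} +
  chmod 600 "$1/wp-config.php"
}

# make_sample_tree: a constructed scratch install (not a real site) with
# three deliberate deviations; prints its path.
make_sample_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/wp-admin" "$t/wp-content/uploads"
  printf '<?php\n' > "$t/wp-config.php"
  printf '# rules\n' > "$t/.htaccess"
  printf '<?php\n' > "$t/wp-admin/index.php"
  printf 'x\n' > "$t/wp-content/uploads/stray.php"
  chmod 755 "$t/wp-admin" "$t/wp-content"
  chmod 644 "$t/.htaccess" "$t/wp-admin/index.php"
  chmod 644 "$t/wp-config.php"                 # deviation: readable by group/other
  chmod 777 "$t/wp-content/uploads"            # deviation: world-writable directory
  chmod 755 "$t/wp-content/uploads/stray.php"  # deviation: executable upload
  echo "$t"
}

# Stand-alone demo: audit, fix, audit again.
tree=$(make_sample_tree)
echo "Before fix ($(audit_count "$tree") deviations):"
audit_perms "$tree"
fix_perms "$tree"
echo "After fix: $(audit_count "$tree") deviations"
rm -rf "$tree"
```

Run `audit_count /path/to/wordpress` from cron and alert when it is non-zero; a world-writable directory or an executable file under wp-content/uploads is exactly the kind of drift worth seeing the day it appears rather than at the next manual review.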
Disable XML-RPC
XML-RPC (xmlrpc.php) can be abused for pingback-based DDoS and brute-force attacks; disable it unless a client such as the mobile app or Jetpack needs it.
Disable via .htaccess
```apache
# Block XML-RPC (Apache 2.4 syntax, with the 2.2 form as fallback)
<Files xmlrpc.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</Files>
```
Disable via Plugin
```php
// Disable XML-RPC in functions.php
add_filter('xmlrpc_enabled', '__return_false');
// Or use a plugin like:
// - Disable XML-RPC Pingback
// - Disable XML-RPC-API
```
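The login limiter above counts failures inside WordPress; the web server's access log gives the same picture from outside, and also shows XML-RPC abuse that a functions.php hook never sees. The script below is an added example (not from the original post or any listed plugin) that reads a combined-format access log and flags clients with repeated POSTs to wp-login.php or xmlrpc.php. It relies on a heuristic: WordPress answers a failed wp-login.php POST with 200 (it re-renders the form) and a successful one with a 302 redirect. The log lines are constructed with documentation-range IPs; the function names are this example's own.

```bash
#!/bin/sh
# Added example (not from the original post): spot login brute-forcing and
# XML-RPC abuse in an Apache/nginx combined-format access log. Repeated
# POST+200 on wp-login.php from one IP is the signal; this is a heuristic,
# not proof of compromise.

# post_bursts PATH THRESHOLD STATUS: read a combined log on stdin and print
# "ip count" for every client with >= THRESHOLD POSTs to PATH returning STATUS.
post_bursts() {
  awk -v path="$1" -v t="$2" -v st="$3" '
    { split($7, u, "[?]") }                     # drop any query string
    $6 == "\"POST" && u[1] == path && $9 == st { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print ip, n[ip] }' | sort
}

failed_logins() { post_bursts /wp-login.php "$1" 200; }   # likely password guessing
xmlrpc_posts()  { post_bursts /xmlrpc.php "$1" 200; }     # pingback / multicall abuse

# deny_rules: turn "ip count" lines into Apache 2.2-style deny lines matching
# the .htaccess blocks used elsewhere on this page (review before applying).
deny_rules() {
  awk '{ print "Deny from " $1 }'
}

# Constructed sample log (documentation-range IPs, not real traffic).
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.7 - - [10/May/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2024:10:00:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:10:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/May/2024:10:01:26 +0000] "GET /wp-admin/ HTTP/1.1" 200 9901 "-" "Mozilla/5.0"
203.0.113.9 - - [10/May/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
203.0.113.9 - - [10/May/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
203.0.113.9 - - [10/May/2024:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
203.0.113.9 - - [10/May/2024:10:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.5 - - [10/May/2024:10:03:00 +0000] "GET / HTTP/1.1" 200 12044 "-" "Mozilla/5.0"
EOF
)

# Stand-alone demo; on a live host feed the real log instead:
#   failed_logins 5 < /var/log/apache2/access.log
echo "== wp-login.php POSTs answered 200, 5 or more =="
printf '%s\n' "$SAMPLE_LOG" | failed_logins 5
echo "== xmlrpc.php POSTs, 3 or more =="
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_posts 3
echo "== suggested .htaccess lines =="
printf '%s\n' "$SAMPLE_LOG" | failed_logins 5 | deny_rules
```

The legitimate user at 198.51.100.20 mistypes once and then succeeds, so it falls below any sensible threshold; the threshold value mirrors the five attempts used in the PHP limiter. Once xmlrpc.php is blocked as described above, any remaining POSTs to it show up here as 403s rather than 200s, which is itself a useful confirmation that the block is in place.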
Use SSL/HTTPS
A TLS (SSL) certificate lets the browser verify your server's identity and encrypts the traffic between them.
Free SSL Certificates
- Let's Encrypt (Free, automated)
- Cloudflare SSL (Free tier available)
- Most hosting providers include free SSL
Force HTTPS
```php
// In wp-config.php
define('FORCE_SSL_ADMIN', true);

// Redirect all traffic to HTTPS. wp-config.php runs before WordPress has
// loaded wp_redirect(), so send the header directly. The forwarded-proto
// header is only meaningful behind a TLS-terminating proxy you control.
$is_https = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
    || (!empty($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https');
if (!$is_https && PHP_SAPI !== 'cli') {
    header('Location: https://' . $_SERVER['HTTP_HOST'] . $_SERVER['REQUEST_URI'], true, 301);
    exit;
}
```
Update .htaccess
```apache
# Force HTTPS
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```
Monitor and Scan
Regular monitoring helps detect issues early.
Activity Logging
```php
// Log all admin actions (functions.php). error_log() writes to
// wp-content/debug.log when WP_DEBUG_LOG is on, otherwise to PHP's error log.
// Note that admin_init also fires for admin-ajax.php requests.
function log_admin_actions() {
    if (is_admin() && current_user_can('manage_options')) {
        error_log('Admin action: ' . $_SERVER['REQUEST_URI'] .
            ' by user: ' . wp_get_current_user()->user_login);
    }
}
add_action('admin_init', 'log_admin_actions');
```
Recommended Monitoring Tools
- Wordfence - Real-time traffic monitoring
- Sucuri SiteCheck - Free malware scanner
- WP Security Audit Log - Comprehensive activity logging
- Jetpack Security - Automated malware scanning
Security Checklist
Use this checklist to ensure comprehensive security:
Initial Setup
- Install SSL certificate
- Use strong passwords for all users
- Enable two-factor authentication
- Install security plugin
- Set up automated backups
- Change default admin username
- Update all themes and plugins
Configuration
- Disable file editing
- Set proper file permissions
- Protect wp-config.php
- Disable XML-RPC (if not needed)
- Change default login URL
- Limit login attempts
- Add CAPTCHA to login
- Remove WordPress version number
Ongoing Maintenance
- Weekly: Check for updates
- Monthly: Scan for malware
- Monthly: Review user accounts
- Monthly: Check backups
- Quarterly: Audit plugins/themes
- Quarterly: Review security logs
- Annually: Security audit
Conclusion
WordPress security requires ongoing vigilance, but following this checklist will protect your site from most common threats. Remember that security is a process, not a one-time setup.
The most important steps are:
- Keep everything updated
- Use strong passwords and 2FA
- Install a security plugin
- Maintain regular backups
- Monitor your site regularly
By implementing these measures, you'll have a secure WordPress site that can resist most attacks and quickly recover from any security incidents.
Additional Resources
Questions about WordPress security? Need help securing your site? Feel free to reach out!

WordPress Expert
Expert WordPress & Shopify Developer
Senior full-stack developer with 10+ years experience specializing in WordPress, Shopify, and headless CMS solutions. Delivering custom themes, plugins, e-commerce stores, and scalable web applications.