Security
11 min read, by Kshitiz Saxena

How to Secure a WordPress Site: A Practical Checklist

A practical, step-by-step checklist to secure your WordPress site, even if you’re not technical. Stop the most common attacks before they happen.

Your WordPress site is a target. That is not alarmist — it is just the reality of running the world's most widely used website platform. Automated bots scan for vulnerable sites around the clock, and a single unpatched plugin or weak password is all it takes. The good news: most successful attacks are preventable with a handful of consistent habits. This checklist walks you through every meaningful step to secure your WordPress site, in plain language, without requiring a developer. Work through it once, then keep it as your ongoing reference.

Why WordPress Sites Get Hacked (And What You Can Actually Control)

The vast majority of WordPress compromises come from three sources: outdated software, weak credentials, and low-quality hosting. Sophisticated zero-day exploits (previously unknown vulnerabilities) are rare. What is common is a site running a plugin that had a known fix available for six months, or an admin account with the password "admin123". You can control all three root causes.

The WordPress Security Checklist

1. Keep Everything Updated

Updates are your first and most effective line of defence. WordPress core, every plugin, and every theme should be running the latest stable version at all times.

  • Go to Dashboard > Updates in your WordPress admin and apply any pending updates.
  • Enable automatic background updates for WordPress core minor releases — these are on by default and should stay that way.
  • Review plugins and themes monthly. Delete anything you are not actively using; inactive plugins still carry risk.
  • Only install plugins and themes from WordPress.org or reputable commercial marketplaces. Nulled (pirated) themes and plugins are a leading source of malware.

2. Use Strong, Unique Credentials

  • Change the default admin username immediately if you are still using it. Go to Users > Add New, create a new Administrator account with a different username, log in as that new user, then delete the original admin account.
  • Use a password of at least 16 characters. WordPress generates a strong password for you when you create or edit a user; use it.
  • Store passwords in a password manager such as Bitwarden or 1Password. Never reuse passwords across sites.
  • Audit Users > All Users and remove any accounts you do not recognise or that are no longer needed.

3. Enable Two-Factor Authentication (2FA)

Two-factor authentication (2FA) means that even if someone steals your password, they still cannot log in without a second verification step (usually a code from an app on your phone). This single step blocks the overwhelming majority of credential-based attacks.

  • Install a reputable WordPress security plugin that includes 2FA, such as Wordfence Security or WP 2FA.
  • Enable 2FA for every Administrator and Editor account on the site.
  • Use an authenticator app (Google Authenticator, Authy) rather than SMS codes where possible.

4. Limit Login Attempts

By default, WordPress allows unlimited login attempts. Attackers exploit this with brute-force attacks: automated scripts that try thousands of password combinations. Limiting attempts stops this cold.

  • Most security plugins (Wordfence, Solid Security) include login attempt limiting; enable it in the plugin settings.
  • Set a lockout after 3 to 5 failed attempts within a short window.
  • Consider changing your login URL from the default /wp-login.php to a custom path using a plugin. This reduces automated bot traffic hitting your login page.

5. Install a WordPress Security Plugin

A good WordPress security plugin acts as a firewall (blocking malicious traffic before it reaches WordPress), a malware scanner, and an activity monitor all in one.

  • Wordfence Security and Solid Security are two well-established, actively maintained options available on WordPress.org.
  • Run a full malware scan after installation. Review and act on any flagged issues.
  • Enable the Web Application Firewall (WAF), a filter that blocks known attack patterns, in your chosen plugin.
  • Set up email alerts for critical events such as new administrator accounts being created or core file changes.

6. Set Up Reliable Backups

Backups are not a security measure in the traditional sense, but they are your recovery plan when everything else fails. A recent, clean backup is the difference between a bad afternoon and a catastrophic loss.

  • Back up both your database (all your content and settings) and your files (themes, plugins, uploads).
  • Store backups somewhere separate from your hosting, such as a cloud service like Google Drive, Dropbox, or Amazon S3.
  • Automate daily backups using a plugin such as UpdraftPlus or rely on your host's backup system.
  • Test your backups periodically by restoring to a staging environment. A backup you have never tested is a backup you cannot trust.

7. Use HTTPS and Keep Your SSL Certificate Active

HTTPS (the padlock in your browser bar) encrypts data passing between your site and your visitors. It is now a baseline expectation, not a bonus. Most reputable hosts provide free SSL certificates via Let's Encrypt.

  • Check that your site loads on https:// and that the padlock is visible. If it shows a warning, your certificate may be expired or misconfigured.
  • In WordPress, go to Settings > General and confirm both the WordPress Address and Site Address begin with https://.
  • Force all traffic to HTTPS either through your host's control panel or a plugin like Really Simple SSL.

8. Choose Secure WordPress Hosting

Your hosting environment is the foundation everything else sits on. Secure WordPress hosting means a host that keeps server software patched, isolates accounts from one another, offers a server-level firewall, and provides malware scanning.

  • Avoid shared hosting plans where thousands of sites share a single server with no isolation; a compromise on one site can spread to others.
  • Look for hosts that offer PHP version control (so you can run a current, supported PHP version), automatic backups, and server-level firewalls.
  • Managed WordPress hosting is purpose-built for WordPress security and performance. TheAppSense Managed WordPress Hosting handles server-level hardening for you.

9. Harden Your wp-config.php and File Permissions

  • wp-config.php is the most sensitive file on your WordPress install: it contains your database credentials. Move it one directory above your public web root if your host allows it.
  • Set file permissions: directories should be 755, files should be 644, and wp-config.php should be 440 or 400.
  • Add the following line to your wp-config.php to disable file editing from within the WordPress dashboard: define( 'DISALLOW_FILE_EDIT', true ); This prevents attackers who gain admin access from injecting code through the theme editor.
  • Block access to wp-config.php via your .htaccess file (on Apache servers) by denying all requests to that file.
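An added audit script (not from the original article) that checks an install against the step 9 rules: directories 755, files 644, wp-config.php 440 or 400, and DISALLOW_FILE_EDIT defined. It assumes POSIX sh with find, grep and wc; the path in the usage comment is a placeholder.

```shell
#!/bin/sh
# Added example, not from the original article: audit a WordPress install
# against the step 9 rules (directories 755, files 644, wp-config.php 440
# or 400, DISALLOW_FILE_EDIT defined). Assumes POSIX sh with find, grep and
# wc; the path below is a placeholder:  sh wp_audit.sh /var/www/html

# Count directories whose mode is not exactly 755.
wp_bad_dirs() {
  find "$1" -type d ! -perm 755 | wc -l | tr -d ' '
}

# Count regular files whose mode is not exactly 644; wp-config.php is
# excluded here because it gets its own stricter check.
wp_bad_files() {
  find "$1" -type f ! -name wp-config.php ! -perm 644 | wc -l | tr -d ' '
}

# Succeed only if wp-config.php exists and is 440 or 400 (readable by the
# owner and at most the web server group, writable by nobody).
wp_config_perms_ok() {
  cfg="$1/wp-config.php"
  [ -f "$cfg" ] && [ -n "$(find "$cfg" \( -perm 440 -o -perm 400 \))" ]
}

# Succeed only if an uncommented define( 'DISALLOW_FILE_EDIT', true ) is
# present, which removes the theme and plugin editors from the dashboard.
wp_file_edit_disabled() {
  grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
    "$1/wp-config.php" 2>/dev/null
}

# Run every check, print each finding, and return the number of checks
# that failed (0 means the install matches the checklist).
wp_audit() {
  root="$1"; failed=0
  n=$(wp_bad_dirs "$root")
  [ "$n" -eq 0 ] || { echo "$n directories are not 755"; failed=$((failed + 1)); }
  n=$(wp_bad_files "$root")
  [ "$n" -eq 0 ] || { echo "$n files are not 644"; failed=$((failed + 1)); }
  wp_config_perms_ok "$root" || { echo "wp-config.php is not 440 or 400"; failed=$((failed + 1)); }
  wp_file_edit_disabled "$root" || { echo "DISALLOW_FILE_EDIT is not set"; failed=$((failed + 1)); }
  return "$failed"
}

if [ "$#" -eq 1 ]; then
  wp_audit "$1"
fi
```

The exit status is the number of failed checks, so the script drops into a cron job or a host's post-update hook without further parsing.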

10. Disable XML-RPC If You Don't Need It

XML-RPC is a WordPress feature that allows remote applications to communicate with your site. It is also a common attack vector for brute-force and DDoS amplification attacks. Unless you use a mobile app or service that requires it, disable it.

  • Most security plugins include an option to disable XML-RPC; check your plugin's settings panel.
  • You can also block access to /xmlrpc.php at the server level through your host's control panel or .htaccess rules.

11. Monitor for Suspicious Activity

  • Enable activity logging through your security plugin so you can see who logged in, what changed, and when.
  • Set up uptime monitoring (many free tools exist, such as UptimeRobot) so you are alerted the moment your site goes down.
  • Review your security plugin's scan results at least once a month, even if no alerts have fired.
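An added log check (not from the original article) for the brute-force pattern described in step 4, usable as the kind of manual review step 11 asks for: it counts POSTs to /wp-login.php per client IP in a combined-format access log and flags clients at or above a threshold. It assumes WordPress answers a failed login with a 200 (form re-rendered) and a successful one with a 302 redirect, so only status-200 POSTs are counted; the log lines are constructed, not real traffic.

```shell
#!/bin/sh
# Added example, not from the original article: flag clients hammering
# /wp-login.php (step 4) from an Apache/Nginx combined-format access log,
# as a manual review step (step 11). Assumption: a failed login returns 200
# (the form is re-rendered) and a successful one returns a 302 redirect, so
# only status-200 POSTs are counted.

# Constructed sample log lines, not real traffic, so the script runs offline.
SAMPLE_LOG='203.0.113.10 - - [01/Jan/2025:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2025:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2025:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.10 - - [01/Jan/2025:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 8012 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jan/2025:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Read a combined-format log on stdin and print "count ip", highest first,
# for every client with at least $1 failed wp-login.php POSTs (default 5,
# matching the article's 3-to-5 lockout guidance).
wp_login_flood() {
  awk -v t="${1:-5}" '
    $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  ' | sort -rn
}

# Wrapper over the embedded sample; a real run would be
#   wp_login_flood 5 < /var/log/apache2/access.log   (path is a placeholder)
wp_login_flood_sample() {
  printf '%s\n' "$SAMPLE_LOG" | wp_login_flood "$1"
}

wp_login_flood_sample 5
```

A client flagged here is what a login-limiting plugin would already have locked out; seeing it in the raw log confirms the limiter is configured and that the lockout threshold is being hit.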

Quick-Reference Security Checklist

Task                                               Priority   How Often
Update WordPress core, plugins, and themes         Critical   Weekly
Run a malware scan                                 Critical   Monthly (or after any update)
Review user accounts and permissions               High       Monthly
Verify backups are completing and stored offsite   Critical   Weekly
Check SSL certificate is valid                     High       Monthly
Review security plugin alerts                      High       Weekly
Audit installed plugins, remove unused ones        Medium     Quarterly
Test backup restoration on staging                 High       Quarterly

Already Hacked? Here's What to Do First

If your site is already showing signs of compromise (unexpected redirects, Google warnings, content you did not add, or your host suspending the account), the checklist above is not where you start. Cleaning an infected site requires removing malware from the database and file system, identifying the entry point, and closing it so reinfection does not happen within hours.

TheAppSense offers professional WordPress Malware Removal if you need an expert to handle the clean-up, close the vulnerability, and get your site back to a verified clean state.

Ongoing Security: Make It a Habit, Not a One-Time Fix

Security is not a project you complete and forget. New vulnerabilities are discovered in plugins and themes every week. The sites that stay clean are the ones with consistent habits: regular updates, monitored backups, and someone paying attention to alerts.

If managing all of this yourself feels like too much on top of running your business, a Website Maintenance and Care Plan covers updates, backups, monitoring, and security checks on a regular schedule, so you do not have to think about it.

Securing a WordPress site does not require technical expertise. It requires consistent habits: keep software updated, use strong credentials with 2FA, install a reputable security plugin, back up regularly, and choose hosting that takes security seriously. Work through this checklist once, set up the recurring tasks, and you will have eliminated the vast majority of risk. If something has already gone wrong, or you would rather hand this off entirely, TheAppSense is here to help.

How do I know if my WordPress site has been hacked?

Common signs include: your site redirecting visitors to a different website, Google showing a 'This site may be hacked' warning in search results, your hosting provider suspending your account for malicious activity, unfamiliar admin users appearing in Users > All Users, or visitors reporting spam content. If you see any of these, treat it as a confirmed compromise and act immediately. Our WordPress Malware Removal service can identify and clean the infection.

Which is the best WordPress security plugin?

Wordfence Security and Solid Security (formerly iThemes Security) are two of the most widely used and actively maintained options. Both are available free on WordPress.org and include a firewall, malware scanner, and login protection. The best plugin is the one you actually configure and keep updated; an installed-but-ignored plugin provides little protection.

Do I need a security plugin if my host already provides security?

Yes, ideally both. Host-level security (server firewalls, malware scanning at the server layer) and a WordPress security plugin (application-layer firewall, WordPress-specific malware signatures, login protection) cover different attack surfaces. They complement each other rather than duplicate effort. Secure WordPress hosting reduces your risk significantly, but it is not a substitute for application-level hardening.

How often should I back up my WordPress site?

For most business sites, daily automated backups stored offsite (not on the same server) are the right baseline. High-traffic sites or those updated frequently, such as e-commerce stores processing orders, should back up more often, sometimes hourly for the database. The critical thing is that backups are automated, stored separately from your host, and tested periodically to confirm they actually restore.

Is it safe to use free WordPress themes and plugins?

Free plugins and themes from the official WordPress.org repository are reviewed and are generally safe, provided they are actively maintained (check the last updated date and the number of open support issues). What is not safe is nulled software: pirated copies of premium plugins or themes distributed for free on unofficial sites. These almost always contain malware or backdoors inserted by the distributor.

What is the single most impactful thing I can do to secure my WordPress site right now?

If you have to pick one action: enable two-factor authentication on your administrator account. Stolen or guessed passwords are the most common entry point for attackers, and 2FA makes a stolen password useless on its own. After that, run a full plugin and theme update. Those two steps alone eliminate the majority of real-world attack vectors.

Hand your WordPress site to people who'll keep it running

Move to fully managed hosting and we'll handle speed, security, backups, and updates for you, with free migration and no lock-in. A faster, safer site, and a real person a click away.

We reply to every enquiry within one business day.