WordPress Security Checklist 2025: 50 Steps to a Bulletproof Website
A comprehensive, step-by-step security checklist covering every aspect of WordPress hardening — from login protection to server configuration. Follow these 50 steps and dramatically reduce your attack surface.
This WordPress security checklist 2025 covers the controls needed to secure a WordPress site against the threats that actually take sites down: credential attacks on the login, known vulnerabilities in plugins and themes, webshells dropped through writable directories, and server misconfiguration. Work through the 50 steps in order. Each item is actionable, and the categories are arranged so that the login and update controls, which close the most common compromise paths, come first.
Category 1: Login Security (Steps 1-10)
1. Change the default /wp-admin URL — Use WPS Hide Login (or an equivalent) to serve the login form from a custom path instead of /wp-login.php and /wp-admin. This cuts the noise from bots that hammer the default paths; it does not stop a targeted attacker who can find the new URL, so treat it as a supplement to steps 2 and 3, not a replacement for them.
2. Enable Two-Factor Authentication (2FA) — Require a TOTP authenticator app (or a hardware key, where the plugin supports WebAuthn) for every account with Editor privileges or higher, and prefer it for all users. Of all the steps here this does the most to stop account takeover, because it still holds when a password has been phished, reused or leaked.
3. Limit login attempts — Lock out a source after 5 failures. A plugin (Limit Login Attempts, for example) does this inside WordPress; fail2ban does it at the firewall, which also stops the attacker from tying up PHP workers. A working jail needs a filter and a log that failed logins are written to; WordPress does not write one by default, so install the WP fail2ban plugin (which logs to syslog and ships the filter used below) or a wp_login_failed hook that does the same:
# /etc/fail2ban/jail.d/wordpress.conf
[wordpress]
enabled = true
# filter from the WP fail2ban plugin, copied into /etc/fail2ban/filter.d/; its lines land in the auth log via syslog
filter = wordpress-hard
logpath = /var/log/auth.log
port = http,https
maxretry = 5
findtime = 600
bantime = 3600
4. Enforce strong password policy — Require at least 16 characters and reject any password found in breach corpora (the NIST SP 800-63B approach). Length and uniqueness matter far more than forcing a mix of character classes, which mostly yields predictable substitutions; give staff a password manager so long random passwords are practical.
5. Disable login hints — By default WordPress reports whether the username or the password was wrong, which confirms valid usernames to an attacker. Return one generic message for every failure (place this in a must-use plugin or the theme's functions.php):
// Replace every login error with one message that does not distinguish the cases.
add_filter('login_errors', function() { return 'Invalid credentials.'; });
6. Restrict admin login by IP — If you always connect from fixed addresses, allow only those to /wp-login.php and /wp-admin/ in .htaccess (Apache) or a location block (Nginx). Leave /wp-admin/admin-ajax.php reachable, because many plugins call it from the public front end, and confirm who else administers the site before locking it down; staff on changing IPs will need a VPN or bastion host instead.
7. Remove the admin username — Create a new administrator with a non-obvious username, reassign the old account's content to it, then delete the original. "admin" is the first name every brute-force tool tries; since usernames can still be discovered (step 8), this removes the easiest guess rather than the attack itself.
8. Disable user enumeration — Usernames leak through the REST endpoint /wp-json/wp/v2/users, the ?author=N redirect to /author/username/, the core XML sitemap's author list, and oEmbed responses. Block the REST listing for unauthenticated requests and send author-archive requests elsewhere.
9. Use application passwords for API access — For REST API integrations, issue each integration its own WordPress Application Password instead of sharing the main admin password; they can be revoked one at a time and WordPress only accepts them over HTTPS. Prefer a dedicated account with the minimum role the integration needs.
10. Log all login activity — Record successes and failures with username, source IP and timestamp, and ship the records off the host. A wp_login / wp_login_failed hook or an audit-log plugin provides them; they are what you reconstruct an incident from and what a lockout tool such as fail2ban acts on.
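The following must-use plugin is an added example for steps 8 and 10; it is not code from the checklist author. It assumes the file lives at wp-content/mu-plugins/login-hardening.php (so it loads before ordinary plugins) and that a syslog daemon is present; the function names prefixed example_ are illustrative.

```php
<?php
/**
 * Plugin Name: Login hardening (added example)
 *
 * Added example for checklist steps 8 and 10, not the checklist author's code.
 * Assumed location: wp-content/mu-plugins/login-hardening.php.
 * All example_* names are illustrative.
 */

// Step 8a: remove the user-listing REST routes for anyone who is not logged in.
// By the time rest_endpoints runs, core has already resolved cookie+nonce or
// application-password authentication, so is_user_logged_in() is reliable here.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (str_starts_with($route, '/wp/v2/users')) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});

// Step 8b: ?author=N normally 301-redirects to /author/<username>/, which confirms
// the username. Run before redirect_canonical (priority 10) and send author
// requests to the home page instead.
add_action('template_redirect', function (): void {
    if (is_author() || isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 302);
        exit;
    }
}, 1);

// Step 8c: the core XML sitemap (WordPress 5.5+) lists author URLs in
// wp-sitemap-users-1.xml; returning false drops that provider entirely.
add_filter('wp_sitemaps_add_provider', function ($provider, string $name) {
    return 'users' === $name ? false : $provider;
}, 10, 2);

// Step 10: one syslog line per login outcome, in the auth facility.
function example_client_ip(): string {
    // REMOTE_ADDR is the only address the client cannot forge. Behind a reverse
    // proxy, have the server rewrite REMOTE_ADDR from X-Forwarded-For
    // (mod_remoteip, ngx_http_realip_module) rather than trusting the header here.
    $ip = filter_var($_SERVER['REMOTE_ADDR'] ?? '', FILTER_VALIDATE_IP);
    return $ip === false ? 'unknown' : $ip;
}

function example_log_login(string $outcome, string $username): void {
    // The username comes straight from the form: strip control characters so a
    // crafted "user" cannot inject fake log lines or confuse a fail2ban filter.
    $username = preg_replace('/[^\x20-\x7e]/', '?', $username);
    $agent    = preg_replace('/[^\x20-\x7e]/', '?', (string) ($_SERVER['HTTP_USER_AGENT'] ?? ''));
    openlog('wordpress', LOG_PID, LOG_AUTH);
    syslog(LOG_NOTICE, sprintf(
        'login %s user="%s" from %s at %s ua="%s"',
        $outcome,
        substr($username, 0, 60),
        example_client_ip(),
        gmdate('Y-m-d\TH:i:s\Z'),
        substr($agent, 0, 120)
    ));
    closelog();
}

// Core fires wp_login_failed for every failed password check (login form and
// XML-RPC alike) and wp_login on a successful sign-in.
add_action('wp_login', function (string $user_login): void {
    example_log_login('success', $user_login);
}, 10, 1);

add_action('wp_login_failed', function (string $username): void {
    example_log_login('failure', $username);
}, 10, 1);
```

The syslog lines land in /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL), where a fail2ban filter matching `login failure .* from <HOST>` can count them for step 3. oEmbed responses (/wp-json/oembed/1.0/embed) still carry author_name; use the oembed_response_data filter to remove it if that matters for your site.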
Category 2: Updates and Patches (Steps 11-16)
11. Enable automatic core updates — 'minor' (security and maintenance releases) is already the default, so this line mainly pins the behaviour against plugins or hosts that switch it off; set it to true to take major releases as well. Automatic updates run from WP-Cron, so they need a working cron trigger and write access to the files (DISALLOW_FILE_MODS in step 22 blocks them):
define('WP_AUTO_UPDATE_CORE', 'minor');
12-13. Update plugins and themes promptly — Most WordPress compromises come through a plugin or theme with a known vulnerability, so apply updates within days rather than weeks, and the same day for anything with a published advisory. Turn on auto-updates (available per plugin and theme since WordPress 5.5) for components you do not customise, and test the rest on staging.
14-15. Remove unused plugins and themes — Delete (don't just deactivate) anything not in use: a deactivated plugin's files are still reachable by URL and still exploitable if they contain a vulnerability. Keep one default theme as a fallback and remove the others.
16. Subscribe to CVE alerts — SecureCheap automatically monitors for new vulnerabilities affecting your installed plugins.
Category 3: File System Security (Steps 17-24)
17. Set correct file permissions — Directories 755, files 644, and the files owned by a deploy user rather than the web server user, so a compromised PHP process cannot rewrite them:
find /var/www/html -type d -exec chmod 755 {} +
find /var/www/html -type f -exec chmod 644 {} +
# 600 only works when PHP runs as the file owner; with PHP-FPM running as a separate
# user, use 640 and give that user's group read access instead.
chmod 600 /var/www/html/wp-config.php
18-19. Protect wp-config.php and disable directory browsing — Deny direct requests to wp-config.php at the web server, and add Options -Indexes to .htaccess (autoindex is off by default in Nginx) so that directories without an index file do not list their contents, which would reveal plugin versions and stray backup files.
20. Block sensitive file access via FilesMatch in .htaccess — deny .htaccess itself, wp-config.php, readme.html, license.txt, and anything ending in .log, .sql, .bak, .orig, .swp or ~ (editor and backup copies that end up in the web root).
21. Disable PHP execution in uploads — Uploads is the one directory a low-privileged account can write to, so any bypass of the upload filters becomes a webshell unless the server refuses to run scripts there. Deny the requests outright rather than relying on php_flag engine off, which only takes effect under mod_php and is rejected as an unknown directive with PHP-FPM (in Nginx, add a location block for the same pattern with deny all):
<Directory /var/www/html/wp-content/uploads>
  <FilesMatch "\.(php|phtml|phar|php[0-9])$">
    Require all denied
  </FilesMatch>
</Directory>
22. Disable file editing from admin — DISALLOW_FILE_EDIT removes the theme and plugin code editors, which an attacker holding a stolen admin session would otherwise use to drop a backdoor. DISALLOW_FILE_MODS goes further and blocks every plugin, theme and core install or update from the dashboard, including the automatic updates from step 11; set it only when updates are deployed from version control, otherwise stop at the first line:
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true);
23. Move wp-config.php one directory above the web root — WordPress looks one level up automatically (as long as that directory contains no wp-settings.php), so no other change is needed. The benefit is that a misconfiguration that serves .php files as plain text can no longer expose the database credentials; it only helps if the parent directory is outside every served path.
24. Implement file integrity monitoring — Alert on changes to core, plugin and theme files between deployments. WP-CLI's wp core verify-checksums and wp plugin verify-checksums compare against wordpress.org; a host-level tool such as AIDE or a security plugin covers custom code. Code injected into an existing file is the most common persistence mechanism, and this is the control that finds it.
Category 4: Database Security (Steps 25-29)
25. Change the database prefix from the default wp_ to a random string — Only practical at install time (renaming a live site's tables is error-prone) and only a minor obstacle: it defeats canned SQL injection payloads that hard-code wp_users, not an attacker who can read information_schema. Do not count it as a real control.
26. Limit database user privileges — For day-to-day operation the WordPress database user needs only SELECT, INSERT, UPDATE and DELETE on its own database, and never FILE (which turns an injection into server file read/write), SUPER or any global privilege. Core upgrades and some plugin installs run schema changes that need CREATE, ALTER, DROP and INDEX, so either grant those temporarily during upgrades or accept them and still withhold the rest.
27-28. Back up regularly and use parameterised queries — Automate backups (step 46 covers retention and off-site storage). In code, never build SQL by concatenating request data; pass every value through $wpdb->prepare() with %s/%d placeholders so it is bound as data rather than parsed as SQL. "Sanitising" with esc_sql() is a weaker substitute because its safety depends on where the value lands in the query.
29. Enable query logging in staging to catch slow or suspicious queries — the MySQL slow query log or the Query Monitor plugin shows what each page generates, which is also where plugin-built SQL with unescaped input stands out.
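The contrast below is an added example for step 28, not code from the checklist author. It assumes it runs inside WordPress (from a plugin), a hypothetical table named {$wpdb->prefix}stores with id, name and city columns, and WordPress 6.2 or newer for the %i identifier placeholder; the example_* function names are illustrative.

```php
<?php
/**
 * Added example for step 28: $wpdb->prepare() versus string concatenation.
 * Not the checklist author's code. Assumes a hypothetical table
 * {$wpdb->prefix}stores (id, name, city) and WordPress 6.2+ for %i.
 */

// VULNERABLE: the request value is concatenated straight into the SQL string.
//   city=x' OR '1'='1          returns every row
//   city=x' UNION SELECT user_login, user_pass FROM wp_users -- reads credentials
function example_find_stores_unsafe(string $city): array {
    global $wpdb;
    $sql = "SELECT id, name FROM {$wpdb->prefix}stores WHERE city = '" . $city . "'";
    return $wpdb->get_results($sql, ARRAY_A);
}

// HARDENED: prepare() escapes and quotes the value, so it can never close the
// string literal and become SQL, whatever characters it contains.
function example_find_stores(string $city): array {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}stores WHERE city = %s",
        $city
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

// LIKE needs two steps: escape the wildcards % and _ with esc_like(), then bind
// the whole pattern. prepare() alone would let "%" match everything.
function example_search_stores(string $term, int $limit): array {
    global $wpdb;
    $pattern = '%' . $wpdb->esc_like($term) . '%';
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}stores WHERE name LIKE %s ORDER BY id LIMIT %d",
        $pattern,
        $limit
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

// IN (...) lists: one placeholder per value; never implode raw input into the query.
function example_stores_by_ids(array $ids): array {
    global $wpdb;
    $ids = array_map('intval', $ids);
    if (empty($ids)) {
        return [];
    }
    $placeholders = implode(',', array_fill(0, count($ids), '%d'));
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}stores WHERE id IN ($placeholders)",
        ...$ids
    );
    return $wpdb->get_results($sql, ARRAY_A);
}

// Column and table names cannot be bound with %s (they would be quoted as strings).
// Check them against an allowlist, then bind with %i, which backtick-quotes identifiers.
function example_sort_stores(string $order_by): array {
    global $wpdb;
    $allowed = ['id', 'name', 'city'];
    if (!in_array($order_by, $allowed, true)) {
        $order_by = 'id';
    }
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}stores ORDER BY %i",
        $order_by
    );
    return $wpdb->get_results($sql, ARRAY_A);
}
```

A literal percent sign inside a prepare() query must be written as %%, and prepare() emits a notice when called with no placeholders; both are worth knowing when retrofitting an existing plugin.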
Category 5: Server Security (Steps 30-35)
30. Use a reputable managed WordPress host — one that patches the OS and PHP, isolates sites from one another, and provides a WAF and backups. On a self-managed server every item in this category is your responsibility.
31. Run a supported PHP version — PHP 8.0 and earlier no longer receive security fixes, and each branch gets them for only a few years after release (8.1's end at the close of 2025), so move to 8.2 or newer and keep stepping forward. Check the plugin set against the target version on staging first.
32. Enable a Web Application Firewall — At the edge (Cloudflare, Sucuri) or on the host (ModSecurity with the OWASP Core Rule Set), in front of PHP; a WAF that runs as a WordPress plugin only sees requests PHP is already handling. It buys time while a vulnerable plugin waits for a patch; it does not replace patching.
33. Configure SSL/TLS correctly — redirect all HTTP to HTTPS, allow only TLS 1.2 and 1.3, set WP_HOME and WP_SITEURL to the https:// origin so WordPress does not emit mixed content, and add HSTS (step 37).
34. Disable XML-RPC — xmlrpc.php accepts password authentication with no lockout, system.multicall lets one request try hundreds of credentials, and pingback.ping can be abused for reflected DoS. Block it at the server unless you rely on Jetpack or the WordPress mobile app (Apache 2.4 syntax; the Order/Deny form belongs to Apache 2.2, and in Nginx use a location block with deny all):
<Files xmlrpc.php>
  Require all denied
</Files>
35. Limit REST API access for unauthenticated users — The API is public by default. Require authentication for everything except the routes your front end genuinely calls anonymously, and keep core's cookie-plus-nonce check in place so that a logged-in user's browser cannot be driven against the API from another site.
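One way to implement step 35, as an added example that is not the checklist author's code: a must-use plugin that rejects anonymous REST requests except for an explicit allowlist. It assumes the file wp-content/mu-plugins/rest-gate.php; the allowlist contents and the example_ names are assumptions to adapt to your site.

```php
<?php
/**
 * Plugin Name: REST API gate (added example)
 *
 * Added example for checklist step 35, not the checklist author's code.
 * Assumed location: wp-content/mu-plugins/rest-gate.php.
 */

// Routes that must stay reachable without a login. Both entries are assumptions;
// extend the list for plugins your front end calls anonymously (contact forms,
// a store API) after confirming each route from the plugin's documentation.
const EXAMPLE_PUBLIC_REST_ROUTES = [
    '#^/oembed/1\.0/#',       // lets other sites embed your posts
    '#^/wp/v2/posts(/|$)#',   // anonymous readers of a decoupled front end
];

function example_rest_route_is_public(string $route): bool {
    foreach (EXAMPLE_PUBLIC_REST_ROUTES as $pattern) {
        if (preg_match($pattern, $route)) {
            return true;
        }
    }
    return false;
}

// Priority 101: core's rest_cookie_check_errors runs at 100 and demotes a
// cookie-only request without a valid nonce to anonymous. Hooking earlier would
// see is_user_logged_in() as true for such a request and wave it through.
add_filter('rest_authentication_errors', function ($result) {
    // Another handler already decided (WP_Error or true): respect it.
    if (null !== $result) {
        return $result;
    }
    // Cookie+nonce and Application Password logins have both been resolved by now.
    if (is_user_logged_in()) {
        return $result;
    }
    // The route is available from the rewrite (/wp-json/wp/v2/users) or the
    // query form (?rest_route=/wp/v2/users); core stores both in rest_route.
    $route = $GLOBALS['wp']->query_vars['rest_route'] ?? '';
    $route = '/' . ltrim((string) $route, '/');
    if (example_rest_route_is_public($route)) {
        return $result;
    }
    return new WP_Error(
        'rest_not_logged_in',
        'Authentication required.',
        ['status' => 401]
    );
}, 101);
```

Because authentication is checked before routing, this also returns 401 for /wp-json/wp/v2/users, the enumeration route from step 8. Test the block editor and every front-end feature after enabling it; anything that stops working is calling a route that belongs in the allowlist.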
Category 6: Security Headers (Steps 36-40)
36. Add Content Security Policy (CSP) — Deploy it as Content-Security-Policy-Report-Only first and read the reports: WordPress core, themes and plugins emit inline scripts and styles, so an enforced policy without 'unsafe-inline' (or nonces that every plugin honours) breaks the editor. Tighten directive by directive, but set object-src 'none' and base-uri 'self' from the start; nothing in WordPress needs them.
37. Enable HSTS: Strict-Transport-Security: max-age=31536000; includeSubDomains; preload — Only once every subdomain serves HTTPS. Begin with a short max-age, raise it when nothing breaks, and add preload only if you will submit the domain to the browser preload list, because getting off that list takes months.
38. Set X-Frame-Options: X-Frame-Options: SAMEORIGIN — stops other sites framing wp-admin for clickjacking; CSP frame-ancestors supersedes it in current browsers, so set both.
39. Add X-Content-Type-Options: X-Content-Type-Options: nosniff — stops browsers guessing a content type and executing an uploaded file as script.
40. Configure Referrer-Policy: Referrer-Policy: strict-origin-when-cross-origin
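The following is an added example for steps 36 to 40, not the checklist author's code. Setting headers at the web server is preferable because it also covers static files, cached pages and wp-admin; this PHP variant is for hosts where the server configuration is out of reach. It assumes the file wp-content/mu-plugins/security-headers.php, and the CSP values are a starting point, not a policy proven against your plugins.

```php
<?php
/**
 * Plugin Name: Security headers (added example)
 *
 * Added example for checklist steps 36-40, not the checklist author's code.
 * Assumed location: wp-content/mu-plugins/security-headers.php.
 */

// Returns the header set for one response. $is_https decides whether HSTS is
// included: browsers ignore it on plain-HTTP responses, so sending it there is noise.
function example_security_headers(bool $is_https): array {
    $headers = [
        'X-Frame-Options'        => 'SAMEORIGIN',
        'X-Content-Type-Options' => 'nosniff',
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
        // Report-Only first: core, themes and plugins use inline script and style,
        // so 'unsafe-inline' stays until each source has been replaced with a
        // nonce or hash. object-src, base-uri and form-action can be strict now.
        'Content-Security-Policy-Report-Only' => implode('; ', [
            "default-src 'self'",
            "script-src 'self' 'unsafe-inline'",
            "style-src 'self' 'unsafe-inline'",
            "img-src 'self' data:",
            "font-src 'self' data:",
            "object-src 'none'",
            "base-uri 'self'",
            "frame-ancestors 'self'",
            "form-action 'self'",
        ]),
    ];
    if ($is_https) {
        // One day to start; raise to 31536000 and consider preload only after
        // every subdomain has been confirmed on HTTPS (step 37).
        $headers['Strict-Transport-Security'] = 'max-age=86400; includeSubDomains';
    }
    return $headers;
}

// send_headers fires for front-end page loads before any output is written.
add_action('send_headers', function (): void {
    foreach (example_security_headers(is_ssl()) as $name => $value) {
        header($name . ': ' . $value);
    }
});
```

Add a report-to or report-uri endpoint to the CSP once you have somewhere to collect violations; without reports the Report-Only policy tells you nothing. Keep the header list in one function, as here, so the server configuration can be generated from the same source when you move it there.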
Category 7: Monitoring and Incident Response (Steps 41-50)
41. Set up uptime monitoring — SecureCheap provides 60-second interval monitoring. Free plan includes 3 monitors.
42. Schedule weekly malware scans.
43. Keep WP_DEBUG false in production — and WP_DEBUG_DISPLAY false as well; stack traces and file paths on error pages are reconnaissance. If you need the output, set WP_DEBUG_LOG to a file path outside the web root rather than the default wp-content/debug.log, which is publicly readable.
44. Implement error tracking — SecureCheap includes error tracking to catch application anomalies.
45. Run regular security scans with the SecureCheap Scanner.
46. Configure automated daily backups with off-site storage.
47. Document your incident response plan before an incident happens.
48. Test backup restoration quarterly — an untested backup may not work.
49. Conduct a quarterly security review using this checklist to catch configuration drift.
50. Stay informed — subscribe to WPScan Vulnerability Database, WordPress Security Blog, and the SecureCheap Blog.
Automate with SecureCheap
SecureCheap's WordPress management automates many of these checks: hardening settings application, plugin vulnerability monitoring, uptime monitoring, security header scanning, and instant alerts — all in one platform at $29/month for up to 50 sites. Start free — no credit card required.