Back in 2019, I had a WordPress website that was seriously attacked. Luckily, I was able to recover my login credentials, but I lost my entire site data. That was pretty awful. Securing the site had been the least of my concerns, and as a result I got a nice slap from hackers. So from that day onwards, when it comes to site management, WordPress security comes first.
Everyone should be concerned about security, whether you are at home, at the office, or in any working environment. WordPress security is similar to home security. When you leave your home, you lock all your doors and windows; locking reduces the chance of a burglary. In the same way, WordPress security reduces how exposed you are to hackers.
1. What if your site security is similar to ?
According to statistics from 40,000+ WordPress Websites in Alexa Top 1 Million, more than 70% of WordPress installations are vulnerable to hacker attacks.
Still, WordPress site security is not taken seriously in 2020. WordPress can be hacked at any time, so you must take preventive action by implementing our Updated WordPress Security Checklists to Secure Your WordPress Site.
Hackers go after vulnerable websites that are easy to hack. Dear people, don’t let your website be fed on by hungry hackers. If your WordPress site is secured correctly, no hacker will enjoy spending days and days looking for the security loophole that would give them access.
2. Do I really need to care about securing my website?
The WordPress core system is very secure: it is audited regularly, and hundreds of developers release minor bug fixes and security patches from time to time. The bitter truth, though, is that there is no 100% security guarantee on the internet. A minor loophole on your website can welcome hackers at any time. Security is not just about risk elimination; it’s about taking action that will help keep your website secure in the future. It’s all about risk reduction.
On the other hand, security flaws on your website can directly affect your SEO rankings. If you are working on the technical side of a website’s SEO, you should pay even more attention to hardening the site.
During my college days, there was a presentation on Cyber Security. In the introduction, the presenter said something memorable that is still stuck in my mind: “There are two kinds of systems: those that have been hacked, and those that will be hacked.” It started making sense to me after a while.
Let me show you some staggering hacking statistics summed up by WebARX.
- A study found that there is an attack every 39 seconds on average on the web, and the insecure usernames and passwords in use give attackers a higher chance of success. (Source: Security Magazine)
- Hackers steal 75 records every second. (Source: Breach Level Index)
- 73% of black hat hackers said traditional firewall and antivirus security is irrelevant or obsolete. (Source: Thycotic.com)
- Hackers create 300,000 new pieces of malware daily. (Source: McAfee)
- On average, 30,000 new websites are hacked every day. (Source: Forbes)
3. How can I secure my WordPress website?
With all of the above scary statistics in mind, I want to make sure that you will be familiar with all the essential tactics for securing a website after reading the entire post. Go through every checklist item and implement them one by one.
Here’s my checklist of ALL the things you should do.
This checklist is broken into two parts. The first part covers basic measures like maintaining a strong password, updating your WordPress website, and so on.
The second part covers advanced measures for those who really care about their sites more than their wife. No more kidding. The second checklist is basically for admins: the kind of person who locks the bicycle and then puts a chain around it as well. Here we go:
# Basic Security Configuration Checklists
- Backup & Scheduling
- WordPress Update
- Plugins Update
- Themes Update
- Update Password
- Delete any plugins or themes that are not in use
# Advance Security Configuration Checklists
- Change Login Path
- Hiding username from the author archive URL
- Limit login attempts
- Change file permissions (Server Side)
- Disable file editing via the dashboard
- Create Custom Secret Keys for wp-config.php file
- Change the Database Prefix
- Hide Your WordPress Version
- Protect Critical Files wp-config.php, .htaccess, etc
- Install and Configure WordPress Security Plugin
- Install and Configure WordPress Security Plugin / 2FA Authentication
- Automatic Email notification for Security and Updates
# Basic Security Configuration Checklists
Backup & Scheduling
A backup is simply a copy of your entire site kept for later use. This must be everyone’s topmost priority before making any change to a website. There are two types of WordPress backup: manual backup and scheduled (automated) backup. Whichever you adopt, creating a backup from time to time is a must.
I already mentioned earlier that one of my sites was hit so hard by intruders that I was not able to recover my site data. I recovered my login credentials, but the entire site content was long gone. It could easily have been restored to the previous version if I had backed up my site. Dear readers, I don’t want you to make the same blunder I did years ago. So be mindful and schedule your backups regularly. Before making changes to your site, make sure to back up first and only then head towards your update. Thankfully there are tons of ways to back up a WordPress site. You can either do a manual backup or use plugins. Here are my favourite plugins for quick and easy backups:
- UpdraftPlus
- All-in-One WP Migration
- VaultPress
- BackupBuddy
- Duplicator
Keep Your WordPress Up to Date
You might have heard of people who disable WordPress core updates, assuming that an update will break their entire site and plugins. This is seriously flawed. Would you rather accept a hacked site than update your WordPress core? I have been using WordPress for a decade, and this doesn’t make sense. Updating your WordPress core is mandatory for maintaining site health. Interestingly, you don’t need to be a tech ninja to update your core WordPress site. It’s just a few clicks away.
WordPress is open-source software that is regularly maintained and updated. An update is an improved version that can be incorporated into an existing installation. By default, WordPress automatically installs minor updates. For major releases, you need to initiate the update manually.
WordPress also comes with thousands of plugins and themes that you can install on your website. These plugins and themes are maintained by expert developers who regularly release updates as well, fixing minor bugs and patching security issues from time to time.
Thus, WordPress updates are crucial for the security and stability of your WordPress site. Make sure that your WordPress core is up to date.
Keep Plugin Up to Date
One of the mistakes I notice among WordPress users is neglecting plugin updates. Updating a plugin is just a few clicks away. You don’t need to be tech-savvy to do that. Updates are crucial for the security and stability of your entire site. An outdated plugin makes your site vulnerable to hackers and significantly impacts your site’s health and performance. Make sure that your WordPress plugins are up to date.
Keep Theme Up to Date
Now you may be thinking about all of the changes you’ve made to the theme and how they will break if you perform a theme update. In reality, changes to a theme should be made in a child theme rather than directly in the parent theme. This lets you get the latest fixes and security updates without losing your changes.
Make Your Password Super Strong
The most common WordPress hacking attempts use stolen passwords. You can make that difficult by using stronger passwords. Not just for the WordPress admin area, but also for FTP accounts, database, WordPress hosting account, and your custom email addresses.
Many users don’t like picking strong passwords because they’re hard to remember. The good thing is that you don’t need to remember every password anymore: you can use a password manager. Look up the top available password managers; you can use one to store multiple login credentials. Even better, you can use a password generator to make all your passwords super hard to guess.
Another way to reduce the risk is not to give anyone access to your WordPress admin account unless you have to. If you have a large team or guest authors, then make sure that you understand user roles and capabilities in WordPress before you add new user accounts and authors to your WordPress site.
Delete plugins, themes that are not in use
Does it make sense to keep plugins and themes that don’t add any value to your website? Absolutely not. Keeping outdated plugins and themes that are not in use makes your site more vulnerable and does more harm than good. On top of that, they unnecessarily occupy your hosting storage. Make sure to delete unused plugins and themes completely. It will help improve overall site health and performance.
# Advance Security Configuration Checklists
Change Login Path
The login path of most sites looks like yoursite.com/wp-admin/ or yoursite.com/wp-login/. Don’t you think that makes it easier for hackers to reach your website? Keeping the default WordPress login path is not recommended for security purposes. For instance, if someone steals the login credentials for one of your sites, the next thing he/she will do is go to your login path and get access to your entire site. If you have changed your login path to something unique, there is a good chance the attacker won’t find the login form at all. Keep in mind that this only hides the door; it is a complement to strong passwords and login limits, not a replacement for them.
Limit login attempts
By default, WordPress allows users to try to log in as many times as they want, even after entering the wrong password. This leaves your WordPress site vulnerable to brute force attacks: hackers try to crack passwords by attempting to log in with many different password combinations, which is called a dictionary attack.
This can be easily fixed by limiting the number of failed login attempts a user can make. If you’re using a WordPress security plugin like Wordfence, then you just need a few steps to configure it correctly. Wordfence is the most popular WordPress security plugin. It includes an endpoint firewall and malware scanner, as well as a suite of additional features. For a basic security setup, the free plan is enough as long as your site is not yet well established. Wordfence offers a range of premium plans, as well as its renowned free service.
However, if you don’t have a firewall set up, then you can easily configure login limits using an excellent plugin called Limit Login Attempts Reloaded. First, you need to install and activate Limit Login Attempts Reloaded.
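Whichever plugin enforces the limit, it helps to be able to see the brute force attempts in your own web server logs. The following shell script is an added example (not from the original post or from either plugin) that counts failed login POSTs per source IP in combined-format access log lines and flags sources over a threshold. It relies on the fact that wp-login.php answers a wrong password with HTTP 200 (the form is re-rendered with an error) while a successful login is a 302 redirect to wp-admin. The log lines are constructed for the demo, and the addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not from the post: flag sources with many failed wp-login.php
# POSTs in an Apache/Nginx combined-format access log.
# Failed login  -> "POST /wp-login.php" answered with 200 (form shown again)
# Successful    -> "POST /wp-login.php" answered with 302 (redirect to wp-admin)

# Constructed sample log lines (not real traffic)
SAMPLE_LOG='203.0.113.7 - - [10/Oct/2020:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2020:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2020:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2020:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Oct/2020:13:57:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "curl/7.68.0"
192.0.2.44 - - [10/Oct/2020:13:57:13 +0000] "GET /index.php HTTP/1.1" 200 8800 "-" "curl/7.68.0"'

# flag_login_bruteforce LOGTEXT [THRESHOLD]
# Prints "<failed-count> <ip>" for every source whose failed POSTs reach
# THRESHOLD (default 5). Combined log fields: $1 = client IP, $6 = "\"POST",
# $7 = request path, $9 = status code.
flag_login_bruteforce() {
    threshold="${2:-5}"
    printf '%s\n' "$1" | awk -v limit="$threshold" '
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    '
}

# Run against the constructed sample: only 203.0.113.7 crosses the threshold
flag_login_bruteforce "$SAMPLE_LOG"
```

On a real server, replace the sample with `flag_login_bruteforce "$(cat /var/log/apache2/access.log)"`. The GET of wp-login.php and the single failed POST from 192.0.2.44 are deliberately below the threshold, so the report stays quiet for ordinary typos.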
Change file permissions (Server Side)
WordPress files fall into three groups: publicly writable files and directories, files writable by the web server only, and read-only files. As a rule of thumb:
- 755 for all folders and sub-folders.
- 644 for all files, except wp-config.php, which should be 660 so that only the file owner and the web server’s group can read the database credentials it contains.
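Applying that scheme by hand to thousands of files is error-prone, so here is an added shell example (mine, not from the post) that sets the permissions recursively with `find` and then tightens wp-config.php. The document root path is a placeholder; the demo tree is constructed in a temporary directory so the script runs anywhere.

```shell
#!/bin/sh
# Added example, not from the post: apply the permission scheme above
# (755 directories, 644 files, 660 for wp-config.php) to a WordPress root.

# harden_wp_permissions DOCROOT
harden_wp_permissions() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    # directories: owner rwx, group/other rx (needed to traverse them)
    find "$root" -type d -exec chmod 755 {} +
    # files: owner rw, group/other read-only
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds DB credentials and salts: owner and group only
    if [ -f "$root/wp-config.php" ]; then
        chmod 660 "$root/wp-config.php"
    fi
}

# mode_of PATH: print the octal mode (GNU stat first, BSD stat as fallback)
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed demo tree with deliberately loose permissions
demo_root="$(mktemp -d)"              # stands in for /var/www/html
mkdir -p "$demo_root/wp-content/uploads"
printf '<?php\n' > "$demo_root/index.php"
printf '<?php\n' > "$demo_root/wp-config.php"
chmod 777 "$demo_root/wp-content/uploads"   # world-writable: too open
chmod 666 "$demo_root/index.php"            # world-writable: too open

harden_wp_permissions "$demo_root"
echo "uploads: $(mode_of "$demo_root/wp-content/uploads")"
echo "index.php: $(mode_of "$demo_root/index.php")"
echo "wp-config.php: $(mode_of "$demo_root/wp-config.php")"
```

For a real install, run it as the file owner against the document root, e.g. `harden_wp_permissions /var/www/html`. The 660 on wp-config.php only helps if the web server process runs in the owner’s group; check the owner and group with `ls -l wp-config.php` first.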
Disable file editing via the dashboard
Disabling the theme and plugin editors in WordPress is quite easy. Simply edit your wp-config.php file and paste the following line just before the line that says ‘That’s all, stop editing!’:

```php
define( 'DISALLOW_FILE_EDIT', true );
```
You can now save your changes and upload the file back to your website. That’s all: the plugin and theme editors will now disappear from the Themes and Plugins menus in the WordPress admin area.
Create Custom Secret Keys for wp-config.php file
How to do it manually?
One way to stay ahead of this risk is to change your security keys manually in the wp-config.php file in the root folder of your WordPress site. The security and SALT keys will look like this:
Pro tip: we recommend rotating these keys periodically (every 3 – 6 months) to improve your website security. You can generate new salt keys from the WordPress.org secret-key generator. Note that rotating the keys invalidates every existing login cookie, so all users (including you) will have to log in again.
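If you would rather not fetch secrets from a remote service, you can generate the eight keys locally. The following is an added shell example (not from the post or from WordPress.org) that draws 64 random bytes from the operating system for each of the eight constant names wp-config.php expects and prints them as ready-to-paste define() lines.

```shell
#!/bin/sh
# Added example, not from the post: generate the eight wp-config.php keys and
# salts locally. Each value is 64 bytes from /dev/urandom, base64-encoded
# (88 characters). Base64 never contains a single quote, so the values are
# safe inside PHP single-quoted strings.

# The constant names WordPress reads from wp-config.php
WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One secret: 64 random bytes, base64, line wrapping removed
wp_random_secret() {
    head -c 64 /dev/urandom | base64 | tr -d '\n'
}

# Emit one define() line per key, in the format wp-config-sample.php uses
generate_wp_salts() {
    for name in $WP_KEY_NAMES; do
        printf "define( '%s', '%s' );\n" "$name" "$(wp_random_secret)"
    done
}

generate_wp_salts
```

Replace the existing eight define() lines in wp-config.php with the output. Doing this in a script also makes the 3 to 6 month rotation mentioned above easy to schedule.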
How to do it using a plugin?
Change the Database Prefix
The WordPress database is like a storehouse for your entire WordPress site, because every piece of information is stored in it. Spammers and hackers run automated scripts looking for SQL injection.
Unfortunately, many people forget to change the database prefix when they install WordPress. By default, every WordPress database table name starts with wp_, which lets automated attacks guess your table names without any effort. The smartest way to protect your database is to change the database prefix, which is easy to do on a site that you are still setting up.
Warning: handle a DB prefix change with care. It takes a few steps to change the WordPress database prefix properly, and a misconfigured DB prefix can break your entire site.
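The step most often forgotten is that WordPress also stores the prefix inside row data: the option_name wp_user_roles in the options table and meta_keys such as wp_capabilities and wp_user_level in usermeta. Renaming the tables without fixing those rows locks every user out, which is the breakage the warning refers to. The shell script below is an added example (not from the post) that, given the old prefix, the new prefix and a list of table names, emits the complete SQL for the change. The table list is constructed; on a real site it would come from `SHOW TABLES`, and the `$table_prefix` line in wp-config.php must be changed separately.

```shell
#!/bin/sh
# Added example, not from the post: emit the SQL for a WordPress table-prefix
# change, including the two UPDATEs that fix prefixed option/meta keys.

# Constructed table list (a real one comes from `SHOW TABLES`)
SAMPLE_TABLES='wp_commentmeta
wp_comments
wp_options
wp_posts
wp_usermeta
wp_users'

# In SQL LIKE, "_" is a single-character wildcard: 'wp_%' would also match
# 'wpxfoo'. Escape it so the pattern matches only the literal prefix.
sql_like_prefix() {
    printf '%s' "$1" | sed 's/_/\\_/g'
}

# emit_prefix_change_sql OLD_PREFIX NEW_PREFIX TABLE_LIST
emit_prefix_change_sql() {
    old="$1"; new="$2"; tables="$3"
    # 1. rename every table that carries the old prefix
    printf '%s\n' "$tables" | while IFS= read -r t; do
        case "$t" in
            "$old"*) printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "${t#"$old"}" ;;
        esac
    done
    # 2. fix keys stored as data. SUBSTRING replaces only the leading prefix,
    #    unlike REPLACE(), which would also rewrite 'wp_' in the middle of a key.
    like="$(sql_like_prefix "$old")"
    start="$((${#old} + 1))"
    printf "UPDATE \`%soptions\` SET option_name = CONCAT('%s', SUBSTRING(option_name, %d)) WHERE option_name LIKE '%s%%';\n" \
        "$new" "$new" "$start" "$like"
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" "$start" "$like"
}

emit_prefix_change_sql wp_ s3cr_ "$SAMPLE_TABLES"
```

Take a database backup before running the output, and only then set `$table_prefix = 's3cr_';` in wp-config.php. Tables that never had the old prefix (for example a plugin’s own unprefixed tables) are skipped rather than mangled.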
Hide Your WordPress Version
Imagine yourself as a hacker who wants to break into your site. A hacker’s life is made super easy if they know what version of WordPress you are using. For instance, suppose you are using an older WordPress version and intruders find out that a known bug or loophole exists in that version. Just imagine what the consequences would be.
To completely remove your WordPress version number from both your page head and your RSS feeds, add the following function to your theme’s functions.php file:

```php
// Return an empty string for the generator tag so the version is not printed
// in the <head> meta tag or in the RSS/Atom feeds.
function wordpress_remove_version() {
    return '';
}
add_filter( 'the_generator', 'wordpress_remove_version' );
```

Note: hiding the version number only removes a hint; updating to the latest version of WordPress is highly recommended because that is the only guaranteed way to keep your site protected.
Protect Critical Files wp-config.php, .htaccess, etc
Protecting critical WordPress files like wp-config.php and .htaccess is another way to harden your WordPress security. wp-config.php contains very sensitive information about your WordPress installation, such as the WordPress security keys and the database connection details.
On the other hand, .htaccess contains the high-level configuration of your entire website. You certainly do not want the contents of these files to fall into the wrong hands, so the WordPress wp-config.php and .htaccess files are something you should take seriously.
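On Apache, the usual protection is a `<Files>` block in .htaccess that refuses to serve wp-config.php at all (Apache already refuses `.ht*` files through the `<Files ".ht*">` rule in its default httpd.conf). The shell script below is an added example (not from the post) that appends that rule to a site’s .htaccess, and does so idempotently so that re-running a deployment script does not pile up duplicate blocks. It uses the Apache 2.4 `Require all denied` syntax; the document root is a placeholder and the demo uses a temporary directory.

```shell
#!/bin/sh
# Added example, not from the post: add an Apache 2.4 deny rule for
# wp-config.php to .htaccess, without duplicating it on repeated runs.

# The rule, wrapped in marker comments so it can be recognised later
WP_CONFIG_BLOCK='# BEGIN protect wp-config.php
<Files "wp-config.php">
    Require all denied
</Files>
# END protect wp-config.php'

# protect_wp_config DOCROOT: append the rule unless the markers are present
protect_wp_config() {
    htaccess="$1/.htaccess"
    if [ -f "$htaccess" ] && grep -q '^# BEGIN protect wp-config.php' "$htaccess"; then
        return 0                     # already protected, nothing to do
    fi
    printf '%s\n' "$WP_CONFIG_BLOCK" >> "$htaccess"
}

# count_protect_blocks DOCROOT: how many times the rule appears (should be 1)
count_protect_blocks() {
    grep -c '^# BEGIN protect wp-config.php' "$1/.htaccess"
}

# Constructed demo: a temp dir with the usual WordPress rewrite markers
site_root="$(mktemp -d)"             # stands in for /var/www/html
printf '# BEGIN WordPress\n# END WordPress\n' > "$site_root/.htaccess"

protect_wp_config "$site_root"
protect_wp_config "$site_root"       # second run must not add a second copy
echo "rule present $(count_protect_blocks "$site_root") time(s)"
```

After applying it to a live site, confirm the rule works by requesting `/wp-config.php` in a browser: the response should be 403 Forbidden. If you still run Apache 2.2, the equivalent inside the `<Files>` block is `Order allow,deny` followed by `Deny from all`.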
Install and Configure WordPress Security Plugin/ Adding 2FA authentication
Updating WordPress core, themes, plugins, and the other basics is not sufficient to protect your site from intruders. Configuring the right security plugins is essential and will help harden your entire site. There are tons of WordPress security plugins available, and I would like to recommend only those that are super-efficient and reliable. I have been using my top 3 plugins, namely:
- Wordfence Security
- Sucuri Security
- iThemes Security
- Activity auditing
- Malware scanning & File monitoring
- Security notifications
- A web application firewall (WAF)
- A WAF that blocks malicious traffic before it attacks your site
- Malware scanning to check files, plugins, and themes before they're uploaded
- Two-factor authentication (2FA) and login limits to prevent brute force attacks
- Real-time live traffic and analytics monitoring
Automatic Email notification for Security and Updates
Keeping your WordPress up to date is essential for securing a website. By default, WordPress only shows update notifications for WordPress core, themes, and plugins after you log in to the admin area. If you are a business owner or a developer, you might not always be able to log in to the admin dashboard. In that case there is an alternative: you can quickly get notified by email.
Setting up update notifications by email helps you collaborate with your team when you are unreachable. For instance, if you are somewhere else and get an update notification by email, you can easily tell your team members to update quickly. Sounds great! You might be wondering how you can set up an email notification for the latest updates. No worries, you can easily set it up using a plugin called WP Updates Notifier. You simply need to tick the right settings and save them. Boom! You are done.
4. Final Thought
Security is not about risk elimination; it’s about risk reduction. Who knows what tomorrow may bring? On average, 30,000 new websites are hacked every day. I don’t want you to be on that list of hacked sites. Make sure to implement every checklist item step by step. Adopting the right security measures that we discussed in my checklist will help you harden your website.
That’s all; we hope this article helped you learn the essential WordPress security best practices. If you liked this article, don’t forget to drop your feedback in the comment section below.
Happy Reading 🙂