WordPress Security Checklist

In a nutshell, this checklist helps you:

  • Understand your website security situation better, and
  • Protect your site from common and destructive cyber attacks.

A bonus benefit?

Your site will be more sustainable!

That’s because a secure, well-maintained website keeps unwanted, malicious activity from taking hold, so your server doesn’t have to work harder than it should. As a result, your website uses less electricity to run and so produces fewer carbon emissions. Bonus point if your web host’s data centers run on renewable energy!

Notes

  • Many security settings on this checklist only need to be done once; you don’t have to think about them again unless you want to change them.
  • The how-to instructions are attached to each step right there in the checklist. For lengthy or more complex instructions, you’ll find links to external guides.
  • Even with these one-off security settings in place, routine security monitoring is still recommended as part of regular WordPress maintenance.

How to use this checklist?

  • I recommend setting aside 1-2 hours of focused time to complete this checklist.
  • You don’t have to follow the steps in order. But I recommend doing Step #10: Disable file editing from the WordPress dashboard only after you have finished editing files from your dashboard. Otherwise, you’ll lock yourself out of editing them too.
  • You can edit WordPress files from your dashboard with the WP File Manager plugin, or with the File Manager in your web host’s cPanel.

⚠️ Before you start:

  1. Prep your browsers by logging into your WordPress site and your web host. Keep this checklist handy, whether you use the online or a printed version.
  2. Back up your website files and database and keep the copies somewhere safe (your local computer, cloud storage, or both). This ensures you always have a backup to restore from. Try a plugin like UpdraftPlus.
  3. Pay extra attention when editing code in WordPress files, especially wp-config.php, the backbone file of your WordPress site, and when working in phpMyAdmin, where your data is stored.

👇 Start here

Learn about your web host security

  • Open a support ticket to ask your web host team directly. I used this method. Try my script.
  • Locate the security section on your web host dashboard > See what they offer.
  • Go to cPanel from the web host > Locate the security section > See what they offer.

On your web host dashboard > Locate an account or privacy setting > Look for the two-factor authentication setting. (They should make it obvious to you; sometimes they even show a notice on your dashboard.)

Monitor your site

  • Recommended plugins: Sucuri, WP Umbrella, Patchstack.
  • How I use them:
    • 1) I use Sucuri to monitor file integrity on each site. It tells me whenever WordPress core files are edited.
    • 2) I use WP Umbrella* to manage multiple sites in one place (it also scans and monitors sites’ security and speed).
    • 3) I use Patchstack* to monitor and patch vulnerabilities in website tools before they compromise the site. It also allows multisite management in one place.
    • *These plugins are especially useful for those who run multiple sites and want to manage them in bulk.
  • Get more details about them here.
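What a file-integrity monitor like the one mentioned above does under the hood, as an added illustration that is not code from this checklist or from Sucuri: it stores a SHA-256 baseline of every file under the WordPress root and, on each later run, reports files that were modified, added or removed. The mini WordPress tree, its file contents and the baseline location are constructed for the demo.

```python
import hashlib
import json
import os
import tempfile

def hash_tree(root):
    """Map each regular file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            digests[os.path.relpath(full, root)] = h.hexdigest()
    return digests

def save_baseline(root, baseline_path):
    """Write the current digests to a JSON file kept outside the web root."""
    with open(baseline_path, "w") as f:
        json.dump(hash_tree(root), f, indent=2, sort_keys=True)

def check_integrity(root, baseline_path):
    """Diff the live tree against the baseline; each value is a sorted list of paths."""
    with open(baseline_path) as f:
        baseline = json.load(f)
    current = hash_tree(root)
    return {
        "modified": sorted(p for p in baseline if p in current and current[p] != baseline[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }

def demo():
    """Constructed mini WordPress tree: baseline it, alter it, report the differences."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-includes"))
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define( 'WP_DEBUG', false );\n")
    with open(os.path.join(root, "wp-includes", "version.php"), "w") as f:
        f.write("<?php $wp_version = 'x.y';\n")
    baseline = os.path.join(tempfile.mkdtemp(), "baseline.json")  # outside the tree
    save_baseline(root, baseline)
    # Simulated unauthorised change: a core file is edited and a new file appears.
    with open(os.path.join(root, "wp-includes", "version.php"), "a") as f:
        f.write("// edited after baseline\n")
    with open(os.path.join(root, "wp-includes", "cache.php"), "w") as f:
        f.write("<?php // not present at baseline\n")
    return check_integrity(root, baseline)
```

Run save_baseline right after a clean install or update, then schedule check_integrity (for example from cron) and alert on any non-empty list.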

Secure your WordPress files and database

In wp-config.php, make sure debug mode is turned off so PHP errors and notices aren’t shown to visitors:

  define( 'WP_DEBUG', false );