WordPress Security Checklist

This checklist helps you

  • – Understand your website security situation better and 
  • – Protect your site from common and destructive cyber attacks. 

A bonus benefit? 
Your site will be more sustainable!

That’s because a secure, well-maintained website blocks unwanted, malicious activity before it takes hold on your site. That means your server doesn’t need to work more than it should. As a result, your website uses less electricity to run and thus produces fewer carbon emissions. Bonus point if your web host’s data centers run on renewable energy!


  • – Many security settings on this checklist can be done once and you don’t have to worry about them again unless you want to change them. 
  • – You will find the how-to instructions attached to each step right there in the checklist. But for lengthy/more complex instructions, you’ll find links to external guides.
  • – Despite these one-off security settings, routine security monitoring is recommended as a part of routine WordPress maintenance. 

How to use this checklist?

  • – I recommend setting 1-2 fully concentrated hours to complete this checklist. 
  • – It’s not required to follow the steps in order. But I recommend doing Step #9: Disable file editing from the WordPress dashboard after you finish editing the files from your dashboard. Otherwise, you’ll lock yourself out of editing them too.
  • – When editing WordPress files, you can do it through your dashboard using the WP File Manager plugin or using the File Manager in your web host’s cPanel. 

⚠️ Before you start:

  1. Prep your browsers by logging into your WordPress site and web host. Keep this checklist handy.
  2. Back up your website files and database and keep them somewhere safe (your local computer or cloud storage or both). This step ensures you always have a backup to restore from. Try a plugin like UpdraftPlus.
  3. Pay extra attention when editing code in WordPress files, especially the wp-config.php file, which is the backbone file of your WordPress site, and when working in phpMyAdmin, where your data is stored.

➡️ Checklist starts here

Learn about your web host security

How to check? Try one or more of these methods:
  • – Locate the security section on your web host dashboard > See what they offer.
  • – Go to cPanel from the web host > Locate the security section > See what they offer.
  • – Open a support ticket to ask your web host team directly. I used this method. Try my script below.
My script to ask your web host. (Yes, simply copy and paste this!)



I'd love to know how secure my website is. So here's my question: Is there anything on the following list you don't offer?

  1. Regular Backups

    Daily Backups: Automatic daily backups to recover your site in case of data loss.
    On-Demand Backups: The ability to create manual backups at any time.

  2. Secure Server Environment

    Firewalls: Network firewalls and web application firewalls (WAF) to block malicious traffic.
    DDoS Protection: Protection against Distributed Denial of Service (DDoS) attacks.
    Malware Scanning: Regular scanning for malware and vulnerabilities.

  3. SSL Certificates

    Free SSL: Free SSL certificates to encrypt data transferred between the server and users.
    Automatic Renewal: Automatic renewal of SSL certificates to ensure continuous encryption.

  4. Access Controls

    Secure SSH and SFTP: Secure Shell (SSH) and Secure File Transfer Protocol (SFTP) for secure access to the server.
    Two-Factor Authentication (2FA): Additional layer of security for accessing the hosting control panel.

  5. Isolated Server Environment

    Account Isolation: Isolation of individual hosting accounts to prevent cross-account contamination.
    Containerization: Use of containerization to isolate websites and their resources.

  6. Regular Software Updates

    Automatic Updates: Automatic updates for WordPress core, themes, and plugins to patch security vulnerabilities.
    Managed Updates: Managed updates by the hosting provider to ensure compatibility and security.

  7. Monitoring and Alerts

    24/7 Monitoring: Continuous monitoring of server and website performance.
    Security Alerts: Alerts and notifications for suspicious activities and potential threats.

  8. Brute Force Protection

    Login Protection: Measures to protect against brute force attacks on the WordPress login page.
    CAPTCHA: Integration of CAPTCHA to prevent automated login attempts.

  9. Data Encryption

    Encryption at Rest: Encryption of stored data to protect it from unauthorized access.
    Encryption in Transit: Encryption of data being transmitted to and from the server.

  10. Support for Security Plugins

    Compatibility: Compatibility with popular WordPress security plugins like Wordfence, Sucuri, and iThemes Security.
    Security Recommendations: Recommendations for additional security plugins and configurations.

  11. Access Logs

    Comprehensive Logging: Detailed logs of all access and actions performed on the server.
    Log Analysis: Tools for analyzing logs to detect and investigate security incidents.

  12. Compliance and Certifications

    GDPR Compliance: Ensuring the hosting provider complies with the General Data Protection Regulation (GDPR).
    Other Certifications: Certifications such as ISO 27001 for information security management.

Thank you in advance!!

How to do?
  • On your web host dashboard > Locate an account or privacy setting > Look for the two-factor authentication setting. (They should make it obvious to you. Sometimes they might even show a notice on your dashboard.)

Monitor your site

How to?
  • – Recommended plugins: Sucuri, WP Umbrella, Patchstack. [Read my full article]
  • – How I use them:
    • – I use Sucuri to monitor file integrity on each site. It tells me whenever WordPress core files are edited.
    • – I use WP Umbrella* to manage multiple sites in one place (it also scans and monitors sites’ security and speed). 
    • – I use Patchstack* to monitor and patch vulnerabilities in website tools before they compromise the site. It also allows multisite management in one place.
    • – *These plugins are especially useful for those who run multiple sites and want to manage them in bulk.

Secure your WordPress files and database

How to?
  • Go to the File Manager > Select public_html > Locate wp-config.php > Click on it and select Edit > Locate the setting: define( 'WP_DEBUG', true ); > Replace with the code below > Save changes.
define( 'WP_DEBUG', false );

How to?
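  • Go to the File Manager > Select public_html > Locate the .htaccess file > Edit > Add the code below to the file > Save changes.
# Block WordPress xmlrpc.php
# (On Apache 2.4 without mod_access_compat, use "Require all denied" instead of the two lines inside the block.)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>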

How to?

How to?
  • Go to the File Manager > Select public_html > Locate the .htaccess file > Edit > Add the code below to the file > Save changes.
Options -Indexes

How to?
  • Go to cPanel > Locate Directory Privacy > Select public_html > Select the wp-admin folder > Edit > Check “Password protect this directory” > Set up a username and password.

How to?
  • Go to the File Manager > Select public_html > Locate wp-config.php > Click on it and select Edit > Add the code below on the line above the “Happy blogging” comment > Save changes.
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
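
To confirm the file edits in this section actually took effect, the added example below (not part of the original checklist) audits the text of a wp-config.php and an .htaccess file for the four settings above: WP_DEBUG off, DISALLOW_FILE_EDIT on, xmlrpc.php blocked, and directory listing disabled. The function names are hypothetical and the sample file contents are constructed; in practice you would pass in the contents of the files in public_html.

```python
import re
DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)\s*;""", re.I)

def strip_php_comments(src):
    # Drop /* ... */ blocks and whole-line // or # comments.
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", src)

def audit_wp_config(src):
    code, findings, consts = strip_php_comments(src), [], {}
    # Curly quotes (a copy-paste artefact) mean the intended constant is never set.
    if re.search(r"define\s*\(\s*[‘’“”]", code):
        findings.append("curly quotes inside define()")
    for name, value in DEFINE_RE.findall(code):
        # PHP keeps the first definition of a constant; later ones are ignored.
        consts.setdefault(name, value.strip("'\"").lower())
    if consts.get("WP_DEBUG", "false") != "false":
        findings.append("WP_DEBUG is enabled")
    if consts.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT is not true")
    return findings

def audit_htaccess(src):
    lines = [l.strip() for l in src.splitlines() if l.strip() and not l.strip().startswith("#")]
    findings = []
    if not any(re.fullmatch(r"Options\s+(.*\s)?-Indexes(\s.*)?", l, re.I) for l in lines):
        findings.append("directory listing not disabled")
    in_block = closed = denied = False
    for l in lines:
        if re.fullmatch(r'<Files\s+"?xmlrpc\.php"?\s*>', l, re.I):
            in_block = True
        elif in_block and l.lower() == "</files>":
            in_block, closed = False, True
        elif in_block and re.fullmatch(r"deny\s+from\s+all|require\s+all\s+denied", l, re.I):
            denied = True
    if in_block:
        findings.append("xmlrpc.php <Files> block is never closed")
    elif not (closed and denied):
        findings.append("xmlrpc.php is not blocked")
    return findings

# Constructed sample inputs, not taken from any real site.
BAD_WP_CONFIG = "<?php\ndefine( ‘WP_DEBUG’, false );\ndefine( 'WP_DEBUG', true );\n// define( 'DISALLOW_FILE_EDIT', true );\n"
GOOD_WP_CONFIG = "<?php\ndefine( 'WP_DEBUG', false );\n// Disallow file edit\ndefine( 'DISALLOW_FILE_EDIT', true );\n"
BAD_HTACCESS = "# Block WordPress xmlrpc.php\n<Files xmlrpc.php>\norder deny,allow\ndeny from all\n"
GOOD_HTACCESS = BAD_HTACCESS + "</Files>\nOptions -Indexes\n"

if __name__ == "__main__":
    print(audit_wp_config(BAD_WP_CONFIG), audit_htaccess(BAD_HTACCESS), sep="\n")
```

An empty list means every setting from this section is in place; each string in a non-empty list names one step to revisit.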

Limiting numbers of users and users’ permissions

How to?
  • – Go to cPanel > Locate phpMyAdmin > Locate the “_users” table > Edit > Locate “user_login” > Edit your username > Click “Go”
  • – Recommended tools: Password Generator and LastPass for generating and managing passwords. 

How to?

How to?

How to?

Block Spam off your entry doors

How to?

How to?

Got them all checked?

Congrats! Okay, let’s chill a bit. You have done a great job getting through these steps. Your website is much more secure now. What a relief!

What’s next?

WordPress optimization! Now that you’ve learned to make your site secure, next you will learn how to optimize it. Both processes are ingredients of WordPress maintenance, something you should do routinely.

And you’ll be the first to know when I re-launch the WordPress maintenance routine checklist. I made one a while ago and needed to update it.


⚠️ Disclaimer: While these security settings can boost your website’s protection, no method can guarantee 100% security. Each website is unique in its complexity and purpose, and hackers are constantly evolving their techniques. This checklist helps you build a solid security foundation, making your site much harder to hack. When combined with routine web maintenance, it’s your best bet for securing your site.