Web Hosting

WordPress Hardening Checklist: 15 Must-Do Steps for 2021

System AdminJanuary 14, 202188 views5 min read

WordPress Powers the Web — and Attracts the Most Attacks

WordPress runs a massive share of websites on the internet. That popularity makes it the biggest target for automated attacks, vulnerability scanners, and brute-force bots. The good news is that WordPress itself is not inherently insecure. Most compromises happen because of outdated plugins, weak credentials, and misconfigured hosting environments — all of which are preventable.

This checklist gives hosting customers a practical, step-by-step hardening plan. These are not theoretical recommendations — they are the baseline practices that separate sites that get compromised from sites that do not.

1. Keep Everything Updated

The single most effective security measure is keeping WordPress core, themes, and plugins up to date. Vulnerability disclosures for WordPress plugins happen weekly. Attackers scan for known vulnerabilities within hours of public disclosure. If your plugin has a known security flaw and you have not updated, you are running a timer.

Enable automatic updates for minor WordPress releases (which include security patches). For plugins and themes, either enable auto-updates or establish a weekly manual update routine with testing. Before major updates, take a backup so you can roll back if something breaks.

2. Remove Unused Plugins and Themes

Deactivated plugins and unused themes are still on the filesystem. If they contain a vulnerability, they can be exploited even when inactive. Delete — not just deactivate — anything you are not using. Keep your installation lean. Fewer components mean fewer potential entry points.

3. Enforce Strong Credentials

Brute-force login attacks against WordPress are relentless. Bots try common usernames (admin, administrator, the site name) with common passwords, twenty-four hours a day. Defend against this on multiple fronts:

  • Strong passwords: Require passwords of at least 16 characters with a mix of letters, numbers, and symbols. Use a password manager.
  • Change the default admin username: If your admin account is still called "admin," create a new administrator account with a unique name and delete the old one.
  • Two-factor authentication: Add a second factor — a time-based one-time password app or a hardware security key — to all administrator and editor accounts. This single step stops the vast majority of credential-based attacks.

4. Limit Login Attempts

Install a plugin or configure your web server to limit failed login attempts. After five failed attempts from the same IP, lock that IP out for fifteen minutes. After repeated lockouts, extend the ban duration. This simple rate-limiting shuts down automated brute-force attacks effectively.

5. Change the Login URL

The default WordPress login page is at /wp-admin and /wp-login.php. Every bot knows this. Changing the login URL to something custom (like /my-secret-login) does not add real security in a technical sense, but it eliminates the vast majority of automated login traffic — reducing server load and log noise dramatically.

6. Disable XML-RPC (If You Do Not Need It)

XML-RPC is a legacy interface that allows remote publishing and pingbacks. It is also commonly exploited for brute-force amplification attacks and DDoS. If you do not use desktop publishing apps or the WordPress mobile app, disable XML-RPC entirely. Block it at the web server level for the most effective protection.

7. Set Correct File Permissions

File permissions determine who can read, write, and execute files on your server. Incorrect permissions — especially world-writable files — are a common exploitation vector. The standard recommendations are:

  • Directories: 755
  • Files: 644
  • wp-config.php: 600 or 640 (readable only by the owner and optionally the web server group)

Never set any file or directory to 777. If a plugin or theme requires 777 permissions to function, that is a red flag about the quality of that code.

8. Protect wp-config.php

wp-config.php contains your database credentials, authentication keys, and security salts. Beyond restrictive file permissions, add a web server rule that blocks HTTP access to this file entirely. It should never be served to a browser under any circumstances.

9. Disable File Editing in the Dashboard

WordPress includes a built-in file editor that allows administrators to modify theme and plugin files directly from the dashboard. If an attacker gains admin access, this feature lets them inject malicious code without needing server access. Disable it by adding define('DISALLOW_FILE_EDIT', true); to your wp-config.php.

10. Use a Web Application Firewall (WAF)

A WAF filters malicious traffic before it reaches WordPress. It blocks SQL injection, cross-site scripting, and known exploit patterns. Both cloud-based WAFs (which sit in front of your server as a proxy) and application-level WAFs (which run as WordPress plugins) are effective. A cloud-based WAF has the advantage of blocking malicious traffic before it even reaches your hosting infrastructure.

11. Implement Security Headers

HTTP security headers tell browsers how to handle your content. Essential headers include:

  • X-Content-Type-Options: nosniff — prevents browsers from MIME-type sniffing
  • X-Frame-Options: SAMEORIGIN — prevents your site from being embedded in iframes on other domains (clickjacking protection)
  • Content-Security-Policy — controls which resources the browser is allowed to load
  • Strict-Transport-Security — enforces HTTPS connections

12. Regular Backups with Tested Restores

Security is not just about prevention — it is about recovery. Automated daily backups stored off-server (not in your hosting account's file system) ensure that if the worst happens, you can restore to a clean state. Test your restore process at least quarterly to verify that backups are complete and functional.

13. Monitor for Malware and File Changes

Install a security plugin that monitors for file integrity changes, malware signatures, and suspicious activity. File integrity monitoring alerts you when core files, plugins, or themes are modified unexpectedly — a common indicator of compromise. Regular malware scans catch injected code that might otherwise go undetected for weeks.

14. Harden the Database

Change the default WordPress database table prefix from wp_ to something unique. While this is security through obscurity, it makes automated SQL injection scripts less effective. Use a dedicated database user for WordPress with only the permissions it needs — do not use the root database account.

15. Incident Response: Have a Plan

Despite all precautions, incidents can happen. Have a documented plan for what to do if your site is compromised: who to contact, how to take the site offline safely, how to assess the damage, how to restore from a clean backup, and how to harden against the specific attack vector that was exploited. A plan that exists before you need it is worth far more than one you create under pressure.

Making It Stick

Security is not a one-time project — it is an ongoing practice. Schedule a monthly security check: review users and permissions, update plugins and themes, verify backups, and scan for malware. Build these tasks into your maintenance routine the same way you schedule content updates and design refreshes. The sites that stay secure are the ones where someone actively maintains that security, month after month.

DevOpsWordPressMySQLBackupLinux