Written by Editorial Team on May 10, 2020

20 WordPress Security Checklists In Hardening WordPress

Imagine with me for a moment that you’re a website owner who just had his/her website hacked. The countless hours of hard work go down into the drain and your main income source from the website just got squashed. That's a harsh reality but the facts don't lie — an average of 30,000 websites get hacked every day and yours could be next.

Keeping your WordPress site safe from hackers is a priority in today's world. The vulnerabilities in WordPress is an 'everyday thing' (such as this and this). WordPress security is more than just your web hosting responsibility. It is yours and this tutorial is going to guide you exactly how to hardening WordPress with approachable WordPress security checklist.

Why Do Bad Hacks Happen to Good Websites?

Why WordPress Is Easy To Hack
20 WordPress security checklists to keep your WP site safe

The WordPress core is very secure and typically, hackers will not go towards that route. Instead, they will look for the smallest mistakes done by website owners themselves and exploit the weaknesses.

Since hackers tend to go after the low-hanging fruit, it really isn’t that complicated to harden WordPress and keep it secure. As a matter of fact, you can keep your site at the far upper end of the security bell curve by following these 8 simple WordPress security checklist.

Step 1: Keep everything updated

Keep Plugins And Themes Updated To Improve WordPress Security
Constantly update your WordPress site to improve overall security

Every once in a while, a WordPress update will be released and accompanied by an ominous disclaimer: “This is a critical security release.” While such a disclaimer makes things crystal clear, it’s important to install every WordPress update as quickly as possible – even those that don’t tout their own importance.

Updating all your WordPress themes and plugins should be daily if not weekly security checklist. Using the latest versions will not only give you better performance, but also security patches.

Worried about compatibility?

If you are worried that something might break upon updating a theme or plugin, we recommend you to use a staging platform to test the new version. Hosting companies such as Kinsta provides a staging area for free.

Many updates to themes, plugins, and the WordPress core are released to address significant security vulnerabilities. So the number one thing you must do to keep WordPress secure is to keep everything updated.

Step 2: Use a unique username and secure password

Forget about those easy usernames and passwords. Using any of those and you are literally opening up doors for hackers to exploit.

Here's an example.

What’s worse than using “admin” as your admin username? How about pairing it with a boneheaded password like “password.”

Securing WordPress From Hackers With Strong Username And Password
Use strong login and password

The WordPress login page is a common target for automated, brute-force, login-attempting bots. They’ll just hang out at /wp-login.php trying combination after combination of common usernames and passwords hoping you’ve been lazy enough to leave the front door unlocked.

The solution is to use a unique username and password. While I personally tend to go for nonsense usernames like “s3r7as,” any unique username will be a vast improvement over “admin.” Your password, on the other hand, really should be random nonsense.

Considering that WordPress has a built-in random secure password generator, there’s really no excuse for using an easy-to-guess password. So if your password isn’t secure go to Users » Your Profile now and close this security loophole.

Step 3: Disable trackbacks and pingbacks

Pingbacks And Trackbacks Are Security Issues For WordPress
Turning off trackbacks and pingbacks can harden WordPress security

Trackbacks and pingbacks may be a good signal for SEO but both of these are significant WordPress security threats.

If you don’t use trackbacks and pingbacks on your WordPress site, disable them. You can do this with a plugin, as we’ll see in a moment, or you can go to Settings » Discussion and uncheck the boxes next to Attempt to notify any blogs linked to from the article and Allow link notifications from other blogs (pingbacks and trackbacks) on new articles.

Changing these settings will still allow trackbacks and pingbacks to be turned on for individual posts and pages. So a better option is to use a plugin that will completely lock down pingbacks and trackbacks once and for all. I’ll show you how in just a moment.

There are at least two good reasons why you should consider disabling trackbacks and pingbacks: they can lead to comment spam and they can be used in a coordinated DDoS and brute force attack.

Step 4: Set up a website lockdown feature and ban users

A lockdown feature for failed login attempts can solve the huge problem of continuous brute force attempts. Whenever there is a hacking attempt with repetitive wrong passwords, the site gets locked, and you get notified of this unauthorized activity.

iThemes Security Plugin

I found out that the iThemes Security plugin is one of the best such plugins out there, and I’ve been using it for quite some time. The plugin has a lot to offer in this respect. Along with over 30 other awesome WordPress security measures, you can specify a certain number of failed login attempts before the plugin bans the attacker’s IP address.

All In One WP Security & Firewall is another great WordPress security plugin that provides an easy interface and decent customer support without any premium plans. This is a highly visual security plugin with graphs and meters to explain to the beginner's metrics like security strength and what needs to be done to make your site stronger.

All In One WP Security And Firewall plugin
All In One WP Security And Firewall plugin

The features are broken down into three categories: Basic, Intermediate, and Advanced. Therefore, you can still take advantage of the plugin if you’re a more advanced developer. The main ways this plugin works is by protecting your user accounts, blocking forceful attempts on your login, and enhancing the user registration security. Database and file security is also packaged into the plugin.

You can learn more about All In One WP Security And Firewall plugin here.

Step 5: Rename your login URL to secure your WordPress website

How To Change WP Admin URL
Changing WP-Admin URL will improve WordPress security

Changing the login URL is an easy thing to do. By default, the WordPress login page can be accessed easily via wp-login.php or wp-admin added to the site’s main URL.

When hackers know the direct URL of your login page, they can try to brute force their way in. They attempt to log in with their GWDb (Guess Work Database, i.e. a database of guessed usernames and passwords; e.g. username: admin and password: p@ssword … with millions of such combinations).

At this point, we have already restricted the user login attempts and swapped usernames for email IDs. Now we can replace the login URL and get rid of 99% of direct brute force attacks.

This little trick restricts an unauthorized entity from accessing the login page. Only someone with the exact URL can do it. Again, the iThemes Security plugin can help you change your login URLs. Like so:

  • Change wp-login.php to something unique; e.g. my_new_login
  • Change /wp-admin/ to something unique; e.g. my_new_admin
  • Change /wp-login.php?action=register to something unique; e.g. my_new_registeration

Step 6: Automatically log idle users out of your site

Users leaving wp-admin panel of your site open on their screens can pose a serious WordPress security threat. Any passerby can change information on your website, alter a person’s user account, or even break your site altogether. You can avoid this by ensuring that your site logs people out after they have been idle for a certain period of time.

BulletProof Security Pro Plugin For WordPress Security
BulletProof Security Pro Plugin For WordPress Security

You can set this up by using a plugin like BulletProof Security. This plugin allows you to set a customized time limit for idle users, after which they will automatically be logged out.

Step 7: Disable file editing

WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.

Disable file editing in WordPress
How to disable file editing in WordPress

You can easily do this by adding the following code in your wp-config.php file.

1// Disallow file editdefine( 'DISALLOW_FILE_EDIT', true );

Step 8: Add two factor authentication

Two-factor authentication technique requires users to log in by using a two-step authentication method. The first one is the username and password, and the second step requires you to authenticate using a separate device or app.

Most top online websites like Google, Facebook, Twitter, allow you to enable it for your accounts. You can also add the same functionality to your WordPress site.

First, you need to install and activate the Two Factor Authentication plugin. Upon activation, you need to click on the ‘Two Factor Auth’ link in WordPress admin sidebar.

Two Factor Authenticator settings
2FA is great way to secure your WP login

Next, you need to install and open an authenticator app on your phone. There are several of them available for free (and paid) such as:

Step 9: Automatically log out idle users in WordPress

Logged in users can sometimes wander away from screen, and this poses a security risk. Someone can hijack their session, change passwords, or make changes to their account.

This is why many banking and financial sites automatically log out an inactive user. You can implement similar functionality on your WordPress site as well.

You will need to install and activate the Inactive Logout plugin. Upon activation, visit Settings » Inactive Logout page to configure plugin settings.

Logout idle users
How to log out inactive users (and hardening WordPress)?

Simply set the time duration and add a logout message. Don’t forget to click on the save changes button to store your settings.

Step 10: Update all your WordPress passwords

Yes, no matter how difficult you believe your password is, hackers work around the clock to find ways to crack even the hardest passwords.

Our malware researcher Luke Leal shows how quick it is for a hacker to crack a password in this short video:

We offer some quick tips for you:

  • Never use predictable passwords, such as your birthday or the name of your spouse.
  • Add as many characters as possible.
  • Use a password manager, such as LastPass, to generate and keep your passwords in a safe vault.
  • Never reuse a password.

Having said that, the best practice is for you to change all of your passwords right now with the help of a password manager. This way, you only need to remember one password — the master LastPass password, for example — and still follow all password best practices.

Step 11: Using the right WordPress hosting solution

Choose The Right WordPress Hosting For Security
Good WordPress host offers more security optimization on server level

The web hosting that you use plays an important role in keeping your WordPress safe. They are your first line of defence and there are many hardening WordPress steps they can take on their end (server-level).

There are some great web hosts that take matters of their own hands — such as SiteGround and Kinsta hosting that perform server-level WordPress hardening to ensure that nothing slips through the cracks.

For example, we have seen both of these web hosting companies performing server-level patching upon detecting any anomalies or vulnerabilities within WordPress cores. And when vulnerabilities are detected on plugins or themes, they will send an urgent email to notify end users (yes, that's us) about the vulnerabilities and steps to resolve them.

Step 12: Only install trusted WordPress plugins and themes

To detect if a theme or plugin can be trusted or not, first, read its ratings. There you can find clues to whether there have been security breaches or issues in the past, like buggy updates.

You’ll also want to check to see when a plugin/theme was last updated. If a plugin or theme hasn’t received an update in some time (say years), then the inactiveness in that plugin/theme is a sign you should look somewhere else.

WordPress Security Tips Install Popular Plugins
Install reliable plugins to harden WordPress site

In addition, analyzing a plugin or theme’s popularity is another way to better ensure you aren’t installing malicious code into your WordPress site.

A plugin/theme that’s widely popular isn’t necessarily less likely to be targeted by hackers but is more likely to be updated with security patches regularly due to its wide use.

Step 13: Remove unused plugins and themes

Removed Unused WordPress Themes To Harden WordPress Site
Removing unused WordPress themes will improve overall WordPress security

Over time, your WordPress site will require some housekeeping.

As you start to accumulate themes and plugins, you should go through and dispose of the ones you no longer use. Getting rid of unnecessary clutter is likely to make your site run faster, as well as remove security vulnerabilities from stagnant or outdated add-ons.

If using WordPress multisite, try using a plugin like Plugin Activation Status to perform a plugin audit and detect unused plugins across all sites in the multisite network.

See the codex on WordPress housekeeping for more information on how to remove unused plugins and themes.

Step 14: Regularly backup your WordPress site

Backup WordPress Site Daily And Keep Backup Copy Safe
Managed WordPress hosting such as Kinsta offers automatic nightly backup

Even if you take the above security precautions (and the ones listed after) you should always backup your WordPress site.

Backing up your WordPress site is fairly easy to do, as given these instructions by WordPress. Or you can try a plugin like BackupBuddy.

If it’s something you’d rather not have to worry about, WP Engine conducts automatic backups for you every day. That way you can roll back to your original site *should* you ever lose your site due to an outside invasion.

Step 15: Get brute force protection

How To Avoid Brute Force Attack WordPress
Brute force protection for WordPress

If one had unlimited time and wanted to try an unlimited number of password combinations to get into your site they eventually would, right? This method of attack, known as a brute force attack, is something that WordPress is susceptible to by default, as the system doesn’t care how many attempts a user makes to login.

Using WordPress brute force protection to limit logins will ban the host user from attempting to login again after the specified bad login threshold has been reached.

Step 16: Monitor what’s happening on your website

Audit and track security progress in WordPress

Keeping an eye on what’s happening with your website can provide important clues that something might not be right. There are a few different places you should check on a regular basis.

  • Your analytics can provide key information about your website traffic. Any sudden change, especially a sudden drop might indicate a problem
  • Perform a site search using site: – Are there any sudden or negative changes in the number of pages indexed? Are all your meta descriptions appropriate?
  • What are the other logged-in users on your website up to, authorized or not? Anytime someone accesses the backend of your WordPress website you can use a plugin like WP Security Audit Log to track what’s happening.

The point here is that you should be vigilant when it comes to hardening your WordPress site. You can potentially avert untold damage by catching a security breach as early as possible.

Step 17: Limit access to vital parts of your WordPress website

How To Control User Access In WordPress
Control user access is one of the best ways to harden your WordPress site

You need to make it more difficult for a hacker to access specific pieces of the WordPress installation. Though this can be accomplished with a security plugin, you can also take the few manual actions below:

  • Manually change the default WordPress in the” wp-config.php” file.
  • Secure your “wp-config.php” file by moving it from the default location like one directory above the WordPress installation. To move the wp-config.php file copy everything to a different file. In the wp-config.php file add a PHP include statement to include the other file.
  • Secure the “.htaccess” file by adding allow and deny rules to it.
  • Turn off XML-RPC in the “.htaccess” file. Keeping the XML-RPC enabled is the cause of Brute Force attacks and Denial of Service attacks. It is recommended to turn-off XML-RPC in the settings altogether.
  • Change directories and files to have the correct permissions both on the WordPress installation and on the web server. Set the permissions on the wp-config.php file to 440 or 400 to prevent other users from reading or writing to it.
  • Add server access control: In the default mode, WordPress runs as apache/apache, which is the default web server role. Try to create a new user that will be the default and disallow the rights to the web server user.
  • Assign appropriate user roles. Don’t assign an administrator role unless a person actually requires admin functionality. Admin privileges provide a lot of added permissions. Use the different degrees of roles and permissions provided by WordPress and restrict user access to sensitive data. This would keep you protected from “sensitive data exposure”.
  • Password protect the “wp-admin” directory. Add an extra layer of authentication to protect the “wp-admin” directory apart from the login password. More details on how to do this can be found here.
  • Disable directory browsing in WordPress. Disable the File Editor in the WordPress Admin panel. Hackers also usually try to edit PHP files or themes using the Appearance Editor. Add the ‘DISALLOW_FILE_EDIT’ rule in the wp-config.php file. Hackers will not be able to access files without an FTP access.

Step 18: Change or delete the “admin” username

WordPress Admin Username
"Admin" is a weak WordPress username that will lead to hacking

Avoid using "admin" or "administrator" as your username is a great way to harden your WordPress site. While the terms certainly give some level of credibility and authority in your team, this is a risky move that will make your WordPress site vulnerable.

Changing or deleting the username is easy in WordPress. You could use the Username Changer plugin. You can't go wrong with this plugin (like seriously).

Step 19: Block all malicious queries

If you are running a WordPress blog, chances are you are going to encounter some malicious code injection attempts. Installing WordPress free plugin such as Block Bad Queries will help you deter malicious queries attempted on your server and WordPress blog.

WordPress BBQ Blocks Malicious Codes And Harden WordPress Site

The plugin works in the background, checking for excessively long request strings (i.e., greater than 255 chars), as well as the presence of either "eval(" or "base64" in the request URI.

If you are using managed WordPress hosting such as WP Engine or Kinsta, this is not required as they have inbuilt security firewall on the server level.

Step 20: Installing Jetpack

Jetpack does many things including some security features such as Monitoring which allows you to monitor whether your site is up or down, Single Sign-on which is powered by to allow users using their account, and Brute-force protection.

Jetpack is an excellent plugin when it comes to hardening WordPress sites

If you are want to go lean and save some money, installing Jetpack on your WordPress site could help you improve the overall site security.

Summary: Hardening WordPress Is Not A Joke

The cybersecurity threat to WordPress websites is higher than ever. There is no better time to improve WordPress security and you need to take action to ensure that your site is always protected.

WordPress security matter doesn't need to be tough

Instead of cracking your head with the latest security tips and tricks, subscribe to WordPress care packages or services to ensure that your WordPress site is always secured.

Article written by Editorial Team

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Related Posts