Best WordPress Security Checklist [Ultimate Guide]

You need a WordPress security checklist for your website.

Take it from us: there’s no such thing as being too paranoid about your website’s security. In our humble experience, 90,000+ hack attempts are made on WordPress websites every 60 seconds.

Yikes! Paranoid yet?

We know what you’re thinking. You probably think that your website is too small to be of any interest to any hacker.

The reality is that big websites have highly secure assets. To hack into these websites, hackers need a LOT of processing power. That’s why they hack into a huge network of small sites and use their processing power to hack a bigger site. In the process, they destroy your business as well.

The harsh truth is that you need to take security measures whether or not your site is “big enough” according to you.

Now, there are hundreds of security practices that you can implement on your website but the effort really isn’t worth it. As long as you cover your bases, most hackers will leave your site alone and move on to less secure sites.

We realize that it’s a stupid idea for you to test and try every security measure under the sun so that you can stumble onto the effective ones. So, we went ahead and did the stupid things ourselves so that you won’t have to!

That’s right! We built a WordPress security checklist of the most effective security practices to help protect your website from hackers and malware.

Sounds good? Let’s dive in.

How Do Hackers Exploit a WordPress Website?

Hackers are constantly looking for a website that they can exploit. They tend to target WordPress websites because there are more websites built on WordPress than any other platform.

Case in point, at present, WordPress is used by more than 60 million websites which include blogs, online stores, membership sites, forums, etc.

We mentioned earlier that small website owners think that their websites can never be a target of a hack attack. This is untrue because studies have found that hackers prefer targeting small websites because they are easy to hack.

Contrary to what many may believe, it’s not the size of your site or the traffic it draws – it’s the website’s resources that the hackers are after.

Once a hacker gains access to your website, they can use it to store illegal files, send spam emails, redirect your visitors to their own malicious websites, launch attacks on other websites, or even steal your data, among other things.

But how do hackers gain access to a website?

There are 3 vulnerabilities that are commonly found on WordPress websites. Those are:

  • Outdated plugins & themes
  • Weak credentials
  • Untrustworthy Admin users

Hackers exploit each of these vulnerabilities (which we have discussed in the next section) to gain access to your site and carry out malicious activities.

Malicious activities have a huge impact on your site. For instance, the extra resource usage makes your website slow. Because visitors are redirected to the hacker’s website, they spend less time on your site, which hurts your search engine ranking. If your rankings dip, so will your revenue.

Things can snowball further and Google may blacklist your site and your hosting provider may suspend it.

Recovering a hacked website is a costly and time-consuming affair. Hence, it’s better to be safe than sorry.

You can take effective website security measures to protect it from hack attacks.

Keeping your website safe is a continuous effort. This means even if you have a few security measures in place, you will still need to take steps to secure your site on a regular basis.

In the checklist below, we’ll show you the exact steps you need to take to protect your site.

The Ultimate WordPress Security Checklist

When it comes to the security of your WordPress website, there is no silver bullet that’ll solve all your security issues.

Security issues arise on different fronts and you will have to tackle each of them, but not all at the same time. Not every security measure has to be taken on a daily basis.

Therefore, we have divided our checklist on a daily, weekly, monthly and annual basis to help you take security measures in an organized manner.

The following are the security measures that you need to take on your WordPress website:

  1. Daily Checklist for Website Security
  2. Weekly Checklist for Website Security
  3. Monthly Checklist for Website Security
  4. Annual Checklist for Website Security

1. Daily Checklist for Website Security

On a daily basis, you need to take the following measures –

i. Run Website Security Scan

ii. Take Complete Website Backup

i. Run Website Security Scan

Earlier we discussed how getting hacked impacts a website: its speed, its SEO ranking, its traffic, and its revenue.

This is why scanning your website for malware on a daily basis is important. The faster you learn about a malware infection, the faster you can act, get your site cleaned, and prevent the situation from escalating.

You need to scan your website every day without fail to ensure that it’s not infected with malware.

We suggest using MalCare’s Malware Scanner. Once installed, it scans your website automatically on a daily basis.

ii. Take Complete Website Backup

Some WordPress websites are very dynamic. Such websites have content added every day and they draw a large number of customers regularly. Imagine if your website went down due to a hack or a mistake that you may have made while tweaking the website.

It’ll take a while for you to figure out what is causing your website to throw an error. Only then can you take steps to fix it.

Meanwhile, your site’s visitors are disappointed and quickly move on to a competitor site. This is especially disastrous for e-commerce websites.

But if you had a backup, you could quickly get your site up and running.

For dynamic websites where new content is constantly being added, taking backups on a daily basis is extremely important. But for e-commerce sites, daily backups are not sufficient. They need real-time backups so that they don’t lose a single order placed by customers.

For websites that are built just for online presence, or ones that don’t need too many changes, we suggest taking weekly backups.

We suggest using BlogVault Backup Services which take a complete backup of your website and enable you to restore your backups quickly. You’d be surprised at how many backup plugins don’t offer a reliable way to restore backups.

Not just that, BlogVault also offers a special kind of backup for e-commerce websites which ensures that the site does not lose a single order from your customers. Learn more about backups for WooCommerce websites.

2. Weekly Checklist for Website Security

On a weekly basis, you need to take the following measures –

i. Keep Core, Plugins & Themes Updated
ii. Check Activity Log For Suspicious Activities
iii. Check for Google Blacklisting

i. Keep Core, Plugins & Themes Updated

A WordPress website has three elements that should be regularly updated. Those are the WordPress core, themes, and plugins installed on your website.

With updates, you get a new version of the software. New versions are released not just to bring in new features and improvements, but also to fix bugs and security issues that have cropped up in the software.

Each year, WordPress releases two to three major updates. The rest of the updates are minor releases. WordPress has not seen any major issues in years. But it’s important to keep it updated so that plugins and themes that are built around the new core version keep running smoothly.

It’s also important to keep plugins and themes updated because outdated software is what causes 80% of hacks. Hackers exploit vulnerable outdated software to hack into a website.

If you have a large number of websites, it’s impossible to update all of them on a daily basis. Hence, we suggest setting aside some time every week to implement updates.

If you have MalCare installed on your websites, you can view all your website updates right on the MalCare dashboard. This enables you to implement updates on all your websites from one place.

Before updating, we recommend reading our guide on How to Update WordPress Websites Safely?

ii. Check Activity Log For Suspicious Activities

Keeping an eye on activities on your website helps you identify suspicious behavior. If you identify it at an early stage, you can take measures to protect your website.

For instance, say your website has been compromised. You can check your activity log to find suspicious activities. You might just find a rogue user or a hacker installing a malicious plugin so that he or she can access your website without anyone noticing.

You can check activities on your WordPress website by using the WP Security Audit Log Plugin. We suggest checking out our review on the same.

iii. Check for Google Blacklisting

It’s no secret that Google is the world’s most trusted search engine.

Naturally, Google tries to keep its users safe by preventing them from accessing websites that are selling illegal products, websites redirecting users to malicious sites or showing offensive ads, etc.

It’s best to keep a vigilant eye on whether your website is on Google’s blacklist.

There are a number of ways in which you can learn if your site is blacklisted. Those are:

  • Log into your Google Search Console account and on the menu on the left, select Security Issues. If your site is blacklisted, it’ll be mentioned in the Security Issues page.
  • Go to Google Safe Browsing, insert your site URL and Google will tell you if your site is blacklisted.
  • If you have MalCare or BlogVault installed, the tool will inform you if your site is blacklisted.

To learn more about blacklisting, check out our Google Blacklist Guide.

3. Monthly Checklist for Website Security

On a monthly basis, you need to take the following measures –

i. Remove Unused & Pirated Plugins & Themes
ii. Change Weak Username & Password
iii. Evaluate & Enforce Strong Username & Passwords
iv. Re-evaluate User Roles
v. Remove Inactive Users
vi. Implement IP & Geo-blocking On Malicious Visitors
vii. Test Backups

i. Remove Unused & Pirated Plugins & Themes

Almost all WordPress websites use plugins and themes to enhance the site’s appearance and functionality.

There are many WordPress plugins and themes available. If you are anything like us, you’ll try many different plugins and themes to find the one that suits your needs.

Often, the themes and plugins that we try out and don’t use sit idly on our websites. Like the active software installed on our site, inactive themes and plugins develop vulnerabilities and need regular updates. But because they serve no purpose on our site, we tend to ignore them.

Outdated, inactive themes and plugins can get your websites hacked. If you are sure you’ll never use them, it’s best to delete them.

Pirated themes and plugins offer you a chance to use premium software for free. But did you know that most pirated software comes with pre-installed malware?

If you install pirated software on your website, you are also installing the malware that would enable hackers to access your site and exploit it.

Even if pirated software is not infected with malware, it is dangerous. Pirated software doesn’t receive updates, which means that when vulnerabilities crop up, sooner or later they will leave your website open to attack.

Delete all pirated themes and plugins and take a pledge to never use pirated software again.

ii. Change Weak Username & Password

Besides pirated and outdated software, another major vulnerability that enables hackers to access your site is the use of weak login credentials.

Hackers target the WordPress login page to try to guess your username and password and break into your website (recommended read – Brute force attacks). If you are using an easy-to-guess username and password, they can access your site easily. Hence change weak credentials.

Things to consider when choosing a strong username:

  • Do not use the word ‘admin’ in your username.
  • Do not use generic names like John, David, Will, etc. because they are easy to guess.
  • Do not use the name of your website as your username.
  • Make sure that your username cannot be found on the website. It should not appear as an author name, or on the About Us or team member pages.

Learn how to change your WordPress username.

Things to consider when choosing a strong password:

  • Do not use the word ‘password’ in your password.
  • Do not use common words like star wars, football, etc. because they are easy to guess.
  • Do not use publicly known details like the name of your website or the location of your business.
  • Make sure to use a combination of uppercase, lowercase, and special characters.
  • Create a long password with 10 to 15 characters.

Learn how to create a strong WordPress password.

iii. Evaluate & Enforce Strong Username & Passwords

A WordPress website can have many users but maintaining them is a challenge. Many of them could be using weak login credentials.

We have discussed how in brute force attacks, hackers exploit weak credentials to gain access to the website. Therefore, all WordPress users must use strong credentials.

Here’s what we strongly suggest you do:

  1. Find out which users are using weak credentials.
  2. Educate them on the importance of strong usernames and passwords.
  3. Ask them to create unique usernames and strong passwords.
  4. Then enforce strong passwords to ensure no one can use easy-to-guess passwords on your website ever again. Here’s a guide that’ll help you do that – How to Enforce Strong Password on WordPress?

iv. Re-evaluate User Roles

WordPress allows you to assign 6 different user roles and those are – Administrator, Editor, Author, Contributor, Subscriber, and Superadmin.

Every user role comes with a set of capabilities. The Administrator and Superadmin have complete control over the site. You must allot them only to trusted users.

We’d strongly suggest that you re-evaluate the roles that you have allotted to your users, especially the ones with admin roles. Do they really need admin access to your site?

We have mentioned earlier how hackers try to guess your username and password to gain access to your website. You can reduce this risk by granting admin access to only those who really require it.

If you want to change user roles, here’s how to go about it:

  1. Log in to your WordPress dashboard and select Users > All Users.
  2. Select the user profile of your choice, then click on Edit.
  3. Go to Role, select the new user role.
  4. Then scroll down to the end of the page and select Update User.

That’s it, folks.

v. Remove Inactive Users

Running a WordPress website may involve a lot of people.

For instance, you will need designers to upload images on your pages and posts. You may need an SEO person to optimize your articles. You may have half a dozen writers who are uploading their articles. All these people have access to your website.

Some of these users are going to abandon their accounts. For instance, a freelance writer may upload a few articles and move to a different client. Every account present on your site gives hackers another opportunity to break into your site. Therefore it’s best to remove all inactive accounts from your site.

If you remove inactive users from your website, you are reducing the chances of a breach.

To remove inactive users, you need to take the following steps:

  1. Log in to your WordPress dashboard and select Users > All Users.
  2. Select the inactive profiles.
  3. Then go to Bulk Action, select Delete and then Apply.

And that’s it.

vi. Implement IP & Geo-blocking On Malicious Visitors

Hackers are constantly scanning the internet for websites that they can hack into. It does not matter what the size of your website is or what sort of traffic it draws, they are going to try and break into the website to exploit your resources.

Therefore, it is not surprising if you find your security plugin or firewall showing you alarming reports on dozens of failed login attempts.

It’s distressing to learn that your website is under attack on a daily basis. What if hackers find a way to break in? Luckily you can reduce the chances of a breach by preventing hackers from accessing the website. You can do this by implementing IP blocking or geo-blocking.

What are IP blocking and geo-blocking?

Hackers who launch an attack on your website use devices like a smartphone or a laptop to view your site. Every device that uses the internet has a unique identification code associated with it. This identification code is known as an IP address. If you block the IP address, you can prevent the malicious traffic from accessing your site and trying to break in.

In geo-blocking, instead of blocking a single IP address, you will be blocking every IP address from a specific country. This is helpful if you find that constant attacks are being launched on your site from a particular country. You can block the country once you are sure that you don’t require the rest of the traffic (non-malicious ones) from that country.

If you want to implement IP blocking, we have a complete guide you can follow – How to Ban an IP Address? And if you want to implement geo-blocking, follow this guide – How To Block a Country In WordPress?
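Before banning anything, it helps to see which addresses are actually behind the failed-login reports. The script below is an added example, not code from the article or from MalCare: it reads the web server’s own access log (combined format, as Apache and nginx write by default) and counts failed WordPress logins per source IP, then turns the worst offenders into an Apache 2.4 deny block. The log lines and addresses are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: pull the source IPs behind
# the failed-login reports out of the web server's access log before
# deciding what to block. Assumes the Apache/nginx "combined" log format.
# A failed WordPress login is a POST to /wp-login.php answered with 200
# (the form comes back with an error); a success is answered with 302.
# Every POST to /xmlrpc.php is counted, since that endpoint accepts
# credentials without a browser session and is a common guessing route.

# Usage: wp_login_failures LOGFILE THRESHOLD
# Prints "COUNT IP", highest first, for each IP with >= THRESHOLD attempts.
wp_login_failures() {
  awk -v min="$2" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
    $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/                 { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' "$1" | sort -rn
}

# Turn that list into an Apache 2.4 block for the site .htaccess, so the
# addresses are refused before the request ever reaches PHP.
wp_deny_rules() {
  echo "<RequireAll>"
  echo "    Require all granted"
  while read -r count ip; do
    echo "    # $count login attempts"
    echo "    Require not ip $ip"
  done
  echo "</RequireAll>"
}

# Constructed sample log (RFC 5737 documentation addresses): one scripted
# guesser, and one real user who mistypes once and then signs in.
sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Feb/2020:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.22.0"
203.0.113.7 - - [10/Feb/2020:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.22.0"
203.0.113.7 - - [10/Feb/2020:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.22.0"
203.0.113.7 - - [10/Feb/2020:14:02:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.22.0"
198.51.100.21 - - [10/Feb/2020:14:05:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "https://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.21 - - [10/Feb/2020:14:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.test/wp-login.php" "Mozilla/5.0"
198.51.100.21 - - [10/Feb/2020:14:05:21 +0000] "GET /wp-admin/ HTTP/1.1" 200 51200 "https://example.test/wp-login.php" "Mozilla/5.0"
EOF
}
```

On a live server, replace `sample_log` with the real access log path, for example `wp_login_failures /var/log/apache2/access.log 20 | wp_deny_rules`, and review the list before pasting it into `.htaccess`.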

vii. Test Backups

Taking backups is one of the daily tasks that you need to undertake. A backup is going to be useful at times of crisis when you need to get your website up and running immediately. But what if the backups fail?

You’d be surprised to know that many website owners fail to restore their website back to normal because the backups that they were taking were incomplete or had issues.

Therefore, it is important to test your backups on a monthly basis to ensure that the backups are working.

If you are backing up your site using BlogVault, then you can easily test your backups with the help of BlogVault’s Test Restore feature.

4. Annual Checklist for Website Security

On an annual basis, you need to take the following measures –

i. Renew SSL Certificate
ii. Renew Hosting Plans

i. Renew SSL Certificate

An SSL certificate enables you to move your WordPress site from HTTP to HTTPS. It helps make your website secure for visitors. Moreover, Google made it mandatory to have SSL certificates.

At present, SSL can have a validity of two years. However, most SSL certificates expire after 1 year.

Limited validity periods are necessary to ensure that you renew your SSL certificates and use the latest SSL technology to protect your visitors.

But if you delay renewing the certificate, you expose your visitors to a hack attack.

Generally, you will receive a warning via email when your SSL certificate is about to expire. If you miss the email and have moved past the expiry date, then visitors on your site will see this warning message, “The site’s security certificate is expired.”

This is why it’s important to renew your SSL certificate.

To renew your SSL certificate, you need to go to the vendor from where you purchased the certificate. For instance, if you purchased it from your hosting provider then you need to log into your account and renew it from there.

ii. Renew Hosting Plans

Hosting is the backbone of your website. When your hosting plan expires, your website goes down.

Generally, when your hosting plan is about to expire, hosting providers send you reminders to renew your hosting plan. If you miss out on those emails and forget to renew, your hosting plan will lapse and your website will be taken down.

There are two ways of ensuring this does not happen:

  1. You can set up a recurring payment, which means that when your hosting plan expires, the renewal amount is deducted automatically from your bank account. You can set up recurring payments by logging into your hosting account.
  2. You can set a reminder on your calendar and ensure that the notifications are turned on.

With this, we have come to the end of the WordPress security checklist.

We are confident that if you follow the instructions of this checklist, you will ensure that your website is safe from hackers and bots.

IMPORTANT: That said, this is not an exhaustive list on WordPress security. There are a few security measures that you MUST take to keep your website protected. These measures are not a part of the checklist because you don’t need to implement them on a regular basis. You just need to set them up once and let them protect your website. Manual intervention is not required.

In the next section, we will be touching on those measures, and we strongly recommend that you implement them on your website.

Set & Forget WordPress Security Measures

There are certain security measures that you don’t have to take on a regular basis, but it’s important to ensure that they are in place.

1. Block Bad Traffic With Firewall

Hackers can’t launch attacks on your WordPress website if they can’t access your website. A WordPress Firewall helps block malicious visitors from accessing your website.

2. Limit Login Attempts

Some malicious visitors can be hard to identify by the firewall. In this case, you can protect your website’s login page by limiting login attempts made by hacker bots that are trying to guess your credentials to break into your site (recommended read – Brute force attacks).

3. Implement HTTP Authentication & Two-Factor Authentication

Another way to secure your login page is to add a layer of protection in front of the page. You can do that by enabling HTTP authentication and two-factor authentication.

4. Hide Display Name

Oftentimes, the names displayed on your website (like the author name) are the same as your usernames. You have to hide the display name to prevent hackers from finding it and using it to break into your website.

To learn how to hide display names, open our guide on WordPress security and jump to Change Your Display Name.

5. Disable XML-RPC

XML-RPC is a feature of the WordPress website which can be exploited to extract user details like a username. Hence, we suggest that you disable XML-RPC on your website.

6. Disable Directory Browsing

A WordPress website is made up of many directories. If the server is misconfigured, the contents of a directory can be listed on the website. This can lead to the exposure and exploitation of information. Prevent this by disabling directory browsing on your WordPress website.

7. Restrict File Permissions

As we mentioned, a WordPress website is made up of many directories. Each directory contains several files and folders that help run your site. Restricting file permissions ensures that only the accounts that need them can read or modify those files, reducing the chances of exploitation.

8. Change the WordPress Database Prefix

Executing malicious activities on your database is possible because hackers know that the default WordPress database prefix is ‘wp_’. If you change the prefix, it will be harder for hackers to find these tables, which helps prevent hacks.

9. Hide wp-config Files

wp-config.php is one of the most important WordPress files. If hackers gain access to the file, you will lose control of your website. We strongly recommend hiding the wp-config file.

10. Disable PHP Execution in Specific Folders

PHP execution is how code runs on a WordPress website. If hackers can write to crucial files and folders, they can insert code that will carry out malicious activities. You can prevent this by disabling PHP execution in folders that should only ever hold uploaded content.

With that, we have come to the end of WordPress security measures that you need to implement on your site.

Final Thoughts

We’re fairly confident that this checklist should be more than enough to manage your website’s security on your own. And, yes — we understand that following through with the entire checklist of security measures can be exhausting and intimidating.

That’s exactly why we strongly recommend using the tools we’ve mentioned in this article to automate your security measures in a few clicks.

For instance, MalCare is a comprehensive suite of security tools that can scan your website daily, manage your users, update your themes and plugins, limit login attempts, implement a firewall, block malicious PHP execution, and a whole host of other security measures in a jiffy.

You can manage your entire site’s security from a simple, user-friendly dashboard which makes managing the WordPress security checklist much easier!

Try MalCare Security Plugin Right Now!

Sophia Lawrence,

Sufia is a WordPress enthusiast, and enjoys sharing their experience with fellow enthusiasts. On the MalCare blog, Sufia distils the wisdom gained from building plugins to solve security issues that admins face.
