Every security measure your WordPress site needs — organized by category, prioritized by severity, and updated for 2026.
Always run the latest version of WordPress. Core updates patch security vulnerabilities that attackers actively exploit.
Outdated plugins are the #1 attack vector for WordPress sites. Enable auto-updates or check weekly.
Themes with known vulnerabilities are common entry points. Keep your active theme and any parent themes updated.
Directories should be 755, files should be 644, and wp-config.php should be 600 or 640. Incorrect permissions allow unauthorized modification.
Set WP_DEBUG to false on live sites. Debug output exposes file paths, database queries, and PHP errors to attackers.
The "admin" username is the first thing brute-force bots try. Create a unique administrator username and delete the default one.
Older PHP versions (7.x and below) no longer receive security patches. Run PHP 8.1+ for both security and performance.
Remove the WordPress version number from your site's HTML source. Knowing your version helps attackers target specific exploits.
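As an added example (not GuardPress code or anything from the original checklist), a must-use plugin that re-checks the WP_DEBUG, PHP version, "admin" user and wp-config.php permission items above, plus the DISALLOW_FILE_EDIT constant recommended further down, on every admin page load; the mu-plugin placement and the `Hardening audit` notice text are assumptions made here.

```php
<?php
// Constructed example, not GuardPress code: a must-use plugin (drop it in
// wp-content/mu-plugins/) that re-checks several checklist items on every
// admin page load and lists the failures in an admin notice.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $problems = [];
    // Debug output leaks file paths and queries, so WP_DEBUG must be off in production.
    if ( defined( 'WP_DEBUG' ) && WP_DEBUG ) {
        $problems[] = 'WP_DEBUG is enabled.';
    }
    // PHP 8.1 is the floor the checklist recommends.
    if ( version_compare( PHP_VERSION, '8.1.0', '<' ) ) {
        $problems[] = 'PHP ' . PHP_VERSION . ' is older than 8.1.';
    }
    // The default "admin" account is the first username brute-force bots try.
    if ( username_exists( 'admin' ) ) {
        $problems[] = 'A user named "admin" still exists.';
    }
    // wp-config.php should be mode 600 or 640. It may live one level above the
    // web root, so look in both places and compare only the permission bits.
    foreach ( [ ABSPATH . 'wp-config.php', dirname( ABSPATH ) . '/wp-config.php' ] as $config ) {
        if ( file_exists( $config ) ) {
            $mode = fileperms( $config ) & 0777;
            if ( ! in_array( $mode, [ 0600, 0640 ], true ) ) {
                $problems[] = sprintf( '%s is mode %o (expected 600 or 640).', $config, $mode );
            }
            break;
        }
    }
    // The built-in plugin/theme editor should be switched off in wp-config.php.
    if ( ! defined( 'DISALLOW_FILE_EDIT' ) || ! DISALLOW_FILE_EDIT ) {
        $problems[] = "define('DISALLOW_FILE_EDIT', true); is missing from wp-config.php.";
    }

    if ( $problems ) {
        echo '<div class="notice notice-error"><p><strong>Hardening audit:</strong></p><ul>';
        foreach ( $problems as $problem ) {
            echo '<li>' . esc_html( $problem ) . '</li>';
        }
        echo '</ul></div>';
    }
} );
```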
Require passwords with at least 12 characters, mixed case, numbers, and symbols. Weak passwords are the easiest entry point for attackers.
Add TOTP-based 2FA for all administrator and editor accounts. Even if a password is compromised, 2FA blocks unauthorized access.
Lock out IP addresses after 3-5 failed login attempts. This stops brute-force attacks that try thousands of password combinations.
Move /wp-admin and /wp-login.php to a custom URL. This eliminates automated bot traffic targeting the default login page.
Regenerate the authentication keys in wp-config.php. These encrypt cookie data and session tokens.
Audit all user accounts quarterly. Remove inactive accounts, downgrade unnecessary admin access, and ensure each user has the minimum required role.
If your site doesn't need public registration, disable it in Settings → General. Open registration is an easy target for spam accounts.
Auto-logout users after 15-30 minutes of inactivity. This prevents unauthorized access from unattended browsers.
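One way to implement the login lockout and the idle auto-logout items above, as an added example that is not GuardPress code or part of the original checklist: a must-use plugin that counts failed logins per IP in a transient and tracks each user's last request in user meta. The `harden_*` names, the 5-attempt / 15-minute / 30-minute thresholds and the mu-plugin placement are choices made for this example.

```php
<?php
// Constructed example, not GuardPress code: a must-use plugin that locks an IP
// out for 15 minutes after 5 failed logins and signs users out after 30 idle
// minutes. The harden_* names and the thresholds are choices made here.
const HARDEN_MAX_FAILURES = 5;
const HARDEN_LOCKOUT_SECS = 900;

function harden_client_ip(): string {
    // REMOTE_ADDR is the only address the server vouches for. Behind a proxy or
    // CDN, have that layer rewrite it; trusting X-Forwarded-For here would let
    // a client choose which address gets locked out.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}
function harden_lock_key( string $ip ): string {
    return 'harden_fail_' . md5( $ip );
}
// Count failures per IP in a transient that expires with the lockout window.
// Attempts made during a lockout also fail, so they keep the window open.
add_action( 'wp_login_failed', function () {
    $key = harden_lock_key( harden_client_ip() );
    set_transient( $key, (int) get_transient( $key ) + 1, HARDEN_LOCKOUT_SECS );
} );

// Late priority: runs after core's username/password checks and overrides them.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( harden_lock_key( harden_client_ip() ) ) >= HARDEN_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 100 );

// A successful login clears the counter and starts the idle clock.
add_action( 'wp_login', function ( $login, $user ) {
    delete_transient( harden_lock_key( harden_client_ip() ) );
    update_user_meta( $user->ID, 'harden_last_seen', time() );
}, 10, 2 );

// Idle timeout: one user-meta write per request; the admin heartbeat counts as activity.
add_action( 'init', function () {
    if ( ! is_user_logged_in() ) {
        return;
    }
    $uid  = get_current_user_id();
    $last = (int) get_user_meta( $uid, 'harden_last_seen', true );
    if ( $last && time() - $last > 30 * MINUTE_IN_SECONDS ) {
        wp_logout();
        wp_safe_redirect( wp_login_url() );
        exit;
    }
    update_user_meta( $uid, 'harden_last_seen', time() );
} );
```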
A WAF blocks SQL injection, XSS, and other common attacks before they reach your site. This is your first line of defense.
XML-RPC allows remote authentication and is commonly exploited for brute-force amplification attacks. Disable it unless you use the WordPress mobile app or Jetpack.
The REST API exposes user information by default. Block unauthenticated access to /wp-json/wp/v2/users to prevent user enumeration.
Maintain a blocklist of known malicious IPs. A good security plugin will auto-block IPs after suspicious activity.
Limit the number of requests per IP to prevent abuse. Target login pages, admin-ajax, and API endpoints.
If your audience is region-specific, block traffic from countries where you don't do business to reduce attack surface.
Pingbacks can be used for DDoS amplification attacks. Disable them in Settings → Discussion unless actively used.
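The XML-RPC, REST user enumeration and pingback items above, together with the version-hiding item earlier in the checklist, as one added example (not GuardPress code or part of the original page): a must-use plugin that removes that unauthenticated surface with WordPress filters. The `$harden_strip_ver` name and the mu-plugin placement are assumptions made here.

```php
<?php
// Constructed example, not GuardPress code: a must-use plugin that removes the
// unauthenticated surface the checklist describes: XML-RPC, pingbacks, the
// public user listing on the REST API and the WordPress version string.

// xmlrpc_enabled => false refuses every XML-RPC method that needs a login (the
// brute-force path). Pingbacks take no login, so they are removed separately
// below; to drop xmlrpc.php entirely, deny it at the web server as well.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
// ...and stop advertising the pingback endpoint in the response headers.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Hide /wp-json/wp/v2/users (and /users/<id>) unless the caller is logged in.
// Cookie-authenticated REST calls count as logged in only when they carry the
// REST nonce, which the block editor and wp.apiFetch add automatically.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( preg_match( '#^/wp/v2/users(/|$)#', $route ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Remove the version from <head>, RSS feeds and the ?ver= query on scripts and styles.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
$harden_strip_ver = function ( $src ) {
    return is_string( $src ) ? remove_query_arg( 'ver', $src ) : $src;
};
add_filter( 'style_loader_src', $harden_strip_ver );
add_filter( 'script_loader_src', $harden_strip_ver );
```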
Add define('DISALLOW_FILE_EDIT', true); to wp-config.php. If an attacker gains admin access, they can't inject malware through the built-in editor.
Add Options -Indexes to your .htaccess file. Without this, anyone can browse your directory structure and find vulnerable files.
Move wp-config.php one directory above your web root, or add server rules to deny direct access. This file contains your database credentials.
Prevent direct access to .htaccess via server rules. A compromised .htaccess can redirect all traffic to malicious sites.
Add a .htaccess rule to wp-content/uploads/ that denies PHP execution. Malware often hides as uploaded PHP files.
Block direct access to wp-includes directory from the browser. These core files should only be loaded internally by WordPress.
Change wp_ to a unique prefix. SQL injection attacks often target the default prefix to access known table names.
Back up your database daily. Store backups off-site (cloud storage or remote server). Test restores quarterly to ensure backups work.
Remove old post revisions, expired transients, and spam comments. A bloated database is slower and harder to back up.
Your WordPress database user should only have SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, and DROP permissions. Never grant GRANT or SUPER privileges.
Don't use "wordpress" or "wp" as your database name. A unique name makes it harder for attackers to target your database in shared hosting environments.
Log all login attempts, user actions, plugin changes, and settings modifications. Activity logs are essential for detecting and investigating breaches.
Get instant alerts when your site goes down. Downtime can indicate an active attack, server compromise, or failed update.
Monitor core files, plugins, and themes for unauthorized changes. File integrity checks detect injected malware before it causes damage.
Schedule automated malware scans at least weekly. Catch infections early before they spread or get your site blocklisted by Google.
Set up real-time email notifications for failed login spikes, new admin users, plugin installations, and file changes.
Document what to do when a breach occurs: who to contact, how to isolate the site, where backups are stored, and how to restore.
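The logging and alerting items above, as an added example that is not GuardPress code or part of the original checklist: a must-use plugin that records logins, role changes, installer runs and settings changes as JSON lines in the PHP error log and e-mails the site admin on two alert-worthy events. The `harden_*` names, the `wp-audit` log prefix and the mu-plugin placement are assumptions made here.

```php
<?php
// Constructed example, not GuardPress code: a must-use plugin that writes the
// events the checklist lists as one JSON line each to the PHP error log and
// e-mails the site admin on two alert-worthy ones. harden_* names are choices made here.
function harden_log_event( string $event, array $data = [] ): void {
    $record = array_merge( [
        'time'  => gmdate( 'c' ),
        'event' => $event,
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? '',
        'actor' => get_current_user_id(),
    ], $data );
    // Ship this log off the host: an attacker who owns the site can edit local files.
    error_log( 'wp-audit ' . wp_json_encode( $record ) );
}
function harden_alert( string $subject, array $data ): void {
    wp_mail( get_option( 'admin_email' ), '[' . get_bloginfo( 'name' ) . '] ' . $subject,
        wp_json_encode( $data, JSON_PRETTY_PRINT ) );
}

// Logins, failed and successful. Log the username, never the password.
add_action( 'wp_login_failed', function ( $username ) {
    harden_log_event( 'login_failed', [ 'user' => $username ] );
} );
add_action( 'wp_login', function ( $login, $user ) {
    harden_log_event( 'login_ok', [ 'user' => $login, 'uid' => $user->ID ] );
}, 10, 2 );

// Role changes (fires for new registrations too); alert when someone becomes admin.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    $data = [ 'uid' => $user_id, 'role' => $role, 'was' => $old_roles ];
    harden_log_event( 'role_change', $data );
    if ( 'administrator' === $role && ! in_array( 'administrator', (array) $old_roles, true ) ) {
        harden_alert( 'New administrator account', $data );
    }
}, 10, 3 );

// Plugin and theme installs or updates; alert on a fresh plugin install.
add_action( 'upgrader_process_complete', function ( $upgrader, $extra ) {
    harden_log_event( 'upgrader', (array) $extra );
    if ( ( $extra['type'] ?? '' ) === 'plugin' && ( $extra['action'] ?? '' ) === 'install' ) {
        harden_alert( 'Plugin installed', (array) $extra );
    }
}, 10, 2 );

// Settings changes, skipping transients and the cron option WordPress rewrites constantly.
add_action( 'updated_option', function ( $option ) {
    if ( ! preg_match( '/^(_transient_|_site_transient_|cron$)/', $option ) ) {
        harden_log_event( 'option_updated', [ 'option' => $option ] );
    }
} );
```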
Install an SSL certificate and redirect all HTTP traffic to HTTPS. This encrypts all data between your visitors and your server.
HSTS tells browsers to always use HTTPS, preventing SSL stripping attacks and insecure downgrades.
CSP prevents cross-site scripting (XSS) by controlling which scripts, styles, and resources the browser is allowed to load.
X-Frame-Options prevents clickjacking by blocking your site from being embedded in iframes. X-Content-Type-Options prevents MIME type sniffing attacks.
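The four header items above as an added example (not GuardPress code or part of the original checklist): a must-use plugin that sends HSTS, X-Frame-Options, X-Content-Type-Options and a report-only CSP from the `send_headers` hook. The CSP directives shown are a starting point assumed here, not a policy from the page.

```php
<?php
// Constructed example, not GuardPress code: send the security headers from a
// must-use plugin when you cannot set them in the web server configuration.
// The server is the better place: this hook covers front-end requests only,
// not wp-admin pages or REST responses.
add_action( 'send_headers', function () {
    // HSTS only on a site that already serves HTTPS cleanly; add
    // includeSubDomains only once every subdomain has TLS.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }

    // Clickjacking and MIME-sniffing protection.
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-Content-Type-Options: nosniff' );

    // A CSP has to be tuned to what the theme and plugins actually load. Ship it
    // in report-only mode first (without a report-to/report-uri directive the
    // violations show only in the browser console), fix what it reports, then
    // rename the header to Content-Security-Policy to enforce it.
    $csp = implode( '; ', [
        "default-src 'self'",
        "script-src 'self' 'unsafe-inline'", // core and many plugins still inline scripts
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data: https:",
        "font-src 'self' data:",
        "object-src 'none'",
        "base-uri 'self'",
        "frame-ancestors 'self'",           // the CSP counterpart of X-Frame-Options
    ] );
    header( 'Content-Security-Policy-Report-Only: ' . $csp );
} );
```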
Deactivated plugins and themes can still be exploited if they contain vulnerabilities. Delete anything you're not actively using.
Use WordPress.org, verified developers, or reputable marketplaces. Never install nulled (pirated) plugins — they almost always contain backdoors.
Review every installed plugin: is it still maintained? Does it have known vulnerabilities? Is it actually being used? GuardPress's vulnerability scanner automates this check.
GuardPress Pro handles 25+ of these 47 checks automatically. Install it once and your WordPress security runs on autopilot.
WordPress hardening is the process of reducing the attack surface of your WordPress site by applying security best practices. This includes keeping software updated, securing authentication, configuring firewalls, protecting files, hardening the database, and monitoring for threats.
You should review your WordPress security at least quarterly. Critical items like updates and backups should be checked weekly. Use this checklist as a recurring audit tool to ensure nothing is missed.
Yes. Security plugins like GuardPress Pro can automate many hardening tasks including firewall rules, login protection, file integrity monitoring, vulnerability scanning, and security header configuration. Manual items like reviewing user accounts still require human oversight.
Yes. Each item includes a brief explanation of what it does and why it matters. Items are sorted by severity (Critical, High, Medium, Low) so you can prioritize the most important security measures first.