The Complete WordPress Security Checklist for Beginners (2026 Edition)
After years in WordPress development, I learned a brutal lesson: WordPress security isn’t optional. It’s not something you think about “eventually.” It’s the foundation everything else sits on.
The good news? Most WordPress hacks are preventable with basic security practices. You don’t need to be a security expert or install expensive tools. In this guide, I’ll walk you through 20 practical, actionable steps that will make your WordPress site significantly harder to hack.
Why WordPress Sites Get Hacked (It’s Not What You Think)
First, let’s dispel a myth: WordPress itself isn’t insecure. The core WordPress software is actually quite secure, maintained by a dedicated team and tested by thousands of developers.
So why do we hear about WordPress sites getting hacked all the time?
It’s popular. WordPress powers over 40% of all websites. For hackers, that’s a huge target. They develop tools specifically for WordPress because one successful exploit can be used thousands of times.
Outdated software. According to WPScan, 70% of WordPress installations have known vulnerabilities because they’re running outdated versions of WordPress, themes, or plugins.
Weak passwords. Yes, even in 2026, “123456” and “password” are still among the most common passwords. Hackers know this.
Nulled themes and plugins. That “premium” theme you got for free from a sketchy site? It probably contains malware.
Unpatched plugins. A single outdated plugin can give hackers the keys to your entire site.
Here’s the thing: hackers aren’t targeting you personally (unless you’re running a major news site or government portal). They’re using automated scripts that scan thousands of sites looking for known vulnerabilities. Make your site hard enough to crack, and they’ll move on to easier targets.
The Most Common WordPress Attacks
Understanding how attacks happen helps you defend against them:
Brute Force Attacks: Automated scripts try thousands of username/password combinations until they get in. If your password is “admin123,” this takes about 2 seconds.
SQL Injection: Hackers insert malicious SQL into input that ends up inside a database query (search boxes, contact forms, URL parameters) to read or manipulate your database. In WordPress this almost always means a plugin that builds a query from user input without $wpdb->prepare(). This is how massive data breaches happen.
Cross-Site Scripting (XSS): Attackers inject malicious JavaScript into your site. When visitors load a page, the script executes, potentially stealing their data or hijacking their sessions.
File Upload and File Inclusion Exploits: Hackers get a PHP file onto your server through an upload form that doesn’t check file types, or trick a badly written plugin into including a file they control (local or remote file inclusion), then request that file so the server executes their code and hands them control.
Pharma Hacks: Your site suddenly starts promoting pharmaceutical products. Hackers inject spam links into your database to boost SEO for illegal drug sites.
Backdoor Attacks: Even after you clean up a hack, the attacker leaves a “backdoor”—a hidden way to get back in later.
I’ve dealt with all of these at various points. The worst was a backdoor attack where I cleaned the site three times before finally finding the hidden malicious file the hacker kept using to re-enter.
The 20-Step WordPress Security Checklist
I’ve organized this checklist by difficulty level. Start with the basics—these are things you can implement today, right now—and work your way up to more advanced techniques.
Basic Security (Do These Today)
These are the absolute fundamentals. If you do nothing else on this list, do these seven things.
1. Use Strong, Unique Passwords
I know, I know. You’ve heard this a million times. But here’s a stat that should wake you up: Verizon’s Data Breach Investigations Report found that 81% of hacking-related breaches involved weak or stolen passwords.
What makes a strong password:
- At least 16 characters (yes, 16)
- Mix of uppercase, lowercase, numbers, and symbols
- Not based on dictionary words
- Not reused from other sites
- Not your birthday, pet’s name, or anything personal
My recommendation: Use a password manager like Bitwarden (free), 1Password, or LastPass. Let it generate random passwords like this:
Kx9$mP2@nQ7&vL4!zR8%
Could you remember that? No. Do you need to? No. Your password manager remembers it for you.
How to update your WordPress password:
- Log into WordPress
- Go to Users → Profile
- Scroll to “Account Management”
- Click “Generate Password”
- Copy the generated password to your password manager
- Click “Update Profile”
Do this for all user accounts, especially administrators.
2. Enable Two-Factor Authentication (2FA)
2FA means that even if someone steals your password, they still can’t get in without the second factor—usually a code from your phone.
My plugin of choice: Wordfence Login Security (free)
Setup process:
- Install Wordfence Login Security
- Go to Login Security → Settings
- Click “Enable Two-Factor Authentication”
- Install an authenticator app on your phone (I use Google Authenticator or Authy)
- Scan the QR code with your authenticator app
- Enter the 6-digit code to verify
- Save your recovery codes somewhere safe (password manager is perfect)
Now when you log in, you’ll enter your password, then a 6-digit code from your phone. Even if a hacker has your password, they can’t access your site without your phone. One caveat: 2FA protects the login form. Other ways to authenticate, such as XML-RPC and REST API application passwords, bypass it unless your 2FA plugin also covers them (Wordfence Login Security has XML-RPC options in its settings; step 16 covers XML-RPC), so lock those down too.
Important: Save those recovery codes. If you lose your phone, you’ll need them to access your site.
3. Keep WordPress Core Updated
WordPress releases security updates regularly. When they announce an update, hackers immediately start exploiting sites that haven’t updated yet. You’re in a race, and you don’t want to lose.
How to update WordPress:
- Go to Dashboard → Updates
- Click “Update Now”
- Wait for it to complete (usually 1-2 minutes)
- Clear your cache and test your site
Better yet, enable automatic updates. Add this to your wp-config.php file:
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
The value matters. 'minor' enables automatic updates for minor releases (the security and maintenance patches) while major releases (like 6.4 to 6.5) still wait for your approval. Setting it to true turns on automatic major updates as well, and false switches core auto-updates off entirely (don’t). Since WordPress 5.6 you can also toggle major auto-updates from Dashboard → Updates.
What about automatic updates breaking my site? It’s a valid concern. Here’s my approach:
- Always have a backup (we’ll cover this in step 12)
- Test major updates on a staging site first
- Let WordPress auto-update for minor/security releases
- Manually approve major version updates after testing
4. Keep Themes and Plugins Updated
This is where most vulnerabilities come from. Hackers love outdated plugins because they can scan your site, identify which plugins you’re using, and exploit known vulnerabilities.
WordPress makes this easy:
- Go to Dashboard → Updates
- Check all plugins and themes that need updating
- Click “Update Plugins” or “Update Themes”
Enable automatic updates for plugins:
- Go to Plugins → Installed Plugins
- For each plugin, click “Enable auto-updates”
I enable auto-updates for all plugins except page builders and complex plugins that might break my site. Those I update manually after reading the changelog.
Before updating plugins:
- Create a backup (see step 12)
- Read the changelog (click “View details” next to the plugin)
- If it’s a major version update, test on staging first
I learned this the hard way when a WooCommerce update broke my entire checkout process. Always back up first.
5. Delete Unused Themes and Plugins
Inactive plugins can still be exploited. Even if they’re not running, the files are still on your server and still reachable by URL, so a vulnerability in a plugin file that can be requested directly is exploitable whether or not the plugin is active. Inactive plugins also never get updated, so they quietly accumulate known vulnerabilities.
My plugin audit process:
- Go to Plugins → Installed Plugins
- For each inactive plugin, ask: “Will I use this in the next month?”
- If no, delete it (not just deactivate—delete)
- Do the same for themes: Appearance → Themes
Exception: Keep one default WordPress theme (like Twenty Twenty-Four) installed as a fallback. If your active theme breaks or is deleted, WordPress falls back to the default theme.
I once had 47 plugins installed. After an audit, I was down to 18. That’s 29 potential vulnerabilities eliminated.
6. Use a Reputable Hosting Provider
Your host is your first line of defense. A good host provides:
- Server-level security (firewall, malware scanning)
- Regular server updates
- DDoS protection
- SSL certificates
- Daily backups
- Fast response to security issues
Hosts I trust for security:
- SiteGround
- Kinsta
- WP Engine
- Cloudways
Red flags:
- Unlimited storage/bandwidth for $2/month (too good to be true)
- No mention of security features on their site
- Shared hosting with thousands of sites on one server
- Frequent downtime
- Slow support response
I started on cheap shared hosting and got hacked twice. After moving to SiteGround, I haven’t had a security incident in 6 years. You get what you pay for.
If you’re stuck with budget hosting, the other steps in this checklist become even more critical.
7. Install an SSL Certificate (HTTPS)
SSL (strictly speaking TLS, but the old name stuck) encrypts data between your server and visitors’ browsers. Without it, passwords, credit card numbers, and personal information travel in plain text, readable by anyone on the network path, including whoever runs the coffee-shop Wi-Fi.
Also, Google now marks non-HTTPS sites as “Not Secure” in Chrome. That’s not a good look.
Good news: Most hosts offer free SSL certificates through Let’s Encrypt.
How to install SSL:
- Check if your host offers free SSL (most do)
- Enable it in your hosting control panel (usually one click)
- Install the Really Simple SSL plugin (free)
- Activate the plugin—it handles the rest automatically
Really Simple SSL will:
- Force all traffic to HTTPS
- Fix mixed content warnings
- Update internal links
After enabling SSL, visit your site and check for the padlock icon in the address bar. Click it to verify the certificate is valid. Then try the http:// version of a few URLs and confirm each one redirects to https:// (curl -I http://your-site/ should return a 301 with a Location header that starts with https://). Let’s Encrypt certificates expire after 90 days, so make sure your host renews them automatically; an expired certificate takes the whole site down.
Intermediate Security (Implement These Next)
You’ve covered the basics. Now let’s level up your security with these intermediate steps.
8. Change the Default Admin Username
WordPress installers used to create an “admin” user by default. That changed back in WordPress 3.0, but plenty of older sites and one-click installers still produce one. This makes brute force attacks easier: hackers already know the username, so they only need to guess the password.
How to check if you have an “admin” user:
- Go to Users → All Users
- Look for “admin” in the username column
If you have an “admin” user, here’s how to change it:
WordPress doesn’t allow username changes through the dashboard, so:
Option 1: Create a new admin user and delete the old one
- Users → Add New
- Create a new user with administrator role
- Choose a unique username (not “administrator” or “webmaster”)
- Log out and log in with the new user
- Delete the old “admin” user
- When prompted, attribute all posts to the new user
Option 2: Use the Username Changer plugin
- Install Username Changer plugin
- Go to Users → All Users
- Edit the admin user
- Change the username
- Update profile
Bonus tip: Don’t use your real name as your username either. If your name is “John Smith” and your username is “johnsmith,” hackers will try that. Be realistic about what this buys you, though: WordPress reveals usernames through author archives (/?author=1 redirects to the author’s slug) and the REST API (/wp-json/wp/v2/users lists users who have published posts), so treat the username as low-value and rely on the strong password and 2FA from steps 1 and 2.
9. Limit Login Attempts
By default, WordPress lets anyone try to log in unlimited times. Automated scripts can try thousands of password combinations without consequence.
Solution: Limit login attempts. After a handful of failed attempts from one IP address, lock that address out for a period of time.
My plugin recommendation: Wordfence Security (free version includes this)
Setup:
- Install Wordfence Security
- Go to Wordfence → Firewall → All Firewall Options and scroll to Brute Force Protection
- Enable brute force protection
- Lock out after how many login failures: 5
- Immediately lock out invalid usernames: Check (expect to lock yourself out occasionally on a typo, so keep your recovery route handy)
- Notify me about lockouts: Check
Now if someone (or some bot) tries to brute force your login, they get locked out after 5 attempts. Two caveats. Lockouts are per IP, so a botnet spreading its attempts across thousands of addresses stays under the threshold (the WAF in step 19 helps there). And if your site sits behind a proxy or CDN such as Cloudflare, Wordfence must be told where to read the real client IP (Wordfence → All Options → “How does Wordfence get IPs”), or it will lock out the proxy’s address instead of the attacker’s.
You’ll receive email notifications about lockouts. I get about 5-10 of these per week on my sites. All blocked automatically.
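Wordfence does this counting for you; here is the same logic run over the web server’s access log, which lets you confirm what the plugin reports or spot an attack on a site that has no plugin yet. This is an added example written for this page, not code from the article or from Wordfence. It assumes the standard Apache/Nginx “combined” log format; the log lines inside sample_log are constructed for the demo, and ACCESS_LOG is a hypothetical variable you point at a real file.

```sh
#!/bin/sh
# Added example for this page (not code from the article or from Wordfence):
# count POST requests to the WordPress login endpoints per client IP in a
# combined-format access log and flag IPs that exceed a lockout threshold.
# Assumes the Apache/Nginx "combined" log format. The lines in sample_log are
# constructed; set ACCESS_LOG=/path/to/access.log to run against a real file.

sample_log() {
  cat <<'EOF'
203.0.113.7 - - [10/Mar/2026:09:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2874 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2874 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2874 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2874 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2874 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2874 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:01:07 +0000] "POST /wp-login.php HTTP/1.1" 200 2874 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:01:08 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
203.0.113.7 - - [10/Mar/2026:09:01:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "python-requests/2.31"
198.51.100.4 - - [10/Mar/2026:09:03:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2874 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2026:09:03:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2026:09:05:00 +0000] "GET /?p=12 HTTP/1.1" 200 10240 "-" "Mozilla/5.0"
EOF
}

# Combined-format fields: $1 client IP, $6 "METHOD (with its opening quote),
# $7 request path, $9 status. Every POST counts as an attempt: a real user
# logging in produces one POST (302 to wp-admin), a bot produces dozens
# (200, the form re-rendered with an error). The threshold separates them.
login_posts() {
  awk '$6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php")'
}

# "count ip path" for each IP/endpoint pair, busiest first.
attempts_by_endpoint() {
  login_posts | awk '{ n[$1 " " $7]++ } END { for (k in n) print n[k], k }' | sort -rn
}

# IPs whose total POSTs to both endpoints exceed the threshold in $1 (default 5),
# i.e. the ones a lockout rule with that threshold would have stopped.
flag_ips() {
  login_posts | awk -v t="${1:-5}" '{ n[$1]++ } END { for (ip in n) if (n[ip] > t) print ip, n[ip] }' | sort
}

if [ -n "${ACCESS_LOG:-}" ]; then
  flag_ips 5 < "$ACCESS_LOG"
else
  echo "== attempts per IP and endpoint (constructed sample) =="
  sample_log | attempts_by_endpoint
  echo "== IPs over a lockout threshold of 5 =="
  sample_log | flag_ips 5
fi
```

Two things this reveals that the dashboard counter does not: the same IP hitting wp-login.php and xmlrpc.php in the same minute, which a per-form lockout counts as two separate streams, and the user agent (python-requests is a bot; a browser sends Mozilla/5.0). Remember that one XML-RPC request can carry hundreds of credential pairs through system.multicall, so a small xmlrpc.php count can still be a large attack; that is the reason step 16 exists.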
10. Install a Security Plugin
A comprehensive security plugin monitors your site, blocks attacks, and alerts you to issues.
The two I recommend:
Wordfence Security (free):
- Firewall
- Malware scanner
- Login security
- Real-time threat intelligence
- Traffic monitoring
Sucuri Security (free):
- Security activity auditing
- File integrity monitoring
- Remote malware scanning
- Blacklist monitoring
- Post-hack security actions
I use Wordfence on most sites. It’s powerful, actively maintained, and the free version is genuinely useful (not a crippled trial).
Basic Wordfence setup:
- Install and activate Wordfence Security
- Go to Wordfence → Dashboard
- Click “Manage Firewall”
- Choose “Optimized” firewall configuration
- Run your first scan: Wordfence → Scan
- Address any issues found (Wordfence will explain what each issue means)
Scans take 5-15 minutes depending on your site size. Schedule them to run automatically (Wordfence does this by default).
Important: Don’t install multiple security plugins. They can conflict with each other. Choose one comprehensive plugin.
11. Disable File Editing in wp-admin
By default, WordPress lets administrators edit theme and plugin files directly from the dashboard. This is convenient but dangerous. If a hacker gets admin access, they can inject malicious code directly into your theme.
Disable this feature by adding one line to wp-config.php:
define( 'DISALLOW_FILE_EDIT', true );
Add it above this line:
/* That's all, stop editing! Happy publishing. */
Save the file. Now if you go to Appearance → Theme File Editor, you’ll see a message that file editing has been disabled.
If you need to edit theme files, use SFTP or your hosting file manager. It’s a bit less convenient, but much more secure. If you deploy from version control and never install plugins from the dashboard, you can go one step further with the DISALLOW_FILE_MODS constant (set it to true in wp-config.php the same way), which also blocks plugin and theme installs and updates from wp-admin. Only do that if updates happen some other way, because step 4 still applies.
12. Set Up Automated Backups
Backups aren’t technically security, but they’re your insurance policy. If everything goes wrong—you get hacked, a plugin breaks your site, your host has a catastrophic failure—a recent backup means you can restore everything.
My backup requirements:
- Automated (I don’t want to remember to do this)
- Includes database and files
- Stores backups off-site (not just on the same server), ideally somewhere that keeps old versions, because an attacker who controls the site also controls whatever storage credentials the backup plugin holds
- Daily or weekly depending on update frequency
- Easy restoration process
My plugin of choice: UpdraftPlus (free version is excellent)
Setup:
- Install UpdraftPlus
- Go to Settings → UpdraftPlus Backups
- Click “Settings” tab
- Choose backup schedule:
- Files: Weekly
- Database: Daily (if you post frequently) or Weekly (if not)
- Choose a remote storage location:
- Google Drive (free, easy)
- Dropbox
- Amazon S3
- Many others
- Connect your storage account (UpdraftPlus walks you through this)
- Click “Save Changes”
- Run a manual backup to test
Important: Test your backups by actually restoring them to a staging site. A backup you can’t restore is worthless.
I schedule database backups daily (they’re small) and file backups weekly. My sites don’t change much day-to-day, so this works. If you’re running an e-commerce site or forum with lots of user activity, back up more frequently.
13. Change the Database Table Prefix
WordPress uses a database to store all your content. By default, all database tables start with wp_, like wp_posts and wp_users. Changing the prefix (to something like xyz_) is often recommended to frustrate SQL injection.
In practice it helps less than it sounds. A vulnerable plugin builds its queries with $wpdb->prefix, so injected SQL runs against the right tables whatever they are called, and an attacker who can inject can read the real table names from information_schema. What it does defeat is the laziest mass-exploit scripts that hard-code wp_.
How to change it:
This is more technical and risky, so back up your database first.
Option 1: During installation
When you install WordPress, you can set a custom database prefix. If you haven’t installed yet, use something like wp_8x2k_ (random characters).
Option 2: After installation (use a plugin)
- Back up your database
- Install Change DB Prefix plugin
- Go to Tools → Change DB Prefix
- Enter a new prefix (e.g., xyz_) or click “Generate New Prefix” for a random one
- Click “Change DB Prefix”
Option 3: Manually (advanced) This involves editing the database and wp-config.php. I only recommend this if you’re comfortable with phpMyAdmin. There are many tutorials online if you want to go this route.
Truth time: Changing the database prefix is security through obscurity. It’s not a strong defense, but it does make automated attacks slightly harder. I consider this a bonus, not a requirement.
14. Protect wp-config.php
Your wp-config.php file contains your database credentials. If a hacker gets access to this file, they have the keys to your kingdom.
Add this to your .htaccess file to deny browser access to wp-config.php and to any stray copies of it (wp-config.php.bak, wp-config.php~ and the like, which editors and hosting panels leave behind and which a web server happily serves as plain text):
<FilesMatch "^wp-config\.php">
Require all denied
</FilesMatch>
That is Apache 2.4 syntax. On an Apache 2.2 server (end of life since 2017) use the older Order allow,deny / Deny from all pair inside the same block; on Nginx, where .htaccess is ignored, add the equivalent location rule to the server config or ask your host. Normally PHP executes wp-config.php and returns nothing, so this is defence in depth for the day PHP is misconfigured and the file is served as text.
Even better: Move wp-config.php one directory above your WordPress root. WordPress automatically looks one level up when the file isn’t in the root (as long as that parent directory isn’t itself a WordPress install), and a file outside the document root can’t be served by the web server at all. The PHP user still has to be able to read it, and on shared hosts the parent of public_html is often your home directory, so the file permissions in step 18 still apply.
How to move wp-config.php:
- Connect via SFTP
- Navigate to your WordPress root (usually public_html or www)
- Download wp-config.php (backup!)
- Move wp-config.php one directory up
- Test your site
If something breaks, just move it back.
Warning: Some hosts don’t allow this. If your site breaks after moving the file, move it back.
Advanced Security (For Maximum Protection)
You’ve implemented the basics and intermediate steps. Now let’s harden your WordPress site to NSA levels. (Okay, maybe not NSA, but pretty darn secure.)
15. Implement Security Headers
Security headers tell browsers how to behave when handling your site’s content. They prevent various types of attacks, from clickjacking to XSS.
The key security headers:
Strict-Transport-Security (HSTS): Tells browsers to use HTTPS only for your domain, so a stripped redirect or downgrade can’t send a visitor to the plain-HTTP version
X-Frame-Options: Prevents your site from being embedded in an iframe (protects against clickjacking)
X-Content-Type-Options: Prevents MIME-type sniffing
Referrer-Policy: Controls how much referrer information is passed
Permissions-Policy: Controls which browser features your site can use
Add these to your .htaccess file:
<IfModule mod_headers.c>
Header always set Strict-Transport-Security "max-age=31536000"
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
Header always set X-XSS-Protection "0"
</IfModule>
Two notes. Only add the HSTS line once every page and subdomain loads cleanly over HTTPS (step 7): browsers remember it for the whole max-age, so a mistake locks visitors out of anything that is HTTP-only. If you want to start cautiously, use a short max-age such as 300 and raise it once you’re sure. And X-XSS-Protection is set to 0 on purpose. The old "1; mode=block" value enabled a browser XSS filter that Chrome and Edge have since removed and that attackers learned to abuse for information leaks, so current guidance is to disable it and rely on X-Content-Type-Options and a Content-Security-Policy instead.
Check if they’re working: Visit https://securityheaders.com and enter your URL. It’ll grade your security headers and explain what each one does.
After implementing these headers, I went from an F grade to an A. It’s a nice confidence boost.
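The securityheaders.com check needs a live site. For a local or pre-deploy check, here is an added script, written for this page and not the author’s or securityheaders.com’s code, that grades a raw HTTP response against the headers above, including Strict-Transport-Security and the X-XSS-Protection pitfall. It assumes the output of curl -sI (CRLF line endings are handled); the two response samples inside it are constructed, and HEADERS_FILE is a hypothetical variable you point at a saved response.

```sh
#!/bin/sh
# Added example for this page (not from the article): check a raw HTTP response
# for the security headers discussed in step 15. Feed it `curl -sI https://site/`
# output via HEADERS_FILE, or run as-is against the two constructed samples.

# name:required-substring; an empty substring means presence is enough.
SPECS='strict-transport-security:max-age=
x-frame-options:
x-content-type-options:nosniff
referrer-policy:
permissions-policy:'

# Read response headers on stdin, print one verdict line per header.
check_headers() {
  hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')          # header names are case-insensitive
  printf '%s\n' "$SPECS" | while IFS=: read -r name want; do
    line=$(printf '%s\n' "$hdrs" | grep "^$name:" || true)
    if [ -z "$line" ]; then
      echo "MISSING $name"
    elif [ -n "$want" ] && ! printf '%s\n' "$line" | grep -q "$want"; then
      echo "WEAK    $name ($line)"
    else
      echo "ok      $name"
    fi
  done
  # The filter mode of X-XSS-Protection is retired in modern browsers and was
  # itself abused for cross-site leaks; current guidance is to send 0 or nothing.
  if printf '%s\n' "$hdrs" | grep -q '^x-xss-protection:[[:space:]]*1'; then
    echo "WARN    x-xss-protection is 1; set it to 0 or remove it"
  fi
}

# Number of headers that are missing or have a weak value (0 is the goal).
count_missing() { check_headers | grep -c -E '^(MISSING|WEAK)' || true; }

# Constructed sample: a stock Apache response with the deprecated header set.
before_sample() {
  cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
Content-Type: text/html; charset=UTF-8
X-XSS-Protection: 1; mode=block
EOF
}

# Constructed sample: the response after the .htaccess block above is in place.
after_sample() {
  cat <<'EOF'
HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), microphone=(), camera=()
X-XSS-Protection: 0
EOF
}

if [ -n "${HEADERS_FILE:-}" ]; then
  check_headers < "$HEADERS_FILE"
else
  echo "== before hardening =="; before_sample | check_headers
  echo "== after hardening =="; after_sample | check_headers
fi
```

Run it against the real thing with curl -sI https://your-site/ > headers.txt and HEADERS_FILE=headers.txt sh check.sh. Check a page served by a cache or CDN as well as one served straight from the origin; a caching layer in front of Apache will sometimes drop headers, which is exactly the case securityheaders.com would catch and a local test would not.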
16. Disable XML-RPC
XML-RPC is a system that allows remote connections to WordPress. It’s used by the WordPress mobile app and some plugins. It’s also a favorite target for brute force attacks because it allows multiple authentication attempts in a single request.
Unless you specifically need XML-RPC (you probably don’t), disable it.
Add this to your .htaccess file:
<Files xmlrpc.php>
Require all denied
</Files>
(That is Apache 2.4 syntax; an Apache 2.2 server needs the older Order deny,allow / Deny from all pair instead. On Nginx, .htaccess is ignored, so add a location rule for /xmlrpc.php that returns 403 to the server config.)
Or use your security plugin: Wordfence Login Security can disable XML-RPC authentication, or require 2FA for it if you still need XML-RPC for Jetpack or the mobile app:
- Wordfence → Login Security → Settings
- Find the XML-RPC options
- Choose “Disable XML-RPC authentication” (or require 2FA for XML-RPC if something still needs it)
- Save
How to check if you’re using XML-RPC: If you’re not using the WordPress mobile app, Jetpack, or a remote publishing client, and all your plugins work after disabling it, you weren’t using it. Quick check after the change: https://your-site/xmlrpc.php should now return 403 Forbidden instead of the “XML-RPC server accepts POST requests only.” message.
After disabling XML-RPC, I saw a dramatic decrease in brute force attempts. Apparently, lots of bots specifically target this feature.
17. Hide WordPress Version
By default, WordPress announces its version number in your site’s HTML and RSS feeds. This tells hackers exactly which version you’re running and which exploits might work.
Remove the WordPress version by putting this in a must-use plugin (any .php file in wp-content/mu-plugins; it survives theme switches and theme updates, which a functions.php edit does not) or, failing that, in your theme’s functions.php:
// Remove WordPress version from the <meta name="generator"> tag in the page head
remove_action( 'wp_head', 'wp_generator' );
// Remove WordPress version from RSS feeds
add_filter( 'the_generator', '__return_empty_string' );
// Remove the ?ver=6.x query string that core appends to its own scripts and styles.
// Only the core version is stripped; plugin and theme version strings are left alone.
function remove_wp_version_strings( $src ) {
global $wp_version;
// (string) cast: parse_url() returns null when there is no query string, and
// passing null to parse_str() is deprecated since PHP 8.1
parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
$src = remove_query_arg( 'ver', $src );
}
return $src;
}
add_filter( 'script_loader_src', 'remove_wp_version_strings' );
add_filter( 'style_loader_src', 'remove_wp_version_strings' );
To verify it’s working:
- View your site’s source code (right-click → View Page Source)
- Search for generator, and for ver= on the wp-includes script and style URLs
- Neither should reveal the WordPress version
This is another security-through-obscurity measure. It won’t stop a determined attacker (readme.html in your web root states the version too, and scanners can fingerprint a version from the hashes of public static files, so block or delete readme.html as well), but it makes the laziest automated scans less effective. One trade-off: without the ver= query string, browsers and CDNs may keep serving cached copies of core scripts after an update, so purge your caches after upgrading.
18. Set Correct File Permissions
WordPress files and directories need specific permissions. Too permissive, and hackers can modify files. Too restrictive, and WordPress can’t function.
The standard permission scheme:
- Directories: 755 or 750
- Files: 644 or 640
- wp-config.php: 600 or 640
How to set file permissions via FTP:
- Connect to your site via FTP (I use FileZilla)
- Right-click a directory → File Permissions
- Enter the numeric value (755 for directories)
- Check “Recurse into subdirectories”
- Apply to directories only
- Repeat for files (644)
Or use this command via SSH:
# Set directory permissions
find /path/to/wordpress/ -type d -exec chmod 755 {} \;
# Set file permissions
find /path/to/wordpress/ -type f -exec chmod 644 {} \;
# Set wp-config.php permission
chmod 600 /path/to/wordpress/wp-config.php
Replace /path/to/wordpress/ with your actual WordPress directory path.
Warning: Some hosts require different permissions. Whether 600 on wp-config.php works depends on which user PHP runs as. If PHP runs as the file owner (a PHP-FPM pool per site, suPHP, most managed WordPress hosts), 600 is fine. If PHP runs as a shared web server user such as www-data that only shares a group with you, 600 breaks the site and 640 with the web server’s group is the right setting. Nothing should ever need 777; if a plugin asks for it, the problem is file ownership, not permissions. If your site breaks after changing permissions, revert them.
I set wp-config.php to 600 (only the owner can read/write) for maximum security.
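As a check on the scheme above, here is an added audit script written for this page (not from the article). It builds a throwaway tree under mktemp containing the typical mistakes, reports what is wrong, applies the page’s chmod scheme, and reports again. The fixture and its file names are constructed; point the functions at your real WordPress directory to use them. It also looks for PHP files under wp-content/uploads, because a dropper in the uploads directory is the most common thing a correct permission scheme does not catch.

```sh
#!/bin/sh
# Added example for this page (not from the article): audit a WordPress tree for
# the permission problems that matter most, apply the chmod scheme from step 18,
# and audit again. The tree is a throwaway fixture built under mktemp; point the
# functions at your real WordPress directory to use them.

# One line per finding. Symlinks are skipped: their own mode bits mean nothing.
audit_tree() {
  root=$1
  # writable by "other": any local user or a compromised neighbouring site can edit it
  find "$root" ! -type l -perm -002
  # wp-config.php readable by "other": DB credentials and salts leak to any local user
  find "$root" -maxdepth 1 -name wp-config.php -perm -004
  # executable code where only media belongs: the upload-then-execute dropper
  find "$root/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \)
}
count_findings() { audit_tree "$1" | grep -c . || true; }

# The page's scheme. 600 on wp-config.php assumes PHP runs as the file owner
# (a PHP-FPM pool per site, suPHP); with a shared www-data worker use 640 and
# that group instead, or the site stops being able to read its own configuration.
harden_tree() {
  find "$1" -type d -exec chmod 755 {} \;
  find "$1" -type f -exec chmod 644 {} \;
  chmod 600 "$1/wp-config.php"
}

# Constructed fixture: a correct tree with three classic mistakes added.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads/2026/03" "$d/wp-content/plugins/foo"
  printf '<?php\n' > "$d/wp-config.php"
  printf '<?php\n' > "$d/wp-content/plugins/foo/foo.php"
  printf '<?php\n' > "$d/wp-content/uploads/2026/03/image.php"   # dropper (constructed)
  : > "$d/wp-content/uploads/2026/03/image.jpg"
  harden_tree "$d"
  chmod 777 "$d/wp-content/uploads/2026/03"      # the "just make uploads work" mistake
  chmod 666 "$d/wp-content/plugins/foo/foo.php"  # world-writable plugin file
  chmod 644 "$d/wp-config.php"                   # readable by every local account
  echo "$d"
}

d=$(make_fixture)
echo "== findings before hardening =="
audit_tree "$d"
harden_tree "$d"
echo "== findings after hardening (the dropper in uploads still needs a human) =="
audit_tree "$d"
rm -rf "$d"
```

The second report is the point: the chmod scheme silences three of the four findings but leaves image.php untouched, because permissions say nothing about whether a file should exist. Deciding that is step 20’s job, and on a real site the uploads finding is the one to investigate first.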
19. Use a Web Application Firewall (WAF)
A WAF sits between your site and the internet, filtering out malicious traffic before it even reaches your server.
The best free WAF: Cloudflare
Yes, the same Cloudflare from our speed optimization guide. It’s a speed booster AND a security powerhouse.
Cloudflare’s free security features:
- DDoS protection
- Web Application Firewall (on the free plan this means the Cloudflare Free Managed Ruleset plus a handful of custom rules; the full Cloudflare Managed Ruleset and OWASP Core Ruleset need a Pro plan or higher)
- Bot Fight Mode
- SSL/TLS encryption
- Always Online (serves cached version if your server goes down)
Setting up Cloudflare (if you haven’t already):
- Sign up at cloudflare.com
- Add your site
- Cloudflare scans your DNS records
- Verify records are correct
- Change your domain’s nameservers to Cloudflare’s
- Wait for DNS propagation (up to 24 hours)
Security settings to enable:
Security → Settings
Security Level: Medium (or High if you're experiencing attacks)
Challenge Passage: 30 minutes
Security → Bots
Bot Fight Mode: On
Security → WAF
Managed rules: Cloudflare Free Managed Ruleset: On (the Cloudflare Managed Ruleset and OWASP Core Ruleset are listed here but only switch on with a Pro plan or higher)
Custom rules: add a rule that challenges requests to /wp-login.php and /xmlrpc.php from outside the countries you actually log in from, if that fits your audience
SSL/TLS → Overview
Encryption mode: Full (strict). This needs a valid certificate on your origin (the Let’s Encrypt one from step 7, or a free Cloudflare Origin CA certificate). Never pick Flexible: it leaves the Cloudflare-to-origin leg as plain HTTP.
Scrape Shield
Email Address Obfuscation: On
Server-side Excludes: On
Hotlink Protection: On
Two things make or break this setup. A WAF only filters traffic that passes through it: if your origin server’s IP is discoverable (old DNS records, mail headers, a subdomain that isn’t proxied), attackers go straight to it, so restrict your server firewall to Cloudflare’s published IP ranges or enable Authenticated Origin Pulls. And once proxied, your server sees Cloudflare’s addresses on every request; point Wordfence (step 9) and your server logs at the CF-Connecting-IP header, or lockouts and bans will hit the wrong address.
Cloudflare’s firewall blocks millions of attacks daily. Since implementing it, I’ve seen zero successful attacks on my sites.
20. Monitor for File Changes
If a hacker does breach your site, they’ll likely modify files—injecting malware, creating backdoors, etc. File integrity monitoring alerts you to these changes.
How to monitor file changes:
Option 1: Wordfence (free) Wordfence compares your core files, and any plugin or theme that comes from the wordpress.org repository, against the official copies, and flags files that differ or that don’t belong. Premium plugins and custom themes can’t be checked this way, so for those it can only tell you that a file changed since its last scan.
- Wordfence → Scan
- Review results
- Any modified or unexpected core, plugin, or theme files will be flagged
Option 2: Sucuri Security (free) Similar functionality:
- Sucuri Security → File Integrity Monitoring
- Review alerts
Option 3: Your host Some hosts (like SiteGround and Kinsta) offer built-in file change monitoring. Check your hosting dashboard.
I run weekly Wordfence scans and review any changed files. Usually, it’s just plugin updates, but occasionally I catch something suspicious.
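For files a plugin can’t verify against wordpress.org (premium plugins, your own theme, uploads), a baseline you take yourself does the same job. The script below is an added example written for this page, not Wordfence’s or the article’s code; it uses only find and sha256sum, and the tiny site tree and the simulated intrusion inside make_demo are constructed. Keep the baseline manifest off the server: an intruder who can edit files can also edit a manifest stored beside them.

```sh
#!/bin/sh
# Added example for this page (not Wordfence's or the article's code): a
# self-maintained file-integrity baseline with find and sha256sum.

HASH=sha256sum
command -v sha256sum >/dev/null 2>&1 || HASH="shasum -a 256"   # macOS fallback

# Write "hash  ./relative/path" for every regular file under $1 into $2, sorted by path.
make_baseline() {
  ( cd "$1" && find . -type f | sort | while IFS= read -r f; do $HASH "$f"; done ) > "$2"
}

# Report the differences between baseline manifest $1 and current manifest $2.
integrity_report() {
  base=$1; cur=$2
  # hash+path present now but absent from the baseline: modified or newly created
  grep -vxF -f "$base" "$cur" | awk '{ print "MODIFIED-OR-NEW", $2 }' || true
  # paths that were in the baseline and no longer exist
  awk '{ print $2 }' "$cur" > "$cur.paths"
  awk '{ print $2 }' "$base" | grep -vxF -f "$cur.paths" | awk '{ print "REMOVED", $1 }' || true
  rm -f "$cur.paths"
}

# Number of report lines; 0 means nothing changed since the baseline.
count_changes() { integrity_report "$1" "$2" | grep -c . || true; }

# Constructed demo: snapshot a tiny site, simulate an intrusion, snapshot again.
make_demo() {
  d=$(mktemp -d)
  mkdir -p "$d/site/wp-content/plugins/foo" "$d/site/wp-includes"
  echo '<?php // plugin' > "$d/site/wp-content/plugins/foo/foo.php"
  echo '<?php // core'   > "$d/site/wp-includes/functions.php"
  echo '<?php // config' > "$d/site/wp-config.php"
  make_baseline "$d/site" "$d/baseline.txt"        # taken on a known-good day
  echo 'eval($_POST["x"]);' >> "$d/site/wp-includes/functions.php"       # core file modified
  echo '<?php // dropper' > "$d/site/wp-content/plugins/foo/.shell.php"  # hidden new file
  rm "$d/site/wp-config.php"                         # deletions are reported too
  make_baseline "$d/site" "$d/current.txt"
  echo "$d"
}

d=$(make_demo)
integrity_report "$d/baseline.txt" "$d/current.txt"
rm -rf "$d"
```

On a real site, take the baseline right after a clean install or a verified update, store it somewhere the web server cannot write, and re-run the comparison from cron. Expect noise from plugin updates and cache directories; exclude wp-content/cache and re-baseline after each update you made yourself, and everything left is worth a look. For core and repository plugins, WP-CLI’s wp core verify-checksums and wp plugin verify-checksums --all perform the same comparison against wordpress.org with no baseline needed; this script adds the files those commands can’t verify.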
What to Do If You Get Hacked (Recovery Steps)
Despite your best efforts, hacks can still happen. Here’s my incident response plan:
Immediate steps:
- Don’t panic. Seriously. Panicking leads to mistakes.
- Take the site offline. Put up a maintenance page or take the site completely down. You don’t want visitors getting infected or seeing the defaced version.
- Preserve evidence before you touch anything. Copy the web server logs and a full snapshot of the compromised files and database somewhere off the server. You need them to work out how the attacker got in, and cleanup destroys them.
- Change all passwords. WordPress admin, database, SFTP, hosting account, and the salts in wp-config.php, which invalidates every existing login cookie.
- Identify the attack vector. Check your security plugin logs and the copied server logs. When did the hack occur? What files were modified? Which plugin, theme, or account was involved?
- Restore from backup. This is why you have backups, right? Restore to a point before the hack occurred, not merely before you noticed it.
- Scan the restored site. Run a malware scan to ensure the backup wasn’t already infected; backdoors often predate the visible damage by weeks.
- Update everything. WordPress core, all themes, all plugins. The hack likely exploited an outdated component.
- Check for persistence. Look for administrator accounts you don’t recognise (Users → All Users), unexpected scheduled tasks, and changes to wp-config.php, .htaccess, and wp-content/uploads, the usual places a backdoor hides.
- Change all passwords again. Yes, again. The hacker might have stolen them.
- Implement the missing security measures. Whatever allowed the hack to happen, fix it.
- Monitor closely. Watch for re-infection over the next few weeks.
If you don’t have a clean backup:
- Hire a professional. Companies like Sucuri offer malware removal services (starting around $200). It’s worth it.
- Or, manual cleanup:
- Download a fresh copy of WordPress
- Replace all core files (keep wp-config.php and wp-content, but inspect both by hand)
- Delete and reinstall all plugins
- Delete and reinstall all themes
- Scan wp-content for malicious files (this is the hard part)
- Change all passwords
- Update everything
I’ve done manual cleanup exactly once. It took 14 hours. I now have daily backups on all my sites.
Security Plugins Comparison Table
Here’s a quick comparison of the major free security plugins:
| Feature | Wordfence | Sucuri | Solid Security (formerly iThemes Security) |
|---|---|---|---|
| Firewall | Yes (advanced) | Basic | Basic |
| Malware Scanning | Yes, deep scan | Yes, basic | Limited |
| Login Security | Yes, 2FA included | Basic | Yes, 2FA available |
| Brute Force Protection | Yes, excellent | Yes | Yes |
| File Monitoring | Yes | Yes | Yes |
| Security Hardening | Manual | Guided | Guided wizard |
| Live Traffic Monitoring | Yes | No (premium only) | No |
| Ease of Use | Moderate | Easy | Easy |
| Resource Usage | Medium | Light | Light |
| Best For | Sites needing comprehensive protection | Beginners wanting guided setup | WordPress beginners |
My recommendation: Start with Wordfence. It’s the most comprehensive free option. If you find it overwhelming, switch to Sucuri or Solid Security for a simpler experience.
Monthly Security Maintenance Routine
Security isn’t a one-time task. Here’s my monthly checklist:
First Monday of each month:
- Check for WordPress, theme, and plugin updates
- Apply updates (after backing up)
- Review security plugin logs for suspicious activity
- Run a full malware scan
- Review user accounts (delete any you don’t recognize)
- Check login attempts and lockouts
- Verify backups are running successfully
- Test a backup restoration on staging (quarterly, not monthly)
This takes about 30 minutes per site. Set a calendar reminder so you don’t forget.
I manage 7 WordPress sites, so I’ve turned this into a Monday morning ritual with coffee. It’s become therapeutic in a weird way.
Final Thoughts
WordPress security doesn’t have to be complicated or expensive. The vast majority of hacks exploit basic vulnerabilities—weak passwords, outdated software, lack of backups. Fix those, and you’re already ahead of 90% of WordPress sites.
I’ve been running WordPress sites for almost a decade now. In that time, I’ve been hacked exactly twice—both before I implemented these practices. Since adopting this security checklist, I’ve had zero successful attacks across all my sites.
Zero.
That doesn’t mean I’m invincible. A zero-day exploit in a plugin could still get me. A sophisticated targeted attack could potentially break through. But automated attacks—the kind that compromise thousands of sites daily—won’t touch me. And they won’t touch you either if you follow this checklist.
Start with the basics. Get those seven fundamental steps implemented today. Then chip away at the intermediate and advanced steps over the coming weeks.
Your site is worth protecting. Your content, your audience, your reputation—they all depend on keeping your WordPress site secure.
Now get out there and lock down your site. The hackers can move on to someone else.
—Taufik Hidayat
P.S. If you found this guide helpful, bookmark it. I update it regularly as new security threats emerge and best practices evolve. Stay secure out there.