A Complete WordPress Security Checklist for 2026

3/20/2026 · 5 min read

20 practical steps to protect your WordPress site from hacks — from basics to advanced, with recommended tools for each step.

WordPress powers 43% of the web — which makes it attack target number one. Every minute, 90,000 hack attempts hit WordPress sites. Good news: most can be prevented with 20 simple steps. This guide covers all of them, with recommended tools for each.

Why WordPress is a target

  1. Popularity: with WordPress on 4 out of every 10 sites, attackers tune their tooling to it
  2. Nulled themes: riddled with backdoors
  3. Outdated plugins: not updated for months
  4. Weak passwords: admin / password / 123456
  5. No WAF: no application firewall

Basics (don't skip these)

1. Update everything — always

  • ✅ WordPress core
  • ✅ Themes
  • ✅ Plugins
  • ✅ PHP to 8.2+ (8.3 is better)

70% of hacks target outdated installs. Enable auto-updates.

2. Strong passwords + 2FA

  • 12+ characters, numbers, symbols
  • Password manager (1Password, Bitwarden)
  • Two-factor auth via WP 2FA or Wordfence Login Security
  • Don't share admin accounts

3. Change the "admin" username

The simplest brute-force target. Pick something unexpected. If "admin" exists, create a new admin user and delete the old one.

4. Change the database table prefix

From wp_ to anything else (xj7_ for example). Stops common SQL injections. Change before install, or use the Change Table Prefix plugin.

Login protection

5. Limit login attempts

Limit Login Attempts Reloaded plugin — blocks IPs after 5 failed tries. Essential against brute force.

6. Change the admin URL

From /wp-admin to a custom path via WPS Hide Login. E.g., /control-panel-x9z. Hackers won't know where to attack.

7. Hide sensitive info

Remove exposure of:

  • WordPress version (from <meta> and RSS)
  • Usernames (from author URLs)
  • readme.html file
  • wp-config-sample.php file

8. Disable XML-RPC if unused

A common brute-force and DDoS target. In .htaccess:

<Files xmlrpc.php>
  # Apache 2.2 directives; on Apache 2.4 they need mod_access_compat
  Order Deny,Allow
  Deny from all
  # Apache 2.4 native equivalent of the two lines above: Require all denied
</Files>

File protection

9. Correct file permissions

# Files: 644
find /var/www/html -type f -exec chmod 644 {} \;
# Folders: 755
find /var/www/html -type d -exec chmod 755 {} \;
# wp-config.php: 600 (most restrictive)
chmod 600 /var/www/html/wp-config.php

10. Disable file editing from admin

In wp-config.php:

define('DISALLOW_FILE_EDIT', true);  // removes the theme/plugin code editor from the dashboard
define('DISALLOW_FILE_MODS', true);  // also blocks plugin/theme installs and updates from the dashboard

Prevents an attacker who reaches admin from editing PHP files via the UI. Note that DISALLOW_FILE_MODS also blocks installing and updating plugins and themes from the dashboard, automatic updates included, so only set it where updates are applied by another process; otherwise it works against step 1.

11. Block PHP execution in uploads

In wp-content/uploads/.htaccess:

<Files *.php>
  # Apache 2.2 directives; on Apache 2.4 use: Require all denied
  Order Deny,Allow
  Deny from all
  # To cover .phtml and .phar as well, use <FilesMatch "\.(php|phtml|phar)$"> instead of <Files>
</Files>

Prevents malicious PHP files disguised as images. On nginx, .htaccess files are ignored; the equivalent is a location block in the server config that refuses PHP under /wp-content/uploads/.
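An added audit script for steps 9 to 11 (not part of the original checklist): it reports files, folders and wp-config.php that deviate from the modes above, a missing DISALLOW_FILE_EDIT, and an uploads folder with no PHP block, and prints the number of findings. It assumes the standard layout (wp-config.php and wp-content/uploads directly under the document root) and builds a constructed sample docroot so it runs offline.

```shell
#!/bin/sh
# wp_file_audit: report deviations from steps 9-11 for a WordPress docroot.
# Prints one FINDING line per problem, then the number of findings; it
# changes nothing. Assumes the standard layout (wp-config.php and
# wp-content/uploads directly under the document root).
wp_file_audit() {
  root=$1
  n=0
  # Step 9: files 644, folders 755, wp-config.php 600 (exact-mode match)
  bad_files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l | tr -d ' ')
  [ "$bad_files" -eq 0 ] || { echo "FINDING: $bad_files file(s) not mode 644"; n=$((n + 1)); }
  bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
  [ "$bad_dirs" -eq 0 ] || { echo "FINDING: $bad_dirs folder(s) not mode 755"; n=$((n + 1)); }
  cfg=$root/wp-config.php
  if [ -f "$cfg" ]; then
    find "$cfg" -perm 600 | grep -q . || { echo "FINDING: wp-config.php not mode 600"; n=$((n + 1)); }
    # Step 10: the theme/plugin editor must be switched off
    grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" \
      || { echo "FINDING: DISALLOW_FILE_EDIT is not set to true"; n=$((n + 1)); }
  else
    echo "FINDING: no wp-config.php in $root"; n=$((n + 1))
  fi
  # Step 11: uploads/.htaccess must block *.php (Apache 2.2 or 2.4 syntax)
  ht=$root/wp-content/uploads/.htaccess
  if ! [ -f "$ht" ] || ! grep -q '<Files \*\.php>' "$ht" \
     || ! grep -Eq 'Deny from all|Require all denied' "$ht"; then
    echo "FINDING: PHP execution not blocked in wp-content/uploads"; n=$((n + 1))
  fi
  echo "$n"
}

# Constructed sample docroot with deliberate mistakes so the audit runs offline.
make_sample_root() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins"
  chmod 755 "$d" "$d/wp-content" "$d/wp-content/uploads"
  chmod 777 "$d/wp-content/plugins"                     # too loose
  printf '<?php\n' > "$d/index.php";                chmod 644 "$d/index.php"
  printf '<?php\n' > "$d/wp-content/plugins/x.php"; chmod 666 "$d/wp-content/plugins/x.php"  # too loose
  printf "<?php\ndefine('DB_NAME', 'wp');\n" > "$d/wp-config.php"
  chmod 644 "$d/wp-config.php"                          # should be 600; editor not disabled
  echo "$d"                                             # and no uploads/.htaccess
}

sample=$(make_sample_root)
wp_file_audit "$sample"      # prints five FINDING lines, then "5"
rm -rf "$sample"
```

Run it as the web server's user or root against the real document root; a non-zero count means at least one of steps 9 to 11 still needs doing.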

Firewall and scanning

12. Install Wordfence or Sucuri

  • WAF firewall
  • Daily malware scans
  • Real-time alerts
  • Free tier is enough to start
  • Wordfence Premium: $119/year

13. Cloudflare as a defense layer

  • Free DDoS protection
  • Bot Management
  • Rate Limiting
  • Hide your real server IP
  • Custom WAF rules for WordPress (Pro plan)

14. Server-level WAF

ModSecurity with OWASP Core Rule Set blocks 90% of common attacks before they reach WordPress. Make sure your host runs it.

Backups

15. Daily automated backups

UpdraftPlus or BackWPup:

  • Daily backups
  • Off-site (Google Drive, S3, Cloudflare R2)
  • Monthly restore tests
  • See backup strategy for details

16. Backup before every major update

Always — even if the update seems safe. A major WooCommerce update can break your store.

Themes and plugins

17. Use only trusted sources

  • Official WordPress.org
  • ThemeForest / CodeCanyon (paid but safe)
  • Developer's official site
  • Never "nulled" or pirated themes — riddled with backdoors

18. Remove unused themes and plugins

Each inactive one = a potential attack surface. Deactivate and actually delete; don't leave them.

19. Review plugins monthly

  • When was the last update?
  • How many reviews and what rating?
  • Is it actively supported?
  • Compatible with the latest WordPress?

Any plugin without updates for 6+ months = a risk. Find an alternative.

Advanced protection

20. Encrypt everything (full HTTPS)

Extra protection for wp-config.php

Move it one level above public_html if possible; WordPress checks the parent directory automatically (as long as no wp-settings.php sits there). Keeping it outside the web root means a server misconfiguration can't serve its contents, with the database credentials, as plain text.

Database hardening

  • Separate MySQL user per site
  • Least-privilege grants (no GRANT ALL)
  • Strong password (24+ chars)
  • Use prepared statements in custom code

Security logs

Monitor who logs in, when, and from where. Wordfence and Sucuri provide this. Log for at least 90 days.
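As an added example for this log-review step and for the breach analysis in step 7 below (not part of the original checklist), this script flags source IPs that hammered wp-login.php or xmlrpc.php in a combined-format access log. By default a failed wp-login.php POST is answered with HTTP 200 (the form is re-rendered) while a successful one redirects with 302, so only 200s are counted there; the threshold of 5 and the sample log lines are assumptions.

```shell
#!/bin/sh
# wp_login_bursts: list source IPs that hammered wp-login.php or xmlrpc.php.
# Reads combined-format access log lines on stdin and prints "<ip> <hits>"
# for each IP above the threshold (default 5). A failed wp-login.php POST
# is answered with HTTP 200 (the form is re-rendered) and a successful one
# with a 302 redirect, so only 200s are counted there; every POST to
# xmlrpc.php counts. The threshold and the sample lines are assumptions.
wp_login_bursts() {
  threshold=${1:-5}
  awk -v t="$threshold" '
    # fields: $1 ip, $6 "\"METHOD", $7 path, $9 status
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { hits[$1]++ }
    $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/               { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] > t) printf "%s %d\n", ip, hits[ip] }
  ' | sort
}

# Constructed sample log (documentation IP ranges): one password-guessing
# burst, one XML-RPC burst and one legitimate login.
sample_log() {
  i=0
  while [ "$i" -lt 12 ]; do
    echo '203.0.113.5 - - [20/Mar/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"'
    i=$((i + 1))
  done
  i=0
  while [ "$i" -lt 8 ]; do
    echo '198.51.100.7 - - [20/Mar/2026:10:01:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'
    i=$((i + 1))
  done
  echo '192.0.2.9 - - [20/Mar/2026:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'
  echo '192.0.2.9 - - [20/Mar/2026:10:02:05 +0000] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"'
}

sample_log | wp_login_bursts 5   # prints "198.51.100.7 8" and "203.0.113.5 12"
```

Feed it a real log with `wp_login_bursts 5 < /var/log/apache2/access.log`; the IPs it lists are the ones to compare against the plugin's block list and the 90-day login history.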

What to do if you're hacked

  1. Take the site offline (maintenance mode)
  2. Change all passwords (WordPress, DB, FTP, hosting, Cloudflare)
  3. Restore from a clean backup (verify its date)
  4. Scan with Wordfence Scanner or Sucuri SiteCheck
  5. Call your host's support team (on Best Host, we handle cleanup)
  6. Notify Google via Search Console if warnings appeared
  7. Analyze breach logs to understand how they got in
  8. Close the backdoor before going live

Continuous monitoring tools

  • UptimeRobot: alert if the site goes down
  • Wordfence: daily scan + logs + alerts
  • Sucuri: scan + WAF + CDN
  • WP Activity Log: log every admin action
  • Google Search Console: security alerts from Google

WooCommerce-specific risks

Stores are a favorite target because of payment data. Extra steps:

  • Don't store card data (use a payment gateway, see Mada and Apple Pay)
  • PCI-DSS compliance if you process cards
  • Quarterly security scan
  • Monitor for suspicious orders

Bottom line

WordPress security requires ongoing attention but no deep coding skill. Follow the checklist and you'll shrug off 95% of common attacks. Best Host customers get most of these automatically — firewall, daily scans, backups, security updates, server-level WAF. If you need a security audit for an existing site, contact us.
