Looking for WordPress website security checklist before making your website live? 

WordPress is the hot favorite topic of hackers and has WordPress websites in their line of fire. They always keep an eye on the weaknesses and vulnerabilities of websites that can help them to steal data. 

Do you know, According to a survey, WordPress faces attacks at an average of 90,000 attacks per minute? And this is why WordPress security is so important for anyone who owns, runs, or manages a WordPress website.

Here’s a detailed WordPress website security checklist. Make sure to implement all of them before making your website live. 

1. Install themes, plugins, and scripts from the official sources

Actually, there’s no harmif you install your website theme, plugins, and scripts from any unofficial source to bypass the payment. But, this can affect your website security. If WordPress security is important to you, stay away from pirate sites.

Do you know, 52% of 4,000 known vulnerabilities are from WordPress plugins according to a WPScan Report, compared to 37% from core WordPress and 11% from themes?

One of the issues is that outdated plugins are a weak point that hackers can exploit.

Being the owner of a small business, if you can’t afford to buy the paid themes and plugins then go with the FREE option. WordPress directory is so vast and you can easily find your required free themes and plugins from there. 

Don’t even trust “free” WordPress scripts. There are people whose business is just to steal other people’s work. WordPress.org is the best place where plugins and themes for WordPress are found. 

WordPress theme directory
WordPress plugins

2. Choose a secured hosting service

No doubt, finding the best WordPress hosting is hard. A good WordPress hosting service protects your site from hacking attacks and keeps your website secure. 

According to a report, 41% of WordPress attacks are caused by a vulnerability on the WordPress hosting platform? This WordPress website security checklist has you covered.

Best WordPress hosting service provides :

  • Better visibility for your business
  • Offers a positive user experience
  • Technical support
  • Speed & site performance
  • Offers plenty of data storage
  • Monitor your website status
  • Gives better SEO ranking

WordPress hosting is a bit of a hot topic. Click here to learn more about WordPress hosting.

WordPress website security checklist

3. Limit login attempts

By limiting the failed login attempts on your WordPress website, you can lock the hackers and bots out to enter your website. Password guessing is the most common type of brute force attack.

Do you know, According to cybersecurity firm Wordfence, there were over 4 billion attempts to exploit WordPress vulnerabilities blocked by their software in 2020, and that doesn’t include successful attempts. The company also blocked more than 90 billion malicious login attempts.

Limited login attempts can prevent : 

  • Unauthorized access 
  • Traffic surge and server crash
  • Web host suspension

WordPress limit login attempts plugin is the option to limit login attempts on your WordPress website. You just need to install and configure its settings.

WordPress website security checklist - login attempts
WordPress login

4. Enable two-factor authentication

Two-factor authentication means adding an identity/ access management security method to your website. It requires two forms of identification to access resources and data.

According to a study, 1.6 Million WordPress Sites were hit with 13.7 million attacks in 36 hours from 16,000 IPs?  In any case, two-factor authentication is one of the best ways to protect against password hacking attempts.

The benefits of adding 2-factor authentication to your website are : 

  • Stronger security
  • Increase productivity and flexibility
  • Reduce fraud and build secure online relationships

To enable two-factor authentication on your WordPress website, follow these steps:

  • Navigate to the WordPress admin dashboard > Users > Your Profile
  • Enable the preferred authentication methods in the section labeled “Two-Factor Options“
  • Select the “Update Profile” button to save the settings
WordPress website security checklist - 2 factor authentication

5. Install a firewall

The WordPress Firewall is a cloud-based WAF to stop website hacks and attacks. Your website firewall should be sufficient enough to deal with both internal and external threats. Also, be able to deal with malicious software such as worms.

According to data from Sucuri, over 84% of websites didn’t have a website application firewall (WAF), making this the top WordPress hardening recommendation. WordPress Firewall should provision your system to stop forwarding unlawful data to another system.

The benefits of adding a firewall to your WordPress website are : 

  • Prevent attacks
  • Ensure compliance
  • Stop customer data from being compromised

Wordfence and Sucuri are the two best plugins that will help you to install a firewall on your WordPress website. 

WordPress website security checklist - Install firewall

6. Implement HTTP/HTTPS authentication

HTTP Authentication is a security mechanism to verify the users who are eligible to access your website resources. HTTPS is the most secured version, here S stands for Security Socket Layer (SSL) to establish encryption in communication. 

The benefits of using HTTP/HTTPS authentication are :

  • Secures data 
  • Protects your website from data breaches
  • Removes “NOT Secure” warnings.
  • Improves website ranking
  • Helps to boost revenue per user

With HTTP authentication, you can restrict access by asking for a username and password on the request of any certain page. You can also significantly reduce the number of bot attacks by implementing it for your admin dashboard or login page.

WordPress website security

7. Disable directory browsing

Directory browsing can put your WordPress website at risk. Hackers can steal important information from here. Disabling directory browsing is one of the most undermined security countermeasures. 

In your WordPress website, you can disable it by accessing the .htaccess file. Follow these steps to disable directory browsing for your website: 

  • Go to your cPanel > Files > File Manager. 
  • It will open a box pop-up asking when files you wish to look at.
  • Select the Web Root directory option
  • select your domain
  • check the box that says Show Hidden Files.
  • You will then be taken to another screen listing all the files within that certain domain. Look for the .htaccess file here and click
  • Scroll to the top of the screen that says View

Add this code at the bottom. 

Options All -Indexes

That’s all! Save your changes.

You can test this out by adding /wp-includes/ to your URL again. If you’ve done this correctly, you will get a 404 Error or Permission Error.

8. Hide the wp-config file

Each WordPress site has a ‘wp-config.php file which is one of the most significant WordPress files. It contains many configuration parameters which can be modified for better site security.

Follow these Hardening Tips to Secure Your WordPress Site Using the wp-config File:

  • Change database prefix
  • Disable editing theme/plugins files
  • Prevent users from installing or updating plugins & themes
  • Enforce the use of ‘FTP’
  • Change security keys
  • Hide the ‘wp-config.php’

9. Disable XML-RPC

XML-RPC enables data to be transmitted with HTTP acting as the transport mechanism and XML as the encoding mechanism. The biggest issues with XML-RPC are the security concerns that arise. 

There are two main weaknesses to XML-RPC :

  • Brute force attacks to gain entry to your site
  • taking sites offline through a DDoS attack

To disable XML-RPC you have two methods : 

  • Disabling Xmlrpc.php With Plugins i-e : Disable XML-RPC
  • Disabling Xmlrpc.php Manually. Inside your .htaccess file, paste the following code:

To check the XML-RPC file, you can run your website through the XML-RPC Validator tool. If you get an error message, then it means you don’t have XML-RPC enabled.

10. Segregate your WordPress databases

If you are running multiple websites on the same hosting, then you might create all of the sites in the same database. This creates a WordPress security risk. If by chance any one of the websites gets hacked, then all the other sites hosted on the same database will be at risk of hacking.

Always create a new database, when setting up your WordPress installation. Give it a separate database name, database user name, and password.

Segregate your WordPress databases


Wrapping up! WordPress website security is very crucial. A hacked WordPress site can cause serious damage to your business. 

To make your website protected against vulnerabilities can minimize your chances of being the victim of an attack. And, you can optimize your site’s performance as well. So, you have to focus on protecting your website more than anything else in this regard.

Hopefully, this WordPress website security checklist will keep your website fully secured and you will retain the trust and confidence of your visitors. 

Share your thoughts about these security tips with us in the comments section below. 

Source: https://wpsupportdesk.com/blog/wordpress-website-security-checklist/

You might also like this video

Leave a Reply