WordPress Security Checklist – 17 Ways to Protect Your Site  

Last Updated: 14 mins By: Zakra Author

Are you searching for a WordPress security checklist to secure your site? Do you want to know how to improve WordPress security? 

If your answers to the above questions are yes, this article is just for you. 

WordPress is undoubtedly one of the best content management systems (CMS). But it’s also a fact that a large number of WordPress sites face security issues.  

Thus, in this article, we’ve created a WordPress security checklist that you can implement on your site to prevent such issues.  

Let’s start! 

Why Should You Prioritize WordPress Security? 

WordPress is an open-source CMS allowing anyone to use, modify, and distribute it. Anyone can use the platform and integrate third-party features or functionalities like themes and plugins.  

WordPress Security Checklist

But this freedom has made the platform vulnerable to multiple security threats.  

It doesn’t mean WordPress is not good for creating websites. It’s undoubtedly the best CMS one can ever use.   

However, as you create a WordPress site, there’re many things you should take care of. And security should be your top priority.  

Here are a few reasons why WordPress security is important: 

  • To prevent attackers: Implementing fool-proof security measures on your site deters attackers. That’s because targeting vulnerable sites is easier for them than the ones with highly maintained security.  
  • To protect sensitive information: Prioritizing WordPress security helps you protect sensitive information like the personal data of users, payment details, etc. 
  • To maintain brand reputation: Security attacks like data breach cause downtime and decrease traffic. This ultimately harms your brand reputation. 
  • To prevent financial loss: Security attacks can result in financial loss as you may need to spare expenses for restoring your site and legal fees.

But protecting your site from cyber-attacks is also easy.

You don’t require extensive coding or technical knowledge. You just need to know what you can do and implement that knowledge on your site. 

Thus, let’s jump into the WordPress security guide that helps improve your site’s security.  

17 Ways to Improve WordPress Security – Ultimate Checklist

Here are 17 tips you can implement to secure your login page, installed themes and plugins, admin panel, and more.

Secure Your WordPress Login Page

1. Use Strong Passwords  

To secure your WordPress login page, you should always use a password that no one can guess. Better yet, the pattern of the password should be unique.  

As per the data from NordPass, the most common password is “password.” Such passwords are easily guessable and leave your website vulnerable to attackers. 

So, use a password with at least 12 characters. Also, your password should include a mix of uppercase and lowercase letters, some numbers, and special characters.  

You can also use password generators like Delinea to create strong passwords for you.  


Meanwhile, it would also help if you regularly change your password. 

2. Enable Two Factor Authentication 

Enabling two-factor authentication is like adding an extra layer of security.

The first authentication is your username and password, while the second uses a separate app or device.  

For example, you can set your email or phone number for the second authentication. It will then authenticate the user while logging in by sending a security code to a phone or email.  

Users can only log in if they enter the same code. To do so, you must install and activate a plugin that adds two-factor authentication functionality.  

Two Factor Plugin

Some examples of such plugins are Two-Factor, Two Factor Authentication, and so on.  

3. Limit Login Attempts 

When you set the limit for login attempts, attackers get banned from logging into your WordPress site after crossing the limit. 

Login Attempts Remaining

They can no longer enter the username and password by guessing multiple times. It also prevents brute force attacks, one of the easiest ways to attack any website.  

We shall talk more about brute-force attacks in the next section. 

When a hacker or attacker fails to log in by attempting multiple times, they’ll move on to other vulnerable sites. Also, they’ll get blocked after failing to enter the correct password.  

Limit Login Attempts Reloaded

To limit login attempts, you can use a plugin like Limit Login Attempts Reloaded, offering the functionality.  

4. Change the Default Login URL 

One of the easiest ways for attackers to attack your WordPress site is through the login URL. It’s easy to find the default WordPress login URL if you haven’t changed it. 

The default login URL for any WordPress website is domain-name/wp-login or domain-name/wp-admin.

For example, the login URL of the website example.com is www.example.com/wp-admin.   

Thus, you should change your login page URL and use a custom login URL. A unique login URL is difficult to find for attackers.  

User Registration Plugin

You can use the User Registration plugin to change the default login URL. 

5. Change Default Username – admin   

Usernames like admin and administrator are generic and easy to guess. Therefore, you should change the username from admin to something unique so that nobody can crack it.  

Using an email address to log in is even better than a username.  

WordPress doesn’t allow changing usernames by default. But you can change the username by creating a new admin and deleting the old one.  

You can create a new user by navigating to Users >> Add New and giving the role of Administrator.

Create New Admin

You can also use the username changer plugin like Easy Username Updater or update the username from phpMyAdmin.  

Secure Your Installed Themes and Plugins

6. Download Themes and Plugin from Trusted Sources

WordPress offers many amazing plugins and themes to add extra functionalities to your site. But it would be best if you were very careful in choosing those themes and plugins.  

For using free themes and plugins, always download them from the WordPress repository. Also, choose the theme or plugin by looking at their user reviews.  

And for the premium themes and plugins, you should buy them from the official website of the respective theme and plugin.  

For example, you can buy the premium version of the WordPress theme – Zakra, from its official website, zakratheme.com.

Zakra WordPress Theme

Or you can also buy themes from a reputed marketplace like Envato’s ThemeForest.

Besides, you can also hide the theme details you’re using on your WordPress site for further security.  

7. Update Themes and Plugins 

As WordPress regularly updates its core, third-party themes and plugins also release frequent updates.

Therefore, you should update them as soon as you get the notification of the new version. With every new version, themes and plugins fix their bugs and security gaps.

Also, they’re made compatible to fit with the newly released version of WordPress. 

To check whether you have the latest version of themes and plugins, you can go to Updates on your dashboard.

Check for Updates

Moreover, themes and plugins that aren’t updated for too long pose security risks for your site. So, immediately change the theme and plugin if they’re no longer updating.  

You can also read our article on updating WordPress, themes, and plugins to the latest version

8. Use WordPress Security Plugin 

Another important thing that you should do to maintain your site’s security is to use a security plugin.

There’re lots of security plugins that are built to look after the WordPress site’s security. Thus, find a trustworthy security plugin and install it on your website.

Meanwhile, you should choose an up-to-date, verified, secured security plugin like Sucuri Security that can prevent possible WordPress attacks.  

Sucuri Security

We also have a list of some excellent security plugins that you can refer to.  

9. Delete Unused Themes and Plugins  

After running a WordPress website for years or months, you might have tried and tested many themes and plugins.  

And there’s also a high probability that you might not have deleted those unused themes and plugins as shown in the image below. All the themes except Zakra are inactive themes.

Deactivated Themes

But you should know that your unused themes and plugins are vulnerable to security threats. 

As they remain on your site without any update, they can invite other malware to your site. So, make sure that you remove inactive themes and plugins from your website. 

Here’s the full guide on deleting unused themes that you can follow.  

Secure Your Administrative Panel

10. Regularly Update WordPress Core Software 

WordPress brings many fixes to its bug and security-related issues with each update. Failing to update your core WordPress means inviting attackers.

But don’t worry! It’s super easy to update WordPress core with a single click. For your convenience, WordPress notifies you of every major update right on your dashboard.  

Update WordPress Core

Thus, keep your WordPress up to date to prevent any attacks. However, please create a website backup before updating the core WordPress.  

11. Create a Backup Regularly 

Creating a backup of the entire website helps restore your website in case of security attacks. This way, you don’t lose any important data due to the security breach. 

Also, it can be a huge advantage later if you mistakenly make some changes to your website.

Besides the website, you should also create a backup of your database. 


The good news is that it takes no time to back up your site. You can simply install a backup plugin like UpdraftPlus, which handles the rest.   

Here’s the full list of backup plugins that you can choose from.  

12. Enable Web Application Firewall 

A web application firewall (WAF) can block all malicious web traffic before they reach your website.

It monitors and filters incoming and outgoing traffic between the Internet and a web application. The WAF allows sending only genuine traffic to your web server.

Thus, it protects web applications from attacks like cross-site scripting (XSS), SQL injection, etc.  

Wordfence Security

To enable a WAF, you can install a good security WordPress plugin like Wordfence, Sucuri Security, and Cloudflare.  

13. Hide wp-config File 

The wp-config file consists of all the information related to the configuration of a WordPress site.

It has parameters connecting to the database, security keys, passwords, and many more. If the attacker accesses this file from your website, it can cause a serious issue.

Therefore, you should hide the wp-config file from attackers.  

By default, the wp-config file is located in the public_html folder. Thus, you can simply change the location of the file.  

14. Grant Access as per User Role 

WordPress has the feature of assigning user roles. By default, there are 5 user roles in WordPress with specific privileges.

Thus, you should grant user access to your website per their role.  

For example, if you have a blog team, give them the role of author or editor to publish, edit, and update the article only. They don’t require administrator rights. 

The administration is one of the most important roles, and you should distribute it to only those who require it. 

15. Regularly Scan the Website 

As you know, prevention is better than cure. Hence, you should regularly scan your website.  This assures your site is safe from malware.

Choose from our list of the best security plugins and install any one plugin on your site. Even if it detects some malware, you can remove them on time.  


Plugins like Jetpack can automatically detect changes in your files, find malicious behavior, and protect your site.  

They also notify you about critical issues, monitor downtime, and automatically fix common threats.

Obtain Security Through Hosting

16. Choose a Secured WordPress Hosting Service 

The hosting service that you’ve bought is the home of your website. Therefore, you need to be highly conscious while choosing the hosting service.  

They should provide strict security and, at the same time, support HTTPS, provide SSL certificates, and manage backups. 


Many web hosting providers, such as Bluehost and Hostinger, provide a complete solution for hosting your WordPress site. 

17. Install SSL certificates 

SSL (Secure Sockets Layer), or TLS (Transport Layer Security), is a protocol for establishing encrypted and authenticated links between computer networks. 

It ensures the secure transfer of important across your site and browsers. The SSL certificate provides a cryptographic key pair consisting of a public and private key.

The public key allows a web browser to initiate encrypted communication with a web server. 

On the other hand, the private key is kept on the server and used to sign web pages and other documents digitally.  

The hosting service providers for WordPress offer SSL certificates, handling the setup process for you.


Or you can also add an SSL certificate from certificate authorities like Cloudflare and GoDaddy

Common WordPress Security Issues 

Brute force Attack 

A brute force attack is one of the most common WordPress security issues. In case of a brute force attack, the attacker attempts multiple logins by guessing the password.  

The attackers usually target the website’s login page and attempt to gain unauthorized access. They try to log in until their guessed username and password are correct.

Therefore, you should use a strong password, limit login attempts, use two-factor authentication, and change the default login URL and username. 

SQL Injection 

An SQL injection targets the database of your WordPress site. Attackers try injecting malicious SQL queries into the database to access unauthorized information.  

When those scripts get executed, the attackers can manipulate or remove the database table’s rows. 

In the case of WordPress, through SQL injection, attackers can also attack the plugin and themes that interact with the website’s database.  

Thus, regularly updating the plugins and themes, using a firewall, and creating a website backup can reduce the risk of SQL injection attacks on your WordPress site. 

DDoS Attack 

A DDoS (Distributed Denial of Service) attack overloads a website or server with an unusually large traffic volume. As a result, the user can’t access the website.  

The attackers perform the attack by creating computer bots to send a huge amount of traffic to the target website at the same time 

To prevent such attacks, use a content delivery network (CDN) like Cloudflare to distribute incoming traffic and a web application firewall.

Cloudflare CDN Service

You can also regularly monitor the network traffic of your site and use a secured hosting service. 

Cross-Site Scripting (XSS) 

Cross-Site Scripting (XSS) is another kind of cyber-attack in which an attacker tries to inject malicious executable code or script into a website.  

Attackers can perform an XSS attack through user-generated content like comments, contact forms, or user registration form submissions.  

Hence, you should always validate user input and use secured contact form plugins like Everest Forms and user registration plugins like User Registration.

Everest Forms

Besides that, you should also follow other security measures. 

Wrapping It Up! 

So, that’s all from us on the WordPress security checklist. We hope you thoroughly enjoyed reading the article and understand how to improve WordPress security. 

In short, the security of your WordPress site should always be your priority. It can protect your data and information and maintain your site’s integrity. 

Thus, following our WordPress security checklist, you can reduce the risk of your site being attacked. We also recommend you to use other third-party products carefully.  

If you still got some time, you can explore our blog page. We have amazing articles guiding you to remove theme name from the footer, change the link color, etc.  

Also, follow us on Twitter and Facebook to get the latest updates.   

Disclaimer: Some of the links in the post may be affiliate links. So if you purchase anything using the link, we will earn affiliate commission.
WordPress Security Checklist – 17 Ways to Protect Your Site  
New Zakra Logo

Zakra Author

We are a team of SEO copywriters and editors who work together to present the best quality content related to WordPress. We also promote our product via our blog. Please follow us on Twitter @ThemeZakra and Facebook @Zakratheme to get regular updates.

Scroll to top

Pin It on Pinterest