WordPress security checklist for website admins


Are you wondering why we have published a WordPress security checklist if other bloggers have done it before exceptionally well?

The shocking truth is that the average WordPress user doesn’t care much about security, and hackers focus on WordPress vulnerabilities. 70% of all WordPress sites in the Alexa Top 1,000,000 are vulnerable to hacker attacks. Even big names don’t pay the needed attention to security.

Securing a website requires time and resources, but it certainly pays off in the long run. We value your time and understand why you may neglect your site security from time to time.

The uniqueness of this checklist is that it condenses valuable tips into a concise and digestible format. Use it periodically, and you will considerably strengthen your site security.

Backup Regularly

Your site isn’t more secure if you have a recent copy of it. But a recent backup does give you that needed peace of mind when you work on improving the site security.

Much more, a site copy is golden when your site is infected with malware.

There is no shortage of great backup plugins, and some of them are free of charge. UpDraftPlus, Duplicator, and BackWPUp are great plugins that allow you to schedule automatic backups, save your backups on several remote locations, and restore your site with ease.

Estimated Time

Installing, activating, and setting up a backup plugin takes 10 minutes. You should also check the integrity of the copies periodically.

Install a Security Plugin


A robust security plugin is the best friend of a thorough website admin. Luckily, the same as backup plugins, users have at their disposal a bunch of security plugins, and millions of satisfied users have tested some of them.

I find it hard to believe that you won’t find a satisfying security plugin. Wordfence, All In One WP Security & Firewall, and iThemes Security are plugins that fully deserve your attention.

The most critical actions of a security plugin are:

  • Scanning the site’s files against malware
  • Checking the files against security vulnerabilities
  • Blocking users by IP or by country
  • Whitelisting and blacklisting IPs.

Estimated Time

Installing, activating, and setting up a security plugin takes 20 minutes. Note that most security plugins come jam-packed with many features. Check all the features to make sure that you consolidate the site security.

Audit Your Hosting, Themes, and Plugins

This suggestion is frequently ignored even by the experts and security-conscious bloggers. Their ignorance is because you rarely have to audit your host provider, themes, and plugins. Don’t make the same mistake!

Your hosting provider is capital for the security and performance of your site. Consider your hosting provider as the foundation of your website. You can’t build a robust website on a weak foundation.

Chose a provider that uses the latest technologies and ensures a secure environment. You may be tempted to save money by using a cheap provider, and that’s understandable. However, in the long run, a good hosting provider is better because your files will be secured. On top of that, the hosting is responsible for loading speed. It’s a no brainer how vital speed is.

Expect to have malware and vulnerabilities if you use a theme or plugins from shady providers. Uninstall anything that raises a question mark. Install themes and plugins from the WordPress repository or trusted sources only.

Estimated Time

30–45 minutes is enough to evaluate your hosting provider, theme, and plugins.

Strengthen Users’ Passwords


Is this one a useless tip featured just for the sake of writing more? Unfortunately, it’s not! Weak passwords are guilty of 81% of company data breaches. Hence, resetting the passwords of all users and asking them to use more complex credentials is a good idea.

Some security plugins force users to use complex passwords, so once again, a plugin does the legwork for you.

Estimated Time

It depends on the site’s complexity, but resetting the passwords and sending an email to users about your intention should take 15–20 minutes. Add another five minutes to set up a security plugin to ask for complex passwords.

Keep Everything Updated

An army of talented developers does their best to make WordPress a more secure environment continually. Conversely, a bigger army of skilled hackers tries everything to identify a vulnerability in the WordPress core, or a plugin, or theme.

Nothing human-made is perfect, so each product is hackable to some extent. Yeah, hackers can break into your site even if you update everything. But you streamline their job by using old versions of the WordPress core, themes, and plugins.

Estimated Time

It takes less than a minute once in a while to update these things. It helps to save time by using a service like ManageWP.

Remove Everything Not in Use

Every theme or plugin installed but not used is an additional vulnerability from a security perspective. Head to your dashboard and look at the plugins and themes you didn’t use. Remove them to improve your site security.

Bonus: by removing these unused elements, your site will load faster!

Estimated Time – It takes about a minute to remove unused themes and plugins.

User Management

The more privileges users have, the more insecure the site is. From time to time, audit the users and determine the users’ roles. For instance, don’t create an editor account for a user who is only responsible for crafting pieces of content.

Check this WPBeginner’s guide to WordPress user roles and permissions before taking action.

Estimated Time

It depends on the site’s complexity and the number of accounts created. But it takes around 15 minutes to evaluate the role of each user and limit the privileges if necessary.

Disable File Editing

This tip is more impactful on sites with a large number of users. The built-in editor empowers users (depending on their roles) to edit the theme and plugins directly from the WordPress dashboard. However, it’s a double-edged sword.

Indeed, it’s priceless when you need to tweak the code, but it’s a huge vulnerability. It heavily depends on the users’ skills, but they may add (willingly or not) malware or sneaky snippets of code or even crash your site. Don’t ever underestimate the power of a missing semicolon!

The best solution is to disable file editing. You give up to the comfort of changing the code directly from the dashboard. But you can rest assured that untrained people will not change the code.

It’s quite simple to disable file editing. Insert this line of code into your site’s wp-config.php file:

define( ‘DISALLOW_FILE_EDIT’, true );

Delete this line of code if you want to enable file editing.

Estimated Time

It takes one to five minutes, depending on your skills.

We will set this up for you when we configure the premium security plugin that we provide free of charge for all our customers.

Limit Login Attempts

Limit Login Attempts

In essence, brute force attacks are when a hacker tries to guess your site credentials. Guessing the correct credentials is almost impossible by manually typing usernames and passwords. But it became feasible when using a piece of software. It tries thousands of combinations in just one second.

You can add another layer of security for your website by limiting the number of login attempts. It’s simple: install and activate a plugin. Limit Login Attempts Reloaded, and WP Limit Login Attempts are two plugins that have been tried and tested by thousands of satisfied users.

Estimated Time – It takes ten minutes to configure a plugin that limits login attempts.

We will set this up for you when we configure the premium security plugin that we provide free of charge for all our customers.

Wrapping Up

There is no 100% unhackable site, but applying the above tips are enough to secure your site significantly.

Of course, this checklist isn’t exclusive. There are many other ways to secure your website. For instance, expert users could insert a few snippets of code to make the site unpenetrable to hackers’ attacks.

Are you interested in learning more advanced security tips? Please let us know, and we will publish a security guide for advanced users.


Leave a Reply

Your email address will not be published. Required fields are marked *