WordPress security checklist
Use this checklist to check whether your WordPress site is set up securely. Most hacks exploit known, unpatched vulnerabilities — these points close the most important gaps.
The checklist
- Core, themes and plugins up to date (automatically where it is safe to do so).
- Only actively used plugins/themes installed.
- Strong passwords + two-factor authentication for administrators.
- Login page protected (rate limiting, no 'admin' user).
- Automatic backups with restore testing.
- HTTPS enforced everywhere.
- Security headers and, where possible, a WAF.
- Monitoring for malware and uptime.
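Several of these items can be verified from data you already have on hand: the inventory that WP-CLI prints for core, plugins, themes and administrators, plus the response a browser gets when it requests the site. The script below is an added example, not code from this page or from WordPress; the record shapes follow WP-CLI's `--format=json` output (an assumption to confirm against your own install), the sample data is constructed for a fictional site, and the 180-day HSTS minimum and the set of headers it demands are the example's own choices.

```python
"""Offline checks for the checklist items above, over constructed sample data.

Added example, not code from the page or from WordPress. Inventory records are
shaped like WP-CLI's JSON output (assumption: field names as printed by
`wp core check-update --format=json`, `wp plugin list --format=json`,
`wp theme list --format=json`, `wp user list --role=administrator --format=json`).
The HTTP data stands in for what a client sees requesting http:// and https://.
"""
import json
from urllib.parse import urlsplit

# Constructed sample data for a fictional site; not from a real install.
SAMPLE_CORE_UPDATES = json.loads('[{"version": "6.5.2", "update_type": "minor"}]')
SAMPLE_PLUGINS = json.loads("""[
  {"name": "akismet", "status": "active", "update": "available",
   "version": "5.2", "update_version": "5.3.1"},
  {"name": "hello", "status": "inactive", "update": "none",
   "version": "1.7.2", "update_version": null},
  {"name": "contact-form-7", "status": "active", "update": "none",
   "version": "5.9.3", "update_version": null}
]""")
SAMPLE_THEMES = json.loads("""[
  {"name": "twentytwentyfour", "status": "active", "update": "none",
   "version": "1.1", "update_version": null},
  {"name": "twentytwentythree", "status": "inactive", "update": "none",
   "version": "1.4", "update_version": null}
]""")
SAMPLE_ADMINS = json.loads("""[
  {"ID": 1, "user_login": "admin", "roles": "administrator"},
  {"ID": 7, "user_login": "j.doe", "roles": "administrator"}
]""")
# Constructed: reply to GET http://example.com/ and headers of GET https://example.com/
SAMPLE_HTTP_RESPONSE = {"status": 301, "headers": {"Location": "https://example.com/"}}
SAMPLE_HTTPS_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Content-Type-Options": "nosniff",
    "Content-Security-Policy": "frame-ancestors 'self'",
}

MIN_HSTS_AGE = 15552000  # 180 days; the example's own threshold, not a WordPress rule
SEVERITY_ORDER = {"high": 0, "medium": 1, "low": 2}


def check_inventory(core_updates, plugins, themes):
    """Checklist items 1 and 2: pending updates, and plugins/themes installed but unused.
    Note: the parent of an active child theme is also listed as 'inactive'; keep it."""
    findings = []
    for upd in core_updates:
        findings.append(("high", "core update available", f"{upd['version']} ({upd['update_type']})"))
    for kind, items in (("plugin", plugins), ("theme", themes)):
        for it in items:
            if it.get("update") == "available":
                sev = "high" if it["status"] == "active" else "medium"
                findings.append((sev, f"outdated {kind}", f"{it['name']} {it['version']} -> {it['update_version']}"))
            if it["status"] == "inactive":
                findings.append(("low", f"unused {kind} installed", it["name"]))
    return findings


def check_admin_logins(admins):
    """Checklist item 4: no administrator with the guessable login 'admin'."""
    return [("medium", "administrator login is 'admin'", u["user_login"])
            for u in admins if u["user_login"].lower() == "admin"]


def hsts_max_age(value):
    """Return the max-age from a Strict-Transport-Security value, or 0 if absent."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        if name.lower() == "max-age" and num.strip().isdigit():
            return int(num.strip())
    return 0


def check_transport(http_response, https_headers):
    """Checklist items 6 and 7: http:// redirects to https://, baseline headers present."""
    findings = []
    location = http_response["headers"].get("Location", "")
    if http_response["status"] not in (301, 308) or urlsplit(location).scheme != "https":
        findings.append(("high", "http:// not redirected to https://",
                         f"status {http_response['status']} Location={location!r}"))
    h = {k.lower(): v for k, v in https_headers.items()}  # header names are case-insensitive
    if hsts_max_age(h.get("strict-transport-security", "")) < MIN_HSTS_AGE:
        findings.append(("medium", "HSTS missing or max-age too short",
                         h.get("strict-transport-security", "<absent>")))
    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("low", "missing header", "X-Content-Type-Options: nosniff"))
    # Clickjacking: accept either X-Frame-Options or a CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append(("low", "missing header", "X-Frame-Options or CSP frame-ancestors"))
    if "referrer-policy" not in h:
        findings.append(("low", "missing header", "Referrer-Policy"))
    return findings


def audit(core_updates, plugins, themes, admins, http_response, https_headers):
    """Run every check and return (severity, check, detail) tuples, worst first."""
    findings = (check_inventory(core_updates, plugins, themes)
                + check_admin_logins(admins)
                + check_transport(http_response, https_headers))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])


if __name__ == "__main__":
    for sev, check, detail in audit(SAMPLE_CORE_UPDATES, SAMPLE_PLUGINS, SAMPLE_THEMES,
                                    SAMPLE_ADMINS, SAMPLE_HTTP_RESPONSE, SAMPLE_HTTPS_HEADERS):
        print(f"[{sev:<6}] {check}: {detail}")
```

On the sample data this reports six findings: the pending core release and the outdated active plugin as high, the 'admin' login as medium, and the two unused packages plus the missing Referrer-Policy header as low. Backups, two-factor authentication, rate limiting and monitoring are not visible in this data and still have to be checked by hand or against the hosting and plugin configuration.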
Why this matters
Vulnerable, outdated plugins are the most common entry point in WordPress compromises. Structured WordPress maintenance on secure hosting keeps these risks under control.
WordPress security hardening guide (official source).
Frequently asked questions
Short, direct answers — written for people and for AI search features alike.
Timely updates. Most hacks exploit known vulnerabilities in outdated core versions, themes or plugins. Automatic updates for security releases, combined with monitoring and backups, close off by far the largest share of attack routes.
No. A security plugin helps, but it does not replace good maintenance, strong logins, secure hosting and backups. Security is a combination of measures, not a single plugin.
Updates and monitoring should run continuously; a full run-through of the checklist is advisable each quarter and after every major change to the site.
Want to know whether you are audit-ready?
Schedule a no-obligation audit scan and find out, in a single conversation, where you stand and what the next step is.
