Securing a WordPress site is not a one-time task — it is an ongoing process that starts before your site goes live and continues throughout its lifetime. Whether you are launching a new site or maintaining an existing one, this comprehensive checklist covers every critical security measure you need.
We have organized this guide into three phases: pre-launch hardening, ongoing maintenance, and incident response. Bookmark this page and revisit it regularly.
Phase 1: Pre-Launch Security Hardening
These are the security measures you should implement before your site goes live. Getting these right from the start prevents the majority of attacks.
Pre-Launch Checklist
- Update WordPress core: always start with the most current version. Enable auto-updates for minor (security) releases.
- Remove unused plugins and themes: delete the default themes you are not using (Twenty Twenty-Three, etc.) and any plugins you installed for testing. Deactivating is not enough.
- Set secure file permissions: directories 755, files 644, wp-config.php 400 or 440. Disable PHP execution in the uploads folder.
- Configure SSL/HTTPS: use Let’s Encrypt (free) or your host’s SSL. Force HTTPS site-wide. Use TLS 1.2 or 1.3 only.
- Implement security headers: configure CSP, X-Frame-Options, HSTS, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy.
- Change the database prefix: replace the default ‘wp_’ prefix with a random string so that automated SQL injection payloads written for the default table names fail. This is obscurity, not a substitute for patching.
- Disable XML-RPC: unless you use the WordPress mobile app or Jetpack, block xmlrpc.php to prevent brute-force amplification and DDoS attacks.
- Harden the admin account: use a unique username (not ‘admin’), a password with 16+ characters, and enable two-factor authentication.
- Limit login attempts: install a plugin or configure server-level rate limiting to block brute-force attacks after 3–5 failed attempts.
- Run a security scan: before going live, scan your site for vulnerabilities, missing headers, SSL issues, and exposed sensitive files.
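The permission and uploads items above, as an added shell example (not code from the article or from any WordPress plugin): it applies the scheme to a document root and audits it afterwards. The path passed as ROOT is a placeholder, and the Apache 2.4 .htaccess form is assumed for the uploads guard; Nginx needs a location rule instead.

```shell
#!/bin/sh
# Added example (not from the original article): apply the checklist's
# permission scheme to a WordPress document root and verify it afterwards.
# Assumes a Linux/BSD host with find(1); run as the owner of the files.
# ROOT is the document root (e.g. /var/www/html); placeholder paths only.

harden_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +   # directories: 755
    find "$root" -type f -exec chmod 644 {} +   # files: 644
    if [ -f "$root/wp-config.php" ]; then       # secrets: owner/group read only
        chmod 440 "$root/wp-config.php"
    fi
    # Stop the web server executing PHP dropped into the uploads tree
    # (Apache 2.4 .htaccess form; on Nginx use a location block that
    # returns 403 for wp-content/uploads/*.php instead).
    mkdir -p "$root/wp-content/uploads"
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    chmod 644 "$root/wp-content/uploads/.htaccess"
}

# Audit: print every path that deviates from the scheme; returns 1 if any.
check_wp_perms() {
    root="$1"
    bad=$( {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        find "$root" -maxdepth 1 -name wp-config.php ! -perm 400 ! -perm 440
        [ -f "$root/wp-content/uploads/.htaccess" ] ||
            echo "$root/wp-content/uploads/.htaccess (missing)"
    } )
    if [ -n "$bad" ]; then printf '%s\n' "$bad"; return 1; fi
    return 0
}
```

Run `check_wp_perms /var/www/html` from the monthly review as well; any output means something drifted since launch.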
Phase 2: Ongoing Security Maintenance
Security does not stop at launch. New vulnerabilities are discovered every day, and attackers constantly evolve their techniques. Here is what you should do on a regular schedule.
Daily
- Monitor uptime — set up alerts so you know immediately if your site goes down
- Review notifications — check for WordPress update notifications, security plugin alerts, and hosting warnings
Weekly
- Update plugins and themes — check every Monday and apply updates. Test on staging for critical sites.
- Review user accounts — look for unfamiliar admin accounts (a sign of compromise)
- Check Google Search Console — monitor for security issues or manual actions
Monthly
- Run a full security scan — comprehensive check of headers, SSL, vulnerabilities, and blocklist status
- Verify backups — do not just trust that backups are running; test a restore
- Review security logs — look for patterns of failed login attempts or suspicious activity
- Check file integrity — compare core WordPress files against originals to detect modifications
Quarterly
- Full plugin audit — remove anything you no longer use or that has not been updated in 12+ months
- Rotate passwords — update admin, FTP, hosting, and database passwords
- Test disaster recovery — simulate a site failure and verify you can restore from backup
- Review hosting plan — ensure your host is still providing current PHP/MySQL versions and security features
Common mistake
Many site owners set up security once and forget about it. But new plugin vulnerabilities are disclosed every week, and attackers automate exploitation within hours. A plugin that was secure last month may have a critical vulnerability today.
Phase 3: Incident Response Plan
Even with perfect security practices, no site is 100% immune. Having a plan in place before an incident occurs dramatically reduces damage and recovery time.
If You Suspect a Hack
- Take the site offline: put up a maintenance page to prevent further damage to visitors and your reputation while you investigate.
- Change every password: WordPress admin, hosting panel, FTP/SFTP, database, and any connected services (email, CDN, etc.).
- Restore from a clean backup: if you have a verified clean backup, restore it. This is faster and more reliable than manual cleanup.
- Scan for malware: if no clean backup is available, scan every file for malicious code, backdoors, and web shells.
- Update everything: WordPress core, all plugins, all themes. Remove anything you do not actively use.
- Request a blocklist review: if your site was blocklisted, submit a review request through Google Search Console after cleanup is complete.
- Document the incident: record how the breach happened, what was affected, and what you have done to prevent recurrence. This becomes your security improvement roadmap.
Automate Your Security with Regular Scanning
Manually checking every item on this list is time-consuming and easy to forget. The most effective approach is to automate what you can:
- Set up automated weekly security scans that check headers, SSL, vulnerabilities, and blocklist status
- Configure uptime monitoring with instant alerts for downtime
- Enable auto-updates for WordPress minor releases
- Use a security dashboard that gives you a single view of your site’s security posture
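An added shell example, not from the article, for automating the headers part of the weekly scan: it audits a captured HTTP response for the six headers listed in Phase 1 and flags weak values. It assumes the response was captured with `curl -sI` against a placeholder URL and ships with a constructed sample so it runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): audit a captured HTTP response
# for the six headers the checklist names. Feed it the output of
# "curl -sI https://your-site.example/" (URL is a placeholder); it prints one
# MISSING/WEAK line per finding and returns the number of findings.

# Value of one header from a response block; header names are case-insensitive.
hdr() {
    printf '%s\n' "$1" | tr -d '\r' |
        awk -F':' -v n="$2" 'tolower($1) == tolower(n) { sub(/^[^:]*:[ \t]*/, ""); print; exit }'
}

check_headers() {
    resp="$1"; findings=0
    for name in Content-Security-Policy X-Frame-Options Strict-Transport-Security \
                X-Content-Type-Options Referrer-Policy Permissions-Policy; do
        value=$(hdr "$resp" "$name")
        if [ -z "$value" ]; then
            echo "MISSING $name"; findings=$((findings + 1)); continue
        fi
        lc=$(printf '%s' "$value" | tr 'A-Z' 'a-z'); weak=0
        case "$name" in
            Strict-Transport-Security)   # below one year (31536000 s) HSTS expires too soon
                age=$(printf '%s' "$lc" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
                if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then weak=1; fi ;;
            X-Frame-Options)             # only DENY/SAMEORIGIN stop framing
                case "$lc" in deny|sameorigin) ;; *) weak=1 ;; esac ;;
            X-Content-Type-Options)      # anything but nosniff is a no-op
                if [ "$lc" != nosniff ]; then weak=1; fi ;;
        esac
        if [ "$weak" -eq 1 ]; then echo "WEAK $name: $value"; findings=$((findings + 1)); fi
    done
    return "$findings"
}

# Constructed sample response (not from any real site) for a stand-alone run.
SAMPLE_HEADERS="HTTP/1.1 200 OK
Server: Apache
X-Frame-Options: ALLOWALL
Strict-Transport-Security: max-age=300
X-Content-Type-Options: nosniff"
check_headers "$SAMPLE_HEADERS" || echo "findings: $?"
```

Modern browsers honour CSP `frame-ancestors` over X-Frame-Options, so a MISSING X-Frame-Options finding is acceptable when your CSP sets `frame-ancestors`.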
Frequently Asked Questions
Before launch, ensure WordPress core is updated to the latest version, remove all unused plugins and themes, set secure file permissions (755 for directories, 644 for files), configure SSL/HTTPS, implement security headers, disable XML-RPC if not needed, change the default database prefix, and run a comprehensive security scan.
Daily: monitor uptime and check for suspicious activity. Weekly: update plugins and themes, review user accounts. Monthly: run a full security scan, verify backups work, review security logs. Quarterly: audit all plugins and remove unused ones, update passwords, and test your disaster recovery plan.
Removing unused plugins and themes is the most overlooked step. Even deactivated plugins can contain vulnerabilities that attackers exploit. Many site owners install plugins to test them and never remove them, creating an expanding attack surface over time.
Yes. The default prefix 'wp_' is well-known and targeted by automated SQL injection attacks. Changing it to a random prefix like 'x7k_' adds a layer of obscurity that blocks many automated attacks, though it should not be your only defense.
Immediately take the site offline, change all passwords (WordPress admin, hosting, FTP, database), restore from a clean backup if available, scan all files for malware, remove any backdoors, update all software, and submit your site for review if it was blocklisted by Google. Consider hiring a professional if you are unsure about the cleanup.