How to Secure a WordPress Site

A step-by-step hardening checklist you can complete in one afternoon.

Your WordPress site is a prime target for bots and attackers who try stolen passwords, probe for outdated plugins, and look for insecure hosting setups. The good news: you don’t need to be a developer to close most of the easy doors they use to get in.

In this step-by-step checklist, you’ll secure your WordPress site with practical tasks you can complete in an afternoon: backups, login protection, security plugins, safe updates, and basic hardening. We’ll keep everything non-technical where possible and clearly label the few options that require editing files or hosting settings.

If you’re completely new to security concepts, you can also review our beginner WordPress security best practices guide as a companion, then come back here to follow this hands-on checklist.

Prerequisites

Before you start changing security settings, make sure you have access to everything you need and a way to undo mistakes. That way, even if something breaks, you can quickly roll back.

  • Admin login to your WordPress dashboard.
  • Access to your hosting control panel (cPanel, Plesk, or similar) or SFTP.
  • Permission to install and configure plugins.
  • Ability to receive email alerts from your site (working admin email).
  • At least one working backup from the last week (we’ll improve this in Step 2).
Warning: If you’re not sure you have a working backup, prioritize the backup step first before making any other security changes.

Step 1: Audit Your Current WordPress Security Status

Start by understanding how exposed your site is today. This quick audit will show you where you’re vulnerable so you can prioritize the rest of the checklist.

  1. Log in to WordPress and go to Dashboard > Updates. Note if WordPress core, plugins, or themes are out of date.
  2. Go to Settings > General and make sure your site URL starts with https://, not http://. If not, your site likely isn’t using SSL correctly.
  3. Visit Users > All Users. Check that:
    • There is no user with the username admin.
    • Only people who truly need it have the Administrator role.
  4. Check your hosting control panel or dashboard for any existing security tools (firewalls, malware scans, or backups).

Make a simple list of issues (e.g., “5 plugins outdated”, “no SSL”, “admin user exists”). You’ll fix them in the steps ahead.

Note: Many hosts include basic malware scans or firewalls. If you find one already enabled, keep that in mind when creating your security plugin setup later to avoid conflicts.

Step 2: Set Up Safe, Automated WordPress Backups

A secure WordPress site is not just about preventing hacks; it’s also about being able to recover quickly if something goes wrong. Before you harden anything else, make sure you have reliable backups.

  1. Install a reputable backup plugin if your host doesn’t already provide automatic backups.
  2. Configure daily backups for the database and at least weekly full site backups (files + database).
  3. Send backups to remote storage (cloud drive, S3, or your host’s off-site storage) so you’re protected even if the server fails.
  4. Perform a test restore on a staging or test site to confirm the backup actually works.

For a deeper strategy on how often to back up and where to store copies, follow our detailed WordPress backup strategy once your basic schedule is in place.

Pro Tip: Save at least one backup copy offline (for example, on an encrypted USB drive) for worst-case recovery situations.

Step 3: Harden WordPress Logins and User Accounts

Most successful WordPress hacks begin at the login form. Attackers try thousands of password combinations or exploit weak usernames. Locking down your login page is one of the highest-impact steps you can take.

  1. Go to Users > All Users and:
    • Change any “admin” username by creating a new admin user, assigning content, then deleting the old account.
    • Remove any admin accounts for people who no longer need access.
  2. Use unique, strong passwords for all admin and editor accounts. A password manager makes this easy.
  3. Install a security or login protection plugin that supports:
    • Login rate limiting (lockouts after several failed attempts).
    • Two-factor authentication (2FA) for at least all administrator accounts.
    • Optional CAPTCHAs on the login form.
  4. Enable 2FA and test it by logging in from a different browser or device.
Warning: Always test 2FA setup with at least two admin users or have a backup code stored securely, so you don’t lock yourself out of the site.

Step 4: Add a Security Plugin for Firewall and Malware Scans

A dedicated security plugin provides features that WordPress doesn’t offer by default, such as web application firewalls, file change detection, and malware scanning. Used correctly, it significantly reduces your attack surface.

  1. Choose one reputable security plugin (avoid installing multiple full security suites at once).
  2. Install and activate it, then complete any onboarding wizard to:
    • Enable the firewall (application-level or endpoint-based).
    • Turn on automatic malware scans and email alerts.
    • Configure login protection if not already covered in Step 3.
  3. Run a full site scan and review any warnings or critical issues.

If you’re deciding which plugin fits your setup and hosting, our comparison of best WordPress security plugins can help you evaluate features and performance before committing.

Note: If your host already runs a server-level firewall, you may not need every firewall feature in your plugin. When in doubt, check with your hosting support to avoid conflicts.

Step 5: Keep WordPress Core, Plugins, and Themes Updated Safely

Outdated plugins, themes, and core versions are one of the most common paths attackers exploit. Updating regularly closes known vulnerabilities and keeps your site aligned with current security standards.

  1. Create or confirm a fresh backup (see Step 2) before major updates.
  2. In WordPress, go to Dashboard > Updates:
    • Update WordPress core if a newer version is available.
    • Update plugins in batches of a few at a time, testing the site after each batch.
    • Update themes, even inactive ones; delete themes you don’t use (except a default fallback theme).
  3. Consider enabling automatic updates for minor core releases and trusted plugins.

If you prefer using WP-CLI (via SSH), you can update everything with three commands run from your WordPress directory:

wp core update
wp plugin update --all
wp theme update --all

Always test your homepage, a key blog post, and critical pages (like checkout or contact) after updates to catch issues early.

Step 6: Harden Your Server, Files, and Configuration

Beyond plugins and updates, there are simple configuration tweaks that make it harder for attackers to modify your files or execute malicious code. Most of these are “set-and-forget” changes.

  1. Disable file editing in the dashboard:
    • Using your hosting File Manager or SFTP, open wp-config.php.
    • Add this line near the bottom (above the comment that says “That’s all, stop editing!”):
    define( 'DISALLOW_FILE_EDIT', true );
  2. Check file permissions:
    • Folders should typically be 755, files 644.
    • Use your File Manager or SFTP client to fix anything marked as world-writable.
  3. Secure admin access:
    • If possible, restrict /wp-admin/ access by IP in your hosting control panel or via .htaccess.
    • Ensure your SSL certificate is active so all logins happen over https://.
Warning: Changes to wp-config.php or .htaccess can break your site if done incorrectly. Take a fresh backup and edit these files carefully, or ask your host’s support team for help.
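The two file-level changes in this step (the wp-config.php constant and the 755/644 permissions) as a small POSIX shell script, added here as an example and not taken from the article or from WordPress itself. The functions take your own site root or wp-config.php path as an argument; the demo at the end runs them on a constructed throwaway directory, never on a real install.

```shell
#!/bin/sh
# Added example, not from the original article: helpers for Step 6. The
# paths you pass in are your own; the demo uses a constructed throwaway tree.
# Insert DISALLOW_FILE_EDIT above the "That's all, stop editing!" comment.
# Safe to re-run: it does nothing if the constant is already defined, and
# refuses to guess a location if the marker comment is missing.
ensure_disallow_file_edit() {
  cfg="$1"
  if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    echo "already set"; return 0
  fi
  if ! grep -q "stop editing" "$cfg"; then
    echo "marker not found"; return 1
  fi
  awk -v line="define( 'DISALLOW_FILE_EDIT', true );" \
    '/stop editing/ && !done { print line; done = 1 } { print }' \
    "$cfg" > "$cfg.tmp"
  # Write back through the existing file so its owner and mode are kept.
  cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
  echo "added"
}
# List world-writable entries under the site root, one path per line.
list_world_writable() {
  find "$1" -perm -002
}
# Apply 755 to directories and 644 to files; print how many entries changed,
# so a result of 0 means the tree was already clean.
fix_permissions() {
  root="$1"
  d=$(find "$root" -type d ! -perm 755 | wc -l)
  f=$(find "$root" -type f ! -perm 644 | wc -l)
  find "$root" -type d ! -perm 755 -exec chmod 755 {} +
  find "$root" -type f ! -perm 644 -exec chmod 644 {} +
  echo "$((d + f))"
}
demo() {  # constructed throwaway tree, not a real install
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-content/uploads"
  printf '%s\n' "<?php" "define( 'DB_NAME', 'example' );" \
    "/* That's all, stop editing! Happy publishing. */" \
    "require_once ABSPATH . 'wp-settings.php';" > "$tmp/wp-config.php"
  touch "$tmp/wp-content/uploads/notes.txt"
  chmod 666 "$tmp/wp-content/uploads/notes.txt"
  ensure_disallow_file_edit "$tmp/wp-config.php"   # prints "added"
  list_world_writable "$tmp"                        # the notes.txt path
  fix_permissions "$tmp"                            # number of fixes made
  rm -rf "$tmp"
}
demo
```

Because the script rewrites wp-config.php in place, run it on a fresh backup first, exactly as the warning above says.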

Step 7: Monitor Your Site and Build a Simple Security Routine

Securing a WordPress site is not a one-time project. The most secure WordPress sites have simple, repeatable routines. The good news: with the right setup, you can keep your weekly security tasks under 15 minutes.

  1. Enable notifications: In your security plugin and backup plugin, confirm that:
    • Email alerts are enabled for failed logins, malware findings, and backup failures.
    • These alerts go to an inbox you actively monitor.
  2. Create a weekly checklist:
    • Check Dashboard > Updates for new updates.
    • Review recent login attempts in your security plugin logs.
    • Confirm the latest backups completed successfully.
  3. Review user accounts monthly: Remove unused accounts and downgrade roles that no longer need admin access.
Pro Tip: Add a recurring calendar event for “WordPress Security Review” so this routine becomes part of your normal site maintenance process.
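The weekly task of reviewing login attempts can also be done from the raw web server access log when a plugin log is unavailable or you want a second opinion. The script below is an added example (not from the article); it assumes the common Apache/Nginx combined log format and builds a constructed sample log so it runs without a real server.

```shell
#!/bin/sh
# Added example (not from the original article): a quick weekly review of
# login activity from a web server access log ("combined" format), for
# Step 7. The sample log below is constructed for the demo.

# Print "count ip" for each client IP with more than $2 POSTs to the login
# or XML-RPC endpoints in log file $1, busiest first. Anything far above
# the threshold is a brute-force candidate (or you, from an unknown IP).
login_bursts() {
  awk -v limit="${2:-10}" '
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
      hits[$1]++
    }
    END { for (ip in hits) if (hits[ip] > limit) print hits[ip], ip }
  ' "$1" | sort -rn
}

# Print "count ip status" for POSTs to wp-login.php. WordPress answers a
# failed login with 200 (form shown again) and a successful one with a 302
# redirect, so many 200s followed by a single 302 from the same IP is the
# pattern to act on: a password that was eventually guessed.
login_outcomes() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1 " " $9]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -rn
}

# Build a constructed sample log: one noisy IP, one normal admin login,
# an ordinary page view and a single XML-RPC post.
make_sample_log() {
  out="$1"; : > "$out"; i=0
  while [ "$i" -lt 12 ]; do
    echo "203.0.113.5 - - [10/May/2024:10:12:$(printf %02d "$i") +0000]" \
      "\"POST /wp-login.php HTTP/1.1\" 200 4521 \"-\" \"Mozilla/5.0\"" >> "$out"
    i=$((i + 1))
  done
  cat >> "$out" <<'EOF'
203.0.113.5 - - [10/May/2024:10:12:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/May/2024:09:01:00 +0000] "GET /about/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.44 - - [10/May/2024:11:00:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
EOF
}

# Demo: write the sample, report bursts above 10, then the per-status view.
sample=$(mktemp)
make_sample_log "$sample"
login_bursts "$sample" 10      # 13 203.0.113.5
login_outcomes "$sample"
rm -f "$sample"
```

If an IP in the burst list is yours (office, VPN, or a monitoring service), add it to your security plugin's allow list so the lockout rules in Step 3 do not lock you out.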

Keeping Your WordPress Site Secure Over Time

By completing this checklist, you’ve significantly improved your WordPress security posture: you now have working backups, hardened logins, a firewall and malware scanner, safer update habits, and basic server-level hardening. These steps alone eliminate many of the easiest ways attackers break into WordPress sites.

From here, your biggest wins come from consistency. Keep your weekly security routine, review new plugins and themes carefully before installing them, and adjust your setup as your traffic and business grow. A secure WordPress site isn’t about perfection—it’s about making your site a much harder target than the millions of outdated, unprotected sites attackers scan every day.

Frequently Asked Questions

What is the very first thing I should do to secure a WordPress site?

The first priority is to ensure you have at least one recent, working backup of your entire site (files and database). Once your backup system is in place and tested, you can safely proceed with login hardening, plugin updates, and configuration changes without risking permanent data loss if something goes wrong.

My security plugin found malware. What should I do next?

Start by quarantining or removing the infected files using your security plugin’s cleanup tools, then change all administrator passwords and enable two-factor authentication. Next, update WordPress core, plugins, and themes to their latest versions and review your user accounts for anything suspicious. If the issue persists or involves critical system files, contact your host’s security team or a specialized WordPress security service.

Do I really need a security plugin if my host already includes protection?

Many managed WordPress hosts provide strong server-level security, but a security plugin can still add value by monitoring login attempts, scanning your files, and sending alerts. If your host offers equivalent features, you can rely more on their tools and use a lightweight plugin configuration. The key is to avoid running multiple overlapping firewalls that may conflict or slow down your site.

How often should I update plugins and themes without breaking my site?

For most sites, a weekly update routine works well: take a quick backup, then update core, plugins, and themes in small batches and test key pages after each batch. For high-traffic or e-commerce sites, consider using a staging site to test updates first, then deploy to production during low-traffic hours. Regular small updates are safer than infrequent large ones.

Is WordPress security going to be expensive or time-consuming to maintain?

Most essential security measures are low-cost or free and can be handled in less than an hour per week once everything is set up. The main investments are your time to follow a simple routine and, optionally, a premium backup or security service for higher-risk sites. Compared to the cost of a hacked or lost site, this small ongoing effort provides a very high return on investment.
