WordPress is the most attacked CMS on the internet not because it is inherently insecure but because it is the most common. Its market share makes it the highest-return target for automated scanning and exploitation. A default WordPress installation is not a hardened one — but hardening it is straightforward, well-documented work that most publishers skip until something goes wrong. This checklist covers the high-impact measures that materially reduce your attack surface.