WordPress Security Hardening: A Publisher's Checklist

WordPress is the most attacked CMS on the internet not because it is inherently insecure but because it is the most common. Its market share makes it the highest-return target for automated scanning and exploitation. A default WordPress installation is not a hardened one — but hardening it is straightforward, well-documented work that most publishers skip until something goes wrong.

This checklist covers the high-impact measures that materially reduce your attack surface.

Keep Everything Updated

The majority of WordPress compromises exploit known vulnerabilities in outdated core, plugin, or theme versions. Patches for these vulnerabilities are published regularly and attackers begin scanning for unpatched sites within hours of a vulnerability disclosure.

Enable automatic updates for WordPress core minor releases. For plugins and themes, either enable automatic updates or schedule a weekly manual update review. The risk from an auto-updated plugin occasionally breaking something is lower than the risk of running unpatched software.

In wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', true );

Use a Security Plugin

Wordfence and Solid Security (formerly iThemes Security) are the two most capable options. Both provide:

• Malware scanning against known signatures
• File integrity monitoring (alerting on unexpected file changes)
• Login protection (rate limiting, lockouts after failed attempts)
• Firewall rules blocking known exploit patterns
• Two-factor authentication

Wordfence’s free tier covers the essentials. The premium version adds real-time threat intelligence and faster firewall rule updates.

Install one security plugin. Running two simultaneously causes conflicts.

Protect wp-admin Access

The /wp-admin/ directory and /wp-login.php are the most heavily attacked endpoints on any WordPress site. Automated bots attempt credential stuffing and brute-force attacks against these URLs constantly.

Limit login attempts. Your security plugin handles this, but confirm it is configured. Three to five failed attempts before lockout is appropriate.

Enable two-factor authentication for all administrator and editor accounts. Wordfence, Solid Security, and standalone plugins like WP 2FA all provide this. A brute-forced password is useless if the attacker also needs a TOTP code.

Change the default login URL. Moving /wp-login.php to a custom URL (e.g., /site-login/) eliminates the majority of automated bot traffic before it touches your server. Solid Security handles this; WPS Hide Login is a lightweight standalone option.

Restrict wp-admin by IP if your editorial team works from predictable IP ranges. Add to .htaccess:

<Directory /path/to/wp-admin>
  Order Deny,Allow
  Deny from All
  Allow from YOUR.IP.ADDRESS.HERE
</Directory>

This is high-friction for mobile or remote teams but highly effective for sites with a small, fixed editorial team.

Database and File Hardening

Change the database table prefix. WordPress defaults to wp_ for all table names. Automated SQL injection attacks frequently target this prefix. Change it to a random string during initial installation, or use Solid Security’s database prefix changer for existing installations.

Protect wp-config.php. This file contains your database credentials and secret keys — the most sensitive file in a WordPress installation. Block direct access in .htaccess:

<files wp-config.php>
  order allow,deny
  deny from all
</files>

Disable file editing in the admin. The WordPress admin includes a built-in code editor for themes and plugins. If an attacker gains admin access, this editor lets them execute arbitrary code. Disable it:

define( 'DISALLOW_FILE_EDIT', true );

Set correct file permissions. Directories should be 755, files should be 644, and wp-config.php should be 600. Overly permissive file permissions (777 directories) are a common vulnerability on shared hosting.

SSL and HTTPS

Every WordPress site should run on HTTPS in 2026. SSL certificates are free through Let’s Encrypt and most managed hosting providers include them automatically.

Confirm your site forces HTTPS redirects and that your wp-config.php reflects the secure URL:

define('WP_HOME', 'https://yoursite.com');
define('WP_SITEURL', 'https://yoursite.com');

Add HTTP Strict Transport Security (HSTS) headers to prevent protocol downgrade attacks. Cloudflare handles this automatically if your site is proxied through Cloudflare.

User and Role Hygiene

Audit your WordPress user list regularly.

• Remove accounts for former contributors, contractors, and employees immediately upon departure
• Assign the minimum role necessary — contributors who only need to write drafts do not need Editor access
• Avoid using “admin” as a username — it is the first credential automated attacks try
• Use strong, unique passwords. Enforce this through your security plugin’s password policy settings

Backups

Backups are not a security hardening measure but they are the security net that makes everything else recoverable. Configure automated daily backups to off-site storage — not on the same server as your WordPress installation.

UpdraftPlus (free tier covers the essentials), BackupBuddy, and WP Rocket’s companion plugin all handle this. Store backups to S3, Google Drive, Dropbox, or another remote destination.

A site that gets compromised but has clean backups from the previous day is an afternoon of recovery work. A compromised site without backups is a potential total loss.

A Hardened Installation in Practice

A WordPress installation that is current, running a properly configured security plugin, protected by two-factor authentication, with file editing disabled and off-site backups running, has eliminated the vast majority of the risk surface that causes real-world WordPress compromises. None of these steps are technically complex. The barrier is mostly attention — setting them up and keeping them maintained.

• wordpress
• security
• hardening
• publishing infrastructure
• how to