WordPress powers a huge share of the web, which makes it the single most-attacked CMS on the planet. The good news: the vast majority of compromises exploit a small set of avoidable weaknesses — weak logins, outdated plugins, and loose file permissions. This 12-step checklist covers the practical hardening every WordPress site should have in 2026, working outward from the login screen to the server. Work through it top to bottom and you’ll close the doors attackers rely on.
1. Use Strong, Unique Admin Credentials
Never use admin as a username, and use a long, unique password stored in a password manager. The default admin account is the first thing every brute-force bot tries.
2. Enable Two-Factor Authentication (2FA)
2FA is the single highest-impact step you can take. Even if a password leaks, an attacker can’t log in without the second factor. Use an authenticator-app plugin (TOTP) for every administrator account.
3. Limit Login Attempts
Cap failed logins to stop brute-force attacks dead. A security plugin can lock out an IP after a few failures; at the server level, Fail2Ban does the same. Pair this with a CAPTCHA on the login form.
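As an added example (not code from the original article), the following POSIX shell function turns the login-limit idea into a detection you can run over the web server's access log before, or alongside, a lockout plugin or Fail2Ban jail. It assumes the Apache/Nginx combined log format and relies on how wp-login.php answers: a failed login re-renders the form with HTTP 200, while a successful one redirects (302), so counting POSTs that returned 200 isolates the failures. The sample log lines, the 203.0.113.x/198.51.100.x/192.0.2.x addresses and the default threshold of 5 are all constructed assumptions.

```shell
#!/bin/sh
# Added example, not from the original article. Flags source IPs that repeatedly
# fail to log in to wp-login.php, the same signal a login-limit plugin or a
# Fail2Ban jail keys on. Reads combined-format access-log lines on stdin.

# wp_login_bursts [THRESHOLD]
#   Prints "ip count" for every IP with THRESHOLD or more failed login POSTs
#   (default 5, an assumed value), sorted by IP. In combined log format the
#   fields are: $1 client IP, $6 "METHOD (with its leading quote), $7 path,
#   $9 HTTP status.
wp_login_bursts() {
    limit="${1:-5}"
    awk -v limit="$limit" '
        # A failed login re-renders the form with HTTP 200; a successful one
        # redirects (302), so status 200 on a POST isolates the failures.
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
        END {
            for (ip in fails)
                if (fails[ip] >= limit) print ip, fails[ip]
        }
    ' | sort
}

# Constructed sample: 203.0.113.7 fails six times, 198.51.100.4 logs in once
# (302), 192.0.2.9 fails twice and also fetches the form with a GET.
SAMPLE_LOG='203.0.113.7 - - [03/Jan/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [03/Jan/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [03/Jan/2026:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [03/Jan/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [03/Jan/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
203.0.113.7 - - [03/Jan/2026:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "python-requests/2.31"
198.51.100.4 - - [03/Jan/2026:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Jan/2026:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Jan/2026:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
192.0.2.9 - - [03/Jan/2026:10:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"'

# Stand-alone run over the sample. On a live server pipe the real log instead,
# e.g. tail -n 5000 /var/log/apache2/access.log | wp_login_bursts (path assumed).
printf '%s\n' "$SAMPLE_LOG" | wp_login_bursts
```

With the default threshold only 203.0.113.7 is reported; lowering it to 2 also surfaces 192.0.2.9, while the successful login from 198.51.100.4 is never counted. Feed the reported addresses to your firewall or lockout tooling rather than blocking from the script itself.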
4. Keep Core, Themes & Plugins Updated
Outdated plugins are the number-one cause of hacked WordPress sites. Enable automatic updates for minor core releases and security patches, and review plugin updates promptly.
```php
# Enable automatic background updates — wp-config.php
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```
5. Remove Unused Themes & Plugins
Every installed plugin is potential attack surface — even when deactivated, its files are still on disk and can be exploited. Delete anything you’re not actively using, and only install from reputable sources.
6. Set Correct File Permissions
The safe baseline is 644 for files and 755 for directories, owned by the web user. Never use 777. Make wp-config.php — which holds your database credentials — especially strict:
```sh
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
chmod 600 wp-config.php
```
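As an added example (not from the original article), this shell snippet audits a tree against the 644/755/600 baseline and lists every deviation before anything is changed, then applies the same find/chmod commands as above. Seeing the findings first matters because a blanket chmod also silently "fixes" files an attacker made world-writable, and you want those paths recorded. The demo tree is constructed in a temporary directory; the document-root path in the comment is an assumption, and ownership by the web user is not checked here.

```shell
#!/bin/sh
# Added example, not from the original article. Audits a WordPress tree against
# the baseline (644 files, 755 directories, 600 wp-config.php) and reports
# every deviation, so you can see what a blanket chmod would change before
# running it. Ownership by the web user is not checked here.

# wp_perm_audit [DIR]
#   Prints one "KIND path" line per file or directory whose mode differs from
#   the baseline; prints nothing when the tree is clean. Exact-mode matching
#   (-perm 755, not -perm -755) is deliberate: a 775 directory is a finding.
wp_perm_audit() {
    root="${1:-.}"
    {
        find "$root" -type d ! -perm 755 -exec printf 'DIR  %s\n' {} \;
        find "$root" -type f ! -name wp-config.php ! -perm 644 -exec printf 'FILE %s\n' {} \;
        find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600 -exec printf 'CONF %s\n' {} \;
    } | sort
}

# wp_perm_fix [DIR]
#   Applies the baseline with the same find/chmod commands as the checklist,
#   then tightens wp-config.php afterwards (order matters: the file pass would
#   otherwise reset it to 644).
wp_perm_fix() {
    root="${1:-.}"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Stand-alone demo on a constructed tree; a real run points at the document
# root, e.g. wp_perm_audit /var/www/html (path assumed).
demo_dir=$(mktemp -d)
chmod 755 "$demo_dir"
mkdir -p "$demo_dir/wp-content/uploads"
chmod 755 "$demo_dir/wp-content"
chmod 777 "$demo_dir/wp-content/uploads"   # world-writable upload directory
printf '<?php\n' > "$demo_dir/index.php"
chmod 777 "$demo_dir/index.php"            # world-writable PHP file
printf '<?php\n' > "$demo_dir/wp-config.php"
chmod 644 "$demo_dir/wp-config.php"        # readable by every local user
echo "Before:"; wp_perm_audit "$demo_dir"
wp_perm_fix "$demo_dir"
echo "After:";  wp_perm_audit "$demo_dir"
rm -rf "$demo_dir"
```

Run the audit from cron and alert on any output: a site whose permissions were correct yesterday and have a world-writable PHP file today has a problem that is not a permissions problem.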
7. Disable File Editing in the Dashboard
The built-in theme/plugin editor lets anyone with admin access run PHP — a gift to an attacker who steals a session. Turn it off:
```php
// wp-config.php
define( 'DISALLOW_FILE_EDIT', true );
```
8. Protect wp-config.php and Disable XML-RPC
xmlrpc.php is a frequent brute-force and DDoS amplification vector and most sites don’t need it. Block both at the web-server level:
```apacheconf
# .htaccess
<Files wp-config.php>
Require all denied
</Files>
<Files xmlrpc.php>
Require all denied
</Files>
```
9. Install a Web Application Firewall (WAF)
A WAF filters malicious requests before they reach WordPress. Use a plugin-based firewall (such as the one in a reputable security suite), an edge WAF like Cloudflare, or server-side ModSecurity/Imunify360 — ideally a combination.
10. Force HTTPS Everywhere
Install a free Let’s Encrypt certificate and redirect all HTTP traffic to HTTPS so logins and cookies are never sent in clear text. Also force secure admin sessions:
```php
// wp-config.php
define( 'FORCE_SSL_ADMIN', true );
```
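Steps 4, 7 and 10 each add one constant to wp-config.php, and the usual failure is not a missing define but one set to the wrong value or left commented out. As an added example (not from the original article), this shell function checks a wp-config.php for all three and reports any that are absent or differ from the expected value, ignoring lines commented out with `//`. The two sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not from the original article. Checks a wp-config.php for the
# three hardening constants this checklist sets (steps 4, 7 and 10) and reports
# any that are missing or set to a different value. A presence-only grep would
# miss a constant defined with the wrong value, so each check matches the
# expected value as well.

# wp_config_audit FILE
#   Prints "MISSING NAME (want VALUE)" for each expected define not found with
#   the expected value; prints nothing when all three are present. Tolerates
#   either quote style and arbitrary whitespace inside define(...).
wp_config_audit() {
    cfg="$1"
    for want in WP_AUTO_UPDATE_CORE=minor DISALLOW_FILE_EDIT=true FORCE_SSL_ADMIN=true; do
        name="${want%%=*}"
        value="${want#*=}"
        # Matches define( 'NAME', value ) and define("NAME", 'value') alike.
        pattern="define[[:space:]]*\([[:space:]]*['\"]${name}['\"][[:space:]]*,[[:space:]]*['\"]?${value}['\"]?[[:space:]]*\)"
        # Lines commented out with // are not in effect, so drop them first.
        if ! grep -v '^[[:space:]]*//' "$cfg" | grep -Eq "$pattern"; then
            echo "MISSING $name (want $value)"
        fi
    done
}

# Constructed sample configs for a stand-alone run.
weak_cfg=$(mktemp)
cat > "$weak_cfg" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_AUTO_UPDATE_CORE', false );     // auto-updates switched off
// define( 'DISALLOW_FILE_EDIT', true );    // commented out, so not in effect
define( 'FORCE_SSL_ADMIN', true );
EOF

hardened_cfg=$(mktemp)
cat > "$hardened_cfg" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
define("DISALLOW_FILE_EDIT", true);
define( 'FORCE_SSL_ADMIN', true );
EOF

echo "Weak config:";     wp_config_audit "$weak_cfg"
echo "Hardened config:"; wp_config_audit "$hardened_cfg"
rm -f "$weak_cfg" "$hardened_cfg"
```

The weak sample yields two findings (auto-updates set to `false`, file editing still allowed because the define is commented out); the hardened sample yields none. Point it at the live file with `wp_config_audit /path/to/wp-config.php` after every deployment, since configuration files get overwritten by migrations and restores more often than people expect.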
11. Take Regular, Off-Site Backups
Security is about recovery as much as prevention. Keep automated daily backups of files and the database, store at least one copy off-site, and — crucially — test that you can actually restore them.
12. Monitor, Scan & Use Least Privilege
Run a malware/integrity scanner on a schedule, enable activity logging so you can see who did what, and give every user the lowest role they need — an editor doesn’t need administrator rights. Review user accounts regularly and remove stale ones.
Quick-Reference Checklist
| # | Step | Layer |
|---|---|---|
| 1–3 | Strong creds, 2FA, login limits | Authentication |
| 4–5 | Updates, remove unused code | Maintenance |
| 6–8 | Permissions, disable editor, block XML-RPC | Hardening |
| 9–10 | WAF, HTTPS | Network |
| 11–12 | Backups, monitoring, least privilege | Resilience |
Conclusion
WordPress security isn’t one big switch — it’s these twelve layers working together. Start at the login screen with strong credentials and 2FA, stay patched, lock down files and configuration, put a firewall and HTTPS in front, and keep tested off-site backups behind it all. Work through this checklist once and revisit it quarterly, and your site will be far harder to compromise than the millions still running on defaults.
