Checklist – 5 minutes to Secure Your WordPress Website

The website that you’ve built is incredibly important. Hacks happen, and besides relaying on your web host to do their part, it’s your responsibility to reduce the likelihood to the lowest probability possible.

I made this 5 minute check list of best practices to help you harden your website and protect you and your users from hacks.


  1. For shared hosting, ensure that accounts and sites are isolated from each other
  2. Run an https-only website

User Management

  1. Grant only as much access as is needed
  2. Review your user list frequently, deleting those that are obsolete, downgrading roles where possible

WordPress Core, Themes and Plugins

  1. Enable auto-updates wherever possible / practical
  2. Check for updates frequently (at least weekly) and install them as soon as possible
  3. Only download themes and plugins from trusted sources
  4. Remove all unused themes, plugins and old unused WordPress installations immediately


  1. Require strong passwords for all users
  2. Ensure that your login page is running on an https page (e.g https://your-website/wp-admin/)
  3. Limit the rate of login attempts

Server Administration

  1. Only communicate with your server using an encrypted connection (sFTP for file transfer or SSH for shell access)
  2. If you connect to your server over a public network, use a VPN
  3. Secure access to your wp-config.php file, including copies
  4. Secure access to your backups, log files, test files, temporary files and other PHP applications on your web server
  5. Backup your WordPress files and database at least weekly (both with your web host and downloading a copy)
  6. Use a strong password for your MySQL database user
  7. Install a WordPress security plugin like Wordfence

WordPress Security Plugin Must Have Features

  1. Malware scanning
  2. Protection against Brute-force login
  3. Protection against hacker recon techniques
  4. Password auditing
  5. Allow comparison of codes

Secure Your Work Environment

  1. As much as possible do not use public wifi to connect to your website. If needed, try using VPN.
  2. Only install trusted software on your workstation and mobile device
  3. Use a reputable virus scanner
  4. Protect your devices with strong passwords
  5. Watch out for phishing, spear phishing and social engineering attacks

Take Steps to Detect Hacks Early

  1. Set up email alerts through Google web console or Security plugins
  2. Investigate customer reports immediately
  3. Use a website monitoring service that detects site changes
  4. Watch for unexplained spikes in site traffic
%d bloggers like this: