
The Complete WordPress Security Checklist for 2025

November 18, 2024·WO Security Shield Team
Tags: checklist, wordpress, hardening, security

WordPress powers 43% of the web. That makes it the biggest target. Here's the complete security checklist to protect your site in 2025.

✅ Authentication

  • Use a strong, unique password (20+ characters, generated by a password manager)
  • Enable TOTP two-factor authentication on all admin accounts
  • Move WordPress login to a custom URL
  • Enable brute-force lockout (5 failures → 30-minute lockout)
  • Block username enumeration via ?author=N and REST API
  • Disable the default admin username
  • Set strong password enforcement for all users

✅ File System

  • Set wp-config.php permissions to 600 (owner read/write only)
  • Disable file editing from WordPress admin (Appearance → Editor)
  • Set uploads directory to block PHP execution (.htaccess or Nginx config)
  • Enable file integrity monitoring (baseline + continuous watch)
  • Run weekly full integrity scans
  • Enable near-real-time monitoring for files modified in the last 10 minutes

✅ Core, Plugins, and Themes

  • Keep WordPress core updated to the latest version
  • Enable automatic minor updates for security patches
  • Keep all plugins updated
  • Keep all themes updated
  • Delete unused plugins (deactivated is not enough — delete them)
  • Delete unused themes (keep only one backup theme)
  • Only install plugins from trusted sources (WordPress.org or commercial vendors)
  • Never use nulled/pirated plugins or themes

✅ Database

  • Change the default wp_ table prefix to something random
  • Use a strong, unique database password
  • Restrict database user to only the permissions WordPress needs (no SUPER or FILE)
  • Take regular database backups

✅ Firewall and Traffic

  • Enable WordPress application firewall (WAF)
  • Block known malicious user agents (sqlmap, Nikto, WPScan, etc.)
  • Enable rate limiting to throttle DDoS attempts and aggressive crawlers
  • Block countries you don't serve (if appropriate)
  • Enable DDoS auto-trigger for spike detection

✅ Backups

  • Daily automated backups
  • Backups stored off-site (not just on the same server)
  • Test restore process at least quarterly
  • Keep at least 30 days of backup history

✅ Monitoring and Alerting

  • Email alerts for critical security events
  • Dashboard sync for centralised multi-site management
  • Vulnerability monitoring — alerts when a CVE is published for your plugins
  • Traffic monitoring for anomaly detection

✅ SSL/TLS

  • HTTPS enforced sitewide (301 redirect from HTTP)
  • HSTS header enabled
  • SSL certificate auto-renews

✅ Security Headers

  • X-Frame-Options: SAMEORIGIN (clickjacking protection)
  • X-Content-Type-Options: nosniff (MIME type sniffing protection)
  • Referrer-Policy: strict-origin-when-cross-origin
  • Content-Security-Policy (if feasible for your site)
  • Remove WordPress version from page source
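As an added example (not part of the original post or the WO Security Shield plugin), the shell function below audits a saved HTTP response against the Security Headers checklist above and flags the version leaks the last item refers to. The input file is what `curl -si URL` writes (status line, headers, blank line, body); the hardened and weak responses it tests against are constructed for the demo, and the one-year HSTS threshold is this example's assumption.

```shell
# Added example (not the plugin's code): audit a saved HTTP response against the
# Security Headers checklist. The input file holds the status line and headers,
# a blank line, then the HTML body, i.e. what `curl -si URL` writes.
REQUIRED_HEADERS="Strict-Transport-Security X-Frame-Options X-Content-Type-Options Referrer-Policy Content-Security-Policy"

# Prints one finding per line (missing/weak header, version leak); no output = pass.
audit_response() {
  local f="$1" hdr name val ma
  hdr=$(sed '/^[[:space:]]*$/q' "$f")   # header block ends at the first blank line
  for name in $REQUIRED_HEADERS; do
    val=$(printf '%s\n' "$hdr" | grep -i "^$name:" | head -n1 | cut -d: -f2- | tr -d '\r' | sed 's/^ *//')
    if [ -z "$val" ]; then echo "missing: $name"; continue; fi
    case "$name" in
      X-Frame-Options)
        echo "$val" | grep -Eiq '^(DENY|SAMEORIGIN)$' || echo "weak: $name=$val" ;;
      X-Content-Type-Options)
        echo "$val" | grep -iq '^nosniff$' || echo "weak: $name=$val" ;;
      Strict-Transport-Security)   # assumed policy: max-age of at least one year
        ma=$(echo "$val" | grep -oEi 'max-age=[0-9]+' | cut -d= -f2)
        [ "${ma:-0}" -ge 31536000 ] || echo "weak: $name max-age=${ma:-none}" ;;
    esac
  done
  # Version leaks: Server / X-Powered-By banners and the WordPress generator tag.
  printf '%s\n' "$hdr" | grep -Ei '^(Server|X-Powered-By):' | grep -Eq '[0-9]+\.[0-9]' \
    && echo "leak: Server/X-Powered-By banner carries a version"
  grep -Eiq '<meta name="generator" content="WordPress [0-9]' "$f" \
    && echo "leak: WordPress version in generator tag"
  return 0
}

# Constructed sample responses (not real captures): $1 = output file, $2 = hardened | weak.
write_sample() {
  if [ "$2" = hardened ]; then
    printf 'HTTP/1.1 200 OK\r\nServer: nginx\r\nStrict-Transport-Security: max-age=31536000; includeSubDomains\r\nX-Frame-Options: SAMEORIGIN\r\nX-Content-Type-Options: nosniff\r\nReferrer-Policy: strict-origin-when-cross-origin\r\nContent-Security-Policy: default-src %s\r\n\r\n<html><head><title>Blog</title></head></html>\n' "'self'" > "$1"
  else
    printf 'HTTP/1.1 200 OK\r\nServer: Apache/2.4.41\r\nX-Powered-By: PHP/7.4.3\r\nX-Frame-Options: ALLOW-FROM https://example.invalid\r\n\r\n<html><head><meta name="generator" content="WordPress 6.4.2"></head></html>\n' > "$1"
  fi
}
```

Run `write_sample /tmp/r.txt weak; audit_response /tmp/r.txt` to see the seven findings the weak response produces; the hardened response prints nothing.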

Getting everything in one plugin

WO Security Shield covers every item in the Authentication, File System, Firewall, Monitoring, and Security Headers sections above — in a single plugin with a unified dashboard.

Start your free 14-day trial at wosecurity.com.

Monthly Security Audit Tasks

Beyond the setup checklist, run through these items every month:

User Account Audit

  • Review all WordPress admin accounts — remove any you don't recognise
  • Check when each admin last logged in — dormant accounts are a risk
  • Ensure no user has been silently elevated to administrator
  • Verify email addresses on admin accounts haven't been changed

Plugin and Theme Audit

  • Check every installed plugin against the WPScan vulnerability database
  • Remove any deactivated plugins — they're still exploitable even when inactive
  • Verify no new plugins were installed that you didn't authorise
  • Check theme files for unexpected modifications

File System Audit

  • Scan for PHP files in /wp-content/uploads/ (there should be none)
  • Check .htaccess for unexpected redirect rules
  • Verify wp-config.php hasn't been modified
  • Look for unfamiliar files in /wp-includes/ and /wp-admin/
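As an added example (not part of the original post or the WO Security Shield plugin), the bash script below implements the File System items from the setup checklist and this monthly audit together: a sha256 baseline with a diff, a watch for files modified in the last N minutes, a scan for PHP under uploads, and a check for external redirects in .htaccess. WP_ROOT is an assumed install path; by default it points at a throwaway directory filled with a constructed sample tree so the script runs offline.

```shell
#!/usr/bin/env bash
# Added example (not WO Security Shield code): minimal file-system audit for a
# WordPress install. WP_ROOT is assumed; by default a throwaway directory is used.
set -u
WP_ROOT="${WP_ROOT:-$(mktemp -d)}"

# Constructed sample tree so the script runs offline (not a real WordPress copy).
setup_sample_site() {
  mkdir -p "$WP_ROOT/wp-content/uploads/2025/01" "$WP_ROOT/wp-includes" "$WP_ROOT/wp-admin"
  printf "<?php define('DB_NAME', 'wp'); ?>\n" > "$WP_ROOT/wp-config.php"
  printf '<?php /* core */ ?>\n' > "$WP_ROOT/wp-includes/functions.php"
  printf 'GIF89a\n' > "$WP_ROOT/wp-content/uploads/2025/01/logo.gif"
  printf 'RewriteEngine On\n' > "$WP_ROOT/.htaccess"
}

# Baseline manifest: "sha256  ./relative/path" for every file under WP_ROOT, sorted.
make_baseline() {
  (cd "$WP_ROOT" && find . -type f -print0 | sort -z | xargs -0 sha256sum) > "$1"
}

# Paths whose hash changed, or that were added/removed, since the baseline in $1
# (paths containing spaces are not handled by the awk field split).
diff_baseline() {
  local now; now=$(mktemp)
  make_baseline "$now"
  diff "$1" "$now" | awk '/^[<>]/ { print $3 }' | sort -u
  rm -f "$now"
}

# Near-real-time watch: files modified in the last N minutes (default 10).
recent_files() { find "$WP_ROOT" -type f -mmin "-${1:-10}" | sort; }

# Monthly audit: PHP files under uploads (there should be none).
php_in_uploads() {
  find "$WP_ROOT/wp-content/uploads" -type f \
    \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[0-9]' \) | sort
}

# Monthly audit: Redirect/RewriteRule lines in .htaccess that point at an external URL.
htaccess_redirects() {
  grep -Eni '^[[:space:]]*(Redirect|RewriteRule)' "$WP_ROOT/.htaccess" 2>/dev/null \
    | grep -Ei 'https?://' || true
}
```

On a real install, run `make_baseline` once after a clean update and keep the manifest off the web root; `diff_baseline` and `recent_files` are cheap enough for a cron job, `php_in_uploads` and `htaccess_redirects` belong in the monthly audit.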

Security Hardening Priorities by Site Type

Not every site needs every security measure. Prioritise based on your situation:

Blog / Content Site

Priority: Protect admin access, prevent SEO spam injection

  • Strong passwords + 2FA (critical)
  • XML-RPC disabled
  • File integrity monitoring
  • Security headers

WooCommerce / E-commerce

Priority: Protect customer data, PCI compliance

Everything above, plus:

  • SSL/TLS enforced on all pages (critical)
  • REST API secured
  • Database encryption for customer records
  • PCI-compliant hosting
  • WAF with DDoS protection

Business / Lead Generation

Priority: Protect reputation and uptime

Multi-site / Agency

Priority: Isolation between sites, centralised monitoring

Everything above, plus:

  • Multisite-specific hardening
  • Per-site user role restrictions
  • Centralised security dashboard
  • Network-level firewall rules
