Running a WordPress site for your Singapore business? This checklist covers the security fundamentals — with specific considerations for Singapore's regulatory environment and hosting landscape.
Print this out. Work through it item by item. Each one takes 5–15 minutes.
The Checklist
Foundation (Do These First)
✅ 1. Update WordPress Core, Plugins, and Themes
Check right now: Dashboard → Updates.
- Update WordPress core to the latest version
- Update every plugin
- Update every theme (including inactive ones — or better, delete them)
- Enable auto-updates for minor security releases:
// Add to wp-config.php
define('WP_AUTO_UPDATE_CORE', 'minor');
Singapore note: If your site runs on a local host like Exabytes or Vodien, check their PHP version support before major WordPress updates. Some Singapore hosts are slower to upgrade PHP.
✅ 2. Remove Unused Plugins and Themes
Every installed plugin is attack surface — even if it's deactivated.
- Delete every plugin you're not actively using
- Keep only one theme (your active theme)
- Delete Twenty Twenty-Three, Twenty Twenty-Four, etc. if you don't use them
✅ 3. Use Strong, Unique Passwords
For every account:
- WordPress admin: 16+ characters, randomly generated
- Hosting panel (cPanel/Plesk): unique password
- FTP/SFTP: unique password (or better, use SSH keys)
- Database: unique password
Use a password manager (1Password, Bitwarden). Never reuse passwords.
Singapore note: Check haveibeenpwned.com — Singapore was affected by the Singtel data breach and several regional breaches. If your email appears, change every associated password.
✅ 4. Enable Two-Factor Authentication
Install 2FA on every admin and editor account. Options:
- Email codes (built into WO Security Shield)
- TOTP authenticator app (Google Authenticator, Authy — also built into WO Security Shield)
- Hardware keys (for maximum security)
2FA blocks 100% of password-based attacks. There's no reason to skip this.
Access Control
✅ 5. Change Your Login URL
Move /wp-login.php to a custom path:
- Reduces automated brute-force attempts by ~90%
- Bots targeting /wp-login.php get a 404 instead
- WO Security Shield: Settings → Login Security → Custom login path
✅ 6. Limit Login Attempts
Configure brute-force protection:
- Max 5 failed attempts per 15-minute window
- Lock out IPs for 30 minutes after hitting the limit
- WO Security Shield does this automatically
✅ 7. Review User Accounts
Go to Users → All Users:
- Does every account belong to someone you know?
- Does every admin account actually need admin privileges?
- Remove or demote any account that doesn't need full access
- Delete any accounts for people who no longer work with you
Server & Hosting
✅ 8. Use HTTPS Everywhere
Your site should be HTTPS-only:
- SSL certificate installed and valid
- Force HTTPS in wp-config.php:
define('FORCE_SSL_ADMIN', true);
- .htaccess redirect from HTTP to HTTPS
Singapore note: Most Singapore hosts (SiteGround SG, Vodien, Cloudways) offer free Let's Encrypt SSL. There's no reason to run HTTP in 2026.
✅ 9. Secure wp-config.php
- Move it one directory above your web root (WordPress supports this natively)
- Set permissions to 600 or 640
- Ensure your database credentials aren't reused elsewhere
- Regenerate your WordPress security salts: api.wordpress.org/secret-key/1.1/salt
Hardening
✅ 10. Disable XML-RPC
Unless you use the WordPress mobile app or Jetpack:
- WO Security Shield: Settings → Hardening → Disable XML-RPC
XML-RPC is used for brute-force amplification attacks — one request can try hundreds of passwords.
✅ 11. Block PHP in Uploads
PHP files should never execute from wp-content/uploads/. Add this .htaccess rule (WO Security Shield does this automatically):
# wp-content/uploads/.htaccess
<Files "*.php">
Require all denied
</Files>
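To check items 1, 8, 9 and 11 on an existing install from the command line, here is an added Python example (not code from the post or from WO Security Shield). It assumes the default wp-content/uploads location and that wp-config.php sits in the web root or one directory above it, and it builds a constructed throwaway site to run against.

```python
# Added example (not from the post or WO Security Shield): audit a WordPress tree for items 1, 8, 9, 11.
import os
import re
import tempfile

PLACEHOLDER = "put your unique phrase here"   # salt text shipped in wp-config-sample.php
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""")


def audit(webroot):
    """Return the checklist items that fail; an empty list means all four pass."""
    findings = []
    parent = os.path.dirname(os.path.abspath(webroot))   # WP also loads config from one level up
    paths = [os.path.join(d, "wp-config.php") for d in (webroot, parent)]
    cfg = next((p for p in paths if os.path.isfile(p)), None)
    if cfg is None:
        return ["wp-config.php not found"]
    mode = os.stat(cfg).st_mode & 0o777
    if mode not in (0o600, 0o640):                        # item 9: file permissions
        findings.append(f"item 9: wp-config.php mode {oct(mode)}, expected 600 or 640")
    with open(cfg, encoding="utf-8") as fh:
        defines = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(fh.read())}
    if defines.get("WP_AUTO_UPDATE_CORE") not in ("'minor'", '"minor"', "true"):
        findings.append("item 1: WP_AUTO_UPDATE_CORE not set to 'minor' or true")
    if defines.get("FORCE_SSL_ADMIN") != "true":
        findings.append("item 8: FORCE_SSL_ADMIN is not true")
    for key in SALT_KEYS:   # item 9: salts must be regenerated, never the sample-file text
        if PLACEHOLDER in defines.get(key, PLACEHOLDER):
            findings.append(f"item 9: {key} missing or still the placeholder")
    ht = os.path.join(webroot, "wp-content", "uploads", ".htaccess")
    if not os.path.isfile(ht) or "Require all denied" not in open(ht, encoding="utf-8").read():
        findings.append("item 11: uploads/.htaccess lacks 'Require all denied'")   # PHP must not run there
    return findings


def make_sample_site(hardened):
    """Build a constructed (fake) WordPress tree in a temp dir to run the audit on."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    salt = "x3Fq9" if hardened else PLACEHOLDER
    lines = [f"define('{k}', '{salt}');" for k in SALT_KEYS]
    if hardened:
        lines += ["define('WP_AUTO_UPDATE_CORE', 'minor');", "define('FORCE_SSL_ADMIN', true);"]
        with open(os.path.join(root, "wp-content", "uploads", ".htaccess"), "w") as fh:
            fh.write('<Files "*.php">\nRequire all denied\n</Files>\n')
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\n" + "\n".join(lines) + "\n")
    os.chmod(fh.name, 0o600 if hardened else 0o644)
    return root
```

Point audit() at your real web root to get the list of failing items; an empty list means all four checks pass.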
✅ 12. Add Security Headers
Enable these headers (one checkbox in WO Security Shield → Hardening):
- X-Frame-Options
- X-Content-Type-Options
- Referrer-Policy
- Strict-Transport-Security (HSTS)
Monitoring & Recovery
✅ 13. Set Up Daily Backups
Back up your site daily:
- Database + files
- Store backups off-server (different hosting account, cloud storage)
- Test restoration at least once every 3 months
- Keep at least 7 days of backup history
Singapore note: If your site handles customer data, PDPA (Personal Data Protection Act) requires you to have data recovery procedures. Backups are a PDPA compliance requirement, not just a nice-to-have.
✅ 14. Enable File Integrity Monitoring
Know immediately when files change:
- WO Security Shield monitors WordPress core files against official checksums
- Alerts on new PHP files in uploads
- Detects modified theme and plugin files
Set up monitoring before you need it — not after an incident.
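As an added example (not code from the post or from WO Security Shield) of what item 14's monitoring does, here is a Python file-integrity check. It compares against a sha256 baseline you generate yourself rather than the official WordPress checksums the plugin uses, assumes the default wp-content/uploads layout, and runs on a constructed throwaway tree.

```python
# Added example (not from the original post or WO Security Shield): a minimal file
# integrity check using a self-generated sha256 baseline instead of official checksums.
import hashlib
import os
import tempfile

UPLOADS = os.path.join("wp-content", "uploads")


def snapshot(webroot):
    """Return {relative path: sha256 hex} for every regular file under webroot."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                manifest[os.path.relpath(full, webroot)] = hashlib.sha256(fh.read()).hexdigest()
    return manifest


def compare(baseline, current):
    """Diff two snapshots into (severity, change, path) tuples, critical ones first."""
    alerts = []
    for rel in sorted(set(baseline) | set(current)):
        change = ("new" if rel not in baseline else "deleted" if rel not in current
                  else "modified" if baseline[rel] != current[rel] else None)
        if change is None:
            continue
        # New or changed PHP under uploads/ is the case item 14 singles out for alerting.
        php_in_uploads = rel.startswith(UPLOADS + os.sep) and rel.endswith(".php")
        alerts.append(("critical" if php_in_uploads else "warning", change, rel))
    return sorted(alerts, key=lambda a: (a[0] != "critical", a[2]))


def write(root, rel, body):
    """Create or overwrite one file in the tree (only used to build the constructed sample)."""
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(body)


def demo():
    """Constructed (fake) site: take a baseline, then apply two changes item 14 should catch."""
    root = tempfile.mkdtemp()
    write(root, os.path.join("wp-includes", "version.php"), "<?php $wp_version = 'x';")
    write(root, os.path.join("wp-content", "themes", "site", "functions.php"), "<?php // theme")
    write(root, os.path.join(UPLOADS, "2026", "photo.jpg"), "jpegdata")
    baseline = snapshot(root)          # would normally be stored off-server with the backups
    write(root, os.path.join("wp-content", "themes", "site", "functions.php"), "<?php // edited")
    write(root, os.path.join(UPLOADS, "2026", "cache.php"), "<?php // must never appear here")
    return compare(baseline, snapshot(root))
```

Keep the baseline off-server next to your backups and re-run the comparison from cron; a critical alert means a PHP file appeared or changed under uploads/, which is exactly the case to investigate first.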
✅ 15. Install a Web Application Firewall
A WordPress-level firewall that:
- Filters malicious requests (SQL injection, XSS, path traversal)
- Rate limits requests per IP
- Blocks known bad user agents and bot networks
WO Security Shield includes a built-in firewall that runs inside WordPress — no DNS changes, no external proxy, no traffic leaving Singapore.
PDPA Considerations for Singapore Sites
If your WordPress site collects personal data (contact forms, user accounts, e-commerce orders), PDPA compliance requires:
Data breach notification — you must notify PDPC and affected individuals within 3 days of discovering a breach. A security plugin with event logging helps document the timeline.
Reasonable security measures — the PDPC expects "reasonable security arrangements." Having no security plugin, no firewall, and no backups is arguably negligent.
Data retention limits — don't store personal data longer than necessary. Regularly audit your database and form submissions.
Access controls — restrict who can see customer data. Use WordPress roles appropriately.
Download This Checklist
Bookmark this page and work through it once a quarter. WordPress security isn't a one-time setup — it's ongoing maintenance, like changing the locks and checking the smoke detectors.
Written for Singapore businesses running WordPress. Applicable to any WordPress site with local adjustments for hosting and regulatory requirements.
