25+ Killer WordPress Security Checklist For 2021

WordPress Security Checklist
WordPress Security Checklist

Get Your WordPress Website an SSL

Google had announced that they will demote unsecured websites. So, if you aren’t using an SSL certificate to encrypt your website’s connection with the end user’s browser, it will be gradually demoted.

Not just that, SSL is an important step towards making the web a less spamy and insecure place.


Here’s the answer:

If a website doesn’t have an active SSL and you visit it using a public or private IP address, anybody sharing the same network can tap into that information and potentially retrieve credit card information, login details, and other online activities.

That doesn’t happen when visiting a website with a valid SSL certificate. Information sent and received is completely encrypted.

Furthermore, almost all the servers and web hosting providers offer a free SSL. If they don’t, you can easily install an open-source SSL powered by Let’s Encrypt.

So, just install an SSL ASAP.

Migrate to a powerful and more secure WordPress Hosting

Bluehost- WordPress security

Many people sign up with a shady web hosting companies in the search of a cheap and affordable web hosting provider. These companies might not have any firewall or DDoS protection.

So, if you think that your web hosting provider doesn’t offer any such protection against generic cyber attacks, it’s time to migrate to a more powerful server.

If you have the time and knowledge, I’d strongly recommend using a Virtual Private Server where you’ll have 100% control over your server.

Plus, you can enforce new firewall rules and DDoS protection protocols.

Change your WordPress Admin URL & Limit Login Attempts

change login uri- WordPress security

WordPress is an open-source CMS.

This means that login URL for every WordPress installation will be the same.

And, bad guys are going to use this information to guess your password and username.

For single-authored blogs, usernames are simply visible in the “Author Box” in the single post area.

All they have to do is guess the password.

So, you need to change the login URL of your website to stop people from entering random login details.

How do you change the login URL of your website?

Download WPS Hide Login and install it on your WordPress website.

Once installed, head over to the plugin’s settings page and insert your new login address.

I recommend inserting some random alpha-numeric string instead of a word such as “login”, “admin-login” and so on.

The next step is to limit the login attempts on your website.

How to limit the login attempts on your WordPress website?

Just install the Limit Login Attempts Reloaded plugin and configure it to limit the number of login attempts to your website.

This will make sure that people are locked out of the login page after a certain number of login attempts. Even if they know your login page.

Ban suspecious users and IP Addresses

ban suspicious IP- WordPress security

Cyber-Attacks go beyond username guessing and trying to log in using the WordPress login URL.

There are automated scripts to scrap information off your blog, send bots to keep posting garbage comments and finding any vulnerability on your website using the previous bug report published by WordPress.

To stop these attacks and to make your website safe, you need to analyze traffic coming to your website and flag/block and blacklist suspicious IP addresses right away.

WordPress doesn’t offer this out of the box.

So, you will have to install a security plugin to get this done.

I recommend WP Cerber Security.

Block traffic coming from specific countries

Geo-specific websites are targeted to people coming from a certain locations. So, you don’t need people from UK to visit a website that’s run by a Japanese blogger.

Or, if you run a car rental website and you only provide service locally, there’s no point in making your portal available globally.

So, install Defender Security – Malware Scanner, Login Security & Firewall and choose which countries you expect traffic from.

Disable User Registration

Most single-authored blogs and business websites don’t require the user-registration module on WordPress.

So, if you think that you are never going to enable front-end user-registration, disable this feature completely.

Head over to your WordPress admin panel and, go to your “General Options” panel and uncheck the “Anyone can register” option.

Remove XML-RPC From WordPress

I won’t get into the technical side of XML-RPC.

In simple terms, XML-RPC is a data transfer method using HTTP and XML that’s a built-in WordPress feature.

This feature has been exploited many time in the past and most WordPress website don’t even make use of this feature making it a loophole for attackers to exploid.

If you want to read more about the exploit related to XML-RPC, here’s a complete article by GetAstra.com.

You need to disable XML-RPC completely.

If you have installed Asset CleanUp plugin, you will have a setting to disable XML-RPC completely.

Remove Unnecessary Plugins

Many of my clients have a few unnecessary plugins installed on their website.

Plugins such as Hello Dolly, Template Monster, ManageWP should be installed immediately.

Hire a professional WordPress developer and security expert to see how many unnecessary plugins you need to get rid of.

Delete Themes That You Don’t Use

At any given time, your website only uses a single WordPress theme. So, there’s no point in keeping all the other themes active on your website.

Delete all of them and keep the active theme updated at all times.

Add Two Factor Authentication(App, not SMS)

One of the most popular methods of securing your online accounts is to enable a Two-Factor Authentication process. I recommend using an authenticator app.

Install Google Authenticator Plugin and active it.

You will see a new setting under the “Settings” options in the admin menu.

On the plugin settings panel, you can select if you want the authentication code to appear on the login screen, and also select the user roles that can enable and disable Google Authenticator Plugin.

two factor authentication - WordPress security

Now, go back to the settings page and it will ask you to set up the Authenticator App with your Authenticator App on your phone.

two factor authentication- WordPress security

That’s it.

Note: Forget not to store the backup security codes somewhere secure or else you will be locked out of your website.

Create Daily, Off-site Backups

This one is not a big secret.

You have to create daily backups of your website no matter what.

It doesn’t matter if your server creates backups for you or if you have a plugin that creates automatic backups on a regular basis.

If things go wrong, you will lose your website and database in seconds.

So, to stay on the safer side, I recommend downloading a backup of your website on a daily basis and storing it in your local computer.

You can also use an external hard disk to do this.

If you are worried about the space, only retain up to 5 websites backups at a time and delete all the previous backups.

You can use any of these plugins to create and download a complete backup of your website:

Why should you download the backup if your server creates backups?
Servers are basically computers working in a network. No matter how secure the network, there’s always the chance of cyberattacks, data removal, and data corruption.

So, having an off-site local backup will save your website all the progress in the worst-case scenario.

Disable Directory Browsing

Here’s a list of some of the more known WordPress directories:

  • /wp-content/
  • /wp-content/plugins/
  • /wp-content/themes/
  • /wp-content/uploads/

Not just these, if you don’t disable directory browsing, people can go through your plugins and themes without any problems.

Most web hosting providers and servers these days don’t allow directory browsing right out of the box, but in some cases, if you aren’t sure if your web hosting provider does that, add the following codes in your .htaccess file.

Options -Indexes

That’s it.

No more directory browsing.

Download Themes From a Reputable Source/Marketplace

themeforest - WordPress security

Experienced WordPress users are aware of the risk associated with downloading/purchasing themes and plugins from shady websites and marketplaces.

But, some new WordPress users find themselves struggling with this.

They don’t know where to purchase their themes from and end up spending money on some outdated product that’s no longer supported by the developers.

And, outdated themes and plugins will put a target on your website.

So, only spend money on the most reputed theme sellers.

Here’s a list of the most reliable and popular theme marketplaces:

  • Themeforest
  • Elegantthemes
  • Astra
  • GeneratePress

I don’t trust themes available on Template Monster and other similar portals as their sellers usually abandon themes and plugins after a few years.

Some themes on Themeforest have been around for over 8 years now.

That’s a solid track record of reliability.

Never Use Nulled/Hacked Themes or Plugins

What’s a nulled WordPress theme or Plugin?

Nulled is basically a hacked theme that doesn’t require a license to function properly.

Most premium themes in the market come with a premium license that you have to install in order to receive future updates, install demo templates and get customer support.

So, you can’t download these themes for free.

But, some websites offer “nulled” themes and plugins.

These are the premium themes and plugins that are available for free.

You don’t know what’s hidden inside the theme or the plugin but people download it because it’s a premium product that they can get for free.

There’s isn’t a single experienced WordPress user or a developer who will advocate in favor of using a nulled WordPress theme.

Here’s why:

  • Most of these nulled themes and plugins are infected with malicious codes and redirect scripts. If you’re naïve enough to install a nulled theme/plugin, you wouldn’t be able to find any such hidden codes.
  • You are stealing from the developers who’ve worked day and night to bring a good product to the market.
  • You don’t receive any future updates with these nulled items. Which means that sooner or later you will need to purchase a premium license.

So, just stay away from these products.

If you want the premium products, spend some money.

You can get most premium themes for the price of couple of pizzas.

Scan Your Website Regularly For Malware

scan WordPress website- WordPress security

The only problem with an open-source software is the fact that you will have to regular scan your website to see if everything is working as it’s supposed to.

Themes and plugins are the two culprits when it comes to WordPress optimization and security.

And, there’s only one way to keep yourself safe from future troubles; Regular Website Scans.

You can either use a WordPress plugin or rely on an external security scanner service to get this done.

I prefer HackerTarget’s specialized WordPress scanner to detect issues on my websites.

If your website has any security issue(s), it will recommend the steps that you can follow to mitigate the situation.

I don’t recommend any WordPress plugins for this job as all of them have a pay gate and can’t detect issues if it affects your domain and DNS.

Enable Server-Level DDoS and Brute-force protection

DDoS: Distributed Denial of Service.

Sending an exceptionally large amount of traffic/data to an IP address at a time to take down the server. When your server receives too many requests, it will slow down and when it fails to handle that many requests, it crashes.

Brute-force: Trying various combinations of usernames and passwords to get access to your admin panel.

How do you stop it?

DDoS can be stopped at the server level by installing a decent firewall that can differentiate between a real user and a bot or a suspicious user.

You can use free-to-use firewall system offered by Cloudflare to achieve this.

But, if you disable XML-RPC and WordPress REST API, you should be safe. But, I strongly recommend Cloudflare’s Firewall or any CDN that offers a firewall.

If you want to stop Brute-force attacks, the best option is to hide your admin panel and use strong username and password combination.

Here’s what I recommend:

  • Use random alphanumeric strings for your username and password.
  • Choose a lengthy password generated by a password generator.
  • Never type your password. Instead, use a password manager to insert password for you.
  • Limit your login attempts to 3 and lock the IP address out after that.
  • Allow login attempts from only a few selected IP addresses.

And, you’ll have no problem with Brute-force attacks.

Remove Default Admin Username (Username: Admin, User ID: 1)

The most common username is WordPress is “admin” with user ID: 1.

Unfortunately, admin is also the most powerful user role in WordPress (by default).

If not changed, you make it easy for the attackers as they no longer have to guess the username of your website.

All they have to do is guess the password.

If you haven’t really changed the default admin username, chances are that might be using a easy-to-guess password.

So, add a new user, give it admin right and login using the new user ID and delete the “admin” username from your Website.

Create a complex username with numbers, alphabets, and special characters

You might have heard of experts advising to use complex passwords with a mix of numbers, alphabets, and special characters but this rule should also apply to the admin usernames in WordPress.

Create a username that’s hard to guess.

I use a mix of numbers and random alphabets that even I can’t remember.

Since I use password manager, I don’t have to remember the login URL, Usernames and Passwords.

Only use Admin ID to modify, optimize, moderate, migrate or conduct maintenance on your website

Admin account is the most powerful account on your WordPress website. You can pretty much reset your entire site with such account privilege.

So, you shouldn’t use this account to post articles and moderate content on your website.

You should only use Admin ID to manage your WordPress website.

All the posts, pages, and every piece of content that appears on the front-end of the website should actually be uploaded/updated using an “Author/Editor” account.


Author accounts limit you to only the content that’s published by you. So, if the account is compromised, you don’t have to worry about your entire website going down.

You can use your Admin ID to disable/delete that particular user account and create a new author account with fresh login information.

Furthermore, author username is visible in the front-end of the website. So, most people will be able to get the username of your account within a few seconds.

If they manage to guess your passwords, they will have access to all the settings inside the admin dashboard.

So, create an author account even if you are the only user running your WordPress blog or website.

Disable File Editing Inside WordPress Admin

Did you know that you can edit plugin files and theme files, and you can also take down your entire website if you misplace a “;” inside your functions.php file.

To avoid any such blackouts for your front-end users, make sure to disable file editing from admin dashboard of your website.

Here’s a complete and in-depth article on how to disable file editing in WordPress admin area.

Use Strong Passwords created by a strong password generator

If you aren’t already, start using very strong password for your WordPress website and hosting accounts.

To generate a strong password, head over to PasswordGenerator.net and generate your password.

Also, make sure to only use unique password for each website and services.

Change Password Weekly

Having a bulletproof password will help you solve a lot of password leaking issues but if you want to kick it up a notch, make a habit of changing passwords weekly.

You can use the same password generator to create your new passwords as well.

You will not be able to remember all these secure passwords. So, start using a password manager.

I strongly recommend Bitwarden password manager.

It is 100% free and offers all the features that you’d find on a typical password manager.

Disable REST API

Did you know you can use WordPress as a Content Management System that throws a bunch of information that you can retrieve via an API, and use this data on any other website or custom application?

WordPress REST API does exactly that.

With REST API, you can get REST links to posts, pages, taxonomies and other WordPress data types.

 Learn More About WordPress Rest APIs Here 

Most WordPress users don’t actually need this function.

So, it is safe to disable it completely.

Thankfully, you can do that easily by using the “Disable REST API” plugin.

Remove WordPress Generated Tags

WordPress and WordPress plugins that you install generate a lot of tags such as:

  • WordPress version
  • Plugin information

WordPress releases bug reports on the public domain whenever they release a new security update or an upgrade. So, anybody can read this bug report and learn about the loopholes.

Let’s say that you forgot to update the WordPress core or plugins.

Attackers will use the information shared in those bug reports to attack your website as it is still running the vulnerable version.

To avoid this, you can easily disable the WordPress generate tags using Asset CleanUp plugin.

Update WordPress Core, plugins and themes when the updates are available

A no-brainer, yet most users don’t take it seriously.

Updating the WordPress core, plugins and themes is the bare-minimum that you can do to keep your website safe.


Well, old plugins, themes and WordPress core are very vulnerable.

Plus, WordPress releases bug reports disclosing all the loopholes and vulnerabilities in a specific version of the core and other assets.

Not to mention, older version of WordPress, themes and plugins are relatively slower.

So, update the core whenever the new update it released.

Don’t share your login details online & create a dummy user account for developers and helpers

Want to get your website customized a bit and have hired a freelancer?

Now, you need to share the login information.

Don’t share you admin login details right away.

Create a complete backup of your website and create a dummy admin account for your developer.

You can also create a staging website for your developer to conduct the customization.

When the customization is completed, you an push from staging to production easily.

Don’t use the same password on any other website, application, or on your web hosting account

Yes, using the same password for multiple websites will put all the websites and other online accounts at risk.

If someone manages to get a hold of your password that you’ve used on a single website, they will most probably use the same password to get access to all the other online accounts.

If you use unique login details for each website, you will only end up losing one account if your login details are leaked.

It’s that simple.

Conclusion: WordPress Security Checklist

Making a WordPress website secure is not that hard or complicated, but it take a few hours and you will have to be very careful.

Make sure to create a full backup of your website and avoid heavy security plugins on a shared hosting plan.

I will keep on adding new steps to this list and help you take the security of your WordPress website further.