Best practices for your WordPress Website

Absolute security doesn’t exist. Practical security does. Start with this checklist to close the doors attackers try first.

Backup & Recovery Planning

Be able to bounce back fast.
Tasks for Backup & Recovery Planning
Always back up before big changes
Automate off-site backups of files and database
Keep multiple backup versions (daily/weekly/monthly)
Test restore regularly
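The four backup tasks above as one script, added here as an example (it is not code from the original checklist). It assumes a Linux or macOS host with tar and sha256sum or shasum; the database dump lives in its own function, dump_db, which defaults to mysqldump and can be replaced (the hypothetical DB_NAME variable is the only thing it reads). Retention keeps the newest N daily archives, one archive per 7-day bucket for M buckets and one per calendar month for K months, then deletes the rest:

```shell
#!/usr/bin/env bash
# Added example (not from the original page): file + DB backup with checksum, test restore,
# and daily/weekly/monthly retention. Assumes tar plus sha256sum (Linux) or shasum (macOS).
set -eu

sha256() {  # sha256sum on Linux, shasum on macOS; both accept -c for verification
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

dump_db() {  # default: consistent InnoDB dump; redefine this function to use another source
  mysqldump --single-transaction --quick --routines "${DB_NAME:?set DB_NAME}"
}

make_backup() {  # make_backup SITE_DIR DEST_DIR -> prints the archive path
  site=$1; dest=$2
  work=$(mktemp -d)
  out="$dest/wp-$(date -u +%Y%m%dT%H%M%SZ).tar.gz"
  mkdir -p "$dest"
  dump_db > "$work/db.sql"
  # one archive holds the dump and the whole site tree (wp-config.php included)
  tar -czf "$out" -C "$work" db.sql -C "$(dirname "$site")" "$(basename "$site")"
  (cd "$dest" && sha256 "$(basename "$out")" > "$(basename "$out").sha256")
  rm -rf "$work"
  printf '%s\n' "$out"
}

verify_backup() {  # verify_backup ARCHIVE -> 0 only if the checksum matches and a trial restore works
  archive=$1; dir=$(dirname "$archive"); name=$(basename "$archive")
  (cd "$dir" && sha256 -c "$name.sha256" >/dev/null 2>&1) || { echo "checksum mismatch: $name"; return 1; }
  tmp=$(mktemp -d)
  tar -xzf "$archive" -C "$tmp" 2>/dev/null || { rm -rf "$tmp"; echo "extract failed: $name"; return 1; }
  ok=0
  [ -s "$tmp/db.sql" ] && grep -q 'CREATE TABLE' "$tmp/db.sql" && \
    [ -n "$(find "$tmp" -name wp-config.php)" ] && ok=1
  rm -rf "$tmp"
  [ "$ok" -eq 1 ]
}

days_from_civil() {  # days_from_civil Y M D -> days since 1970-01-01 (proleptic Gregorian)
  y=$1; m=$2; d=$3
  [ "$m" -le 2 ] && y=$((y - 1))
  era=$((y / 400)); yoe=$((y - era * 400)); mp=$(((m + 9) % 12))
  doy=$(((153 * mp + 2) / 5 + d - 1)); doe=$((yoe * 365 + yoe / 4 - yoe / 100 + doy))
  echo $((era * 146097 + doe - 719468))
}

prune_backups() {  # prune_backups DEST KEEP_DAILY KEEP_WEEKLY KEEP_MONTHLY -> prints deleted archives
  dest=$1; kd=$2; kw=$3; km=$4
  nd=0; nw=0; nm=0; weeks=" "; months=" "
  for name in $(ls "$dest" | grep '^wp-[0-9]\{8\}T[0-9]\{6\}Z\.tar\.gz$' | sort -r); do  # newest first
    d=${name#wp-}; d=${d%%T*}                                   # YYYYMMDD from the file name
    y=${d%????}; m=${d#????}; m=${m%??}; day=${d#??????}
    w=$(( $(days_from_civil "$y" "${m#0}" "${day#0}") / 7 )); mo=${d%??}
    keep=0
    if [ "$nd" -lt "$kd" ]; then keep=1; nd=$((nd + 1)); fi
    case "$weeks" in *" $w "*) ;; *)
      if [ "$nw" -lt "$kw" ]; then keep=1; nw=$((nw + 1)); weeks="$weeks$w "; fi ;; esac
    case "$months" in *" $mo "*) ;; *)
      if [ "$nm" -lt "$km" ]; then keep=1; nm=$((nm + 1)); months="$months$mo "; fi ;; esac
    if [ "$keep" -eq 0 ]; then rm -f "$dest/$name" "$dest/$name.sha256"; printf '%s\n' "$name"; fi
  done
}
```

A cron entry that runs make_backup, then verify_backup on the result, then prune_backups, and copies the surviving archives off-site (rsync or an object-store CLI) covers every task in this section; the verify step is what turns "we have backups" into "we can restore", because it fails loudly on a truncated archive or an empty dump.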

Content Security & Privacy

Keep inputs clean and users protected.
Tasks for Content Security & Privacy
Publish a clear privacy policy and collect consent where required
Restrict allowed upload types and verify MIME types from file contents, not just the extension
Use CAPTCHA on public forms and an anti-spam plugin
Validate and sanitize all form inputs server-side (client-side checks are a convenience, not a control)

Core WordPress Security

Lock down the basics so attacks have fewer ways in.
Tasks for Core WordPress Security
Disable file editing in admin (DISALLOW_FILE_EDIT)
Force HTTPS for admin and website visitors
Keep WordPress core up to date
Rotate auth keys & salts on a schedule or after incidents (this invalidates every existing login cookie)
Secure wp-config.php (restrict access; permissions ~600, readable by the PHP user only)
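Three of the tasks above live in wp-config.php, so here is a script that applies them in place, added as an example (not code from the original checklist or from WordPress). It assumes the stock file layout: define() lines for the eight keys and salts, and either the "stop editing" comment or the wp-settings.php require, which is where any missing constant is inserted so that it is defined before WordPress loads. Secrets are 64 hex characters from /dev/urandom (256 bits); the check function is what you would run from a cron job or CI:

```shell
#!/usr/bin/env bash
# Added example (not from the original page): harden an existing wp-config.php in place.
# Assumes the usual layout (define() lines for keys/salts, a "stop editing" marker or the
# wp-settings.php require). Values are written as PHP literals, so quote strings.
set -eu

WP_SECRETS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

gen_secret() {  # 64 hex chars (256 bits) from the kernel CSPRNG; hex needs no escaping in PHP or awk
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

set_define() {  # set_define FILE NAME PHP_VALUE: replace the constant's define(), or insert it before wp-settings.php loads
  file=$1; name=$2; value=$3
  if grep -q "define.*'${name}'" "$file"; then mode=replace; else mode=insert; fi
  awk -v n="$name" -v v="$value" -v q="'" -v mode="$mode" '
    BEGIN { pat = "define\\([[:space:]]*" q n q "[[:space:]]*,"; line = "define( " q n q ", " v " );" }
    mode == "replace" && $0 ~ pat { print line; next }
    mode == "insert" && !done && ($0 ~ /stop editing/ || $0 ~ /wp-settings\.php/) { print line; done = 1 }
    { print }
    END { if (mode == "insert" && !done) print line }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

harden_wp_config() {  # harden_wp_config FILE: fresh salts, no in-admin file editor, TLS-only admin, mode 600
  file=$1
  for name in $WP_SECRETS; do set_define "$file" "$name" "'$(gen_secret)'"; done
  set_define "$file" DISALLOW_FILE_EDIT true
  set_define "$file" FORCE_SSL_ADMIN true
  chmod 600 "$file"
}

check_wp_config() {  # check_wp_config FILE -> 0 if hardened, otherwise prints findings and returns 1
  file=$1; rc=0
  if grep -q 'put your unique phrase here' "$file"; then echo "placeholder keys/salts still present"; rc=1; fi
  for c in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
    grep -Eq "define\([[:space:]]*'$c'[[:space:]]*,[[:space:]]*true" "$file" || { echo "$c is not true"; rc=1; }
  done
  [ -n "$(find "$file" -maxdepth 0 -perm 600)" ] || { echo "mode is not 600"; rc=1; }
  return $rc
}
```

Run harden_wp_config on a copy first if you are nervous; rotating the salts logs every user out, which is exactly what you want after an incident and mildly annoying otherwise, so schedule it with that in mind. FORCE_SSL_ADMIN only covers the dashboard and login; visitor traffic still needs a redirect at the web server or CDN.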

Database Security

Protect the data layer.
Tasks for Database Security
Grant least-privilege permissions to the database user
Remove demo and test data from production
Secure the DB connection (localhost/socket or TLS)
Use a strong, unique database user password
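Least privilege for the database user, as an added example rather than anything from the original checklist: one function emits the SQL that creates or resets the user with only the privileges WordPress needs, the other audits existing SHOW GRANTS output and flags global grants, grants on other databases, administrative privileges and GRANT OPTION. The privilege list in WP_PRIVS is an assumption that covers core, plugin and theme installs and updates (they create and alter tables); it is the part to tune for your site. The sample grants are constructed:

```shell
#!/usr/bin/env bash
# Added example (not from the original page): least-privilege grant set for the WordPress DB
# user, plus an audit of SHOW GRANTS output for excess. WP_PRIVS is an assumption to tune.
set -eu

WP_PRIVS="SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, LOCK TABLES"

least_privilege_sql() {  # least_privilege_sql DB USER HOST PASSWORD -> SQL that (re)creates USER with only WP_PRIVS
  db=$1; user=$2; host=$3; pw=$(printf '%s' "$4" | sed "s/'/''/g")   # escape quotes for the SQL literal
  cat <<EOF
CREATE USER IF NOT EXISTS '$user'@'$host' IDENTIFIED BY '$pw';
ALTER USER '$user'@'$host' IDENTIFIED BY '$pw';
REVOKE ALL PRIVILEGES, GRANT OPTION FROM '$user'@'$host';
GRANT $WP_PRIVS ON \`$db\`.* TO '$user'@'$host';
EOF
}

audit_grants() {  # audit_grants DB < show_grants_output -> prints findings; returns 1 if there are any
  awk -v db="$1" '
    /^GRANT / {
      s = $0; sub(/^GRANT /, "", s)
      split(s, a, / ON /); privs = a[1]; rest = a[2]
      split(rest, b, / TO /); target = b[1]; gsub(/`/, "", target)
      split(target, t, "."); tdb = t[1]
      if (privs == "USAGE") next                                  # USAGE grants nothing
      if (target == "*.*") { print "global grant: " privs " ON *.*"; bad++ }
      else if (tdb != db) { print "grant on another database: " target; bad++ }
      if (privs ~ /ALL PRIVILEGES|SUPER|FILE|PROCESS|SHUTDOWN|RELOAD|CREATE USER/) { print "excess privileges: " privs; bad++ }
      if ($0 ~ /WITH GRANT OPTION/) { print "GRANT OPTION set: user can re-grant to others"; bad++ }
    }
    END { exit (bad > 0) }'
}

sample_grants_weak() {  # constructed SHOW GRANTS output for an over-privileged WordPress user
  cat <<'EOF'
GRANT USAGE ON *.* TO 'wp'@'localhost'
GRANT ALL PRIVILEGES ON `wordpress`.* TO 'wp'@'localhost' WITH GRANT OPTION
GRANT SELECT ON `otherapp`.* TO 'wp'@'localhost'
EOF
}
```

Typical use: `mysql -e "SHOW GRANTS FOR 'wp'@'localhost'" | audit_grants wordpress` as a periodic check, and `least_privilege_sql wordpress wp localhost "$NEW_PASSWORD" | mysql` when rotating, followed by updating DB_PASSWORD in wp-config.php. The REVOKE before the GRANT is deliberate: it strips anything a previous installer or panel granted, so the result is the listed set and nothing else. FILE and SUPER are on the danger list because FILE lets a SQL-injection foothold read and write files on the database host.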

Emergency Response Plan

If hacked, don't panic. Act fast and methodically.
Tasks for Emergency Response Plan
Change all passwords and rotate salts (WordPress users, database, hosting, FTP/SFTP, API keys)
Put the site in maintenance or limit access while investigating
Restore from a known-clean backup if needed
Scan and clean malware (plugin plus server-side)
Update everything and fix the root cause; monitor for reinfection

Monitoring & Maintenance

Catch problems early.
Tasks for Monitoring & Maintenance
Enable uptime monitoring with alerts
Enable vulnerability alerts for plugins and themes
Review security and admin activity logs regularly
Schedule malware and integrity scans
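A scheduled integrity scan, added here as an example (not code from the original checklist): take a baseline manifest of every file under the WordPress root and diff the live tree against it, reporting added, modified and removed files. It assumes sha256sum (Linux) or shasum (macOS) and skips wp-content/cache because that churns by design. It complements `wp core verify-checksums`, which compares core files against the hashes WordPress.org publishes, by also covering plugins, themes and uploads:

```shell
#!/usr/bin/env bash
# Added example (not from the original page): file-integrity baseline and diff for a WP tree.
# Assumes sha256sum or shasum; the cache directory is excluded because it changes constantly.
set -eu

SHA256=$(command -v sha256sum 2>/dev/null || printf 'shasum -a 256')

make_manifest() {  # make_manifest WP_ROOT -> "relative/path<TAB>sha256" lines, sorted, on stdout
  (cd "$1" && find . -type f ! -path './wp-content/cache/*' -exec $SHA256 {} + \
     | awk '{ h = $1; sub(/^[0-9a-f]+ [ *]/, ""); print $0 "\t" h }' | LC_ALL=C sort)
}

check_manifest() {  # check_manifest WP_ROOT BASELINE -> prints added/modified/removed paths; returns 1 if any
  root=$1; base=$2; cur=$(mktemp); tab=$(printf '\t')
  make_manifest "$root" > "$cur"
  # full outer join on path: MISSING on the baseline side means added, on the live side removed
  changes=$(LC_ALL=C join -t "$tab" -j1 -a1 -a2 -e MISSING -o '0,1.2,2.2' "$base" "$cur" | awk -F '\t' '
      $2 == "MISSING" { print "added: " $1; next }
      $3 == "MISSING" { print "removed: " $1; next }
      $2 != $3 { print "modified: " $1 }')
  rm -f "$cur"
  [ -z "$changes" ] && return 0
  printf '%s\n' "$changes"; return 1
}
```

Store the baseline outside the web root (an attacker who can write to wp-includes can also rewrite a manifest sitting next to it), regenerate it right after each deliberate update, and alert on any non-empty diff from the nightly run. A new .php file under uploads or a modified core file in wp-includes is a high-confidence signal and is exactly what a plugin-only scanner can miss when the plugin itself has been tampered with.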

Operational Hardening

Reduce human error on live sites.
Tasks for Operational Hardening
Avoid direct editing on production; use a deploy process
Protect staging (HTTP auth, no indexing, separate credentials)
Store secrets outside code (env vars or a secure vault)

Server & Hosting Security

Stop most attacks before they reach WordPress.
Tasks for Server & Hosting Security
Deny PHP execution in wp-content/uploads
Run the latest supported PHP version
Set correct file permissions (dirs ~750, files ~640) and disable directory listing
Use a WAF/CDN and rate-limit /wp-login.php (throttle or block xmlrpc.php if unused)
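The permission scheme and the uploads rule from this section, applied and then audited, as an added example (not code from the original checklist). It assumes the 750/640/600 scheme from the task list, Apache 2.4 with AllowOverride enabled so the .htaccess is honoured, and a web-server user that only needs write access to wp-content (grant that separately if the dashboard must update files). On nginx the equivalent is a location block returning 403 for `~* ^/wp-content/uploads/.*\.php$`, placed before the PHP handler location; the script does not write that. The planted webshell in the test is constructed:

```shell
#!/usr/bin/env bash
# Added example (not from the original page): apply dirs 750 / files 640 / wp-config.php 600,
# deny script execution in uploads, and audit the tree. Apache .htaccess syntax is assumed.
set -eu

harden_permissions() {  # harden_permissions WP_ROOT: dirs 750, files 640, wp-config.php 600
  root=$1
  find "$root" -type d -exec chmod 750 {} +
  find "$root" -type f -exec chmod 640 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

deny_php_in_uploads() {  # deny_php_in_uploads WP_ROOT: Apache 2.4 rule (nginx: a 403 location block instead)
  up="$1/wp-content/uploads"
  mkdir -p "$up"
  cat > "$up/.htaccess" <<'EOF'
# Block direct execution of anything script-like that lands in uploads (Apache 2.4 syntax)
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
  chmod 640 "$up/.htaccess"
}

audit_site() {  # audit_site WP_ROOT -> prints findings, returns 1 if there are any
  root=$1
  findings=$(
    find "$root" -perm -002 ! -type l | sed 's/^/world-writable: /'
    # a PHP file in uploads is a finding even when execution is denied: quarantine it and find out how it got there
    find "$root/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null \
      | sed 's/^/php in uploads: /'
    find "$root" -type f ! -perm 640 ! -path "$root/wp-config.php" | sed 's/^/file mode not 640: /'
    find "$root" -type d ! -perm 750 | sed 's/^/dir mode not 750: /'
    [ -f "$root/wp-config.php" ] && [ -z "$(find "$root/wp-config.php" -perm 600)" ] && echo "wp-config.php mode not 600"
    [ -f "$root/wp-content/uploads/.htaccess" ] || echo "no .htaccess denying PHP in uploads"
  )
  [ -z "$findings" ] && return 0
  printf '%s\n' "$findings"; return 1
}
```

Run audit_site from cron and alert on a non-zero exit; the permission findings catch a plugin or a hurried admin running `chmod -R 777`, and the uploads finding catches the most common post-exploitation artefact on a WordPress host. Directory listing is disabled in the web server (Options -Indexes for Apache, autoindex off for nginx), which this script does not touch.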

Themes & Plugins Management

Reduce risk from third-party code.
Tasks for Themes & Plugins Management
Back up before major updates
Delete unused or abandoned plugins and themes
Install only from trusted sources (check reviews and update cadence)
Keep all plugins and themes updated (enable safe auto-updates)

User Management & Authentication

Make accounts hard to break into.
Tasks for User Management & Authentication
Disable public registration unless truly needed
Enable 2FA for all admins (and editors if possible)
Enforce strong, unique passwords for all users
Rate-limit login attempts
Remove default “admin” user and avoid common usernames
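Rate limiting appears twice on this page (the server section's /wp-login.php and xmlrpc.php throttle, and the login-attempt limit above). Enforcement belongs in front of PHP, in a WAF, nginx's limit_req, or a login-limiting plugin; the added example below (not code from the original checklist) is the detection side: it reads a combined-format access log as nginx and Apache write it and reports any client that POSTs to wp-login.php or xmlrpc.php more than a threshold number of times in one minute. The log lines are constructed; real logs should be read via stdin:

```shell
#!/usr/bin/env bash
# Added example (not from the original page): find login brute-force bursts in an access log.
# Assumes the combined log format (ip - - [time] "METHOD path proto" status bytes "ref" "ua").
set -eu

find_login_bursts() {  # find_login_bursts THRESHOLD < access.log -> "ip minute count" for each burst
  awk -v thr="$1" '
    # combined-format fields: 1=client ip, 4=[timestamp, 6="METHOD, 7=path
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
      n[$1 " " substr($4, 2, 17)]++                 # bucket key: "ip dd/Mon/yyyy:hh:mm"
    }
    END { for (k in n) if (n[k] >= thr) print k, n[k] }'
}

sample_access_log() {  # constructed log: a password sprayer, an xmlrpc abuser, and one normal login
  i=1
  while [ "$i" -le 12 ]; do
    printf '203.0.113.5 - - [10/Mar/2024:12:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "python-requests/2.31"\n' "$i"
    i=$((i + 1))
  done
  i=1
  while [ "$i" -le 6 ]; do
    printf '203.0.113.9 - - [10/Mar/2024:12:03:%02d +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"\n' "$((i * 5))"
    i=$((i + 1))
  done
  printf '198.51.100.7 - - [10/Mar/2024:12:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2001 "-" "Mozilla/5.0"\n'
  printf '198.51.100.7 - - [10/Mar/2024:12:00:41 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
  printf '198.51.100.7 - - [10/Mar/2024:12:00:55 +0000] "GET /wp-admin/ HTTP/1.1" 200 9001 "-" "Mozilla/5.0"\n'
}
```

Feed a real log with something like `find_login_bursts 10 < /var/log/nginx/access.log` and pipe the IPs into your firewall or WAF blocklist; if the limiter in front of PHP is working, this should come back empty, because throttled requests never reach the log as successful 200s in volume. xmlrpc.php counts because its system.multicall method lets one request carry hundreds of login attempts, which is why the server section says to block it when unused.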