A short WordPress security checklist


Looking for an easy checklist on how to harden the security of your WordPress site without bloated plugins? Look no further. Here is a short list without the extra fluff, based on my own experience. I use it myself when helping clients. The aim is to make your installation more secure than your neighbor's. ;-)

Basics


  • WordPress updated to the latest version.

  • Plugins updated to the latest version.

  • Deactivate and delete unused plugins. Don’t just leave them deactivated.

  • Always use strong passwords. Absolutely not one of these.

  • Have a clean installation: don’t leave phpMyAdmin installed (and don’t try to hide it by leaving the version in the directory name, like “phpMyAdmin-4.6.4-all-languages”). Also, don’t leave any SQL files lying around on the server.

Next level


  • If you don’t use file editing, disable it. Add define('DISALLOW_FILE_EDIT', true); to your theme’s functions.php.

  • Make sure directory listing is off. If you are using Apache, add Options All -Indexes to your .htaccess.

  • Depending on your hosting, PHP error reporting can sometimes be on, which exposes paths and other details to visitors. Add this to your wp-config.php:

    // Keep logging all errors, but never print them to the page.
    ini_set('log_errors', 'On');
    ini_set('display_errors', 'Off');
    ini_set('error_reporting', E_ALL);


  • Install the Limit Login Attempts plugin.

  • Create a user with administrator privileges and delete user “admin”.

  • Disable comments: use a plugin or delete the contents of comments.php in your theme. I am sorry, but if you don’t have a lot of friends, only spam bots will post here.

  • Subscribe to a newsletter like Wordfence’s and skim through it.

  • Register a free account on UptimeRobot to check that the site is up. Tip: Don’t just monitor the front page of the site; try some page deeper in the hierarchy, or set up a monitor for a specific keyword on the front page.
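As an added example that is not part of the original checklist, the script below audits a WordPress document root for the file-level items above (leftover phpMyAdmin directories, stray SQL dumps, DISALLOW_FILE_EDIT, display_errors and directory listing) and shows the audit coming back clean after the fixes are applied. The file paths and the sample install tree are assumptions constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original checklist): audit a WordPress document
# root against the file-level items above. Paths are assumptions; the tree built
# by make_sample_root is constructed for the demo (paths without spaces assumed).
# Print one FINDING line per problem, then the total count on the last line.
audit_wp_root() {
  root="$1"; n=0; cfg="$root/wp-config.php"
  for d in "$root"/phpMyAdmin*; do              # leftover phpMyAdmin, renamed or not
    if [ -d "$d" ]; then echo "FINDING: phpMyAdmin copy: $d"; n=$((n+1)); fi
  done
  for f in $(find "$root" -type f \( -name '*.sql' -o -name '*.sql.gz' \)); do
    echo "FINDING: SQL dump on the server: $f"; n=$((n+1))
  done
  if ! grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" "$cfg" 2>/dev/null; then
    echo "FINDING: DISALLOW_FILE_EDIT not defined in wp-config.php"; n=$((n+1))
  fi
  if ! grep -Eq "ini_set\([[:space:]]*'display_errors'[[:space:]]*,[[:space:]]*'Off'" "$cfg" 2>/dev/null; then
    echo "FINDING: display_errors not forced Off in wp-config.php"; n=$((n+1))
  fi
  if ! grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$root/.htaccess" 2>/dev/null; then
    echo "FINDING: directory listing not disabled in .htaccess"; n=$((n+1))
  fi
  echo "$n"
}

# Build a constructed, deliberately sloppy install in a temp dir; echo its path.
make_sample_root() {
  r=$(mktemp -d)
  mkdir -p "$r/phpMyAdmin-4.6.4-all-languages" "$r/wp-content/uploads"
  echo "-- constructed dump" > "$r/wp-content/uploads/backup.sql"
  printf "<?php\nini_set('display_errors','On');\n" > "$r/wp-config.php"
  echo "Options +Indexes" > "$r/.htaccess"
  echo "$r"
}

# Apply the checklist fixes to a root so the audit comes back clean.
harden_root() {
  r="$1"
  rm -rf "$r"/phpMyAdmin*
  find "$r" -type f \( -name '*.sql' -o -name '*.sql.gz' \) -delete
  printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\nini_set('display_errors','Off');\n" > "$r/wp-config.php"
  echo "Options All -Indexes" > "$r/.htaccess"
}

root=$(make_sample_root)
audit_wp_root "$root"               # 5 findings on the sloppy tree
harden_root "$root"
audit_wp_root "$root" | tail -n 1   # 0 after the fixes
rm -rf "$root"
```

Run it against a real document root with audit_wp_root /path/to/wordpress; a non-zero last line means at least one item on the list above still needs attention.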

Bonus points


Further reading

