WordPress Security Checklist: 12 things to do to secure your website

Back to Blog


When talking about WordPress security, many things can be done to secure your website and prevent hackers and vulnerabilities from affecting your online presence.

WordPress is one of the most popular platforms for self-hosted blogs and websites and powers over 29% of all websites on the web. Even WhiteHouse.gov is using WordPress platform. So because of its popularity, it may fall victim to attacks by hackers.

With the various themes and plugins that exist out there, it is not a surprise that vulnerabilities exist and are continually affecting websites.

The last thing that you want to happen is to find out one day that your website got hacked. In our efforts to help you prevent this from happening, we will be sharing multiple tips and techniques you can use to secure your WordPress website and stay protected.

Before discovering ways to make your WordPress website more secure, it is essential for you to understand why does WordPress websites get hacked (different types of WordPress security vulnerabilities).

WordPress Security Checklist 2018

This post may be a subject of updates with relevant information, having in mind the fact that things are always changing when it comes to WordPress platform and new vulnerabilities arise every day.

1. Invest in Rock-solid WordPress Hosting

Every web host out there should take security very seriously. The reason why it is essential that you choose a web host you can rely on for your business.

Here at ChemiCloud, we use cloud infrastructure for all of our WordPress Hosting customers to keep their data safe. By distributing data across redundant servers, the information hosted in the cloud is always protected against hardware failure.

In addition to this, our servers run on CloudLinux OS which allows us to use a virtualized file system for each account and completely isolating it. A significant advantage of it is that it if one user account becomes compromised, the malware infection does not spread to the other accounts hosted on the same server. This way we are adding an extra layer of protection compared to our competitors.

2. Always Keep WordPress version and Plugins up to date

You should always keep your WordPress version up to date as well as all of your plugins and themes. These are the #1 attack vector being exploited by cybercriminals.

Each update not only brings with it new features but more importantly, bug fixes and security fixes. These help your site remain safe against easy-to-exploit vulnerabilities.

Unfortunately, WordPress stats show us that over 76% of WordPress installations are not up to date:

WordPress security

Plugins play a significant role in making WordPress as accessible as it is today. As of this writing, there are 53,342 plugins available for download in the official WordPress plugin directory. That is an incredible selection of plug and play software. However, you obviously need to be careful with them. A WordFence study reported that plugin vulnerabilities represented 55.9% of the known entry points for hackers.

When you are searching for a plugin, pay attention to the “Last Updated” date and how many ratings a plugin has.

Be wise when it comes to plugins. Look at the “Last Updated” date and how many ratings a plugin has. It is strongly recommended to stay away from outdated plugins and the ones that have bad ratings.

WordPress security

How to Update WordPress version

To update your WordPress install to the latest version, click on “Updates” in your WordPress dashboard and click on the “Update Now” button.

WordPress security

If you decide to update WordPress manually, you will need to download the latest version and uploading it via FTP. For help with manual updates, visit the Updating WordPress Codex page.

WordPress core auto updates

If you want the WordPress auto updates to handle major core updates too, you will have to add a single configuration line. To manually enable automatic updates for WordPress you just need to add the following line of code in your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

How to Update WordPress Plugins

To update your plugins to the latest version, click on “Updates” in your WordPress admin panel, select the plugins you want to update, and click on “Update Plugins.”

WordPress Plugins Updates

WordPress Plugins auto updates

If you want the plugins to be automatically updated when a new version is released, just add the following line in your wp-config.php file:

add_filter( 'auto_update_plugin', '__return_true' );

3. Use Smart Usernames and Strong Passwords

Be wise when it comes to your username and password for your WordPress dashboard. Avoid using a username as “admin” and always choose a complex password. Don’t use “admin” as your username but instead use a unique WordPress username for the administrator that is not related to your domain name.

Make sure to choose a complex password. Google has some great tips on how you can choose a secure password. Alternatively, you can use an online tool like LastPass Password Generator.
If you are managing multiple WordPress sites, it is prudent to use different passwords. The best way is to use an online password manager such as LastPass, which offers a free subscription.

If you want to store your passwords locally, on your computer, then you can use a free tool such as KeePass.

4. Use Two-Factor Authentication

Take advantage of Two-Factor Authentication to completely secure your WordPress login. Two-Factor Authentication involves a second step to the login process. It is a text (SMS), or time-based one-time password (TOTP) required to login.It is a 100% effective way to prevent brute force attacks on your WordPress admin panel.

We prefer using the free Google Authenticator plugin as you can use it for an unlimited amount of users. Just install the plugin and click on a user account. You can then set up two-factor authentication by creating a new secret key or by only scanning the QR code. Then make sure to mark it “Active.”

Google Authenticator Plugin Settings

With Google’s 2-Step Verification enabled, on your login page, you will be asked to enter a six-digit code after you provide your username and password.

WordPress Login
If you do not provide this six-digit number, you will not be able to log in, even if you have the correct username and password.

5. Lock Down your WordPress Login URL

If you want to make it even harder for hackers to find certain backdoors, then you are less probable to be the target of an attack. Locking down your WordPress admin URL and login is a right way to increase your login security.

The default WordPress site’s login URL is domain.com/wp-admin. One of the problems with this is that all of the bad bots, hackers, and scripts out there also know this. By changing the URL for your WordPress admin panel, you can make yourself less of a target and better protect your site against brute force attacks.

How to Change Your WordPress Login URL

To change your WordPress login URL, we recommend using a free plugin called WPS Hide login.

This plugin lets you quickly and safely change the URL of the login form page to anything you want. It renames or changes files in the core, nor does it add rewrite rules. It merely intercepts page requests and works on any WordPress website. This way, the wp-admin directory and wp-login.php page become inaccessible.

Once installed, go to General Settings of your WordPress dashboard and just set your admin panel URL.

Deactivating this plugin brings your site back precisely to the state it was before.

6. Hardening your wp-config.php file

The wp-config.php stores all the necessary details for an intruder to gain access to your site’s database. It is one of the most important files in your entire WordPress install.

How to deny access to wp-config.php

You can prevent the file from being accessed by adding the following code to your .htaccess file.

<Files wp-config.php>
order allow,deny
deny from all

Anyone that tries to access your site’s wp-config.php will receive a 403 Forbidden error.

7. Disable directory listing

By default, when your web server does not find an index file (index.php or index.html), it automatically displays an index page showing the files and folders in that web directory.

This could make your site vulnerable to attacks by revealing the critical information needed by hackers to take advantage of a vulnerability in a WordPress plugin, theme, or your server in general.

How to disable directory browsing in WordPress

Just add the following line in the site’s .htaccess file located in the root directory of your website.

Options -Indexes

If you are a ChemiCloud customer, we have you covered. By default, the directory listing is disabled on our servers.

8. Disable PHP Execution in WordPress Directories

Most of the times, hacked WordPress sites usually have backdoor files. These backdoor files are often disguised as core WordPress files and are placed in /wp-includes/ or /wp-content/uploads/ folders.

An easier way to improve your WordPress security is by disabling PHP execution for some WordPress directories.

Create a blank .htaccess file and paste this code inside it:

<Files *.php>
deny from all

Then upload this file to /wp-content/uploads/ and /wp-includes/ directories.

9. Use HTTPS for Encrypted Connections (SSL Certificate)

HTTPS for Encrypted Connections

One of the most neglected ways to harden your WordPress website is to install an SSL certificate and run your site’s URL’s over HTTPS.

HyperText Transfer Protocol Secure (or “HTTPS” ) is the internet standard for secure communication between your browser and any web server.

HTTPS is encrypting the communication end-to-end: only your computer and the web server can see what data gets transmitted.

What are the benefits of HTTPS?

  • Your data is encrypted and secure. No plain text is ever passed. This is an essential aspect of e-commerce transactions but also for even logging into your website.
  • Google has officially said that HTTPS is a ranking factor.
  • The green padlock bar helps build trust and credibility for your visitors.
  • Avoid the Chrome warning that was introduced in January 2017 which is going to mark HTTP pages that collect sensitive information as non-secure.

Many hosts, including ChemiCloud, offer free SSL certificates with Let’s Encrypt.

10. Prevent Hotlinking

Hotlink Protection will prevent other websites from directly linking to files on your website. An example of hotlinking would be using a <img> tag to display an image from your site on some other site on the internet. This will result in the other site stealing your bandwidth.

How to prevent Hotlinking

To prevent hotlinking simply insert the following code into your .htaccess file:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?domain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

Alternatively, you can use this online tool in order to create a .htaccess file for hotlink protection of your images and pictures.

11. Perform regular backups

Backing up your site is about creating a copy of all the site’s data, and storing it somewhere safe. That way, you can restore the site from that backup copy in case anything bad happens.

Most hosting providers now provide backups. ChemiCloud has free automated backups, that are stored offsite, allowing to be quickly restored so that you can rest easy knowing your data is safe!

WordPress security


WordPress Backup Plugins

If your host doesn’t have backups there are some popular WordPress backup services and plugins which you can use to automate the backup task.

  • Duplicator
  • WP Time Capsule
  • BackupBuddy
  • UpdraftPlus
  • BackUpWordPress
  • BackWPup
  • WP BackItUp

12. Hide Your WordPress Version

Another good practice is to hide your WordPress install version. Anyone that checks the source code of your site can easily reveal what version of WordPress you are running and if you aren’t good at staying up with the latest updates this can be a welcome sign for intruders.

WPBeginner has a great code snippet you can use to remove the WordPress version. Simply add the following code to your functions.php file.

function wpversion_remove_version() {
return '';
add_filter('the_generator', 'wpversion_remove_version');

Please note that editing the source code of WordPress functions.php file could break your site if it is not done correctly. If you are not feeling comfortable doing this, please check with your web developer first.


As you can see there are various ways you can improve your WordPress security, so it is important to take into serious the security of your site and find some time and implement some of the security best practices mentioned above, sooner rather than later.

If you know any other WordPress security tips that may help, please feel free to let us know in the comments area.

self hosted wordpress

You may be also interested in reading the article How to move WordPress.com website to a self-hosted WordPress

Leave a Reply

Your email address will not be published. Required fields are marked *