
The Complete WordPress Security Hardening Checklist for 2026 (25 Steps, Verified)

In 2025, 11,334 new WordPress vulnerabilities were discovered — a 42% increase — and attackers exploit critical flaws within 5 hours of disclosure. A hardened WordPress site layers 25 independent controls so when one fails, the others hold. Use wp-scan.org as your before-and-after verification tool.

Rajan Gupta
June 12, 2026

Before You Start: Run a Baseline Scan

Security without measurement is guesswork. Before working through this checklist, run a baseline scan at wp-scan.org/malware-check and save the results. After completing the checklist, you'll run it again to compare and verify every step worked. The scan checks 6 categories: malware, blacklists, security headers, XML-RPC exposure, user enumeration, and plugin/theme CVEs. Think of your starting score as a before photo.

---

Section 1: Software Updates (Items 1–5)

The single highest-impact security action is keeping software current. With a 5-hour exploitation window after disclosure, delays are measured in risk.

✅ 1. WordPress Core Updated

Go to Dashboard → Updates. If an update is available, apply it now.

```php
// Enable automatic minor (security) updates via wp-config.php:
define('WP_AUTO_UPDATE_CORE', 'minor');
```

✅ 2. Every Plugin Updated

Zero exceptions. Outdated plugins account for 91% of all WordPress vulnerabilities.
```php
// Enable automatic plugin updates (functions.php or a must-use plugin):
add_filter('auto_update_plugin', '__return_true');
```

✅ 3. Every Theme Updated

Including themes you're not actively using. If you're not using a theme, delete it — it's attack surface.

✅ 4. PHP 8.1 or Higher

PHP 7.x is end of life and actively exploited. Check your PHP version in Tools → Site Health or your hosting control panel. Ask your host to upgrade if needed.

✅ 5. Remove Unused Plugins and Themes

Deactivated plugins still exist as files. Files can be directly requested by an attacker even if the plugin is "off." Delete anything you don't actively use.

---

Section 2: Authentication (Items 6–10)

✅ 6. Two-Factor Authentication on All Admin Accounts

Enable 2FA with WP 2FA (free plugin). Even a compromised admin password is useless without the second factor. Verify: Try logging in — you should be prompted for a TOTP code after your password.

✅ 7. Strong Unique Passwords

All admin accounts should use unique, randomly-generated passwords (16+ characters). Use a password manager. The WordPress password generator (User Edit → Generate Password) creates suitable passwords.

✅ 8. Disable XML-RPC

```apache
# .htaccess — blocks at server level (the <Files> wrapper scopes the rule to xmlrpc.php
# only; without it the deny would apply to the whole site):
<Files xmlrpc.php>
    # Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
    Order Deny,Allow
    Deny from all
</Files>
```

Verify: wp-scan.org/malware-check checks XML-RPC status.

✅ 9. Limit Login Attempts

Install Limit Login Attempts Reloaded (free) or add server-level rate limiting. Default lockout after 3 failed attempts is appropriate for most sites.

✅ 10. Block or Restrict wp-login.php

```apache
# Option A: Restrict wp-login.php to your IP(s) only:
<Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from YOUR.IP.ADDRESS.HERE
</Files>
# Option B: Add HTTP Basic Auth over wp-login.php (via cPanel)
# Many hosts offer this as a one-click option
```

---

Section 3: File and Database Security (Items 11–15)

✅ 11. Correct File Permissions

```bash
# Via SSH:
find /path/to/wordpress/ -type f -exec chmod 644 {} \;
find /path/to/wordpress/ -type d -exec chmod 755 {} \;
chmod 440 /path/to/wordpress/wp-config.php
```

✅ 12. Harden wp-config.php

```php
// Disable file editing from the WordPress admin dashboard:
define('DISALLOW_FILE_EDIT', true);
// Force HTTPS for all admin sessions:
define('FORCE_SSL_ADMIN', true);
// Regenerate keys at: https://api.wordpress.org/secret-key/1.1/salt/
define('AUTH_KEY', 'REPLACE_WITH_NEW_KEY');
define('SECURE_AUTH_KEY', 'REPLACE_WITH_NEW_KEY');
// ... (8 defines total)
```

✅ 13. Block PHP Execution in Uploads

```apache
# Create /wp-content/uploads/.htaccess with (the FilesMatch wrapper limits the deny to
# PHP files; without it every upload, images included, would stop being served):
<FilesMatch "\.(php|phtml|php[0-9])$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
```

This prevents uploaded malicious PHP files from executing, even if an attacker successfully uploads them.
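A way to audit items 11 and 13 from the shell side, as an added example (not the article's own code): it walks a WordPress tree, reports any path whose mode differs from 644/755/440, any PHP file that has landed under wp-content/uploads, and a missing uploads/.htaccess. The install path is an assumption.

```python
import os
import stat

# Expected modes from item 11; wp-config.php is the one file that gets 440.
FILE_MODE, DIR_MODE, CONFIG_MODE = 0o644, 0o755, 0o440
UPLOADS = "wp-content/uploads"
PHP_SUFFIXES = (".php", ".phtml", ".php5", ".php7", ".phar")


def collect(root):
    """Walk a WordPress install and yield (path relative to root, is_dir, permission bits)."""
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # symlinks carry their own mode; audit the target separately
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            yield rel, stat.S_ISDIR(st.st_mode), stat.S_IMODE(st.st_mode)


def audit(entries):
    """Return human-readable findings; an empty list means items 11 and 13 hold for this tree."""
    findings = []
    uploads_htaccess = False
    for rel, is_dir, mode in entries:
        if rel == "wp-config.php":
            expected = CONFIG_MODE
        elif is_dir:
            expected = DIR_MODE
        else:
            expected = FILE_MODE
        if mode != expected:
            findings.append(f"{rel}: mode {mode:o}, expected {expected:o}")
        if rel == UPLOADS + "/.htaccess":
            uploads_htaccess = True
        # Item 13: PHP under uploads must never execute; its mere presence is worth a look.
        if not is_dir and rel.startswith(UPLOADS + "/") and rel.lower().endswith(PHP_SUFFIXES):
            findings.append(f"{rel}: PHP file inside uploads")
    if not uploads_htaccess:
        findings.append(f"{UPLOADS}/.htaccess: missing (item 13 block not in place)")
    return findings


if __name__ == "__main__":
    for line in audit(collect("/path/to/wordpress")):  # assumed install path
        print(line)
```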

✅ 14. Change Database Table Prefix

If you're setting up a new site: change $table_prefix in wp-config.php from wp_ to something random (e.g. xk9m3_). This stops SQL injection attacks that assume the default prefix. For existing sites: use a plugin like Brozzme DB Prefix & Tables Manager to change it safely.

✅ 15. Database User Privilege Reduction

Your WordPress database user should only have: SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, INDEX, ALTER. It should NOT have SUPER, GRANT OPTION, or FILE. Adjust via your hosting control panel or phpMyAdmin.

---

Section 4: HTTP Security Headers (Items 16–19)

All four of these are checked by wp-scan.org/malware-check — it's the only way to verify they're actually being sent in HTTP responses.
```apache
# Add to .htaccess inside <IfModule mod_headers.c>:
<IfModule mod_headers.c>
    Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:;"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>
```

Note: The Content-Security-Policy above is a starting point — you may need to adjust it based on the external scripts your theme and plugins load.
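To confirm the headers are actually being sent, and with sane values, here is an added audit function (example code, not wp-scan.org's scanner) for items 16 to 19 plus the two extra headers the block sets. It flags a missing header, an HSTS max-age below a year, a non-nosniff value, an X-Frame-Options value other than SAMEORIGIN/DENY, a CSP without default-src, and notes 'unsafe-inline' so you remember to tighten the starting-point policy. The User-Agent string is an assumption.

```python
import urllib.request

# The four headers items 16-19 require, plus the two the .htaccess block also sets.
REQUIRED = ("strict-transport-security", "x-content-type-options",
            "x-frame-options", "content-security-policy")
RECOMMENDED = ("referrer-policy", "permissions-policy")
ONE_YEAR = 31536000


def hsts_max_age(value):
    """Parse max-age out of a Strict-Transport-Security value; 0 if absent or malformed."""
    for directive in value.split(";"):
        name, _, num = directive.strip().partition("=")
        num = num.strip().strip('"')
        if name.strip().lower() == "max-age" and num.isdigit():
            return int(num)
    return 0


def audit_headers(headers):
    """Return (failures, notes) for one response's headers; names are matched case-insensitively."""
    h = {k.lower(): v.strip() for k, v in headers.items()}
    failures, notes = [], []
    for name in REQUIRED:
        if name not in h:
            failures.append(f"missing {name}")
    for name in RECOMMENDED:
        if name not in h:
            notes.append(f"{name} not set")
    if "strict-transport-security" in h and hsts_max_age(h["strict-transport-security"]) < ONE_YEAR:
        failures.append("strict-transport-security max-age is below one year")
    if "x-content-type-options" in h and h["x-content-type-options"].lower() != "nosniff":
        failures.append("x-content-type-options is not nosniff")
    if "x-frame-options" in h and h["x-frame-options"].upper() not in ("SAMEORIGIN", "DENY"):
        failures.append("x-frame-options must be SAMEORIGIN or DENY")
    csp = h.get("content-security-policy", "").lower()
    if csp and "default-src" not in csp:
        failures.append("content-security-policy has no default-src fallback")
    if "'unsafe-inline'" in csp:
        notes.append("CSP still allows 'unsafe-inline'; tighten once theme/plugin scripts are catalogued")
    return failures, notes


def fetch_headers(url):
    """GET the URL (redirects followed) and return the final response's headers as a dict."""
    req = urllib.request.Request(url, headers={"User-Agent": "header-audit/1.0"})  # assumed UA
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())
```

Run `audit_headers(fetch_headers("https://yoursite.example/"))` on a site you administer; an empty failures list is the target state.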

✅ 16. HSTS Enabled (Strict-Transport-Security)

✅ 17. X-Content-Type-Options: nosniff

✅ 18. X-Frame-Options: SAMEORIGIN

✅ 19. Content-Security-Policy

---

Section 5: Information Exposure (Items 20–22)

✅ 20. Hide WordPress Version

```php
// functions.php:
remove_action('wp_head', 'wp_generator');
// Remove version from assets:
add_filter('style_loader_src', function($src) { return remove_query_arg('ver', $src); });
add_filter('script_loader_src', function($src) { return remove_query_arg('ver', $src); });
```

Also delete /readme.html — it contains your exact WordPress version number.

✅ 21. Block User Enumeration

```php
// functions.php:
add_filter('rest_endpoints', function($endpoints) {
    // Hide the REST user list and single-user routes from anonymous requests
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users']);
        unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
add_action('template_redirect', function() {
    // ?author=N would otherwise redirect to /author/<username>/ and leak the login name
    if (isset($_GET['author']) && !is_admin()) {
        wp_redirect(home_url(), 301);
        exit;
    }
});
```

Verify: wp-scan.org/malware-check checks both vectors.

✅ 22. Disable Directory Listing

```apache
# .htaccess:
Options -Indexes
```

Without this, visiting yoursite.com/wp-content/uploads/ shows a full directory listing of all uploaded files. Attackers use this for reconnaissance.

---

Section 6: Monitoring and Backups (Items 23–25)

✅ 23. Automated Daily Backups to Offsite Storage

Use UpdraftPlus (free) with Google Drive, S3, or Dropbox as the destination. Test your restore process quarterly — a backup you've never tested is not a backup you can trust.

✅ 24. Uptime Monitoring

UptimeRobot (free tier, 5-minute checks) alerts you if your site goes down. A sudden outage is often the first sign of a suspension due to malware.

✅ 25. Monthly External Security Scan

Schedule a monthly reminder to run wp-scan.org/malware-check. This is the only check that catches cloaked malware, verifies your security headers are actually working, and confirms your XML-RPC block is in effect from outside your server.

---

After the Checklist: Your Post-Hardening Scan

Now re-run the scan at wp-scan.org/malware-check and compare to your baseline. A site that's completed all 25 items should show:
  • ✅ No malware detected
  • ✅ Not blacklisted
  • ✅ XML-RPC blocked
  • ✅ User enumeration protected
  • ✅ All 4 security headers present
  • ✅ WordPress version hidden
If any items still flag, the scan report tells you exactly what to address.

---
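The post-hardening list above, as an added self-check you can run against a site you administer (example code, not wp-scan.org's scanner): it probes the paths behind items 8, 20 and 21 and maps the responses to pass/fail. Malware and blacklist status still need the external scan. The base URL and User-Agent string are assumptions.

```python
import re
import urllib.error
import urllib.request

# Probe paths for the items the external scan reports on (8, 20, 21).
PROBES = ("/xmlrpc.php", "/wp-json/wp/v2/users", "/?author=1", "/readme.html", "/")


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses as HTTPError so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(base_url):
    """Return {path: (status, location, body)} for every probe; redirects are not followed."""
    opener = urllib.request.build_opener(_NoRedirect())
    results = {}
    for path in PROBES:
        req = urllib.request.Request(base_url.rstrip("/") + path,
                                     headers={"User-Agent": "hardening-check/1.0"})  # assumed UA
        try:
            with opener.open(req, timeout=10) as r:
                results[path] = (r.status, r.headers.get("Location", ""), r.read(200_000).decode("utf-8", "replace"))
        except urllib.error.HTTPError as e:
            results[path] = (e.code, e.headers.get("Location", ""), e.read(200_000).decode("utf-8", "replace"))
    return results


def evaluate(results):
    """Map the post-hardening checklist items to True (pass) / False (still exposed)."""
    def get(path):
        return results.get(path, (0, "", ""))
    xml_status, _, xml_body = get("/xmlrpc.php")
    users_status, _, _ = get("/wp-json/wp/v2/users")
    _, author_loc, _ = get("/?author=1")
    readme_status, _, _ = get("/readme.html")
    _, _, home = get("/")
    return {
        # A stock install answers GET with 405 "accepts POST requests only": that is enabled, not blocked.
        "XML-RPC blocked": xml_status not in (200, 405) and "XML-RPC server accepts POST" not in xml_body,
        # Item 21: REST user list must not answer 200, and ?author=N must not redirect to /author/<slug>/.
        "User enumeration protected": users_status != 200 and "/author/" not in author_loc,
        # Item 20: no generator tag, no ?ver= left on assets, readme.html gone.
        "WordPress version hidden": (readme_status != 200
                                     and re.search(r'<meta name="generator" content="WordPress', home) is None
                                     and re.search(r"[?&]ver=\d", home) is None),
    }
```

Usage: `evaluate(fetch("https://yoursite.example"))`; every value should be True once items 8, 20 and 21 are in place.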

Quick Reference Table

| Item | Priority | Verification |
|------|----------|--------------|
| Core/Plugin/Theme updates | 🔴 Critical | Dashboard Updates |
| Delete unused plugins/themes | 🔴 Critical | Plugins list |
| 2FA on all admins | 🔴 Critical | Login test |
| Disable XML-RPC | 🔴 Critical | External scan |
| File permissions (644/755/440) | 🔴 Critical | SSH/FTP |
| wp-config.php DISALLOW_FILE_EDIT | 🔴 Critical | Admin check |
| Block PHP in uploads | 🔴 Critical | File check |
| Limit login attempts | 🟠 High | Plugin settings |
| Security headers (all 4) | 🟠 High | External scan |
| Block user enumeration | 🟠 High | External scan |
| Remove WordPress version | 🟠 High | External scan |
| Disable directory listing | 🟠 High | Directory URL test |
| Daily offsite backups | 🟠 High | Backup plugin |
| PHP 8.1+ | 🟠 High | Site Health |
| Uptime monitoring | 🟡 Medium | UptimeRobot |
| Monthly external scan | 🟡 Medium | Calendar reminder |

→ Verify your hardening at wp-scan.org/malware-check
Tags: wordpress security checklist wordpress hardening wordpress security 2026 wordpress best practices secure wordpress wordpress configuration
WordPress Security & Full-Stack Developer · 9+ years experience

Builder of wp-scan.org — a free external WordPress malware scanner trusted by thousands of site owners. With 9+ years building and securing WordPress products, Rajan writes practical security guides based on real attack patterns he's encountered. You can find more of his work at rajangupta.com.
