
WordPress Security Checklist: 15 Steps to Lock Down Your Site

Sera Team
February 10, 2026
Why This Checklist Exists

WordPress security is not complicated, but it is easy to overlook. Most compromised WordPress sites were not hacked through sophisticated zero-day exploits. They were compromised through weak passwords, outdated plugins, and basic misconfigurations.

This checklist covers 15 steps, ordered from most impactful to least. Complete the first five and you will be more secure than 90% of WordPress sites.

The Essential Five

1. Use Strong, Unique Passwords

This sounds obvious, but weak passwords remain the number one attack vector. Every WordPress account should use a password that is:

  • At least 16 characters long
  • Randomly generated (use a password manager)
  • Unique to your WordPress site (never reused)

Change the default "admin" username if you have not already.

2. Keep Everything Updated

  • WordPress core: Update within 24 hours of a security release
  • Plugins: Update weekly (or enable auto-updates for trusted plugins)
  • Themes: Update when available
  • PHP: Use the latest supported version (8.2+ in 2026)

Outdated plugins are the most common entry point for attackers. If you are not using a plugin, delete it; even deactivated plugins can be exploited, because their files remain on disk and reachable.

3. Enable Two-Factor Authentication

Add 2FA to every admin and editor account. Sera Sentinel includes built-in 2FA support with TOTP (Google Authenticator), email codes, and backup codes.

Even if an attacker obtains a password, 2FA prevents them from logging in.

4. Install a Web Application Firewall

A WAF inspects incoming requests and blocks malicious traffic before it reaches WordPress. Sera Sentinel's WAF blocks SQL injection, XSS, remote file inclusion, and other common attacks.

Cloud-based WAFs (like Cloudflare or Sucuri) add another layer by filtering traffic before it even reaches your server.

5. Use Secure Hosting

Your hosting provider is your first line of defense. Choose a host that provides:

  • Server-level firewalls
  • Automatic backups
  • Malware scanning
  • DDoS protection
  • PHP version management
  • SSL certificates

The Hardening Ten

6. Disable File Editing

Add this line to wp-config.php:

  define('DISALLOW_FILE_EDIT', true);

This removes the Theme Editor and Plugin Editor from the admin, preventing attackers who gain admin access from modifying files directly.

7. Protect wp-config.php

Move wp-config.php one directory above your web root, or add server rules to block direct access. This file contains your database credentials and security keys.

8. Change the Login URL

The default /wp-login.php and /wp-admin URLs are targeted by automated bots. Changing them to a custom URL reduces brute force attempts significantly. Sera Sentinel includes this feature.

9. Limit Login Attempts

Block IPs after a configurable number of failed login attempts. Sera Sentinel's progressive lockout system increases the block duration with each offense.
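The progressive lockout described above, implemented as a small must-use plugin. This is an added example, not Sera Sentinel's code; the threshold and durations (5 failures, 15 minutes doubling up to one day) are hypothetical tuning values, and the `pll_` prefix is chosen here for illustration.

```php
<?php
/**
 * Plugin Name: Progressive Login Lockout (added example, not Sera Sentinel code)
 * Install as a must-use plugin in wp-content/mu-plugins/.
 * Failed logins from one IP are counted; at the threshold the IP is locked
 * out, and each further lockout doubles the duration (capped at one day).
 */
const PLL_MAX_FAILURES  = 5;     // hypothetical tuning: failures before lockout
const PLL_BASE_LOCKOUT  = 900;   // first lockout: 15 minutes
const PLL_MAX_LOCKOUT   = 86400; // longest lockout: 1 day
const PLL_STRIKE_WINDOW = 86400; // how long past lockouts are remembered

function pll_key(string $prefix): string {
    // Behind a proxy/CDN, make the web server set REMOTE_ADDR from the
    // proxy's trusted header; never trust X-Forwarded-For directly here.
    return $prefix . '_' . md5($_SERVER['REMOTE_ADDR'] ?? '0.0.0.0');
}

// Runs before the password check: refuse outright while locked out.
add_filter('authenticate', function ($user, $username, $password) {
    $until = (int) get_transient(pll_key('pll_lock'));
    if ($until > time()) {
        $minutes = (int) ceil(($until - time()) / 60);
        return new WP_Error('pll_locked',
            sprintf('Too many failed logins. Try again in %d minute(s).', $minutes));
    }
    return $user;
}, 30, 3);

add_action('wp_login_failed', function ($username) {
    $fails = (int) get_transient(pll_key('pll_fail')) + 1;
    set_transient(pll_key('pll_fail'), $fails, 3600);
    if ($fails < PLL_MAX_FAILURES) {
        return;
    }
    // Threshold reached: lock for base * 2^(previous lockouts), capped.
    $strikes  = (int) get_transient(pll_key('pll_strike'));
    $duration = min(PLL_BASE_LOCKOUT * (2 ** $strikes), PLL_MAX_LOCKOUT);
    set_transient(pll_key('pll_lock'), time() + $duration, $duration);
    set_transient(pll_key('pll_strike'), $strikes + 1, PLL_STRIKE_WINDOW);
    delete_transient(pll_key('pll_fail'));
    error_log(sprintf('[pll] %s locked out for %ds (lockout #%d)',
        $_SERVER['REMOTE_ADDR'] ?? '?', $duration, $strikes + 1));
});

// A successful login clears the failure counter but not the lockout history.
add_action('wp_login', function () {
    delete_transient(pll_key('pll_fail'));
});
```

The error_log line gives you a record to alert on; a burst of lockouts across many IPs is the signal that a distributed brute-force run is under way rather than one forgetful user.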

10. Disable XML-RPC

Unless you specifically need XML-RPC (for Jetpack or the WordPress mobile app), disable it. It is a common vector for brute force attacks and DDoS amplification.

11. Set Correct File Permissions

  • Directories: 755
  • Files: 644
  • wp-config.php: 600

Incorrect permissions allow attackers to write to files they should not have access to.

12. Disable Directory Browsing

Add Options -Indexes to your .htaccess file (Apache) or the equivalent Nginx rule. This prevents attackers from listing the contents of your directories.

13. Use Security Headers

Configure these HTTP headers on your server or through a plugin:

Header                    Purpose
Content-Security-Policy   Prevents XSS and data injection
X-Frame-Options           Prevents clickjacking
X-Content-Type-Options    Prevents MIME sniffing
Referrer-Policy           Controls referrer information
Permissions-Policy        Restricts browser features
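Steps 10 and 13 can be applied together from one must-use plugin. This is an added example, not code from Sera Sentinel or WordPress itself; the Content-Security-Policy values are hypothetical and assume a site serving its own scripts and styles, so they will need tuning per site.

```php
<?php
/**
 * Plugin Name: Response Hardening (added example, not Sera Sentinel code)
 * Must-use plugin for wp-content/mu-plugins/: shuts off XML-RPC (step 10)
 * and sends the five security headers from step 13 on front-end responses.
 */

// Step 10: refuse every XML-RPC call and stop advertising the endpoint.
add_filter('xmlrpc_enabled', '__return_false');        // no authenticated methods
add_filter('xmlrpc_methods', '__return_empty_array');  // no methods at all, pingback.ping included
remove_action('wp_head', 'rsd_link');                  // drop the <link rel="EditURI"> discovery tag
add_filter('wp_headers', function (array $headers) {
    unset($headers['X-Pingback']);                     // header that points bots at xmlrpc.php
    return $headers;
});

// Step 13: the five headers. The CSP values below are hypothetical: they
// assume scripts and styles come only from the site's own origin, so audit
// with Content-Security-Policy-Report-Only first, then switch to enforcing.
add_action('send_headers', function () {
    $csp = implode('; ', [
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline'", // WordPress core emits inline styles
        "img-src 'self' data:",
        "frame-ancestors 'self'",           // modern counterpart of X-Frame-Options
    ]);
    header('Content-Security-Policy: ' . $csp);
    header('X-Frame-Options: SAMEORIGIN');             // clickjacking, for older browsers
    header('X-Content-Type-Options: nosniff');         // no MIME sniffing
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
});
```

The send_headers action fires only for front-end requests; wp-admin and wp-login.php responses need the same headers set in the web server configuration instead.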

14. Schedule Regular Malware Scans

Run malware scans at least weekly. Sera Sentinel's scanner checks core files, plugins, themes, and database content for known malware signatures and suspicious patterns.

15. Maintain Offsite Backups

Backups are your last line of defense. If everything else fails, a clean backup lets you restore your site. Store backups offsite (not on the same server as your WordPress installation) and test restoration regularly.

Automating Security with Sera Sentinel

Steps 3, 4, 8, 9, 10, 12, and 14 from this checklist are all handled by Sera Sentinel out of the box. Install it, run the initial security audit, and enable the recommended settings. The AI-powered threat analysis adds an extra layer of intelligence that static security plugins cannot match.

Conclusion

Security is a practice, not a product. No single plugin makes your site invulnerable. But following this checklist, especially the Essential Five, dramatically reduces your attack surface and makes your site a much harder target.

Written by
Sera Team

The team behind the Sera WordPress ecosystem, building AI-powered tools for performance, security, SEO, and content creation.