The 2021 WordPress Website Security Checklist


The 2021 WordPress Website Security Checklist

The 2021 WordPress Website Security Checklist

You might have stumbled on this article and are thinking to yourself, “Do I really need a WordPress website security checklist? My website has never been hacked.” If that’s the case then you might be surprised to hear this next quote.

Dick Lake, Director of Global Security at the Gates Foundation said, “there are two types of organizations: the ones that have been hacked and those that don’t know they’ve been hacked.”

In fact, a recent study noted that in 2018, Google sent more than 45 million notifications to registered website owners via Search Console, notifying them of a potential breach to their websites which could impact its search engine optimization (SEO).

To put it into perspective, a whopping 50,000 websites are hacked every day. That’s too many sites not to take appropriate action to secure your WordPress website.

That goes double for e-commerce sites which are particularly vulnerable given all the data collected from customers.

Now that we’ve laid down some numbers, your next question is most likely, “what do I do?”

Lucky for you, we’ve developed a thorough WordPress security checklist to get your website secure to prevent damage to your site or reputation from potential hackers.

Types of WordPress Breaches

Many people are unfamiliar with the various types of WordPress breaches, but it’s necessary to understand them to protect your website as a preventative measure.

A breach means that a hacker has found a security vulnerability in your website, and your data may be exposed for theft. Several consequences can arise from there.

Let’s look into some of the most common ways website security can be compromised and what to expect so you can protect your website.


Malware is malicious software designed to inflict harm on a computer, network server, website, or application. There are a number of different types of malware including traditional viruses, computer worms, Trojan horses, spyware, or ransomware.

SQL Injection

An SQL injection is used to target database-driven programs, wherein malicious SQL queries are ‘injected’ into the database that allows an attacker to view information they would normally not be authorized to view.


Backdoor security breaches occur through unsecured backends of a website, allowing cybercriminals to gain access to your WordPress instance. This can compromise the data or information saved on the website.

Malicious Redirects

Based on the name, this type of security breach occurs when someone clicks on a URL and is redirected to an entirely different website, typically rife with malicious code. This happens by creating backdoors in WordPress installations using FTP or SFTP as an example. This can expose you, your customers, and hurt your brand reputation.

Cross-Site Scripting (XSS)

Cross-Site Scripting (XSS) is the process of injecting malicious script into a reputable application or website or application. Once this breach has occurred, the cybercriminals can send malicious code to the end-user unbeknownst to them. This will allow the attacker to grab session or cookie data or even re-write page HTML.

DDoS Attack

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the regular traffic of a targeted server. The objective is to overwhelm the server with multiple requests from various unidentifiable sources, thus overwhelming and shutting down the server.

These are just a few of the most common brute force attacks that occur on WordPress websites. In the next section, let’s discuss the preventative measures you can take to provide your site with the ultimate security.

12-Point WordPress Security Checklist

Use these security tips to help make sure your WordPress website is protected.

1. Invest in Secure Hosting

Your website is the home of your business and, therefore, requires high-quality, secure hosting. The best WordPress hosting providers take the extra steps necessary to protect their servers against common threats.

Your WordPress hosting service plays the most crucial role in the security of your WordPress site. 

2. Use HTTPS Prefix and SSL Certificates

Switching to HTTPS and opting for SSL certification is another way to secure your WordPress website. The traditional HTTP protocol isn’t encrypted and therefore leaves your site vulnerable to cyber-attacks.

Alternatively, HTTPS is an internet communication protocol that keeps any data safe while in transit between your computer and the server, thus protecting it from outside threats.

3. Ensure Users Utilize Strong Passwords

One of the simplest ways to secure your website is to create a strong password for the login page that no one can guess easily.

To make it easier for multiple users, complex passwords can be stored once in a program like LastPass and the application can automate your login so you don’t have to remember the password each time you log in.

4. Use Two-Factor Authentication for Added Security

Using a two-step Authenticator adds another layer of protection for your WordPress logins, especially from common malware like phishing. It’s easy for a website to be misplaced but having the extra step of authorizing the user can protect them better long term.

We use Google Authenticator at Interrupt Media but there are various options on the market.

5. Limit WordPress Permissions

One of the best security measures to protect your WordPress website is to use permissions to limit editing and WordPress admin access to only those who absolutely need it.

6. Limit Login Attempts

Furthermore, if you limit login attempts, this helps to prevent unauthorized access. The app Login LockDown can record the IP address and timestamp of any failed login attempt and alert you so you can verify the attempts were authentic before granting the user access again.

7. Keep WordPress Core, Plugins, PHP, and Themes Updated

WordPress is constantly updating its capabilities and features to improve them and prevent security issues. Therefore it’s essential to update your core, plugins, and WordPress themes to the latest version as updates become available.

Applications get updated as security threats are understood and patched. Hackers know this so when they see you’re not using the latest version of WordPress, they know just what to do to bypass your security measures and get inside. This is yet another reason to keep your WordPress site up-to-date.

8. Harden Your WP-config.php File

Another way to strengthen your WordPress website is to create a customized URL for your standard login. After you’ve installed and activated the plugin, “/wp-admin” and “/wp-login.php” will be inaccessible and will be replaced by a custom URL that you can rename as you wish. Then, only those that know the custom URL will be able to log in to your site.

9. Disable XML-RPC

Hackers are always on the lookout for vulnerabilities or loopholes they can bypass to gain access to your site and your valuable data.  XML-RPC is a remote procedure call protocol that uses XML to encode its calls and HTTP as its transport mechanism. Unfortunately, it allows third-party apps to publish content on your site which can include malicious links.

Newer versions of WordPress have replaced XML-RPC with REST API. If you’re using an older version of WordPress, we highly recommend updating it to the newer version, but if you can’t, we recommend you at least disable XML-RPC.

Don’t worry, you don’t have to be a developer to disable XML-RPC, the Disable XML-RPC plugin can do it for you.

10. Utilize WordPress Security Plugins

Another helpful preventative measure is to use trustworthy, reputable WordPress security plugins that can help to prevent vulnerabilities and include monitoring functionality to help detect suspicious behavior. We recommend finding a private, paid service instead of using an open-source application that could’ve been modified to cause harm rather than prevent it.

Here are a few that we recommend:

  • BulletProof Security
  • Acunetix WP Security
  • iThemes Security 
  • WordFence
  • Sucuri WordPress Security

11. Always Make WordPress Backups

Such a simple step that most forget: backup everything but especially your website.

A backup is a copy of your site that you can reinstall should something detrimental happen or if a hacker steals a copy. Backing up is something lots of people forget, yet it takes minimal effort for preventive measures. You’ll always trust you have a saved copy of your WordPress site, just in case.

12. DDoS Protection

A distributed denial-of-service (DDoS) attack is a malicious attempt to disrupt the regular traffic of a targeted server and overwhelm it with requests from various sources, forcing it to shut down.

A Web Application Firewall (WAF) can protect against these attacks. Additionally, continuous monitoring of traffic loads, so that when a certain threshold is reached, you will be alerted and can prevent the attack by directing traffic to a different node.

Get Your Website Off on the Right Foot

Why does this matter? Hackers can use your site to infect your site visitors with malware and steal data from your website or your customers. That’s why it’s your responsibility as a business to protect your WordPress website.

Investing in WordPress security from the get-go is the best way to guarantee long-term sustainability and growth for your WordPress installation. That’s why we always recommend this security checklist to new customers who are WordPress users.

This ensures that any sensitive information in their WordPress database is secure and they can be confident that any of our website marketing efforts will not be in vain.

We hope that you’ve found this tutorial helpful. If you’d like to find out more about our WordPress web design, UX, and development offerings, please feel free to reach out to us.

Topics: , , ,

Related Posts: