As soon as your WordPress site, or any site, goes online, it will come under attack. Bots scour the web looking for sites to compromise and infect. Sites are probed nonstop and attacked hundreds of thousands of times a year.
Cyber criminals will exploit any soft spot, whether it’s a vulnerable plugin, a misconfigured file permission, or a weak password. As a WordPress site owner, the best way to keep your site safe is to regularly check key systems for misconfigurations and vulnerabilities.
In this article, we’ll run through a WordPress security checklist that includes some of the most important areas to examine during a WordPress security audit. A managed WordPress hosting company will take care of many of these for you, but if you’re self-hosting or using a low-cost hosting provider, site security is your responsibility.
A WordPress security audit is a systematic review of your website’s core files, plugins, themes, and security features to identify vulnerabilities that hackers might exploit. Experts recommend conducting a security audit at least quarterly or more often if your site handles sensitive data.
Skipping regular audits exposes your site to risks that include:
PHP is the scripting language that powers WordPress. Outdated PHP versions may contain vulnerabilities that attackers can exploit. Likewise, web server software like Apache or Nginx and database systems like MySQL need regular updates to patch security flaws and improve performance.
To ensure your site is protected, check your hosting control panel or ask your provider which PHP and server versions are currently running. Always use supported PHP releases.
Many budget hosts are slow to upgrade PHP because their systems are designed in a way that makes doing so inconvenient and disruptive. If your host doesn’t offer recent versions, consider migrating to a provider that prioritizes security and keeps server software up to date.
Each new WordPress release addresses bugs and compatibility issues discovered in previous versions. Plus, old versions eventually become unsupported, so they no longer receive security patches.
To stay protected, regularly check your dashboard for update notifications and apply them. If you have doubts that your WordPress host is making updates available promptly, check for new releases on WordPress.org. If automatic core updates are supported by your WordPress hosting provider, turn them on.
As a general rule, the WordPress project supports only the most recently released major version. Recent older versions may receive security patches, but not indefinitely.
You may have noticed a theme here: keeping everything updated is the foundation of WordPress security. Review your site’s plugins and themes in the WordPress dashboard, apply available updates, and remove anything you no longer use. Be wary of plugins or themes that haven’t been updated in months; abandoned software is at risk of being hijacked by malicious actors or left with unpatched vulnerabilities.
As with core updates, the best managed WordPress hosting providers support automatic plugin updates with post-upgrade performance and functionality testing.
Weak or compromised passwords are among the most common entry points for attackers targeting WordPress sites. If users rely on simple or reused credentials, bots can gain access through brute force attacks that repeatedly guess login details until they succeed.
To minimize risk, enforce strong password requirements and encourage users to create unique, complex passwords. Modern security tools can also alert you if a password has been compromised elsewhere.
Alongside secure credentials, enable brute force protection to automatically block repeated failed login attempts from suspicious sources. WordPress security plugins like Sucuri Security and Limit Login Attempts Reloaded offer brute force protection alongside other security features.
Jetpack Security, which is available for free with Pressable’s managed WordPress hosting, includes password and brute force protection at no additional cost.
Permissions control who can read, write, or execute files on your WordPress site. If permissions are too loose, attackers may gain unauthorized access to upload malicious files or modify critical site components.
Reputable WordPress hosting providers configure these permissions securely by default, reducing the risk of accidental exposure. However, if you self-host or have recently migrated your site, it’s a good idea to verify that permissions remain correct. Even on managed hosting, occasional checks can catch misconfigurations caused by plugins or manual changes.
As a rule of thumb, directories should be set to 755 and files to 644, with sensitive files like wp-config.php set even more restrictively.
Learn how to manage PHP file permissions on Pressable.
Reliable backup and restore procedures are a cornerstone of WordPress security. If your site is compromised, a recent backup lets you quickly restore a clean, working version. Without that safety net, your recovery time will be longer and more expensive.
Here’s a quick checklist for effective backup and restore:
Pressable’s automatic backups make this easy: WordPress files are backed up every day, databases every hour, and all backups are stored for 30 days. Real-time updates and one-click restores are also available with Jetpack Security.
Malware and vulnerability scanning tools check your WordPress site for harmful code and known security weaknesses in plugins, themes, or core files. Scans typically compare your site’s files against trusted versions and a database of known threats. Anything unusual is flagged for you to review.
If you don’t have robust scanning in place, your site could be silently compromised for weeks or months before you notice. Vulnerabilities left unaddressed make it easy for attackers to gain control or use your server for malicious purposes like crypto mining or as part of a botnet.
Many site owners turn to paid external services like Sucuri or Wordfence for these features, but with Pressable, malware scanning and threat monitoring are included and fully automated at no additional cost.
A web application firewall (WAF) analyzes incoming traffic for suspicious patterns and blocks known attack signatures. A WAF can stop many of the most common and dangerous attacks before they ever reach your site.
Unlike traditional network firewalls, which protect servers at the network or transport layer, a WAF operates at the application layer. It understands and inspects web traffic, identifying threats like SQL injection, cross-site scripting (XSS), and other attacks that target website functionality.
Activity logs record events like logins, content changes, plugin installations, and settings modifications. A running history of what has happened on your site makes it easier to troubleshoot issues and track down the source of unexpected changes.
If a security incident occurs, you can review exactly what happened and when, so you can pinpoint vulnerabilities or unauthorized actions. It’s also useful for ongoing site management: you can audit user actions and ensure everyone follows best practices.
WordPress does not provide detailed activity logging for site events. WordPress site owners can implement logging with premium plugins like WP Activity Log or Malcare.
Every site hosted on Pressable benefits from powerful activity logging via our free access to Jetpack Security.
If your site is hosted on budget WordPress hosting or you self-host, it’s imperative that you run a WordPress security audit every one to three months. If any of the components mentioned in our checklist are missing or misconfigured, your site is potentially at risk.
On Pressable managed WordPress hosting, we take care of security. Each of the security tasks and features mentioned here is included at no extra cost in our standard managed WordPress hosting plans.
To learn more about Pressable’s WordPress security features, schedule a demo today.
If you’re thinking about using iFrames on your website, you should first consider the search engine optimization (SEO) impact. iFrames offer an easy way to share content between two pages or websites. Rather than copying […]
Have you ever wondered what that little padlock symbol next to a website’s URL means? It’s a sign that the website is using SSL (Secure Sockets Layer), also known as TLS (Transport Layer Security). This […]
If you’re considering WordPress as the CMS of choice for your website, you are probably wondering if it offers solid security. WordPress software is in fact very secure. WordPress is used by 60%+ of the […]