TL;DR
WordPress security isn't complicated, but it does require consistency. The top 3 things: keep everything updated (core, plugins, themes), use strong unique passwords, and have regular backups. Most hacks exploit known, already-patched vulnerabilities — meaning the fix was available, just never installed. This checklist covers 10 practical steps anyone can follow.
Security sounds scary. It doesn't have to be.
When people hear "WordPress security," they imagine firewalls, code audits, and penetration testing. That's the enterprise version. For most WordPress site owners — small businesses, freelancers, shops — security is much simpler than that.
Most WordPress hacks aren't sophisticated. They exploit the basics: outdated software, weak passwords, and abandoned plugins. If you get the basics right, you're more secure than 90% of WordPress sites out there.
Here's your checklist. Ten points. No jargon. No developer tools required.
1. Keep everything updated
This is the single most important thing you can do. And it's the one most people skip.
WordPress core, every plugin, and every theme should be running the latest version. Security vulnerabilities are discovered constantly — the WPScan database logs new ones every week. When a vulnerability is found, the developer releases a patch. If you install the patch, you're safe. If you don't, you're a target.
According to Sucuri's research, the vast majority of hacked WordPress sites were running outdated software. Not zero-day exploits. Not advanced attacks. Just known vulnerabilities that had already been fixed — the site owner just hadn't installed the update.
DIY difficulty: Medium. Updates are easy to install but can break things. Always back up first (see point 6).
2. Use strong, unique passwords
If your WordPress admin password is "admin123," "companyname2024," or anything you use on other sites, change it right now.
Brute force attacks — where bots try thousands of password combinations — are constant. They happen to every WordPress site, every day. A strong password stops them cold.
A good password is:
- At least 16 characters
- Random (not based on dictionary words)
- Unique (not used anywhere else)
- Stored in a password manager (you don't need to remember it)
Check if your current passwords have been exposed in data breaches at Have I Been Pwned.
DIY difficulty: Easy. Get a password manager (1Password or Bitwarden are great) and let it generate passwords for you.
3. Limit login attempts
By default, WordPress allows unlimited login attempts. That means a bot can try "admin/password1," "admin/password2," "admin/password3" — thousands of times per minute — until it gets in.
A login limiter blocks an IP address after a few failed attempts. It's a simple, effective protection against brute force attacks.
Most security plugins include this feature. You can also use a standalone plugin like "Limit Login Attempts Reloaded" — it's free, lightweight, and does exactly what it says.
DIY difficulty: Easy. One plugin, 2 minutes to set up.
4. Make sure you have SSL (HTTPS)
SSL encrypts the connection between your visitors and your site. Without it, any data submitted through your forms (including login credentials) is sent in plain text — visible to anyone monitoring the network.
Beyond security, SSL is required for Google ranking, and browsers display "Not Secure" warnings for sites without it.
Most hosting providers offer free SSL through Let's Encrypt. If your site still shows "http://" instead of "https://," contact your host and ask them to enable it.
DIY difficulty: Easy to medium. Your host usually handles the setup. Make sure it auto-renews.
5. Add security headers
Security headers are instructions your server sends to browsers, telling them how to handle your content safely. They prevent things like:
- Clickjacking — someone embedding your site in a hidden frame on their site
- XSS attacks — injecting malicious scripts into your pages
- MIME sniffing — browsers misinterpreting file types
The key headers you should have:
- X-Frame-Options: SAMEORIGIN
- X-Content-Type-Options: nosniff
- Strict-Transport-Security (forces HTTPS)
- Content-Security-Policy (controls what resources can load)
You can check your current headers at SecurityHeaders.com.
DIY difficulty: Medium to hard. This usually requires editing server configuration or using a plugin. Ask your developer or host.
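For the developer or host being asked, or a site owner who can only add files under wp-content, here is an added example (not code from the article or from any plugin it names) of a must-use plugin that sends those four headers from WordPress itself. The function name is made up; the CSP value is a deliberately loose starting point that assumes a typical theme with inline scripts and styles.

```php
<?php
/**
 * Plugin Name: Example security headers
 * Description: Added example, not from the original article. Save as
 * wp-content/mu-plugins/security-headers.php; mu-plugins load automatically.
 */

// Hypothetical function name. 'send_headers' is a real WordPress action that
// fires on front-end requests after routing and before any output is sent.
function example_send_security_headers() {
    // Point 5, clickjacking: only pages on this origin may frame the site.
    header( 'X-Frame-Options: SAMEORIGIN' );

    // Point 5, MIME sniffing: browsers must trust the declared Content-Type.
    header( 'X-Content-Type-Options: nosniff' );

    // HSTS only makes sense on an HTTPS response, and only once every part of the
    // site works over HTTPS (point 4); browsers ignore it on plain HTTP anyway.
    // max-age is one year in seconds.
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }

    // A deliberately loose starting CSP: same origin everywhere, plus the inline
    // scripts and styles most themes and plugins still emit. Tighten it per site.
    // To find breakage without blocking anything, send the same value under the
    // Content-Security-Policy-Report-Only header first and watch the console.
    $csp = implode( '; ', [
        "default-src 'self'",
        "script-src 'self' 'unsafe-inline'",
        "style-src 'self' 'unsafe-inline'",
        "img-src 'self' data: https:",
        "frame-ancestors 'self'",   // CSP equivalent of X-Frame-Options above
    ] );
    header( 'Content-Security-Policy: ' . $csp );
}
add_action( 'send_headers', 'example_send_security_headers' );
```

After dropping the file in place, re-run the SecurityHeaders.com check mentioned above to confirm all four headers now appear on a front-end page.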
6. Have regular, tested backups
Backups aren't just for recovering from hacks. They're insurance against everything: failed updates, accidental deletions, hosting failures, and yes, security incidents.
A good backup strategy:
- Back up at least weekly (daily for active sites)
- Store backups in a different location than your hosting (not just on the same server)
- Keep multiple copies (at least 5 recent backups)
- Test your backups occasionally — an untested backup is a prayer, not a backup
Your database is the most critical part — it contains all your content, users, settings, and orders. File backups (themes, plugins, uploads) are important too, but the database is what you can't recreate.
DIY difficulty: Easy to set up, easy to forget. The hardest part is doing it consistently.
7. Remove unused plugins and themes
Every plugin and theme on your WordPress site is a potential security risk — even if it's deactivated. Inactive code can still be exploited if it has a vulnerability.
Go to your WordPress dashboard right now and check:
- How many plugins are installed? How many are actually active?
- When was each plugin last updated by its developer? (If it says "Last updated: 2 years ago," that's a problem.)
- How many themes are installed? You need one: your active theme. Delete the rest.
Fewer plugins = smaller attack surface = more secure site. It also makes your site faster (see why speed matters). You might be surprised how many plugins can be replaced with a few lines of code.
DIY difficulty: Easy. Go through your plugin list and delete anything you're not using. Just back up first.
8. Check file permissions
File permissions control who can read, write, and execute files on your server. If they're too loose, attackers can modify your files. If they're too tight, WordPress can't function.
The settings recommended in the WordPress developer handbook:
- Folders: 755
- Files: 644
- wp-config.php: 440 or 400 (extra protection for your database credentials)
If those numbers mean nothing to you, that's fine. Ask your developer or hosting provider to verify them.
DIY difficulty: Hard (requires server access). Ask your host to check for you.
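To make point 8 checkable without reading octal modes by eye, here is an added read-only audit script (not from the article or the handbook) that walks an install and flags anything looser than the numbers above; the function name is made up, and it treats a mode stricter than the recommendation as fine.

```php
<?php
// Added example, not from the original article: a read-only audit of point 8.
// Usage from the shell: php audit-perms.php /path/to/wordpress
// Exit status 1 means at least one path is looser than recommended.

// Hypothetical function name. Returns one finding per path whose mode has
// bits SET beyond the recommended ceiling (stricter-than-recommended is fine).
function example_audit_permissions( string $root ): array {
    $findings = [];
    $walker   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $walker as $path => $info ) {
        $mode = $info->getPerms() & 0777;   // drop file-type bits, keep rwx bits

        if ( $info->isDir() ) {
            $ceiling = 0755;                 // folders: owner rwx, others rx
        } elseif ( $info->getFilename() === 'wp-config.php' ) {
            $ceiling = 0440;                 // accepts both 440 and 400
        } else {
            $ceiling = 0644;                 // files: no execute, no group/world write
        }

        // Bits present in $mode but not allowed by $ceiling, e.g. 0777 & ~0755 = 0022
        // (group and world write), or 0644 & ~0440 = 0204 on wp-config.php.
        $extra = $mode & ~$ceiling;
        if ( $extra !== 0 ) {
            $findings[] = sprintf( '%s: mode %04o exceeds %04o (extra bits %04o)',
                                   $path, $mode, $ceiling, $extra );
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $findings = example_audit_permissions( rtrim( $argv[1], '/' ) );
    echo $findings ? implode( PHP_EOL, $findings ) : 'No permission problems found.';
    echo PHP_EOL;
    exit( $findings ? 1 : 0 );
}
```

The script only reads; if it reports something, the fix is chmod, but confirm with your host first, since some hosting setups expect different numbers.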
9. Disable XML-RPC (if you don't use it)
XML-RPC is a WordPress feature that allows external applications to communicate with your site. It was useful in the early days for mobile apps and remote publishing. Today, most sites don't need it — and it's a popular attack vector.
Attackers use XML-RPC for:
- Brute force attacks that bypass login attempt limits
- DDoS amplification attacks
- Pingback abuse
If you're not using a mobile app to publish to WordPress, or connecting via third-party tools that require XML-RPC, you can safely disable it. Many security plugins have a one-click option for this.
DIY difficulty: Easy with a plugin. One checkbox.
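For sites where the plugin route is not an option, here is an added example (not code from the article or from any plugin it names) of a must-use plugin that locks XML-RPC down with WordPress's own hooks. It assumes WordPress-level file access only; the hook names are real, the file name and numbering are mine.

```php
<?php
/**
 * Plugin Name: Example XML-RPC lockdown
 * Description: Added example, not from the original article. Save as
 * wp-content/mu-plugins/xmlrpc-lockdown.php; it loads without activation.
 */

// 1. Refuse every method that needs a login (wp.*, blogger.*, metaWeblog.*, ...).
//    'xmlrpc_enabled' is a real WordPress filter, but it ONLY gates authenticated
//    methods: xmlrpc.php keeps answering, and the unauthenticated pingback methods
//    are untouched, so step 2 is still needed. Delete this line if a publishing
//    app genuinely needs XML-RPC; steps 2 and 3 are safe to keep either way.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Drop the pingback methods, which need no login and are behind the pingback
//    abuse and DDoS amplification items in point 9. 'xmlrpc_methods' filters the
//    method table before any call is dispatched.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: the X-Pingback response header and the RSD
//    <link> in <head> both point automated scanners at xmlrpc.php.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

Denying requests to xmlrpc.php in the web server configuration is the hardest stop; this file is the option when you only have access to WordPress itself.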
10. Monitor your site
All the security measures in the world are useless if you don't know when something goes wrong. Monitoring means:
- Uptime monitoring — get an alert when your site goes down.
- File change detection — get notified when files on your server change unexpectedly.
- Login monitoring — see who's logging in to your WordPress admin and from where.
- Google Safe Browsing status — know immediately if Google flags your site.
You don't need expensive enterprise monitoring. Even basic uptime monitoring (many free tools available) is better than nothing. The website health check guide covers monitoring tools in more detail.
DIY difficulty: Medium. Setting it up isn't hard, but monitoring is only useful if someone acts on the alerts.
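As an added example for the file change detection item (not code from the article or from WPulse), this script compares every WordPress core file against the checksums WordPress.org publishes for the installed version, the same comparison WP-CLI's `wp core verify-checksums` makes. The function name is made up, and it assumes the server can reach api.wordpress.org over HTTPS.

```php
<?php
// Added example, not from the original article: core file change detection for
// point 10 against the checksum list WordPress.org publishes per version.
// Usage: php verify-core.php /path/to/wordpress   (run from cron, mail the output)
// Hypothetical function name. Returns "modified:", "missing:" and "unexpected:"
// findings; an empty list means core matches the release exactly.
function example_verify_core_files( string $root ): array {
    $wp_version = null;
    include $root . '/wp-includes/version.php';   // this file only assigns $wp_version etc.
    $query = http_build_query( [ 'version' => $wp_version, 'locale' => 'en_US' ] );
    $json  = file_get_contents( 'https://api.wordpress.org/core/checksums/1.0/?' . $query );
    $data  = json_decode( (string) $json, true );
    if ( empty( $data['checksums'] ) ) {
        throw new RuntimeException( "No checksums published for WordPress $wp_version" );
    }
    $findings = [];
    $known    = [];
    foreach ( $data['checksums'] as $relative => $md5 ) {
        // wp-content (themes, plugins, uploads) legitimately differs per site; skip it.
        if ( strpos( $relative, 'wp-content/' ) === 0 ) {
            continue;
        }
        $known[ $relative ] = true;
        $file = "$root/$relative";
        if ( ! is_file( $file ) ) {
            $findings[] = "missing: $relative";
        } elseif ( md5_file( $file ) !== $md5 ) {
            $findings[] = "modified: $relative";   // edited in place or swapped for a tampered copy
        }
    }
    // Files in the two pure-core directories that the release never shipped are
    // exactly what "files change unexpectedly" means in point 10; review each one.
    foreach ( [ 'wp-admin', 'wp-includes' ] as $dir ) {
        $walker = new RecursiveIteratorIterator(
            new RecursiveDirectoryIterator( "$root/$dir", FilesystemIterator::SKIP_DOTS )
        );
        foreach ( $walker as $path => $info ) {
            $relative = substr( $path, strlen( $root ) + 1 );
            if ( ! isset( $known[ $relative ] ) ) {
                $findings[] = "unexpected: $relative";
            }
        }
    }
    return $findings;
}
if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $findings = example_verify_core_files( rtrim( $argv[1], '/' ) );
    echo ( $findings ? implode( PHP_EOL, $findings ) : 'Core files match the release.' ) . PHP_EOL;
    exit( $findings ? 1 : 0 );
}
```

A non-zero exit from a nightly cron job is the alert; it covers core only, so themes and plugins still need their own baseline (a backup from point 6 to diff against).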
The honest truth about DIY security
All ten of these points are doable on your own. None of them require a computer science degree. But here's the reality: the hard part isn't doing them once. It's doing them consistently, month after month, year after year.
Point 1 (keeping everything updated) needs to happen every week or every month. Point 6 (backups) needs to run regularly. Point 10 (monitoring) needs someone watching. The moment you get busy — and you will — maintenance slips. And that's when vulnerabilities open up.
WPulse automates points 1 and 6 completely. Every month, we back up your database, update WordPress core and all plugins, and verify everything works. If something breaks, we roll back. No plugins installed on your site. You get an email when it's done.
That leaves you with the easier points to handle yourself: passwords (point 2), removing unused plugins (point 7), and keeping an eye on things (point 10).
Security isn't about being perfect. It's about not being the easiest target. These ten points put you ahead of 90% of WordPress sites on the internet.