WordPress Security Checklist: 15 Checks That Actually Matter (And 12 That Don’t)
Quick answer: if you do only three things to secure WordPress, turn on 2FA for every admin account, enable auto-updates for minor core and plugin releases, and back up to a location outside your hosting account. Those three stop roughly 85% of real attacks. Twelve common checklist items do not matter: renaming the admin username, changing the wp_ table prefix, hiding the WordPress version, renaming wp-login.php, blocking traffic from China or Russia, and eight others are security theater that pulls attention away from the controls above.
I’ve been maintaining WordPress sites for 25 years. I’ve read maybe 400 security checklists in that time, and the ones that top Google today are mostly padded for length. They list “rename your admin account” next to “enable 2FA” as if those two are comparable defenses.
Only one of those two things actually stops attacks in 2026. The other stops attacks from 2011, and renaming an admin account hasn’t been meaningful security in over a decade.
What follows is the stripped-down version: 15 checks that meaningfully reduce the attack surface of a modern WordPress install, and 12 popular ones I’m throwing out because they’re theater.
The 15 That Matter
1. Turn on 2FA for every admin account. This is the single highest-ROI security control on WordPress. Credential-stuffing attacks compromise thousands of sites a week, and 2FA stops every one of them dead. Use an authenticator app, not SMS.
2. Use unique, long admin passwords. Password manager, 20 characters or more, never reused anywhere else. This matters even with 2FA, because 2FA can be bypassed on recovery flows. The password has to be the second wall, not the first.
3. Update core within 7 days of any minor release. Minor releases are security patches. Sitting on them for weeks is how known-CVE attacks land on your site. Enable auto-updates for minor versions and be done with it.
4. Update plugins within 7 days of any patch release, same logic. Most WordPress compromises in the last 3 years trace back to an unpatched plugin CVE that had a fix available for weeks before the attacker arrived.
5. Remove every plugin you’re not actively using. Deactivated is not removed. Deactivated plugins still get scanned by attackers and still contain exploitable code. If it’s not running, delete it.
6. Remove every theme except the active one, same reason. twentytwentyone sitting unused in your themes directory is attack surface for nothing.
7. Host with a provider that isolates accounts. Shared hosting without account isolation means one infected neighbor site can walk into yours. SiteGround, Kinsta, WP Engine, Rocket, and Hostinger’s Business tier all isolate properly. Avoid anything that doesn’t.
8. Turn off file editing in the admin. Add define('DISALLOW_FILE_EDIT', true); to wp-config. If an admin account is compromised, the attacker can’t drop a webshell through the UI.
9. Limit login attempts, and do it right. A plugin that only tracks IPs gets bypassed by rotating proxies. You want one that also limits per username. That rate-limits the credential-stuffer regardless of how many IPs they cycle through.
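The per-username limiting described in item 9, as an added example mu-plugin (not code from the post or from any plugin it mentions). It counts each failed login against both the username tried and the source IP, so an attacker cycling proxies still burns the budget for the account they are targeting. The thresholds, the file name and the reliance on REMOTE_ADDR are assumptions; adjust them for your proxy or CDN setup.

```php
<?php
/**
 * Plugin Name: Login Rate Limit (per username and per IP)
 *
 * Added example, not part of the post. Save as wp-content/mu-plugins/login-rate-limit.php
 * so it loads before regular plugins. Thresholds are assumptions; tune them for your site.
 */

const LRL_MAX_ATTEMPTS   = 5;       // failures allowed inside one window
const LRL_WINDOW_SECONDS = 15 * 60; // window length (15 minutes)

// Transient key for one subject (a username or an IP). Hashing keeps arbitrary
// login input out of the option name and inside the transient key length limit.
function lrl_key(string $kind, string $subject): string {
    return 'lrl_' . $kind . '_' . md5(strtolower(trim($subject)));
}

function lrl_count(string $kind, string $subject): int {
    return (int) get_transient(lrl_key($kind, $subject));
}

function lrl_client_ip(): string {
    // Trust only REMOTE_ADDR. X-Forwarded-For is client-controlled unless your
    // proxy or CDN is configured to overwrite it; if it is, read it from there.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Every failed login is counted against BOTH the username tried and the source IP,
// so rotating through proxies does not reset the budget for a given account.
add_action('wp_login_failed', function (string $username, WP_Error $error): void {
    if ($error->get_error_code() === 'too_many_attempts') {
        return; // attempts we already blocked must not keep extending the window
    }
    foreach (['user' => $username, 'ip' => lrl_client_ip()] as $kind => $subject) {
        set_transient(lrl_key($kind, $subject), lrl_count($kind, $subject) + 1, LRL_WINDOW_SECONDS);
    }
}, 10, 2);

// Refuse authentication while either counter is at the limit. Priority 30 runs after
// WordPress's own username/password check (priority 20), so this overrides its result.
add_filter('authenticate', function ($user, string $username) {
    if ($username === '') {
        return $user; // nothing submitted yet, the form is just being rendered
    }
    $user_blocked = lrl_count('user', $username) >= LRL_MAX_ATTEMPTS;
    $ip_blocked   = lrl_count('ip', lrl_client_ip()) >= LRL_MAX_ATTEMPTS;
    if ($user_blocked || $ip_blocked) {
        return new WP_Error('too_many_attempts', __('Too many failed logins. Try again later.'));
    }
    return $user;
}, 30, 3);

// A successful login clears the username counter so a real user is not left locked
// behind someone else's failed attempts; the IP counter simply expires.
add_action('wp_login', function (string $user_login): void {
    delete_transient(lrl_key('user', $user_login));
});
```

The trade-off to be aware of: a per-username counter means anyone who knows an account name can keep it locked for the length of the window. That is acceptable when the window is short and items 1 and 2 (2FA, long unique passwords) are in place, because the lockout then protects a credential that brute force was never going to crack anyway; it is not acceptable as the only control.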
10. Move wp-config.php above the webroot, or at minimum protect it via .htaccess. The default install leaves it readable if PHP execution ever breaks, which happens during migrations, plugin conflicts, and PHP upgrades.
11. Force HTTPS everywhere and turn HSTS on. The reason isn’t Google’s ranking signal. It’s that HTTP admin sessions leak cookies to any Wi-Fi sniffer. Set FORCE_SSL_ADMIN in wp-config and serve HSTS headers with a 6-month max-age.
12. Back up to a location outside your hosting account. If your hosting account gets compromised, in-account backups go with it. UpdraftPlus to your own S3, R2, or Dropbox, or use a hosting-tier offsite backup service.
13. Run regular malware scans that include file integrity checks. Pattern matching alone misses every tailored injection. Scans should compare your core and plugin files against known-good hashes, which catches modifications no signature database will.
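Item 13's integrity check, as an added example script (not part of the post, WordPress core, or Nova Scan). It assumes a manifest of known-good hashes in the shape relative path => md5, which is what api.wordpress.org's core checksum endpoint returns and what WP-CLI's `wp core verify-checksums` consumes; the demo tree, file contents and hashes below are constructed. Two passes cover both ways a compromise shows up: a known file whose hash changed, and a file that should not exist at all.

```php
<?php
/**
 * verify-tree.php: compare a WordPress tree against known-good file hashes.
 *
 * Added example script, not part of the post and not a WordPress or Nova Scan
 * component. Manifest format assumed: relative path => md5 (same shape as the
 * api.wordpress.org core checksum endpoint). Run with PHP 8 from the command line.
 */

function verify_tree(string $root, array $manifest): array {
    $root   = rtrim($root, '/');
    $report = ['modified' => [], 'missing' => [], 'unexpected' => []];

    // Pass 1: every file the manifest knows about must exist and hash correctly.
    foreach ($manifest as $rel => $expected) {
        $path = $root . '/' . $rel;
        if (!is_file($path)) {
            $report['missing'][] = $rel;
            continue;
        }
        $actual = md5_file($path);
        if ($actual === false || !hash_equals($expected, $actual)) {
            $report['modified'][] = $rel; // unreadable counts as modified: investigate it
        }
    }

    // Pass 2: files on disk that the manifest never listed. Dropped backdoors are
    // usually NEW files, so this pass catches what signature scanning misses.
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        $rel = ltrim(substr($file->getPathname(), strlen($root)), '/');
        if (str_starts_with($rel, 'wp-content/')) {
            continue; // plugins, themes and uploads need their own manifests (wp plugin verify-checksums)
        }
        if (!array_key_exists($rel, $manifest)) {
            $report['unexpected'][] = $rel;
        }
    }
    sort($report['unexpected']);
    return $report;
}

// --- Constructed demonstration tree in a temp directory (not a real install) ---
$root = sys_get_temp_dir() . '/wp-verify-demo';
if (!is_dir($root . '/wp-includes')) {
    mkdir($root . '/wp-includes', 0700, true);
}
file_put_contents($root . '/index.php', "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n");
file_put_contents($root . '/wp-includes/version.php', "<?php\n\$wp_version = '6.5';\n");

// Take the manifest from the clean state. In production it comes from a trusted
// source (the checksum API or a copy kept off the server), never from the box itself.
$manifest = [
    'index.php'               => md5_file($root . '/index.php'),
    'wp-includes/version.php' => md5_file($root . '/wp-includes/version.php'),
    'wp-login.php'            => str_repeat('0', 32), // constructed hash for a file that is absent
];

// Simulate what a compromise leaves behind: one edited core file, one new file.
file_put_contents($root . '/index.php', "<?php\n// injected line\nrequire __DIR__ . '/wp-blog-header.php';\n");
file_put_contents($root . '/wp-includes/extra.php', "<?php\n// file not in manifest\n");

print_r(verify_tree($root, $manifest));
```

The point the script makes concrete: a hash manifest catches the edited index.php and the extra file in wp-includes without knowing anything about what was written into them, which is exactly the case a signature database cannot cover. The manifest has to come from somewhere the attacker cannot also edit; a manifest generated on the same server after the fact only proves the files match themselves.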
14. Monitor for new admin users. Attackers create backup admin accounts for persistence. Any new admin account should fire an email to you, not just appear silently in the users list.
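Item 14's alert, as an added example mu-plugin (not code from the post or from Nova Scan). It uses two paths because one is not enough: the set_user_role hook fires the moment any code path grants the administrator role, and an hourly snapshot diff catches rows written straight into the database, which never fire a hook. The file name, the option name, the cron hook name and the assumption that admin_email is read promptly are mine.

```php
<?php
/**
 * Plugin Name: New Administrator Alert
 *
 * Added example, not part of the post and not Nova Scan code. Save as
 * wp-content/mu-plugins/new-admin-alert.php. Sends mail to the site's admin_email
 * (assumption: a human reads that address promptly) and writes a log line.
 */

function naa_notify(int $user_id, string $trigger): void {
    $user = get_userdata($user_id);
    if (!$user) {
        return;
    }
    $actor = wp_get_current_user(); // ID 0 when the change came from WP-CLI, cron or raw SQL
    $lines = [
        sprintf('Account: %s (ID %d, %s)', $user->user_login, $user->ID, $user->user_email),
        'Trigger: ' . $trigger,
        sprintf('Performed by: %s (ID %d)', $actor->user_login ?: 'system/none', $actor->ID),
        'Source IP: ' . ($_SERVER['REMOTE_ADDR'] ?? 'n/a'),
        'Time (UTC): ' . current_time('mysql', true),
    ];
    wp_mail(
        get_option('admin_email'),
        '[' . get_bloginfo('name') . '] New administrator account: ' . $user->user_login,
        implode("\n", $lines)
    );
    // Also land it in the PHP error log so host-side log shipping picks it up
    // even when mail delivery is broken.
    error_log('NEW_ADMIN ' . implode(' | ', $lines));
}

// Real-time path. set_user_role fires from WP_User::set_role(), which the admin UI,
// wp_insert_user() and WP-CLI all go through; it hands us the new role and the old ones.
add_action('set_user_role', function (int $user_id, string $role, array $old_roles): void {
    if ($role === 'administrator' && !in_array('administrator', $old_roles, true)) {
        $from = $old_roles ? implode(',', $old_roles) : 'new account';
        naa_notify($user_id, 'role set to administrator (was: ' . $from . ')');
    }
}, 10, 3);

// Catch-all path. A capability row written straight into the usermeta table (SQL
// injection, a rogue plugin, a leaked DB credential) never fires the hook above,
// so once an hour diff the administrator set against the last snapshot.
add_action('naa_hourly_check', function (): void {
    $current = array_map('intval', get_users(['role' => 'administrator', 'fields' => 'ID']));
    sort($current);
    $previous = (array) get_option('naa_admin_snapshot', []);
    foreach (array_diff($current, $previous) as $new_id) {
        naa_notify($new_id, 'appeared in hourly administrator snapshot diff');
    }
    update_option('naa_admin_snapshot', $current, false);
});

add_action('init', function (): void {
    if (!wp_next_scheduled('naa_hourly_check')) {
        wp_schedule_event(time(), 'hourly', 'naa_hourly_check');
    }
});
```

The first snapshot run mails once per existing administrator, which doubles as an inventory of who already has the role. The snapshot lives in the same database an attacker with SQL access could edit, so the log line, not the option, is the record to trust; ship it off the host along with the backups from item 12.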
15. Turn off XML-RPC if you don’t use it. If you don’t use the Jetpack app, the WordPress iOS or Android app, or Pingbacks, xmlrpc.php is just an attack amplifier. Block it at the webserver level, not via plugin.
That’s the list. Fifteen items. Do all of them and you’re ahead of 97% of WordPress sites on the internet.
The 12 That Don’t Matter (And Why)
“Change the admin username from admin.” WordPress hasn’t defaulted to that username since version 3.0 in 2010. Your username isn’t a secret; the /?author=1 URL reveals it. This is security-through-obscurity where there’s no obscurity to begin with.
“Change the database table prefix from wp_.” Any SQL injection that can read your tables can also read your wp_options table, or your xyz_options table. The prefix doesn’t slow the attack by one second. It just breaks plugin compatibility.
“Hide the WordPress version number.” The attacker doesn’t care what your meta generator tag says. They probe for a vulnerable plugin directly. Version fingerprinting is trivially bypassable and doesn’t gate any real attack.
“Rename the wp-login.php URL.” You can move the login to /my-secret-login. Attackers who care enough to target your site will find it in the HTML of any page that links to it, or via any of 14 other WordPress-specific fingerprints. It stops bulk scanners, not targeted attacks. If you want to stop bulk scanners, rate-limit instead.
“Disable directory browsing.” Disable it, sure, but no attack hinges on directory listings in 2026. Attackers use vulnerability databases now, not filesystem walks.
“Limit access to wp-admin by IP.” Works until your ISP rotates your IP, you travel, or your one contractor needs access. The failure mode is “admin locks self out at 2am.” Not worth the operational cost for the marginal benefit.
“Disable PHP execution in uploads directory.” Worth doing, but if you got to the point where an attacker wrote a PHP file into uploads, they already bypassed something more important. It’s a safety net, not a primary control.
“Install 7 security plugins.” One quality security plugin plus one malware scanner is enough. Seven of them means conflicts, performance drag, and redundant detections. More plugins equals more code equals more attack surface.
“Block all traffic from China and Russia.” Attacker infrastructure is global. The IPs hitting your login endpoint live in AWS, DigitalOcean, OVH, and residential proxies in Brazil. A single geo filter won’t stop the volume, and you lose legitimate international readers.
“Scan daily.” Malware scans take resources and clutter your inbox with false positives. Weekly is fine for most sites. Continuous file-change monitoring is better than frequent full scans anyway.
“Disable REST API for non-authenticated users.” Breaks more plugins than you’d expect. Gutenberg, some caching plugins, and block editor metadata all rely on REST. The real answer is to audit which endpoints are exposed, not to kill the whole surface.
“Use a WAF from [vendor].” A WAF is a real answer for enterprise. For most WordPress sites, the WAF’s value is negated by the fact that an unpatched plugin will be exploited before any WAF signature covers the CVE. Patch cadence beats WAF every time.
The Real Ranking
If I could only recommend three things to a new WordPress site owner, they’d be these, in this order: 2FA on all admins, auto-updates for minor core and plugins, and backups to a location outside your host.
Those three stop 85% of what happens to WordPress sites. Every additional item on the 15-list closes a specific edge case. Every item on the 12-list steals attention from the real defenses.
Checklists are a credibility game for the writer. The value for you is in knowing which items actually move the dial, and which items a padding-for-length piece put in front of you to look thorough.
Nova Scan handles items 13 and 14 from the real list, which are integrity-based malware scanning and new-admin alerts, without needing a paid tier (see the Nova Scan overview).
~ SephX, Nova Heaven. Three real defenses beat fifteen checkboxes every time.