WordPress powers over 40% of all websites on the internet. That popularity makes it a prime target for hackers, bots, and malicious scripts. The good news is that most WordPress security breaches exploit basic vulnerabilities that are entirely preventable.
We’ve put together this 10-point checklist based on the most common weaknesses we see on the sites we’re asked to fix. Work through each item and give your site an honest assessment. Even addressing a few of these points can dramatically reduce your risk.
1. WordPress Core Is Up to Date
WordPress regularly releases updates that patch security vulnerabilities. Running an outdated version of WordPress is like leaving your front door unlocked. Check your current version under Dashboard, then Updates. If you’re more than one version behind, you should update as soon as possible. WordPress minor updates (like 6.4.1 to 6.4.2) are security patches and should be applied immediately. Major updates (like 6.4 to 6.5) are worth testing on a staging site first.
2. All Plugins Are Updated
Outdated plugins are the number one attack vector for WordPress sites. Plugin developers release updates to fix security holes, and hackers actively scan for sites running vulnerable versions. Go to Plugins in your dashboard and check for available updates. If a plugin hasn’t been updated in over a year and isn’t maintained by a reputable developer, consider replacing it with an actively maintained alternative.
3. Unused Plugins and Themes Are Removed
Deactivated plugins and themes can still be exploited. The code is still on your server, and if it contains a vulnerability, a hacker can target it directly. Don’t just deactivate what you’re not using; delete it entirely. Keep only your active theme and one default WordPress theme as a fallback. Remove everything else.
4. Strong Admin Passwords Are in Use
It seems obvious, but weak passwords remain one of the top causes of WordPress breaches. Brute force attacks try thousands of password combinations per minute, and if your admin password is something like “admin123” or your company name, it won’t hold up for long. Use a password manager to generate and store strong, unique passwords for every admin account. A strong password is at least 16 characters and includes a mix of letters, numbers, and symbols.
5. Two-Factor Authentication Is Enabled
Even a strong password can be compromised through phishing or data breaches. Two-factor authentication adds a second layer of protection by requiring a code from your phone or an authenticator app when you log in. Plugins like WP 2FA or Wordfence Login Security make this easy to set up. Every admin account on your site should have two-factor authentication enabled. No exceptions.
6. SSL Certificate Is Active and Enforced
An SSL certificate enables HTTPS, which encrypts the connection between your visitors’ browsers and your server. Without it, login credentials, form submissions, and other sensitive data travel across the network in plain text. Check that your site loads with https:// and shows a padlock icon in the browser’s address bar. Also make sure that every HTTP request is redirected to HTTPS so that no unencrypted connection is possible. Most hosting providers now offer free SSL certificates through Let’s Encrypt.
7. Regular Backups Are Running and Tested
Backups are your safety net. If the worst happens, a recent backup means you can restore your site rather than rebuilding it from scratch. But having backups isn’t enough. You need to verify that they’re actually running and that they include everything: your database, your uploads, your theme, and your plugin files. Use a backup plugin like UpdraftPlus and store backups in a remote location like Google Drive or Dropbox, not on the same server as your site. Test a restore at least once to make sure your backups actually work.
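As an added example that is not part of the original post, the shell script below does the two things item 7 asks for: it takes a backup (database dump plus wp-config.php and the whole wp-content tree) and then proves the backup restores by extracting it into a scratch directory and comparing every file with the live site. It assumes that, when DB_NAME is set, mysqldump can reach that database without a password prompt (for example via ~/.my.cnf); when DB_NAME is unset it writes a constructed placeholder dump so the script still runs offline. The sample site it builds for the demo is constructed, and the paths in the usage comments are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post: back up a WordPress site
# (database dump + wp-config.php + the whole wp-content tree) and then prove the
# backup restores cleanly, which is the "test a restore" step in item 7.
# Assumptions: DB_NAME names a database mysqldump can reach without a password
# prompt (via ~/.my.cnf); when it is unset, a constructed placeholder dump is used
# so the script still runs offline. The sample site is constructed for the demo.
set -eu

# Build a small constructed WordPress tree.
make_sample_site() {
  dir=$1
  mkdir -p "$dir/wp-content/uploads/2024" "$dir/wp-content/themes/mytheme" "$dir/wp-content/plugins/myplugin"
  printf '<?php // constructed wp-config placeholder\n' > "$dir/wp-config.php"
  printf 'constructed image bytes\n' > "$dir/wp-content/uploads/2024/photo.jpg"
  printf '<?php // constructed theme file\n' > "$dir/wp-content/themes/mytheme/functions.php"
  printf '<?php // constructed plugin file\n' > "$dir/wp-content/plugins/myplugin/myplugin.php"
}

# Write wp-backup-<timestamp>.tar.gz into $2 and print its path.
backup_site() {
  wp_dir=$1; out_dir=$2
  mkdir -p "$out_dir"
  stamp=$(date +%Y%m%d-%H%M%S)
  dump="$out_dir/db-$stamp.sql"
  if [ -n "${DB_NAME:-}" ] && command -v mysqldump >/dev/null 2>&1; then
    # --single-transaction gives a consistent InnoDB snapshot without locking the site.
    mysqldump --single-transaction "$DB_NAME" > "$dump"
  else
    printf '%s\n' '-- constructed placeholder: no database configured for this run' > "$dump"
  fi
  archive="$out_dir/wp-backup-$stamp.tar.gz"
  # Site files from the WordPress root, plus the dump from the output directory.
  tar -czf "$archive" -C "$wp_dir" wp-config.php wp-content -C "$out_dir" "$(basename "$dump")"
  rm -f "$dump"
  printf '%s\n' "$archive"
}

# Restore into a scratch directory and compare every file byte-for-byte with
# the live site. Returns non-zero (and names the file) on any mismatch or when
# the database dump is missing, so a broken backup is caught before you need it.
verify_backup() {
  archive=$1; wp_dir=$2
  scratch=$(mktemp -d)
  tar -xzf "$archive" -C "$scratch"
  ( cd "$wp_dir" && find wp-config.php wp-content -type f ) > "$scratch/.manifest"
  mismatches=0
  while IFS= read -r f; do
    if ! cmp -s "$wp_dir/$f" "$scratch/$f"; then
      printf 'MISMATCH: %s\n' "$f" >&2
      mismatches=$((mismatches + 1))
    fi
  done < "$scratch/.manifest"
  if ! ls "$scratch"/db-*.sql >/dev/null 2>&1; then
    printf 'MISSING: database dump\n' >&2
    mismatches=$((mismatches + 1))
  fi
  rm -rf "$scratch"
  [ "$mismatches" -eq 0 ]
}

# Demo: ./wp-backup.sh demo   (real use: ./wp-backup.sh /var/www/html /mnt/remote-backups)
if [ "${1:-}" = demo ]; then
  site=$(mktemp -d); out=$(mktemp -d)
  make_sample_site "$site"
  archive=$(backup_site "$site" "$out")
  verify_backup "$archive" "$site" && echo "verified restore of $archive"
  rm -rf "$site" "$out"
elif [ $# -eq 2 ]; then
  archive=$(backup_site "$1" "$2")
  verify_backup "$archive" "$1" && echo "verified restore of $archive"
fi
```

The output directory should be somewhere the script then syncs off the server (the remote storage the item recommends); keeping the archive beside the site defeats the purpose. The restore check is deliberately strict: a single changed or missing file fails it, which is exactly what you want to hear about before a real outage rather than after.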
8. File Permissions Are Correctly Set
Incorrect file permissions can allow attackers to modify your files or upload malicious code. The standard WordPress file permissions are 644 for files and 755 for directories. Your wp-config.php file should be set to 600 or 640 for extra protection. If you’re not sure what your current permissions are, your hosting provider can check for you. Never set anything to 777, which gives everyone on the server full read, write, and execute access.
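The shell script below is an added example, not code from the original post: it audits a WordPress root against the modes in item 8 (755 directories, 644 files, 600 or 640 for wp-config.php) and can apply them. The sample tree it builds for the demo is constructed, with a world-writable upload directory and file and an over-permissive wp-config.php so the audit has something to report; the paths in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example, not from the original post: audit and fix WordPress file
# permissions against item 8 (644 files, 755 directories, 600 for wp-config.php).
# The tree built by make_sample_tree is constructed for the demo.
set -eu

# Build a small constructed WordPress tree with deliberately wrong permissions.
make_sample_tree() {
  root=$1
  mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes/mytheme"
  printf '<?php // constructed placeholder config\n' > "$root/wp-config.php"
  printf '<?php // constructed theme file\n' > "$root/wp-content/themes/mytheme/functions.php"
  printf 'constructed upload\n' > "$root/wp-content/uploads/hello.txt"
  chmod 755 "$root" "$root/wp-content" "$root/wp-content/themes" "$root/wp-content/themes/mytheme"
  chmod 644 "$root/wp-content/themes/mytheme/functions.php"
  chmod 777 "$root/wp-content/uploads"            # wrong: world-writable directory
  chmod 666 "$root/wp-content/uploads/hello.txt"  # wrong: world-writable file
  chmod 644 "$root/wp-config.php"                 # too open for wp-config.php
}

# Print every path whose mode deviates from the checklist, one per line.
# Anything world-writable (777, 666) is reported here as well.
audit_permissions() {
  root=$1
  find "$root" -type d ! -perm 755 -exec printf 'DIR  not 755:          %s\n' {} \;
  find "$root" -type f ! -name wp-config.php ! -perm 644 \
       -exec printf 'FILE not 644:          %s\n' {} \;
  find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600 ! -perm 640 \
       -exec printf 'wp-config not 600/640: %s\n' {} \;
}

# Number of deviations found (0 means the tree matches the checklist).
count_permission_issues() {
  audit_permissions "$1" | wc -l | tr -d ' '
}

# Apply the standard modes. Run as the user that owns the files.
fix_permissions() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

# Demo: ./wp-perms.sh demo
# Real use: ./wp-perms.sh audit /var/www/html   then   ./wp-perms.sh fix /var/www/html
case "${1:-}" in
  demo)
    site=$(mktemp -d); make_sample_tree "$site"
    echo "before fix: $(count_permission_issues "$site") issue(s)"; audit_permissions "$site"
    fix_permissions "$site"
    echo "after fix:  $(count_permission_issues "$site") issue(s)"
    rm -rf "$site" ;;
  audit) audit_permissions "$2" ;;
  fix)   fix_permissions "$2" ;;
esac
```

Run the audit first and read its output before running fix: a site that relies on a plugin writing into an unusual location, or on a shared-hosting setup where PHP runs as a different user from the file owner, may need the web server's group to own those paths rather than looser modes. Ownership, not 777, is the fix in that case.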
9. Login URL Is Changed or Protected
The default WordPress login page at /wp-admin and /wp-login.php is targeted by automated brute force attacks around the clock. Changing this URL to something unique won’t stop a determined attacker, but it eliminates the vast majority of automated attacks. Plugins like WPS Hide Login make this a simple change. Alternatively, you can add server-level protections like IP whitelisting or HTTP authentication to restrict who can even access the login page.
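As an added example that is not part of the original post, the script below writes an Apache .htaccess fragment covering two of the checklist items at once: the HTTP-to-HTTPS redirect that item 6 asks you to enforce, and the server-level protection of the login page that item 9 describes (an IP allow-list plus HTTP Basic authentication on wp-login.php). It also includes a small checker that confirms an existing .htaccess contains both protections. The IP addresses (203.0.113.0/24 and 198.51.100.0/24 are documentation ranges) and the .htpasswd path are placeholders you replace with your own.

```shell
#!/bin/sh
# Added example, not from the original post: generate an Apache .htaccess fragment
# that forces HTTPS (item 6) and fences off wp-login.php (item 9) with an IP
# allow-list plus HTTP Basic authentication. The IPs and the .htpasswd path are
# placeholders; the checker works on any .htaccess, not only the generated one.
set -eu

# Usage: write_login_protection <output-file> <htpasswd-path> <ip-or-cidr>...
# Keep this fragment outside WordPress's own "# BEGIN WordPress ... # END WordPress"
# block, which WordPress rewrites by itself, and above it so the redirect runs
# before WordPress's permalink rules.
write_login_protection() {
  out=$1; htpasswd_file=$2; shift 2
  {
    printf '# Force HTTPS: redirect every plain-HTTP request (checklist item 6)\n'
    printf '<IfModule mod_rewrite.c>\n'
    printf '  RewriteEngine On\n'
    printf '  RewriteCond %%{HTTPS} !=on\n'
    printf '  RewriteRule ^ https://%%{HTTP_HOST}%%{REQUEST_URI} [L,R=301]\n'
    printf '</IfModule>\n\n'
    printf '# Restrict the login page (checklist item 9): allow-listed addresses get\n'
    printf '# straight through, everyone else must pass HTTP authentication first.\n'
    printf '<Files wp-login.php>\n'
    printf '  AuthType Basic\n'
    printf '  AuthName "Restricted"\n'
    printf '  AuthUserFile %s\n' "$htpasswd_file"
    printf '  <RequireAny>\n'
    for ip in "$@"; do
      printf '    Require ip %s\n' "$ip"
    done
    printf '    Require valid-user\n'
    printf '  </RequireAny>\n'
    printf '</Files>\n'
  } > "$out"
}

# Return 0 only when a file both redirects HTTP to HTTPS and restricts wp-login.php.
check_login_protection() {
  f=$1
  grep -q 'RewriteCond %{HTTPS} !=on' "$f" &&
  grep -q '<Files wp-login.php>' "$f" &&
  grep -Eq 'Require (ip|valid-user)' "$f"
}

# Demo: ./wp-htaccess.sh demo
if [ "${1:-}" = demo ]; then
  tmp=$(mktemp)
  # 203.0.113.0/24 is documentation address space, i.e. a placeholder.
  write_login_protection "$tmp" /var/www/.htpasswd 203.0.113.0/24
  cat "$tmp"
  check_login_protection "$tmp" && echo "OK: HTTPS redirect and login restriction present"
  rm -f "$tmp"
fi
```

Two practical notes. Create the password file with Apache's htpasswd tool (htpasswd -c /var/www/.htpasswd youruser) and keep it outside the web root, because AuthUserFile must point at an existing file or every non-allow-listed visitor gets a server error instead of a prompt. And if your site sits behind a CDN or load balancer that terminates TLS, %{HTTPS} can be "off" on the origin even for HTTPS visitors, which turns the redirect into a loop; in that setup the condition has to look at the X-Forwarded-Proto header instead. If you extend the restriction from wp-login.php to the whole wp-admin directory, exempt wp-admin/admin-ajax.php, which the public front end of many themes and plugins calls.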
10. A Security Plugin Is Active and Configured
A good security plugin acts as a firewall and monitoring system for your WordPress site. It blocks known malicious traffic, scans your files for changes, and alerts you to potential issues. Wordfence and Sucuri Security are two of the most respected options. Install one, configure its settings properly, and pay attention to its alerts. A security plugin that’s installed but never configured or monitored isn’t doing much for you.
How Did You Score?
If you ticked all 10 items, your site is in excellent shape. Keep up the good work and review this checklist every few months.
If you scored 7-9, you’re in decent shape but have some gaps that should be addressed soon. Prioritise the items you missed.
If you scored under 7, your site has significant vulnerabilities that need attention. The longer these remain unaddressed, the higher the risk of a breach.
We help businesses secure their WordPress sites every day. If you’d like us to run a thorough security audit and close any gaps, get in touch. It’s far less expensive to prevent a breach than to clean one up.