Practical WordPress Security Checklist

Andy Forsberg
11 Jan 2022
5 min read

Force Two-Factor Authentication on your WordPress login screen

Enable Two-Factor Authentication on your web hosting account

Google the following to see how to enable it if your host offers it:

site:yourhost.com two factor

For example, if your host is SiteGround you would Google the following:

site:siteground.com two factor

Enable Two-Factor Authentication on your domain registrar account

...or wherever your domain's nameservers are pointed to and your DNS records are managed.

Google the following to see how to enable it if your registrar offers it:

site:yourregistrar.com two factor

For example, if your registrar is GoDaddy you should switch to Namecheap, but you would Google the following for now:

site:godaddy.com two factor

Install SSL Certificate and redirect all HTTP traffic to HTTPS

Use a secure managed WordPress host

You need to make sure everything is up to date, especially plugins or themes with publicly disclosed vulnerabilities. Managed hosts help automate updates and patch security holes. They also deliver better performance because their stacks are tuned specifically for WordPress hosting.

Install and use established security plugin(s)

iThemes Security Pro + Sucuri Security = Best Combo

Use a trusted password manager and make unique passwords for all your accounts

Automate full offsite WordPress backups

Protect yourself with a Proxy or VPN

Always use a VPN when logging into your site from public Wi-Fi, or your login credentials could be compromised.

Add Security Header Protections and block access to wp-config in .htaccess

Add the following code to your website's .htaccess file to enable security header protections and block access to wp-config as recommended by the Sucuri Security plugin:

<IfModule mod_headers.c>
# X-XSS-Protection is ignored by current browsers; harmless, but no longer protective on its own
Header set X-XSS-Protection "1; mode=block"
Header always append X-Frame-Options SAMEORIGIN
Header set X-Content-Type-Options nosniff
</IfModule>
# Refuse direct web requests for wp-config.php (database credentials live there).
# On Apache 2.4 without mod_access_compat, replace the two directives with: Require all denied
<files wp-config.php>
order allow,deny
deny from all
</files>
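A small external check for the .htaccess hardening above, written as an added example rather than taken from the post or from Sucuri: it audits the three headers on the home page and confirms that a direct request for wp-config.php is refused. The site URL is a command-line argument; the header names and values are the ones from the snippet, and the sample values in the test are constructed.

```python
"""Audit the security headers and wp-config.php block from outside the server."""
import sys
import urllib.error
import urllib.request

# Header -> acceptable values. X-Frame-Options DENY is stricter than SAMEORIGIN, so both pass.
EXPECTED_HEADERS = {
    "X-Frame-Options": ("SAMEORIGIN", "DENY"),
    "X-Content-Type-Options": ("nosniff",),
    "X-XSS-Protection": ("1; mode=block",),
}


def audit_headers(headers):
    """Return findings for headers that are missing or carry an unexpected value.

    `headers` is any mapping of header name -> value; lookup is case-insensitive."""
    lowered = {name.lower(): value for name, value in headers.items()}
    findings = []
    for name, accepted in EXPECTED_HEADERS.items():
        actual = lowered.get(name.lower())
        if actual is None:
            findings.append(f"missing header: {name}")
        elif not any(value.lower() in actual.lower() for value in accepted):
            findings.append(f"unexpected value for {name}: {actual!r}")
    return findings


def wp_config_exposed(status_code):
    """True when wp-config.php was served (2xx) instead of refused (403/404)."""
    return 200 <= status_code < 300


def fetch(url):
    """GET url and return (status, headers); 4xx/5xx responses are returned, not raised."""
    request = urllib.request.Request(url, headers={"User-Agent": "htaccess-audit/1.0"})
    try:
        with urllib.request.urlopen(request, timeout=10) as response:
            return response.status, dict(response.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


if __name__ == "__main__":
    base = sys.argv[1].rstrip("/")  # e.g. https://example.com
    _, home_headers = fetch(base + "/")
    for finding in audit_headers(home_headers):
        print("FAIL", finding)
    config_status, _ = fetch(base + "/wp-config.php")
    if wp_config_exposed(config_status):
        print("FAIL wp-config.php is readable over the web")
    else:
        print(f"OK wp-config.php blocked (HTTP {config_status})")
```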

Enable automatic updates for WordPress core

To auto-upgrade WordPress core, add the following line of code to wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', true );

To auto-upgrade WordPress plugins, add the following line of code to wp-config.php:

// add_filter() is defined in wp-includes/plugin.php, which wp-settings.php loads, so the
// add_filter() lines must come after the require_once ABSPATH . 'wp-settings.php'; line at the
// bottom of wp-config.php (placed earlier they fail with "undefined function add_filter").
add_filter( 'auto_update_plugin', '__return_true' );

To auto-upgrade WordPress themes, add the following line of code to wp-config.php:

add_filter( 'auto_update_theme', '__return_true' );

Scan for / fix mixed content errors

Scan your site now for free using JitBit's SSL Check
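The kind of scan such a tool performs, as an added example that is not from the post or from JitBit: it parses a page's HTML and reports every sub-resource an https:// page pulls over plain http://, which is what a browser blocks or flags as mixed content. The sample page is constructed; `scan_url` needs network access and is not exercised by the sample run.

```python
"""Find mixed-content sub-resources in a page served over HTTPS."""
from html.parser import HTMLParser
import urllib.request

# Attributes whose URL the browser fetches as a sub-resource. href only counts on <link>;
# an <a href="http://..."> is navigation, not mixed content.
FETCH_ATTRS = {"src", "srcset", "poster", "data", "href"}


class MixedContentScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (tag, attribute, url)

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name not in FETCH_ATTRS or not value or (name == "href" and tag != "link"):
                continue
            # srcset holds comma-separated "url descriptor" pairs; take the URL of each.
            if name == "srcset":
                candidates = [part.strip().split()[0] for part in value.split(",") if part.strip()]
            else:
                candidates = [value]
            for url in candidates:
                if url.lower().startswith("http://"):
                    self.findings.append((tag, name, url))

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)


def find_mixed_content(html_text, page_url):
    """Return (tag, attr, url) for each http:// sub-resource; [] if the page itself is plain http."""
    if not page_url.lower().startswith("https://"):
        return []
    scanner = MixedContentScanner()
    scanner.feed(html_text)
    return scanner.findings


def scan_url(page_url):
    """Fetch a live page and scan it (network access required)."""
    with urllib.request.urlopen(page_url, timeout=10) as response:
        return find_mixed_content(response.read().decode("utf-8", "replace"), page_url)


# Constructed sample page: one stylesheet, one image and one srcset entry still use http://.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/x/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script></head>
<body><a href="http://example.com/about/">About</a>
<img src="http://example.com/wp-content/uploads/logo.png"
     srcset="https://example.com/logo-1x.png 1x, http://example.com/logo-2x.png 2x">
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML, "https://example.com/"):
        print(f"<{tag} {attr}> loads {url} over plain HTTP")
```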

Use trusted WordPress plugins and themes

Only use plugins and themes that have many active installs, good reviews and frequent updates from trustworthy-looking authors.

Delete unused WordPress themes & plugins

They're just dead weight: their code is still on the server even when deactivated, so a vulnerability in them can still impact your security. Just delete them.

Other Practical WordPress Security tips

If you have any ideas for additional practical WordPress security tips that should be added to the checklist, please share them in the comments below! If you found this checklist useful please do me a favor and share it with your network.
