# WordPress Security Checklist 2026: 20 Essential Points

V-Shield · 2 min read

This checklist guides you step by step to **secure** your WordPress site. Check each point as you go for complete protection.

## Base Configuration

- [ ] **1. Update WordPress** – The core must be on the latest version to benefit from security patches.

- [ ] **2. Update plugins** – Outdated plugins are the leading cause of hacking. Remove those no longer maintained.

- [ ] **3. Update themes** – Active and inactive themes must be up to date. Remove unused themes.

- [ ] **4. Use strong passwords** – Minimum 12 characters, with uppercase, lowercase, numbers, and symbols. Use a password manager.

- [ ] **5. Change database prefix** – If your tables still use the default `wp_` prefix, consider changing it (do so with care, via a migration).

## Authentication and Access

- [ ] **6. Enable 2FA** – Two-factor authentication protects admin accounts even if the password is compromised.

- [ ] **7. Limit login attempts** – A WAF or a rate-limiting plugin blocks brute-force attacks against `wp-login.php`.

- [ ] **8. Rename or protect wp-login.php** – Reduces attack surface (optional, may complicate some integrations).

- [ ] **9. Disable XML-RPC** – If you don't need it, disable it to avoid abuse.

- [ ] **10. Remove unnecessary accounts** – Each account is a potential entry point. Keep only active users.

## Application Protection

- [ ] **11. Install a WAF** – A Web Application Firewall blocks SQL injections, XSS, and brute force attacks.

- [ ] **12. Configure anti-malware scan** – Regular scans detect malware and backdoors.

- [ ] **13. Verify file permissions** – 755 for directories, 644 for files. `wp-config.php` must not be publicly accessible.

- [ ] **14. Enable HTTPS** – A valid TLS (SSL) certificate and an HTTP-to-HTTPS redirect.

- [ ] **15. Configure security headers** – HSTS, X-Frame-Options, X-Content-Type-Options, CSP as needed.
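Item 13 is the one point above that can be verified mechanically. The script below is an added example, not V-Shield's code or part of the original checklist: it lists every path under a WordPress root that deviates from 755 (directories) / 644 (files), with its actual mode, and tags world-writable entries first. The root path passed as the first argument is an assumption; whether the web server serves `wp-config.php` is a separate web-server check that this script does not cover.

```shell
#!/bin/sh
# Added audit helper for checklist item 13 (not V-Shield's code).
# Prints "<tag> <mode> <dir|file> <path>" for every directory that is not
# 755 and every file that is not 644 under the given root. Entries
# writable by "other" are tagged CRITICAL: any local account on the host
# could drop or alter PHP there, which is a common way backdoors land.
# Assumes a POSIX sh and either GNU or BSD `stat`.

audit_wp_perms() {
    root="$1"
    findings=$(
        {
            find "$root" -type d ! -perm 755 -exec printf 'dir %s\n' {} \;
            find "$root" -type f ! -perm 644 -exec printf 'file %s\n' {} \;
        } |
        while read -r kind path; do
            # GNU stat first, BSD/macOS stat as the fallback.
            mode=$(stat -c %a "$path" 2>/dev/null || stat -f %Lp "$path")
            case "$mode" in
                *[2367]) tag=CRITICAL ;;   # last octal digit carries the o+w bit
                *)       tag=FIX ;;
            esac
            printf '%s %s %s %s\n' "$tag" "$mode" "$kind" "$path"
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Counters for reporting: total deviations and world-writable ones.
count_findings() { audit_wp_perms "$1" | grep -c . || true; }
count_critical() { audit_wp_perms "$1" | grep -c '^CRITICAL' || true; }

# Usage: sh audit_wp.sh /path/to/wordpress   (path is an assumption)
if [ $# -gt 0 ]; then
    if audit_wp_perms "$1"; then
        echo "OK: all directories are 755 and all files are 644 under $1"
    else
        echo "Remediation: find $1 -type d -exec chmod 755 {} + ; find $1 -type f -exec chmod 644 {} +"
    fi
fi
```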

## Backups and Monitoring

- [ ] **16. Set up automatic backups** – Daily minimum, stored off the server.

- [ ] **17. Test restoration** – An unusable backup is useless. Regularly verify you can restore.

- [ ] **18. Enable uptime monitoring** – Get alerted in case of outage to react quickly.

- [ ] **19. Monitor vulnerabilities** – Use a tool that alerts when an installed plugin or theme is vulnerable.

- [ ] **20. Document and review** – Note your security procedures and review this checklist at least twice a year.

## Summary

These 20 points cover the **fundamentals** of WordPress security: updates, authentication, WAF, scans, backups, and monitoring. By applying them, you significantly reduce risks.

**V-Shield** groups most of these protections: scan, WAF, cleanup, backups, monitoring, and security score. [Discover our features](/features) and [check our pricing](/pricing) to secure your site in a few clicks.
