Skip to content
Switch branches/tags
Go to file
Cannot retrieve contributors at this time
layout title permalink language subset

Most of the time a website running WordPress is hacked the culprit is not WordPress, but of any silly misconfiguration that could be avoided during its development. That's the idea of this project: Being a checklist of actions that you should take to increase the security of your website.


Login Page

  • Lockdown the login page for repetitive failed login (Login Lockdown{:target="_blank"} or iThemes Security{:target="_blank"} )
  • Activate 2 factor authentication (Google Authenticator{:target="_blank"})
  • Use email address to login instead of username (Force Login With Email{:target="_blank"})
  • Rename the URL of your login page (iThemes Security{:target="_blank"} or directly on .htaccess)
  • Remove login links from the theme (if there's any)
  • Use a strong password contaning uppercase, lowercase, numbers, and special characters on all accounts (Passwords Generator{:target="_blank"} or Password Meter{:target="_blank"})
  • Change the passwords regularly
  • Make the login error messages more generical (user/pass) (tutorial{:target="_blank"})
  • Disable the WP REST API, if you aren't using it. (Disable REST API{:target="_blank"})

Administrative Panel

  • Password protect the folder wp-admin (unblock only the needed files{:target="_blank"})
  • Keep WordPress up-to-date
  • Do not create an account with username admin. If there is any, create a new Administrator account and delete the old one
  • Create an Editor account and use it solely to publish content
  • Implement SSL for the WordPress admin section
  • Install any plugins to check file changes (WP Security Scan{:target="_blank"}, Wordfence{:target="_blank"} or iThemes Security{:target="_blank"})
  • Scan the website for viruses, malware, and security breaches


  • Keep the theme up-to-date
  • Delete and remove unused themes
  • Download and use themes only from reputable sources
  • Remove the WordPress version from the theme (tutorial{:target="_blank"})


  • Keep all plugins up-to-date
  • Delete and remove unused plugins
  • Download and use plugins only from reputable sources
  • Replace outdated plugins for alternative newer plugins
  • Think twice before installing a ton of plugins


  • Change the default table prefix (tutorial{:target="_blank"})
  • Schedule weekly backup of the database (Backup WP{:target="_blank"}, WP DB Backup{:target="_blank"} etc. )
  • Use a strong password contaning uppercase, lowercase, numbers, and special characters for the database user (password generator{:target="_blank"})

Hosting provider

  • Hire a reliable hosting provider
  • Connect to your server only through SFTP or SSH
  • Set all folder permission to 755 and files to 644 (accourding to the Codex{:target="_blank"})
  • Make sure the wp-config.php file is not accessible by others
  • Remove or block via .htaccess the files license.txt, wp-config-sample.php, and readme.html
  • Disable file edit via wp-config.php by adding the following code: define('DISALLOW_FILE_EDIT',true);
  • Prevent directory listing via .htaccess by adding the following code: Options All -Indexes