WordPress security checklist

It is important to secure your WordPress installation, whether it is freshly installed or has been running for years. The basics are not complicated, but they matter a great deal.

The Basics

These are things you really, really should do.

 Make sure you have the most recent version of WordPress
 Enable automatic backups (for example to Dropbox)
 Enable automatic updates for WordPress (for example in Installatron in your cPanel)
 Enable automatic updates for plugins (for example in Installatron in your cPanel)
 Use strong passwords only
 Enable CloudFlare in your cPanel
 Do not use paid themes that you downloaded from free websites; they are often compromised
 Make sure there is no account called ‘admin’ in your installation

Must have plugins

These are easy-to-install plugins that raise your security.

 Use two-factor authentication, either through the automatic installation process or by installing this plugin
 Use a brute force protection plugin like BruteProtect
 Make sure the permissions on your files are correct with this plugin


In your web root (the folder containing the WordPress files in your FTP client or file manager) there is a file called .htaccess. Add the following rules before the ‘#BEGIN WordPress’ line, because WordPress rewrites everything between its own BEGIN and END markers.

 Protect wp-includes by adding the following (skip this on a Multisite install, where the wp-includes rule blocks ms-files.php):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

 Protect your wp-config.php by adding

<files wp-config.php>
order allow,deny
deny from all
</files>

 Protect /wp-content/ by adding a .htaccess inside the /wp-content/ folder containing the following, which denies everything except static assets:

Order deny,allow
Deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>


These are good to implement, but a bit more difficult. The actions above will already protect your WordPress a great deal.

 Do not use the default wp_ database prefix
 Do not develop over an insecure channel like plain FTP (use a connection protected by SSL/TLS instead)
 Give your database user as few permissions as possible
 When you are done developing, add the following to your wp-config.php to block PHP file editing through the dashboard

define('DISALLOW_FILE_EDIT', true);

 Use an SSL certificate so the site is served over HTTPS
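A quick way to check several of the items on this list in one pass. This is example code added here, not part of the original post: it audits in-memory copies of wp-config.php and the two .htaccess files for DISALLOW_FILE_EDIT, a non-default table prefix and the blocking rules above. The file contents below are constructed samples; a real run would read them from your web root.

```python
import re

# Sample file contents (constructed for this example, not taken from a real site).
HARDENED = {
    "wp-config.php": "<?php\n$table_prefix = 'k7q_';\ndefine('DISALLOW_FILE_EDIT', true);\n",
    ".htaccess": (
        "RewriteRule ^wp-includes/[^/]+\\.php$ - [F,L]\n"
        "<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n"
        "# BEGIN WordPress\n# END WordPress\n"
    ),
    "wp-content/.htaccess": "Order deny,allow\nDeny from all\n",
}
DEFAULT = {
    "wp-config.php": "<?php\n$table_prefix = 'wp_';\n",
    ".htaccess": "# BEGIN WordPress\n# END WordPress\n",
}


def audit_wordpress(files):
    """Return the checklist items that are NOT satisfied (empty list = all good).

    files maps a path relative to the web root (e.g. "wp-config.php") to its text.
    """
    findings = []
    cfg = files.get("wp-config.php", "")
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", cfg):
        findings.append("wp-config.php: DISALLOW_FILE_EDIT is not set to true")
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", cfg)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("wp-config.php: default 'wp_' database prefix in use")
    ht = files.get(".htaccess", "")
    # Only rules above the '# BEGIN WordPress' marker count: WordPress rewrites
    # its own block on save, and its catch-all rule must not run before ours.
    marker = re.search(r"#\s*BEGIN WordPress", ht)
    head = ht if marker is None else ht[: marker.start()]
    if "RewriteRule ^wp-includes/[^/]+\\.php$ - [F,L]" not in head:
        findings.append(".htaccess: wp-includes PHP files are not blocked")
    if not re.search(r"<files\s+wp-config\.php>.*?deny from all.*?</files>", head, re.I | re.S):
        findings.append(".htaccess: wp-config.php is not denied to the web")
    if not re.search(r"^\s*Deny from all", files.get("wp-content/.htaccess", ""), re.I | re.M):
        findings.append("wp-content/.htaccess: missing or does not deny direct access")
    return findings


if __name__ == "__main__":
    for name, site in (("hardened", HARDENED), ("default", DEFAULT)):
        print(name, audit_wordpress(site) or ["all checks passed"])
```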

March 20th, 2015 | 2018-07-24T15:39:00+00:00