WordPress can be a very secure platform to build and maintain a powerful website with, but it can also be insecure if you don’t take proper precautions. As much as it’s about securing against possible attacks, it’s also about knowing what to do when security does fail and you have a compromised WordPress website. Use this free checklist to take a holistic evaluation of any WordPress website’s security setup.
Each checklist item is numbered in correspondence with the Master Checklist with a short summary and a link to more detailed information if available.
Master Checklist Table of Contents
- WordPress Website Analytics Setup Checklist
- WordPress Website Security Audit Checklist [you are here]
- WordPress Performance Site Speed Optimization Audit Checklist
- WordPress SEO Audit Checklist
WordPress Security Checklist
2.1 You have automated daily backups of your WordPress Directories & Files.
The best way to secure a WordPress website, is to be prepared for when it gets compromised. Make sure you are keeping regular backups of your WordPress directories & files, perhaps with some redundancy or a couple different backup sources. Having reliable and current backups when you need them is critical for WordPress website security.
2.2 You have automated daily backups of your WordPress Database.
Do not overlook backing up the WordPress Website Database(s). A full backup of WordPress contains not just the directories and files, but also the database(s). Again having some redundancy or multiple backup sources/destinations is smart when backing up your WordPress databases.
2.3 You know, or know someone who knows how to restore from your backup files if needed.
Having recent backups when you need them is only helpful if you know how to restore them into place to get your site running again after it’s compromised. Ensure you have a process for how to restore your site when you need to and that the appropriate people can follow those procedures. Some hosting service providers can help with this, but it’s nice to be self-sufficient as well when it comes to restoring a WordPress website.
2.4 You’ve automated restorations with a service that allows you to one-click rollback to any day in the past.
Elaborating on the previous item, there are solutions for backup restoration that allow easy one-click rollback restorations for WordPress sites. If you are less technical this is extremely useful so that when things go wrong you can correct them without needing to call or hire a developer for advanced help restoring a site and getting it working again.
2.5 You periodically take an additional manual ‘local’ backup so that you have a recent backup in more than one place.
Cloud backups are great, but it does not hurt to have a recent “local” backup of a WordPress website saved on your computer as well. As sort of a worse case backup when your cloud backup fails or you can’t access it – Any WordPress developer will tell you this has saved them countless times taking this extra step.
2.6 Your backups are also being backed up. (Via cloud ect..)
If you keep your backups on the same server as your WordPress website, you could lose both at the same time. Create redundancy in backing up your website and as crazy as it sounds, backup your backups. There are many unexpected scenarios where the backup you need was also lost and you are out of luck.
2.7 You have no Administrator users with the default username ‘Admin’
This is the most classic WordPress security hardening item. WordPress site health check feature now checks for this so make sure you mind those items as well. Many WordPress sites are hacked because if the default admin username is used, then all a hacker has to do is guess the password correctly. Make sure you also limit login attempts to prevent this type of password guessing.
2.8 You’ve reviewed the active FTP accounts on your server to ensure there are no rogue accounts.
Most WordPress hosts allow you FTP or sFTP access to manage the files on your server, ensure you know who has access. Sometimes an old website manager or no longer authorized colleagues still have FTP accounts that should have been deleted. FTP accounts should only be held by trusted individuals as they have the potential to compromise a WordPress website rather easily.
2.9 You’ve updated your passwords for your WordPress database lately.
Unauthorized database access is a quick way to have a WordPress website compromised. It’s easy to update your database password and should be done periodically to ensure only those individuals and application that are authorized have access to your WordPress mySQL databases.
2.10 You’ve reviewed the current Administrator Users are all required.
Many WordPress installation have many Users setup with Administrator privileges and often go disregarded after the user is setup. Take periodic crawls through your WordPress users and ensure your user roles are properly set and lowest level access only is implemented.
2.11 You use a plugin to stop ‘brute force’ attacks.
There are many solutions for stopping “brute force attacks” on WordPress websites. Jetpack has this built in, or any plugin that limits the login attempts. Brute force attacks are simple when trail and error guessing of login/password can be done without limit. This can strain a server and crash your site or worse allow an unauthorized application or individual to gain access to your site’s backend.
2.12 You’ve reviewed Google Search Console for any security issues.
You should have your WordPress site configured in Google Search Console, which provides a Security Issues report. This makes you aware of any hacked content, malware or unwanted software, or social engineering issues so you can fix the problem. If issues are identified by GSC, then you can request a reconsideration review from Google which takes some time.
2.13 You invest in a premium security plugin that scans and hardens.
There are many premium (paid) security solutions available for WordPress websites that are recommended. These solution can proactively scan and harden the security points of your website. It’s important not to consider these solutions as silver bullets and also take into consideration all the items in this checklist and create some redundancy for yourself.
2.14 You are running the latest version of your theme.
Many WordPress websites run popular themes as opposed to custom made themes, and the authors of these popular themes are constantly producing updates. Keeping your theme up to date with the latest version from the author gives you all the benefits of enhancements and bug fixes to ensure you site continues secure and performing properly. You should always be running the latest version of your WordPress theme.
2.15 You are running the latest version of your plugins.
WordPress plugin authors release plugin updates all the time to address security vulnerabilities. Always run the latest versions of any and all the plugins on a WordPress website. Not only will the WordPress site be more secure but you’ll also get all the enhancements and bug fixes also included in these plugin updates.
2.16 You are running the latest version of WordPress.
Each WordPress version contains a list of security enhancements with it. WordPress also releases new version just to address a specific security vulnerability from time to time as they are identified. WordPress takes security very seriously and the whole developer community works together to ensure patches are put in place as soon as possible when a security vulnerability is found in the WordPress core.
2.17 You complete updates as soon as they are released.
Turning on auto-updates is a great idea if you don’t check your WordPress dashboard very often. You can trust most updates have been tested before they are released and the rewards of keeping your WordPress plugins, themes, and core as up to date as possible far outweigh the risks of upgrading early, when a patch might be released shortly after the update. Updates do sometimes have the capacity to break a WordPress site, but you should always be prepared with a current backup and a plan for restoration should an update break your site.
2.18 You’ve removed unused plugins & themes.
Unused and/or inactive WordPress themes & plugins present a security vulnerability that is easily avoided by removing them from a WordPress installation. Most think that by deactivating plugins/themes they’ve done all they need to do, but you need to actually follow through and delete the unused plugins & themes to prevent exploitation of their code that’s still on your server and/or in your database.
2.19 You require strong passwords.
Any WordPress users should have strong passwords set, especially administrator user roles. There are settings and plugins to ensure that any users setting passwords are required to follow strong password best practices and won’t allow them to set a weak password. This is important and you often have no idea how secure other administrators set their passwords.
2.20 You use a hosting company known for security.
Not all hosting companies are the same when it comes to hosting a WordPress site. Many hosts specialize in hosting WordPress and many of those have special safeguards in place to help with WordPress security. Managed WordPress hosting services take this even further and offer specific features on their plans to ensure security, backups, and restorations to make it easy to protect any WordPress website.
2.21 You’ve properly configured SSL (HTTPS).
SSL certificates are easy and free to implement and are an absolute must. Let’s Encrypt revolutionized this making it a no brainier to ensure any WordPress site has the little lock and is running HTTPS. SSL and HTTPS no only helps WordPress from being compromised but also help protect any visitors to your website especially if they are sending information through the site like in contact forms.
2.22 You use a unique database prefix.
The default WordPress database prefix is wp_ which you could probably have guessed. Anything that’s easy to guess or default makes a hackers life so much easier. Take the extra step of having a unique database prefix for the WordPress database and add another layer of security to any WordPress installation. Many WordPress hosts now include this as standard practice when setting up new WordPress installations.
2.23 Your file and folder permissions are properly set on the server.
If file permissions are not set correctly on your server it can compromise your WordPress website. Most WordPress specialized hosting companies have tools to reset default file permissions for WordPress installations, as this can be a tedious job to do manually. Overtime file permissions can get incorrectly set and create otherwise hidden vulerabilities.
Got a WordPress Security checklist item that we didn’t cover here? Please leave a reply in the comments below.
Make sure to download the master checklist and audit all the other areas of any WordPress website.