The majority of WordPress hacks are not the result of sophisticated zero-day exploits. They happen because site owners miss basic security hygiene: outdated plugins, exposed version numbers, weak passwords, and open XMLRPC endpoints. This checklist walks you through every essential hardening step.
Warning: Always back up your WordPress site before making configuration changes. Test changes on a staging environment first if possible.
Server & hosting
1. Enable HTTPS / SSL
Every WordPress site must use HTTPS. Free TLS certificates (still widely called SSL certificates) are available from Let's Encrypt through most hosting providers. Redirect all HTTP traffic to HTTPS in your .htaccess or server configuration, set both the WordPress Address and the Site Address under Settings → General to the https:// URL so WordPress stops generating plain-HTTP links, and once the redirect is proven to work, send a Strict-Transport-Security header so browsers never retry plain HTTP. WPStats flags sites without HTTPS with a major security deduction.
2. Keep PHP up to date
Old PHP versions no longer receive security fixes, and plugin authors stop testing against them. Run a PHP branch that is still supported by the PHP project (8.1 or newer at the time of writing) and test your plugins on the new version in staging before switching production. Check your current version in WordPress Admin → Tools → Site Health, under the Info tab.
3. Use a reputable host
Your hosting environment is your first line of defense. Choose a host with server-level firewalls, malware scanning, and automatic backups. Managed WordPress hosts like Kinsta, WP Engine, or Cloudways offer additional security layers.
WordPress configuration
4. Disable XMLRPC
XMLRPC is enabled by default and accepts a username and password on every call, so it is a brute-force target that sidesteps protections aimed only at wp-login.php; its system.multicall method even lets a single HTTP request test hundreds of passwords, and its pingback method has been abused for DDoS reflection. If nothing on your site depends on it (Jetpack and the WordPress mobile apps do), block it. On Apache, add the following to your .htaccess (Apache 2.4 syntax; nginx needs an equivalent location block), then confirm that a request for /xmlrpc.php returns HTTP 403:
<Files xmlrpc.php>
Require all denied
</Files>
5. Hide your WordPress version
Exposing your WP version lets attackers match your site against published vulnerabilities for that exact release. Hiding it is only obscurity and never replaces updating, but it removes the cheapest fingerprint. Remove the generator tag by adding to functions.php (or, better, to a small must-use plugin in wp-content/mu-plugins, so the change survives a theme switch or theme update):
remove_action('wp_head', 'wp_generator');
The version also appears as a ?ver= query argument on core script and style URLs; strip it by filtering script_loader_src and style_loader_src, keeping the argument on plugin and theme assets so their cache busting still works. Remember that readme.html at the site root prints the version too, so deny access to it at the web server.
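The filters described above, written out as a drop-in snippet. This is an added example, not code from the original checklist or from WPStats; the function name wpstats_example_strip_core_version is an arbitrary prefix chosen here to avoid clashes, and the snippet assumes it runs inside WordPress (functions.php or an mu-plugin), since it calls WordPress helpers.

```php
<?php
// Added example for this checklist (not WPStats code). Place in the active theme's
// functions.php or in wp-content/mu-plugins/hide-version.php so it survives theme changes.

// Remove <meta name="generator" content="WordPress x.y"> from the <head> and empty
// the generator string that WordPress also prints in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Strip the ?ver= argument from enqueued script and style URLs, but only when its
 * value equals the WordPress core version. Plugin and theme assets carry their own
 * version numbers, which do not reveal the core version and are needed for cache
 * busting, so those are left untouched.
 *
 * @param string $src Asset URL passed by script_loader_src / style_loader_src.
 * @return string The URL, without "ver" if it leaked the core version.
 */
function wpstats_example_strip_core_version( $src ) {
    if ( ! is_string( $src ) || false === strpos( $src, 'ver=' ) ) {
        return $src;
    }

    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }

    // Parse the query string properly instead of substring matching, so a plugin
    // version that merely starts with the core version is not mistaken for it.
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        // remove_query_arg() rebuilds the URL without the "ver" parameter.
        $src = remove_query_arg( 'ver', $src );
    }

    return $src;
}

// Late priority so this runs after plugins that rewrite asset URLs (CDN rewriters etc.).
add_filter( 'script_loader_src', 'wpstats_example_strip_core_version', 9999 );
add_filter( 'style_loader_src', 'wpstats_example_strip_core_version', 9999 );
```

Verify by viewing the page source: the generator meta tag should be gone and core asset URLs that previously ended in ?ver=<your WordPress version> should no longer carry that argument, while plugin assets keep theirs. A determined attacker can still infer the version from readme.html or from the hashes of core static files, which is why updating (item 16) matters far more than hiding.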
6. Change the default admin username
Never use "admin" as your username. If you do, create a new admin user, transfer content ownership, and delete the "admin" account.
7. Use strong, unique passwords
Use a password manager to generate 20+ character random passwords for all WordPress accounts. Enable two-factor authentication with a plugin like WP 2FA or Google Authenticator.
8. Limit login attempts
Brute-force attacks try thousands of password combinations against wp-login.php. Limit failed login attempts with a plugin such as Limit Login Attempts Reloaded or the feature built into your security plugin. Because a plugin only acts after PHP has already handled the request, also rate-limit wp-login.php at the web server, CDN or WAF where you can, and remember that xmlrpc.php (item 4) is a second login endpoint that needs the same treatment.
9. Move the login URL
Changing /wp-login.php to a custom URL significantly reduces automated bot traffic against the login page, although a targeted attacker can still find the form, so treat this as noise reduction rather than protection. Use WPS Hide Login or a security suite plugin.
10. Disable file editing from admin
If an attacker gains admin access, they can edit theme and plugin files directly from the dashboard and drop a backdoor in seconds. Disable the built-in file editors in wp-config.php (the related DISALLOW_FILE_MODS constant goes further and also blocks installing and updating plugins and themes from the dashboard, which suits sites deployed from version control):
define('DISALLOW_FILE_EDIT', true);
REST API & user exposure
11. Restrict REST API user enumeration
By default, /wp-json/wp/v2/users publicly lists every user who has published content, including each account's slug, which is normally the login name that attackers feed straight into brute-force and credential-stuffing attacks. WPStats detects this. Fix it by adding to functions.php (the single-user route is removed too, and the routes are hidden from anonymous visitors only, so the block editor's author selector keeps working for logged-in users):
add_filter('rest_endpoints', function($endpoints) {
    // Logged-in users (for example editors in the block editor) keep the user routes.
    if (is_user_logged_in()) {
        return $endpoints;
    }
    // Both the collection route and the single-user route leak slugs and display names.
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
Author archives are a second enumeration vector: on sites with pretty permalinks, /?author=1 redirects to /author/<slug>/, so block or rate-limit that pattern at the web server or with your security plugin as well.
12. Disable REST API for non-logged-in users (if not needed)
If your site doesn't use the REST API publicly, restrict it to authenticated users. Check the consequences first: the block editor is unaffected because it sends a logged-in cookie plus a nonce, but front-end features that call /wp-json/ anonymously (form plugins such as Contact Form 7, shop plugins, and oEmbed discovery of your posts by other sites) will break unless their routes stay open. Allow-list those routes explicitly and watch the browser console and server logs after enabling the restriction.
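One way to implement the restriction, as an added example that is not part of the original checklist or of any plugin named here. It hooks rest_pre_dispatch rather than rest_authentication_errors because at that point WordPress has already resolved the request's authentication (cookie plus nonce, application password or a plugin's own scheme) and the WP_REST_Request object is available, so individual routes can be allow-listed. The wpstats_example_ function prefix and the contents of the allow-list are assumptions made for the example; the snippet must run inside WordPress.

```php
<?php
// Added example for this checklist (not WPStats code): require an authenticated user
// for every REST API request except an allow-list of routes that must stay public.
// Place in the active theme's functions.php or in a must-use plugin.

/**
 * Route prefixes that anonymous visitors may still call.
 * The list is an assumption for this example; extend it for any front-end plugin
 * on your site that talks to the REST API (form plugins, shop plugins, ...).
 *
 * @return string[]
 */
function wpstats_example_public_rest_prefixes() {
    return array(
        '/oembed/1.0/', // oEmbed discovery, used when other sites embed your posts.
    );
}

/**
 * Decide whether a REST route (e.g. "/wp/v2/users") is on the public allow-list.
 *
 * @param string $route Route path as returned by WP_REST_Request::get_route().
 * @return bool
 */
function wpstats_example_is_public_route( $route ) {
    foreach ( wpstats_example_public_rest_prefixes() as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return true;
        }
    }
    return false;
}

/**
 * rest_pre_dispatch runs after WP_REST_Server::check_authentication(), so
 * is_user_logged_in() already reflects cookie+nonce (block editor), application
 * password or plugin authentication. A cookie without a valid nonce counts as
 * anonymous here, which is exactly what we want.
 */
add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    // Another filter already produced a response or error; leave it alone.
    if ( null !== $result ) {
        return $result;
    }

    if ( is_user_logged_in() || wpstats_example_is_public_route( $request->get_route() ) ) {
        return $result; // null: let WordPress dispatch the request normally.
    }

    // Returning a WP_Error short-circuits dispatch; the "status" data becomes the HTTP code.
    return new WP_Error(
        'rest_not_logged_in',
        'The REST API on this site is restricted to authenticated users.',
        array( 'status' => 401 )
    );
}, 10, 3 );
```

After deploying, an anonymous request to /wp-json/wp/v2/users (or any other route not on the allow-list) returns HTTP 401 with a JSON error body, while a logged-in editor working in the block editor is unaffected. If a front-end feature stops working, its failing route shows up in the browser's network tab; add that route's prefix to the allow-list rather than removing the restriction.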
Files & permissions
13. Set correct file permissions
WordPress recommends directories at 755 and files at 644, with wp-config.php tightened to 440 or 400 where PHP runs as the file's owner (on hosts where the web server runs as a different user, use 640 and give that user's group read access instead, otherwise the site will not load). Never use 777 permissions, and keep wp-content/uploads free of executable PHP by denying script execution in that directory at the web server.
14. Protect wp-config.php
Normally PHP executes wp-config.php and never returns its contents, but a broken PHP handler or a misconfigured virtual host can serve it as plain text, exposing your database credentials and authentication salts. Deny direct access in .htaccess (Apache 2.4 syntax), and consider moving the file one directory above the web root, which WordPress supports out of the box:
<Files wp-config.php>
Require all denied
</Files>
15. Disable directory browsing
Prevent visitors from listing directory contents such as wp-content/uploads or wp-content/plugins, which reveals exactly which plugins (and versions) you run, by adding this line to .htaccess:
Options -Indexes
Plugins & themes
16. Keep everything updated
Keep automatic background updates on: WordPress applies core minor and security releases automatically by default, so make sure nothing has turned that off, and enable per-plugin auto-updates (available since WordPress 5.5) for plugins you trust. Review the remaining plugin and theme updates weekly and apply them promptly. Outdated plugins are the #1 source of WordPress hacks.
17. Remove unused plugins and themes
Every inactive plugin or theme is still code on disk that can be requested and exploited even though it is not activated. Delete (not just deactivate) plugins and themes you don't use, including older bundled themes like Twenty Twenty-One, but keep the latest default theme installed as the fallback WordPress switches to if your active theme breaks.
18. Use a Web Application Firewall (WAF)
A WAF blocks malicious requests before they reach WordPress. Options: Cloudflare (free tier), Wordfence (plugin-level, so it only acts once PHP is already running), or Sucuri. With a cloud WAF, also restrict your origin server so it only accepts traffic from the WAF's IP ranges; otherwise an attacker who discovers the origin address simply bypasses it.
Monitoring & backup
19. Set up automated backups
Back up daily (or on every change) to an off-site location. UpdraftPlus, BlogVault, and ManageWP are excellent options. Test your backups periodically by doing a test restore.
20. Enable security scanning and alerts
Use Wordfence, Sucuri, or MalCare to scan for malware, changed files, and suspicious activity, and compare core, plugin and theme files against the official checksums (WP-CLI does this with wp core verify-checksums and wp plugin verify-checksums) so injected code stands out. Set up email alerts for failed logins, new administrator accounts, and plugin changes.
Quick win: Use WPStats right now to check your site's security score and see exactly which of these issues affect your site. It's free and takes 30 seconds.
WPStats checks XMLRPC, version exposure, user enumeration, HTTPS and more — instantly and free.