The majority of WordPress hacks are not the result of sophisticated zero-day exploits. They happen because site owners miss basic security hygiene: outdated plugins, exposed version numbers, weak passwords, and open XMLRPC endpoints. This checklist walks you through every essential hardening step.

Warning: Always back up your WordPress site before making configuration changes. Test changes on a staging environment first if possible.

Server & hosting

1. Enable HTTPS / SSL

Every WordPress site must use HTTPS. Free SSL certificates are available via Let's Encrypt through most hosting providers. Redirect all HTTP traffic to HTTPS via your .htaccess or server config. WPStats flags sites without HTTPS with a major security deduction.

2. Keep PHP up to date

Old PHP versions have known vulnerabilities. Use PHP 8.1 or newer. Check your version in WordPress Admin → Tools → Site Health.

3. Use a reputable host

Your hosting environment is your first line of defense. Choose a host with server-level firewalls, malware scanning, and automatic backups. Managed WordPress hosts like Kinsta, WP Engine, or Cloudways offer additional security layers.

WordPress configuration

4. Disable XMLRPC

XMLRPC is enabled by default and exposes an endpoint that accepts passwords, which makes it a common brute-force target. Disable it by adding the following to your .htaccess (this is Apache syntax; nginx needs an equivalent location rule). If you rely on Jetpack or another remote-publishing tool that talks to xmlrpc.php, keep it enabled and rate-limit it instead:

<Files xmlrpc.php>
  Order Deny,Allow
  Deny from all
</Files>

5. Hide your WordPress version

Exposing your WP version helps attackers target specific vulnerabilities. Add to functions.php:

remove_action('wp_head', 'wp_generator');

Also remove the version from script and style URLs by filtering script_loader_src and style_loader_src.
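One way to do both the generator removal and the URL filtering, as an added example that is not code from the article or from WPStats. It goes one step further than simply deleting the version: it replaces the ver value with an opaque keyed hash, so browser cache busting still works after an update but the real version string is no longer visible. The function name example_mask_asset_version is an assumption; drop the file into wp-content/mu-plugins or the body into functions.php.

```php
<?php
// Added example (not code from the article or from WPStats): hide the
// WordPress version in <head>, in feeds, and in enqueued asset URLs.
// The function name example_mask_asset_version is an assumption.

// 1. Remove the <meta name="generator"> tag (as in the article) and blank the
//    generator string that also appears in RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Replace the "ver" query argument of an asset URL with a short keyed hash.
 * Different versions still produce different URLs, so caches refresh on
 * update, but the token cannot be mapped back to a version without the salt.
 */
function example_mask_asset_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src; // no query string, nothing to mask
    }
    parse_str( $query, $args );
    if ( empty( $args['ver'] ) ) {
        return $src; // asset enqueued without a version
    }
    // Keyed with the site's AUTH salt, so the token is unique to this install.
    $token = substr( hash_hmac( 'sha256', (string) $args['ver'], wp_salt( 'auth' ) ), 0, 10 );
    return add_query_arg( 'ver', $token, $src );
}

// Run late so the token is applied after plugins have set their own versions.
add_filter( 'script_loader_src', 'example_mask_asset_version', 9999 );
add_filter( 'style_loader_src',  'example_mask_asset_version', 9999 );
```

Because plugin and theme assets carry their own version strings, masking ver hides those versions too, not just the core version; the page-source check that WPStats performs will then find no version number in asset URLs.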

6. Change the default admin username

Never use "admin" as your username. If you do, create a new admin user, transfer content ownership, and delete the "admin" account.

7. Use strong, unique passwords

Use a password manager to generate 20+ character random passwords for all WordPress accounts. Enable two-factor authentication with a plugin like WP 2FA or Google Authenticator.

8. Limit login attempts

Brute-force attacks try thousands of password combinations. Limit failed login attempts using a plugin like Limit Login Attempts Reloaded or via your security plugin.

9. Move the login URL

Changing /wp-login.php to a custom URL significantly reduces automated bot traffic against the login form. Use WPS Hide Login or a security suite plugin. Treat this as noise reduction rather than a control on its own: keep strong passwords, two-factor authentication and login limiting (items 7 and 8) in place.

10. Disable file editing from admin

If an attacker gains admin access, they can edit theme files directly. Disable this in wp-config.php:

define('DISALLOW_FILE_EDIT', true);

REST API & user exposure

11. Restrict REST API user enumeration

By default, /wp-json/wp/v2/users exposes all usernames publicly. WPStats detects this. Fix it by adding to functions.php. The snippet below keeps the routes for logged-in users, because the block editor needs them to list authors, and also removes the single-user route, which would otherwise still answer requests:

add_filter('rest_endpoints', function($endpoints) {
  // Logged-in users (for example the block editor's author picker) still need the routes.
  if (is_user_logged_in()) {
    return $endpoints;
  }
  // Remove both the collection route and the single-user route for anonymous requests.
  unset($endpoints['/wp/v2/users']);
  unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
  return $endpoints;
});

12. Disable REST API for non-logged-in users (if not needed)

If your site doesn't use the REST API publicly, restrict it to authenticated users only. Test the front end afterwards: the block editor keeps working while you are logged in, but contact forms, e-commerce plugins and embed features may call the REST API anonymously and will break if every route is blocked.
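The following is an added example (not code from the article or from WPStats) of requiring authentication for the REST API while keeping an allow-list of routes that must stay public. It uses the core rest_authentication_errors filter; the constant and function names prefixed example_ and the two allow-listed prefixes are assumptions to adjust per site.

```php
<?php
// Added example, not from the original article: require a logged-in user for
// every REST route except an allow-list of prefixes that must stay public.
// Names prefixed "example_" and the prefixes listed are assumptions.

// Route prefixes anonymous visitors may still call (adjust for your site).
const EXAMPLE_PUBLIC_REST_PREFIXES = array(
    '/contact-form-7/', // assumed: a form plugin that submits from the front end
    '/oembed/1.0/',     // oEmbed discovery used when other sites embed your posts
);

/** True when $route (e.g. "/wp/v2/users") starts with an allow-listed prefix. */
function example_rest_route_is_public( $route ) {
    foreach ( EXAMPLE_PUBLIC_REST_PREFIXES as $prefix ) {
        if ( strpos( $route, $prefix ) === 0 ) {
            return true;
        }
    }
    return false;
}

// Priority 10 runs before core's cookie/nonce check (priority 100), so $result
// is normally null here; pass through anything another filter already decided.
add_filter( 'rest_authentication_errors', function ( $result ) {
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    // Cookie and application-password users have already been determined.
    if ( is_user_logged_in() ) {
        return $result;
    }
    // The requested route, as set by the wp-json rewrite rule (or ?rest_route=).
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? '/' . ltrim( $GLOBALS['wp']->query_vars['rest_route'], '/' )
        : '/';
    if ( example_rest_route_is_public( $route ) ) {
        return $result;
    }
    // Anonymous request to a non-public route: refuse with 401.
    return new WP_Error(
        'rest_not_logged_in',
        'You must be logged in to use the REST API on this site.',
        array( 'status' => 401 )
    );
}, 10 );
```

After enabling it, an anonymous request to /wp-json/wp/v2/users returns a 401 JSON error instead of a user list, while an anonymous call to an allow-listed prefix behaves as before.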

Files & permissions

13. Set correct file permissions

WordPress recommends: directories at 755, files at 644, and wp-config.php at 440 or 400. Never use 777 permissions.

14. Protect wp-config.php

Add to .htaccess:

<Files wp-config.php>
  Order Allow,Deny
  Deny from all
</Files>

15. Disable directory browsing

Prevent visitors from listing the contents of directories that have no index file by adding Options -Indexes to your .htaccess.

Plugins & themes

16. Keep everything updated

Enable automatic background updates for WordPress core minor releases. Review plugin updates weekly. Outdated plugins are the #1 source of WordPress hacks.
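An added example (not from the article) of expressing that update policy in code: minor core releases install automatically, and only plugins you have vetted are auto-updated, leaving the rest to the weekly manual review. The define belongs in wp-config.php; the filter can live in a must-use plugin. The plugin slugs in the allow-list are placeholders, and the constant name EXAMPLE_AUTO_UPDATE_PLUGINS is an assumption.

```php
<?php
// Added example (not from the article): update policy in code.

// wp-config.php: install minor (security and maintenance) core releases
// automatically, but leave major releases for a tested manual upgrade.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', 'minor' );
}

// Must-use plugin: plugins whose updates you trust enough to apply unattended.
// Placeholder slugs; replace with the directory names of your own plugins.
const EXAMPLE_AUTO_UPDATE_PLUGINS = array(
    'example-security-plugin',
    'example-backup-plugin',
);

// $item is the update object from the plugin update API; its ->slug is the
// plugin's directory name. Everything not listed keeps WordPress' own decision.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, EXAMPLE_AUTO_UPDATE_PLUGINS, true ) ) {
        return true;
    }
    return $update;
}, 10, 2 );
```

Plugins outside the list still appear as pending updates in the dashboard, so the weekly review catches them.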

17. Remove unused plugins and themes

Every inactive plugin is a potential attack vector. Delete (not just deactivate) plugins and themes you don't use, including bundled themes like Twenty Twenty-One.

18. Use a Web Application Firewall (WAF)

A WAF blocks malicious requests before they reach WordPress. Options: Cloudflare (free tier), Wordfence (plugin-level), or Sucuri.

Monitoring & backup

19. Set up automated backups

Back up daily (or on every change) to an off-site location. UpdraftPlus, BlogVault, and ManageWP are excellent options. Test your backups periodically by doing a test restore.

20. Enable security scanning and alerts

Use Wordfence, Sucuri, or MalCare to scan for malware, changed files, and suspicious activity. Set up email alerts for failed logins and plugin changes.
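As an added example that is not code from the article or from any of the plugins named above, here is the failed-login alerting that items 8 and 20 describe, written directly against the core wp_login_failed hook: every failure is written to the PHP error log with the source address, and the admin e-mail receives one alert when a single address crosses a threshold inside a rolling window. The example_ names and the threshold and window values are assumptions.

```php
<?php
// Added example, not from the original article: log failed logins and alert
// the site admin when one address exceeds a threshold inside a rolling window.
// Names prefixed "example_" and the numbers below are assumptions.

const EXAMPLE_FAILED_LOGIN_THRESHOLD = 5;                     // alert at this count
const EXAMPLE_FAILED_LOGIN_WINDOW    = 15 * MINUTE_IN_SECONDS; // rolling window

/** Client address from REMOTE_ADDR; trust proxy headers only if your host sets them. */
function example_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
}

/**
 * Add one failure for $ip and return the new count. The transient's expiry is
 * refreshed on every failure, so the window slides with the attacker's activity.
 */
function example_record_failed_login( $ip ) {
    $key   = 'example_fl_' . md5( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_FAILED_LOGIN_WINDOW );
    return $count;
}

// $error is passed since WordPress 5.4; default it for older installs.
add_action( 'wp_login_failed', function ( $username, $error = null ) {
    $ip   = example_client_ip();
    $code = ( $error instanceof WP_Error ) ? $error->get_error_code() : 'unknown';
    $user = sanitize_user( $username, true );
    $count = example_record_failed_login( $ip );

    // Always keep a log line for later investigation.
    error_log( sprintf( 'wp_login_failed ip=%s user=%s code=%s count=%d', $ip, $user, $code, $count ) );

    // Alert exactly once per window, when the threshold is first crossed.
    if ( EXAMPLE_FAILED_LOGIN_THRESHOLD === $count ) {
        wp_mail(
            get_option( 'admin_email' ),
            sprintf( '[%s] %d failed logins from %s', get_bloginfo( 'name' ), $count, $ip ),
            sprintf(
                "Last attempted username: %s\nLast error code: %s\nWindow: %d minutes\n",
                $user,
                $code,
                EXAMPLE_FAILED_LOGIN_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
}, 10, 2 );
```

The error code distinguishes an unknown username (invalid_username) from a wrong password for a real account (incorrect_password), which is useful when reading the log: a long run of invalid_username entries is credential spraying against guessed names, while repeated incorrect_password entries mean a real account is being targeted and its owner should be told.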

Quick win: Use WPStats right now to check your site's security score and see exactly which of these issues affect your site. It's free and takes 30 seconds.
