WordPress powers 43% of all websites on the internet — which also makes it the most attacked platform in the world. Hackers do not target you specifically; they run automated scanners looking for sites with known vulnerabilities. If your site has unpatched plugins, a weak admin password, or a guessable login URL, it will be found and exploited — often within weeks of going live.
This checklist covers the 15 security steps that should be completed before any WordPress site goes live. If you already have a live site, run through this list now.
Admin & Login Security
- 1. Change the default admin username. Never use "admin" as a username. It is the first thing attackers try. Create a new administrator account with a unique username and delete the default admin account.
- 2. Use a strong, unique password. Minimum 16 characters, mixed case, numbers, and symbols. Use a password manager (Bitwarden is free). Never reuse passwords.
- 3. Enable Two-Factor Authentication (2FA). Install WP 2FA or Wordfence and enable 2FA for all administrator accounts. This alone prevents 99% of credential-based attacks.
- 4. Change the login URL. The default WordPress login is /wp-admin or /wp-login.php. Change it using WPS Hide Login — bots scanning for WordPress logins will not find it.
- 5. Limit login attempts. Install Limit Login Attempts Reloaded. After 3-5 failed login attempts, lock the IP for 30+ minutes. This stops brute-force attacks cold.
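The lockout behaviour item 5 asks for (lock an IP after a handful of failed logins, keep it locked for half an hour, let other clients through) is simple enough to show in full. The block below is an added illustration, not code from the article or from the Limit Login Attempts Reloaded plugin; the client IPs, the start time and the `FakeClock` are constructed so the expiry can be exercised without waiting, and the 5-attempt / 30-minute values are taken from the checklist. A lockout also records an event so it can be forwarded to a log or SIEM for detection.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional


class FakeClock:
    """Controllable clock so lockout expiry can be tested without real waiting."""

    def __init__(self) -> None:
        self.now = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed start time

    def advance(self, minutes: int) -> None:
        self.now += timedelta(minutes=minutes)

    def __call__(self) -> datetime:
        return self.now


@dataclass
class _ClientState:
    failures: List[datetime] = field(default_factory=list)
    locked_until: Optional[datetime] = None


class LoginRateLimiter:
    """Per-IP lockout: after max_attempts failures inside a sliding window the IP is
    refused for the lockout period, even if the correct password is then supplied."""

    def __init__(self, max_attempts: int = 5, window: timedelta = timedelta(minutes=15),
                 lockout: timedelta = timedelta(minutes=30),
                 now: Optional[Callable[[], datetime]] = None) -> None:
        self.max_attempts = max_attempts
        self.window = window
        self.lockout = lockout
        self._now = now or (lambda: datetime.now(timezone.utc))
        self._clients: Dict[str, _ClientState] = {}
        self.lockout_events: List[str] = []  # one line per lockout, for the site log / SIEM

    def is_locked(self, ip: str) -> bool:
        state = self._clients.get(ip)
        if state is None or state.locked_until is None:
            return False
        if self._now() >= state.locked_until:
            del self._clients[ip]  # lockout expired: the client starts with a clean slate
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Register one failed login; returns True if this failure triggered a lockout."""
        now = self._now()
        state = self._clients.setdefault(ip, _ClientState())
        # keep only failures inside the sliding window
        state.failures = [t for t in state.failures if now - t < self.window]
        state.failures.append(now)
        if len(state.failures) >= self.max_attempts:
            state.locked_until = now + self.lockout
            state.failures.clear()
            self.lockout_events.append(f"{now.isoformat()} lockout ip={ip}")
            return True
        return False

    def attempt(self, ip: str, password_ok: bool) -> str:
        """Outcome of one login attempt: 'ok', 'denied' (wrong password) or 'locked'."""
        if self.is_locked(ip):
            return "locked"
        if password_ok:
            self._clients.pop(ip, None)  # success clears the failure history
            return "ok"
        return "locked" if self.record_failure(ip) else "denied"


def demo() -> List[str]:
    """Constructed scenario: five failures from one IP, then a correct password."""
    clock = FakeClock()
    limiter = LoginRateLimiter(max_attempts=5, lockout=timedelta(minutes=30), now=clock)
    attacker, admin = "203.0.113.9", "198.51.100.7"  # constructed documentation addresses
    results = [limiter.attempt(attacker, False) for _ in range(5)]
    results.append(limiter.attempt(attacker, True))  # right password, still locked
    results.append(limiter.attempt(admin, True))     # other clients are unaffected
    clock.advance(31)
    results.append(limiter.attempt(attacker, True))  # lockout has expired
    return results
```

`demo()` returns `['denied', 'denied', 'denied', 'denied', 'locked', 'locked', 'ok', 'ok']`: the fifth failure triggers the lockout, a correct password during the lockout is still refused, an unrelated client logs in normally, and after 31 minutes the locked client is admitted again. Keying on the source IP is what the plugin does too, so clients behind one NAT share a counter; that is the usual trade-off of this control.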
Files & Server Security
- 6. Set correct file permissions. Directories: 755. Files: 644. wp-config.php: 600. Your developer should set these — wrong permissions are a common entry point.
- 7. Protect wp-config.php. Add this to your .htaccess (Apache only; on Apache 2.4 and later the two directives inside the block are replaced by Require all denied, and on nginx you need an equivalent location rule):

<files wp-config.php>
order allow,deny
deny from all
</files>

- 8. Disable file editing in the dashboard. Add to wp-config.php: define('DISALLOW_FILE_EDIT', true); This prevents attackers who gain dashboard access from modifying theme/plugin files directly.
- 9. Remove unused themes and plugins. Every inactive plugin is a potential vulnerability. Delete — not just deactivate — anything not in active use.
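Item 6 gives the target modes (directories 755, files 644, wp-config.php 600) but a site has thousands of files, so checking them by hand is not realistic. The script below is an added example, not code from the article: it walks a site tree, lists every entry whose mode differs from those values, singles out world-writable entries (the ones to fix first), and can apply the expected modes. The sample tree it builds under a temporary directory is constructed for the demonstration. One caveat the modes assume: 600 on wp-config.php only works when PHP runs as the file's owner; on hosts where the web server runs as a different user in the same group, 640 is the equivalent.

```python
import os
import stat
import tempfile
from pathlib import Path
from typing import List, Tuple

# Target modes from the checklist
DIR_MODE = 0o755
FILE_MODE = 0o644
SECRET_MODE = 0o600
SECRET_FILES = {"wp-config.php"}

Finding = Tuple[str, int, int]  # (path relative to the site root, actual mode, expected mode)


def expected_mode(path: Path) -> int:
    if path.is_dir():
        return DIR_MODE
    if path.name in SECRET_FILES:
        return SECRET_MODE
    return FILE_MODE


def audit(root: Path) -> List[Finding]:
    """Return every file or directory whose permission bits differ from the checklist values."""
    findings: List[Finding] = []
    for path in [root, *sorted(root.rglob("*"))]:
        if path.is_symlink():
            continue  # never chmod through a link; it may point outside the site
        actual = stat.S_IMODE(path.lstat().st_mode)
        want = expected_mode(path)
        if actual != want:
            findings.append((str(path.relative_to(root)), actual, want))
    return findings


def world_writable(findings: List[Finding]) -> List[str]:
    """Entries writable by every local account; these are the ones to fix first."""
    return [rel for rel, actual, _want in findings if actual & stat.S_IWOTH]


def fix(root: Path) -> int:
    """Apply the expected modes; returns how many entries were changed."""
    changed = 0
    for rel, _actual, want in audit(root):
        os.chmod(root / rel, want)
        changed += 1
    return changed


def report(root: Path) -> List[str]:
    """Human-readable audit lines, e.g. 'wp-config.php: 644 (expected 600)'."""
    return [f"{rel}: {actual:o} (expected {want:o})" for rel, actual, want in audit(root)]


def build_sample_site() -> Path:
    """Constructed mini WordPress tree with deliberately wrong permissions (demo only)."""
    root = Path(tempfile.mkdtemp(prefix="wp-perm-demo-"))
    (root / "wp-content" / "uploads").mkdir(parents=True)
    (root / "wp-config.php").write_text("<?php // constructed sample\n")
    (root / "index.php").write_text("<?php // constructed sample\n")
    os.chmod(root, 0o755)
    os.chmod(root / "wp-content", 0o755)
    os.chmod(root / "wp-content" / "uploads", 0o777)  # world-writable upload directory
    os.chmod(root / "wp-config.php", 0o644)           # database credentials readable by everyone
    os.chmod(root / "index.php", 0o664)               # group-writable PHP file
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("\n".join(report(site)))
    print("world-writable:", world_writable(audit(site)))
    print("fixed", fix(site), "entries; remaining:", audit(site))
```

Run it against a real site root as the file owner (`audit(Path("/var/www/example"))`) before calling `fix`, and check the `world_writable` list first: a writable `uploads` directory combined with an executable-PHP setting is exactly the "common entry point" the checklist warns about. Symbolic links are skipped on purpose so the script never changes the mode of something outside the site.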
Updates & Monitoring
- 10. Update everything before launch. WordPress core, all plugins, all themes. Outdated software is the leading cause of WordPress hacks.
- 11. Set up automatic minor updates. Add to wp-config.php: define('WP_AUTO_UPDATE_CORE', true); Note that true enables major core releases as well as minor ones; if you want only the minor (security and maintenance) releases, use 'minor' instead, which is also the WordPress default when the constant is not set. For plugins, enable auto-updates in the plugins dashboard.
- 12. Install a security plugin. Wordfence (free tier is excellent) provides a firewall, malware scanner, and login security. Configure it and review its alerts weekly.
Backups & Recovery
- 13. Set up daily automated backups. Use UpdraftPlus to back up daily to Google Drive or Dropbox. Test the restore process — a backup you cannot restore is worthless.
- 14. Keep backups offsite. Never store backups only on the same server as your site. If the server is compromised, your backups are too.
SSL & Database
- 15. Change the database table prefix. The default WordPress database prefix is wp_ — every attacker knows this. During installation (or with a plugin like Brozzme DB Prefix), change it to something unique like xk7mf_.
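Items 8, 11 and 15 are all settings that live in wp-config.php, so they can be verified from the file itself rather than from the dashboard. The checker below is an added example, not code from the article: it pulls define() constants and $table_prefix out of the file text with regular expressions (a simplification that is enough for the wp-config.php format, but not a PHP parser), ignores commented-out lines so a disabled define() is not mistaken for a live one, and reports the three checklist items that fail. The two sample configurations are constructed; the xk7mf_ prefix is the page's own example.

```python
import re
from typing import Dict, List, Union

# define('NAME', true|false|'string'); with any amount of whitespace, case-insensitive
DEFINE_RE = re.compile(
    r"""define\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>true|false|'[^']*'|"[^"]*")\s*\)\s*;""",
    re.IGNORECASE,
)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def _active_lines(source: str) -> str:
    """Drop whole-line PHP comments so a commented-out define() is not treated as live.
    Simplification: trailing comments and block comments that share a line with code
    are not handled."""
    kept = [ln for ln in source.splitlines()
            if not ln.lstrip().startswith(("//", "#", "*", "/*"))]
    return "\n".join(kept)


def parse_config(source: str) -> Dict[str, Union[bool, str]]:
    """Collect define() constants and $table_prefix from wp-config.php text."""
    text = _active_lines(source)
    settings: Dict[str, Union[bool, str]] = {}
    for m in DEFINE_RE.finditer(text):
        raw = m.group("value")
        if raw.lower() == "true":
            settings[m.group("name")] = True
        elif raw.lower() == "false":
            settings[m.group("name")] = False
        else:
            settings[m.group("name")] = raw[1:-1]  # strip the surrounding quotes
    pm = PREFIX_RE.search(text)
    if pm:
        settings["table_prefix"] = pm.group(1)
    return settings


def check_hardening(source: str) -> List[str]:
    """Findings for checklist items 8, 11 and 15; an empty list means all three pass."""
    s = parse_config(source)
    findings: List[str] = []
    if s.get("DISALLOW_FILE_EDIT") is not True:                       # item 8
        findings.append("DISALLOW_FILE_EDIT is not true: the dashboard theme/plugin editor is enabled")
    if s.get("WP_AUTO_UPDATE_CORE") is False:                          # item 11
        findings.append("WP_AUTO_UPDATE_CORE is false: automatic core updates are disabled")
    if s.get("table_prefix", "wp_") == "wp_":                          # item 15
        findings.append("table_prefix is the default wp_")
    return findings


WEAK_CONFIG = """<?php
// constructed sample: a fresh install with auto-updates switched off
define('WP_AUTO_UPDATE_CORE', false);
$table_prefix = 'wp_';
"""

HARDENED_CONFIG = """<?php
// constructed sample: after applying items 8, 11 and 15
define('DISALLOW_FILE_EDIT', true);
// define('DISALLOW_FILE_EDIT', false);   commented out, must be ignored
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
$table_prefix = 'xk7mf_';
"""

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "->", check_hardening(cfg) or "all checks pass")
```

To run it against a live site, read the real file with `check_hardening(open("/path/to/wp-config.php").read())` as a user that is allowed to read it (the file should be mode 600 per item 6). An unset WP_AUTO_UPDATE_CORE is deliberately not reported, because WordPress applies minor updates by default in that case; only an explicit false is a finding.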
SSL Is Non-Negotiable
If your site does not have an SSL certificate (HTTPS), fix this before anything else. Most hosting providers offer free SSL via Let's Encrypt. Without SSL, data transmitted between your site and visitors is unencrypted, and Google marks your site as "Not Secure."
Related Reading
- My Website Was Hacked — What to Do — if it is already too late, start here
- cPanel vs VPS Hosting — server-level security starts with the right hosting choice
Need a Security Audit or Hardening?
NextCode Solutions performs WordPress security audits and full hardening for new and existing sites. We implement all 15 points above plus advanced server-level protections.
Request a Security Audit