The 2024 Complete WordPress Security Checklist


When we talk about website security, we mean continuous work on protecting and improving a website. There is no way to make a website permanently secure: new threats appear every day, and attackers keep finding new ways to compromise sites. For this reason we have put together the 2024 WordPress security checklist, so that you know what you need to do to keep your site safe from potential attacks.

1. Choose your hosting provider carefully

We put this item first because it is certainly one of the most important when it comes to website security. Choose hosting providers that have good services, are stable and have a good reputation. Many good hosting providers will provide additional protection for your websites and have hosting packages made specifically for WordPress.

All good hosting providers include daily backups, DDoS protection, a Web Application Firewall and many other tools in their hosting packages to protect your website, so you do not have to spend extra money buying each of these services separately. Never regret paying a few dollars more for quality hosting if it will improve security and give you the ability to quickly get your website back up and running.

2. Update WordPress, themes and plugins

Make it a habit to regularly update your website's theme and plugins. If you do not update your files, there is a huge chance that your website will be attacked by hackers. Attackers do a lot of research and find various vulnerabilities in WordPress files, themes and plugins. When new updates are released, the developers may have included security patches that fix known vulnerabilities from the previous version. If you haven't updated your files and they still contain bugs, it's only a matter of time before attackers notice them and use them to attack your website, putting your business at risk.

Be sure to update WordPress itself. Then, once your plugins and themes have been tested on the latest version of WordPress and have an update available, update them as well. Before starting the update, be sure to make a backup of your website.

3. Only use popular security plugins

Use popular security plugins to protect your WordPress website. One of the most effective ways to protect yourself from online threats is to hide the fact that you are using a WordPress CMS. If the attacker does not know which CMS it is, then he will not know how to look for vulnerabilities and how to attack. There are many plugins for this purpose, and the best one on the market is the Hide My WP plugin, which will completely hide the fact that you are using a WordPress CMS. No CMS and theme detector will be able to detect which CMS your website is based on.

In addition, this plugin will change the folder names of themes and plugins, change the link structure and hide your wp-admin. All wording in the WP files that could reveal which CMS you are using will be deleted. In this way your website is almost completely secure.

4. Limit login attempts

There is no login attempt limit on WordPress by default. This allows attackers to use password dictionaries and attempt brute force attacks to gain access to your admin panel. To prevent this attack you have to install one of the plugins made for this purpose. There are a lot of them in the WordPress repository, and one of the best is Limit Login Attempts Reloaded.

This plugin lets you set the maximum number of login attempts. If there are that many failed logins, access to wp-admin will be disabled for a period of time that you define. This is a great way to keep attackers and bots away from your website.
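The lockout policy described above, replayed over access-log lines as an added example (not code from Limit Login Attempts Reloaded or from this article), to show which client IPs a given threshold would have locked out. The thresholds, the log format and the rule that a failed login is a POST to wp-login.php answered with status 200 are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed access-log lines (not from a real site); IPs are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [12/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.20 - - [12/Mar/2024:10:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [12/Mar/2024:10:00:17 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
198.51.100.20 - - [12/Mar/2024:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
203.0.113.7 - - [12/Mar/2024:10:00:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
203.0.113.7 - - [12/Mar/2024:10:00:33 +0000] "POST /wp-login.php HTTP/1.1" 200 4512
192.0.2.55 - - [12/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4100
"""

LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def simulate_lockouts(log_text, max_attempts=4,
                      window=timedelta(minutes=5), lockout=timedelta(minutes=20)):
    """Return {ip: [ISO time each lockout would start]} for the given policy."""
    failures = defaultdict(deque)   # ip -> times of recent failed logins
    locked_until = {}               # ip -> end of the current lockout
    lockouts = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, ts, method, path, status = m.groups()
        # Assumption: a failed login re-renders the form (200); a success redirects (302).
        if method != "POST" or not path.startswith("/wp-login.php") or status != "200":
            continue
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if ip in locked_until and when < locked_until[ip]:
            continue  # the lockout would already have rejected this request
        recent = failures[ip]
        recent.append(when)
        while recent and when - recent[0] > window:
            recent.popleft()        # forget failures older than the window
        if len(recent) >= max_attempts:
            locked_until[ip] = when + lockout
            lockouts[ip].append(when.isoformat())
            recent.clear()
    return dict(lockouts)

if __name__ == "__main__":
    for ip, starts in simulate_lockouts(SAMPLE_LOG).items():
        print(ip, "locked out at", ", ".join(starts))
```

Replaying your own logs with different values for `max_attempts` and `lockout` shows how many legitimate users a stricter limit would also have caught before you enable it.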

5. Use two-factor authentication

One of the best ways to protect access to your dashboard is to use two-factor authentication (2FA). This protection works in such a way that after you enter your credentials, you receive a security code on your mobile phone, e-mail, tablet or any other device. Access is granted only after you confirm that code.

This method is very effective because even if the attacker knows your username and password, he must also have access to your mobile phone in order to log in to your site.

There are many plugins for this purpose. One of the most famous is Shield Security, and the Wordfence plugin also comes with 2FA options that you can activate if you have installed the plugin.

6. Remove themes and plugins you don’t use

Even if you don’t use some plugins and themes they can still be a threat to your website. If they have known bugs and are on your server, attackers can use them to take control of your website or destroy it permanently.

Therefore, it is best to delete all themes and plugins that are not in use. Remember that you must deactivate them in order to have the option to delete them.

7. Change credentials at regular intervals

This is a very important task that every WordPress admin should adhere to. By default, WordPress does not require you to change your credentials after a certain amount of time. Maybe you are responsible and change your password after a while, but are the other administrators like you?

To solve this problem, install one of the plugins made for this purpose. One of the best is the WP Force Password WordPress plugin.

Your task is only to choose which user roles must change their password and to define the time interval. Everything else will be done by the plugin. In this way you have made it difficult for attackers to use credentials from an administrator that they have hacked or stolen.

8. Do not ever use nulled themes and plugins

You can find themes or plugins that are offered for free download, even though they are commercial products. Never even consider using an illegal copy of a theme or plugin. You will be asking for your website to be hacked if you use illegal copies of any theme or plugin. Attackers write malicious code into such themes and plugins, and they can use it to take control of your website or to use your website for spreading spam messages or advertising. Use themes and plugins only from verified sources, and if you like a commercial product, buy it.

9. Change database prefix

When you install WordPress the default database prefix is wp_. Attackers can use this information to locate your files, and then use various attacks such as SQL injections to cause damage and bring your website into a non-functional state. This is why it is very important to change the default database prefix.

If you are just going to install WordPress, then before installation you can specify the database prefix. However, if you have a website that is online and in production, then this task is a little more difficult to do manually. Install Brozzme DB Prefix & Tools Addons and change your database prefix in just a few clicks.

After you set a hard-to-guess database prefix, if attackers try to attack your website via SQL injection they will get an error.

10. Use strong admin credentials

Never use “admin” or “administrator” for the first administrator account (ID 1), which you create when installing WordPress. Use a hard-to-guess name instead. When it comes to passwords, never use your name, the names of your relatives, dates of birth, etc. This is information that people other than you know. Instead, use a generated password, which you can create within the WordPress admin dashboard in your profile settings.

In order to remember the password you generated, we advise you to use one of the tools for storing sensitive data.

11. Implement an SSL certificate

This is one of the most important safety tasks. Using an SSL certificate will encrypt the traffic between your website and your visitor's browser. This way, even if an attacker intercepts the information, they will have no use for it. This type of protection is especially important for online stores where online payment is possible. You need to be sure that credit card numbers will not be intercepted and misused.

We will return to the first item from this article – the hosting provider. All good hosting providers offer a free SSL certificate as part of their hosting packages. In this way you will save a certain amount on an annual basis. Using an SSL certificate is also very important from the aspect of SEO ranking because Google ranks websites that use an SSL certificate much better.

12. Divide users by user roles

It is very important that all users who log in to your website do not have the same roles. If you have many administrators, there is a greater chance that someone will find out the credentials of one of them and do damage to your website. This is why dividing users by roles is something every administrator must do.

When you install WordPress there are 6 predefined user roles. If these default WP user roles are not enough for you, then install one of the plugins made for this purpose. One of the best on the market is the User Role Editor, which allows you to create a completely new user role and add any permissions you want. The number of user roles and of options within them is not limited; you can create as many as you like.



Considering that the number of threats on the Internet is increasing every day, you must continuously work to keep your website safe. There is no such thing as an absolutely secure website, but there is a way to make the website secure enough and resistant to most known attacks. In today’s article we created a WordPress security checklist and we briefly described how to additionally protect your website.

Disclosure: This page contains external affiliate links that may result in us receiving a commission if you choose to purchase mentioned product. The opinions on this page are our own and we don't receive additional bonus for positive reviews.