Most of the time, when a WordPress site is hacked, the culprit is not WordPress itself, but rather a silly misconfiguration that could have been avoided during development. That is what this project is for: a checklist of actions you should take to increase the security of your website.

wp-config

• Change Security Key (Generator provided by WordPress.org)
• Disable theme and plugin file editor by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php
• Force SSL for admin logins with define('FORCE_SSL_ADMIN', true); (when HTTPS is available)
• Set WP_DEBUG to false in production and never expose debug output publicly

Login Page

• Add brute-force protection and rate limiting for repetitive failed logins
• Enable multi-factor authentication for all administrator accounts (passkeys/WebAuthn preferred, TOTP as fallback)
• Use unique usernames (never admin) and avoid shared accounts
• Remove login links from the theme (if there are any)
• Use strong unique passwords on every account (prefer password manager-generated credentials)
• Revoke old sessions and rotate passwords after incidents or team changes
• Make login error messages generic (user/pass) (tutorial)

Administrative Panel

• Password protect the folder wp-admin (unblock only the needed files)
• Keep WordPress core, themes, and plugins updated (enable auto-updates where appropriate)
• Use least privilege: keep daily publishing accounts as Editor/Author and reserve Administrator only when needed
• Review administrator accounts quarterly and remove stale users immediately
• Scan for malware and unexpected file changes on a schedule
• Keep an incident response checklist with steps for containment, recovery, and password/API key rotation

Themes

• Keep the theme up-to-date
• Delete unused themes
• Download and use themes only from reputable sources
• Prefer themes with active maintenance, clear changelogs, and recent security fixes

Plugins

• Keep all plugins up-to-date
• Delete unused plugins
• Download and use plugins only from reputable sources
• Replace abandoned plugins with actively maintained alternatives
• Think twice before installing a ton of plugins
• Audit plugin permissions and remove plugins that require capabilities you do not need

Database

• Use strong unique credentials for the database user and limit its privileges to the minimum needed
• Schedule automated backups and store copies offsite
• Test backup restores regularly (a backup is only useful if the restore works)
• Encrypt backups at rest and in transit

Hosting provider

• Hire a reliable hosting provider
• Connect to your server only through SFTP or SSH
• Set all folder permissions to 755 and files to 644 (WordPress security hardening)
• Make sure the wp-config.php file is not accessible by others
• Remove or block via .htaccess the files license.txt, wp-config-sample.php, and readme.html
• Prevent directory listing via .htaccess by adding the following code: Options All -Indexes
• Put your site behind a WAF/CDN and enable DDoS/bot protection when possible
• Enable uptime and security alerting (certificate expiry, file changes, login spikes, malware findings)
• Keep XML-RPC disabled unless you explicitly need it
• Block username enumeration from public requests (for example ?author= queries that expose valid accounts): use web server rules (Apache .htaccess or nginx), a security plugin, or disable public author archives if you do not need them (WordPress security hardening).
  Show Apache .htaccess example

  # Block numeric author=… probes (redirect drops the query string)
  RewriteEngine On
  RewriteCond %{QUERY_STRING} ^author=\d [NC]
  RewriteRule ^ %{REQUEST_URI}? [L,R=301]