WordPress powers roughly 40% of the entire web, which makes it the single most targeted CMS on the planet. Attackers don't need to find your site specifically — they scan millions of domains automatically, looking for any WordPress installation with a known-vulnerable plugin, a weak admin password or missing email-authentication records (SPF, DKIM, DMARC). If your site is on WordPress, it's being probed right now.
The good news: most WordPress breaches are preventable. They exploit known, fixable weaknesses — not exotic zero-days. This checklist covers the steps that close the gaps attackers actually use.
1. Keep WordPress, themes and plugins updated
Outdated software is the single biggest WordPress attack vector. Plugin vulnerabilities are disclosed publicly — attackers immediately scan for sites running the old version. Enable automatic updates for WordPress core, and update plugins and themes as soon as patches drop. Delete plugins you don't use; inactive plugins still expose vulnerable code.
2. Use HTTPS with a valid certificate
Every WordPress site in 2026 should be on HTTPS. It encrypts traffic between your visitors and server (protecting login credentials, form submissions and cookies from interception), and it's a ranking signal for Google. Most hosts offer free certificates via Let's Encrypt. After enabling HTTPS, force it site-wide in your WordPress settings and consider adding HSTS to prevent downgrade attacks.
3. Enable two-factor authentication on admin accounts
WordPress admin credentials are a prime target for brute force and credential-stuffing attacks. 2FA means a stolen password alone isn't enough to get in. Plugins like WP 2FA or Wordfence add authenticator-app support in minutes. At a minimum, enable 2FA for all accounts with editor role or above.
4. Harden your login page
- Change the default login URL — /wp-admin and /wp-login.php are hit by automated bots constantly. Moving them to a custom path reduces noise immediately.
- Limit login attempts — lock out IPs after 5–10 failed attempts to stop brute force. Plugins like Limit Login Attempts Reloaded do this for free.
- Restrict admin access by IP — if you access your admin from a predictable IP range, whitelist it and block everything else at the server level.
- Disable XML-RPC if you don't need remote publishing — it's a common brute-force vector and rarely needed by modern sites.
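To make the "limit login attempts" and "disable XML-RPC" points concrete on the server side, here is an added example (written for this page, not part of the original checklist or any plugin) that reads a web server access log in the common "combined" format and reports, per source IP, how many failed POSTs hit /wp-login.php and who is calling /xmlrpc.php. The log lines are constructed samples using the reserved documentation address ranges. The rule that a failed login is a POST answered with status 200 (WordPress re-renders the form) while a successful one answers 302 is an assumption that holds for stock WordPress but not for every login plugin.

```shell
#!/bin/sh
# Constructed sample access-log lines (Apache/nginx "combined" format). Addresses are from
# the reserved documentation ranges; this is not real traffic.
SAMPLE_LOG='203.0.113.7 - - [10/May/2026:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:12:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:12:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
203.0.113.7 - - [10/May/2026:12:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2026:12:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2026:12:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"
198.51.100.9 - - [10/May/2026:12:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.5 - - [10/May/2026:12:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1420 "-" "Mozilla/5.0"'

# login_failures [THRESHOLD]: read log lines on stdin and print "COUNT IP" for every source
# IP with at least THRESHOLD (default 5) failed wp-login.php POSTs, busiest first.
# Heuristic (assumption for stock WordPress): a failed login is a POST to /wp-login.php
# answered with 200 (the form is re-rendered); a successful login answers 302.
# Combined-format fields: $1 client IP, $6 "METHOD (with leading quote), $7 path, $9 status.
login_failures() {
    threshold="${1:-5}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# xmlrpc_clients: print "COUNT IP" for every IP that requested /xmlrpc.php. If this list is
# non-empty and the site does no remote publishing, it is traffic you can block outright.
xmlrpc_clients() {
    awk '$7 ~ /^\/xmlrpc\.php/ { n[$1]++ }
         END { for (ip in n) printf "%d %s\n", n[ip], ip }' | sort -rn
}

# Demo on the constructed sample. Against a real log:
#   login_failures 5 < /var/log/nginx/access.log
printf '%s\n' "$SAMPLE_LOG" | login_failures 5
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_clients
```

With the sample above only 203.0.113.7 crosses the default threshold of five; 198.51.100.9 failed twice and then logged in, which is what a user mistyping a password looks like, so the threshold matters. The IPs this prints are candidates for the lockout or server-level block the list describes, not proof of compromise.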
5. Set strong file permissions
WordPress files should not be world-writable. Standard permissions:
- Files: 644 (owner can write; group and others read only)
- Directories: 755
- wp-config.php: 600 or 640 (no public read)
Also block direct access to wp-config.php and .htaccess at the server level.
Your host's security scanner or a plugin like iThemes Security will flag permission problems.
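Here is an added example of what such a permission check does, written for this page rather than taken from any host's scanner or plugin. It audits a WordPress install root against the 644/755/600 baseline above, prints one reason-and-path line per finding, and can apply the baseline. The demo tree it builds is constructed in a temporary directory with deliberately wrong permissions; the exact-mode matching assumes no setuid/setgid bits are in use, which is the normal case for a WordPress docroot.

```shell
#!/bin/sh
# wp_perm_audit ROOT: list permission problems under a WordPress install root, one
# "REASON PATH" line each, and return 1 if anything was found (0 when clean).
# Baseline from the checklist: files 644, directories 755, wp-config.php 600 or 640.
wp_perm_audit() {
    root="$1"
    findings=$( {
        # Anything writable by "others" is wrong whatever its type.
        find "$root" -perm -002 -print | sed 's/^/world-writable /'
        # Directories that are not exactly 755.
        find "$root" -type d ! -perm 755 -print | sed 's/^/dir-not-755 /'
        # Regular files (wp-config.php excepted) that are not exactly 644.
        find "$root" -type f ! -name wp-config.php ! -perm 644 -print | sed 's/^/file-not-644 /'
        # wp-config.php holds the database credentials: only 600 or 640 is acceptable.
        find "$root" -type f -name wp-config.php ! -perm 600 ! -perm 640 -print | sed 's/^/wp-config-exposed /'
    } | sort )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# wp_perm_fix ROOT: apply the baseline. Run as the file owner (or root), then re-audit.
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

# make_demo_tree: build a throwaway tree with deliberately bad permissions (constructed for
# this example, not a real install) and print its path.
make_demo_tree() {
    d=$(mktemp -d)
    chmod 755 "$d"
    mkdir -p "$d/wp-content/uploads"
    chmod 755 "$d/wp-content"
    printf '<?php\n' > "$d/index.php";     chmod 644 "$d/index.php"
    printf '<?php\n' > "$d/wp-config.php"; chmod 644 "$d/wp-config.php"      # credentials world-readable
    printf '<?php\n' > "$d/wp-content/uploads/stale.php"
    chmod 666 "$d/wp-content/uploads/stale.php"                              # world-writable file
    chmod 777 "$d/wp-content/uploads"                                        # world-writable directory
    printf '%s\n' "$d"
}

# Demo: audit, fix, audit again. On a real site: wp_perm_audit /var/www/html
demo=$(make_demo_tree)
if wp_perm_audit "$demo"; then echo "demo tree unexpectedly clean"; else echo "fixing"; fi
wp_perm_fix "$demo"
if wp_perm_audit "$demo"; then echo "clean after fix"; fi
rm -rf "$demo"
```

Two findings in the demo overlap on purpose: a 777 directory is reported both as world-writable and as not-755, because the first reason is the one that matters for an attacker and the second is what you will change. Run the audit from cron and alert on a non-zero exit, and you have a crude file-integrity check for permissions without a plugin.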
6. Add HTTP security headers
Security headers like Content-Security-Policy, X-Frame-Options, X-Content-Type-Options and Referrer-Policy protect visitors from XSS, clickjacking and other client-side attacks. Add them via your server config, a caching plugin (WP Rocket, W3 Total Cache) or the Cloudflare dashboard if your site is behind their CDN. The Headers Security plugin for WordPress can set them without touching server files.
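Whichever of those routes you take, verify the result from outside. The following added example (written for this page, not from any of the plugins named) takes raw response headers on stdin, as `curl -sI` prints them, and lists which of the four headers above are missing; it also checks for Strict-Transport-Security from step 2. The sample headers are constructed to show a site that has set only two of them.

```shell
#!/bin/sh
# Constructed response headers, the kind of thing `curl -sI https://example.com` returns for
# a site that has set only two of the recommended headers. Not captured from a real site.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Set-Cookie: wordpress_test_cookie=WP%20Cookie%20check; path=/; secure; HttpOnly
'

# The headers the checklist asks for, plus HSTS from step 2. HTTP header names are
# case-insensitive, so everything is compared in lower case.
REQUIRED_HEADERS='content-security-policy x-frame-options x-content-type-options referrer-policy strict-transport-security'

# missing_headers: read raw response headers on stdin, print each required header that is
# absent (one per line, in REQUIRED_HEADERS order) and return 1; print nothing and return 0
# when all are present. CRLF line endings are tolerated.
missing_headers() {
    present=$(tr -d '\r' | tr 'A-Z' 'a-z' | sed -n 's/^\([a-z0-9-]*\):.*/\1/p' | tr '\n' ' ')
    status=0
    for h in $REQUIRED_HEADERS; do
        case " $present " in
            *" $h "*) ;;
            *) printf '%s\n' "$h"; status=1 ;;
        esac
    done
    return $status
}

# Demo on the constructed sample. Against a live site:
#   curl -sI https://example.com | missing_headers
printf '%s' "$SAMPLE_HEADERS" | missing_headers
```

This only checks presence. A Content-Security-Policy that allows everything or an X-Frame-Options value other than DENY or SAMEORIGIN will pass here and still be weak, so read the values once the names are all present.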
7. Set up email authentication (SPF, DKIM, DMARC)
If your WordPress site sends transactional email — receipts, password resets, contact-form notifications — your domain needs SPF, DKIM and DMARC records. Without them, anyone can send email pretending to come from your domain, and your legitimate emails are more likely to land in spam. This is a DNS configuration, not a WordPress one — check and fix it at your DNS provider.
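Having the records is not the same as having useful ones: an SPF record ending in +all or a DMARC policy of p=none is present in DNS and still lets spoofed mail through. The added example below (written for this page, not from any DNS provider's tooling) checks SPF and DMARC record text for those two weaknesses. The record values are constructed for the reserved documentation domain example.com; DKIM is left out because checking it needs the sending service's selector, which this page does not give.

```shell
#!/bin/sh
# Constructed TXT record values for the documentation domain example.com (not looked up
# from DNS): a weak and a sound version of each record.
SPF_WEAK='v=spf1 include:_spf.mail.example.net +all'
SPF_OK='v=spf1 include:_spf.mail.example.net -all'
DMARC_MONITOR_ONLY='v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com'
DMARC_OK='v=DMARC1; p=quarantine; rua=mailto:dmarc-reports@example.com; pct=100'

# check_spf RECORD: return 0 when the record starts with v=spf1 and ends in a restrictive
# "all" mechanism (-all hard fail or ~all soft fail); otherwise print why and return 1.
check_spf() {
    r="$1"
    case "$r" in
        v=spf1|"v=spf1 "*) ;;
        *) echo "SPF: record does not start with v=spf1"; return 1 ;;
    esac
    case "$r" in
        *" -all"|*" ~all") return 0 ;;
        *" +all"|*" all")  echo "SPF: +all authorises every host on the internet to send as this domain"; return 1 ;;
        *" ?all")          echo "SPF: ?all is neutral; receivers treat it like having no SPF"; return 1 ;;
        *)                 echo "SPF: no terminal all mechanism (defaults to neutral)"; return 1 ;;
    esac
}

# check_dmarc RECORD: return 0 when v=DMARC1 is present and p= is quarantine or reject.
# p=none only produces reports and does nothing to spoofed mail, so it returns 1 with a message.
check_dmarc() {
    r="$1"
    case "$r" in v=DMARC1*) ;; *) echo "DMARC: record does not start with v=DMARC1"; return 1 ;; esac
    # Tags are name=value pairs separated by semicolons; whitespace around them is insignificant.
    p=$(printf '%s' "$r" | tr -d ' \t' | tr ';' '\n' | sed -n 's/^p=//p' | head -n 1)
    case "$p" in
        reject|quarantine) return 0 ;;
        none) echo "DMARC: p=none is monitor-only; spoofed mail is still delivered"; return 1 ;;
        '')   echo "DMARC: required p tag is missing"; return 1 ;;
        *)    echo "DMARC: unknown policy '$p'"; return 1 ;;
    esac
}

# Demo on the constructed records. Live values come from
#   dig +short TXT example.com          (the record beginning v=spf1)
#   dig +short TXT _dmarc.example.com
# dig prints them quoted; strip the quotes with tr -d '"' before passing them in.
for rec in "$SPF_WEAK" "$SPF_OK"; do
    if check_spf "$rec"; then echo "SPF ok: $rec"; fi
done
for rec in "$DMARC_MONITOR_ONLY" "$DMARC_OK"; do
    if check_dmarc "$rec"; then echo "DMARC ok: $rec"; fi
done
```

A common rollout is to publish p=none first to collect rua reports, then move to quarantine and finally reject once the reports show all legitimate senders are covered by SPF or DKIM; this checker deliberately treats p=none as unfinished rather than as done.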
8. Use a security plugin or WAF
A WordPress security plugin (Wordfence, Sucuri, iThemes Security) adds a firewall, malware scanning, login hardening and file-integrity monitoring in a single install. Wordfence's free tier is sufficient for most small sites. Alternatively, routing your site through Cloudflare gives you a WAF with managed WordPress rules at the network level, before traffic even reaches your server.
9. Back up regularly and test restoration
Backups don't prevent attacks, but they're the only reliable recovery path when something goes wrong. Keep daily backups offsite (not just on the same server) — plugins like UpdraftPlus can send them to Google Drive, Dropbox or S3 automatically. Critically: test that you can actually restore from a backup. An untested backup is just a hope.
10. Run a passive security scan on your domain
Many WordPress security gaps aren't in your code — they're in your DNS and email configuration: a missing DMARC policy, DNSSEC disabled, no security headers, an expired certificate. These are invisible to most WordPress security plugins because they operate at the application layer, not the network layer.
A passive scan checks your domain's public security posture — HTTPS, SPF, DKIM, DMARC, DNSSEC, CAA, security headers — and gives you a grade and a list of exactly what to fix. It's the fastest way to close the gaps that WordPress plugins miss. Scan your domain free at Kalenfy — no account needed to see your grade.
Quick-reference checklist
| Step | Done? |
|---|---|
| WordPress core, plugins and themes up to date | ☐ |
| HTTPS enabled and forced site-wide | ☐ |
| 2FA on all admin accounts | ☐ |
| Login URL changed + attempt limits set | ☐ |
| File permissions correct (644/755, wp-config 600) | ☐ |
| Security headers configured | ☐ |
| SPF, DKIM and DMARC records in DNS | ☐ |
| Security plugin or WAF active | ☐ |
| Daily offsite backups + tested restore | ☐ |
| Passive domain scan run and issues fixed | ☐ |