WordPress powers over 43% of all websites on the internet — which also makes it the most targeted CMS by hackers and automated bots. The good news is that WordPress itself is secure; most hacks happen because of outdated plugins, weak passwords, or poor configuration choices that are completely preventable.
This comprehensive security checklist will harden your WordPress site against the most common attacks.
Why WordPress Security Cannot Be Ignored
The consequences of a hacked WordPress site are severe:
- Visitor data theft (emails, payment info if no SSL)
- Google blacklisting — your site gets flagged as dangerous and removed from search results
- Hosting suspension — providers terminate accounts running malware
- Reputation damage that can take months to recover
- Loss of SEO rankings built over months or years
1. Keep WordPress, Themes, and Plugins Updated
Over 90% of WordPress hacks exploit known vulnerabilities in outdated software. Enable automatic updates for minor WordPress core releases under Dashboard → Updates. For plugins and themes, enable auto-updates or manually update weekly. Always back up before updating.
2. Use Strong, Unique Passwords
Brute force attacks try millions of password combinations per second. Use passwords that are at least 16 characters with a mix of uppercase, lowercase, numbers, and symbols. Use a password manager like Bitwarden (free) to manage them securely. Never reuse passwords across sites.
3. Change the Default Admin Username
Never use “admin” as your WordPress username — it’s the first thing automated bots try. If your username is “admin,” create a new Administrator account with a different username, log in with it, and delete the old admin account.
4. Hide Your WordPress Login URL
The default WordPress login at /wp-admin or /wp-login.php gets thousands of brute-force attempts daily. Install WPS Hide Login (free plugin) to change it to a custom URL like /secure-login-xyz. This single step blocks 99% of automated login attacks.
5. Enable Two-Factor Authentication (2FA)
Even if someone gets your password, 2FA prevents login without a second verification code. Install WP 2FA (free plugin) and enable it for all admin accounts. Use an authenticator app like Google Authenticator or Authy.
6. Install a WordPress Firewall
A Web Application Firewall (WAF) filters malicious traffic before it reaches your site. Best options:
- Wordfence (free) — excellent firewall with malware scanner included
- Cloudflare (free plan) — CDN with built-in DDoS protection and firewall rules
- Sucuri (paid) — enterprise-grade protection for high-value sites
7. Limit Login Attempts
By default, WordPress allows unlimited login attempts — making brute force attacks easy. Install Limit Login Attempts Reloaded to block an IP after 3-5 failed attempts. Wordfence includes this feature too.
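Before a rate-limiting plugin is in place, the same failed-login bursts can be spotted in the web server's own logs. The following is an added example, not code from the original post: it reads an Apache "combined" access log and lists client IPs that failed to log in more than a chosen number of times (the default combined LogFormat and the 200-vs-302 heuristic in the comments are assumptions; the sample log is constructed).

```shell
# Flag IPs that repeatedly fail to log in, from an Apache "combined" access log.
# Heuristic: a POST to wp-login.php answered with HTTP 200 is a failed attempt
# (WordPress re-renders the form with an error); a successful login is answered
# with a 302 redirect to wp-admin. Assumes the default combined LogFormat, so $1
# is the client IP; behind Cloudflare or another proxy enable mod_remoteip first,
# otherwise $1 is the proxy's address.
# Usage: wp_login_bursts ACCESS_LOG [THRESHOLD]   (threshold defaults to 5)
wp_login_bursts() {
  log="$1"
  threshold="${2:-5}"
  awk -v t="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
  ' "$log" | sort
}

# Constructed sample log for a stand-alone run; not real traffic.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.7 - - [10/Mar/2024:02:14:01 +0530] "GET /wp-login.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:02 +0530] "POST /wp-login.php HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:03 +0530] "POST /wp-login.php HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:04 +0530] "POST /wp-login.php HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:05 +0530] "POST /wp-login.php HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:06 +0530] "POST /wp-login.php HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:02:14:07 +0530] "POST /wp-login.php HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:30:10 +0530] "POST /wp-login.php HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:30:25 +0530] "POST /wp-login.php HTTP/1.1" 200 4301 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:09:30:40 +0530] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:09:31:00 +0530] "GET /index.php HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run against the sample: prints "203.0.113.7 6"
sample=$(mktemp)
write_sample_log "$sample"
wp_login_bursts "$sample" 5
rm -f "$sample"
```

The second IP made two failed attempts and then logged in, so it only appears when the threshold is lowered; that is the normal mistyped-password pattern and not worth blocking.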
8. Disable XML-RPC If Not Needed
WordPress’s XML-RPC feature is frequently exploited for brute force attacks and DDoS amplification. Unless you use a mobile app or Jetpack that requires it, disable it. Add this to your .htaccess file:
# Disable XML-RPC (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat
# replace the two lines inside the block with "Require all denied")
<Files xmlrpc.php>
  Order deny,allow
  Deny from all
</Files>
9. Use SSL/HTTPS
SSL encrypts data between your server and visitors’ browsers. It’s free with Let’s Encrypt (provided by most hosts), makes Google Chrome show your site as “Secure,” and is a Google ranking factor. Enable it in your hosting control panel and force HTTPS redirects.
10. Set Correct File Permissions
Incorrect file permissions can allow hackers to write malicious files. The correct settings are:
- WordPress files: 644
- WordPress directories: 755
- wp-config.php: 600 (most restricted — this file contains database credentials)
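Setting these by hand over FTP is slow and easy to get wrong. The following is an added example, not from the original post, that audits and applies the three settings above over a whole installation; it assumes a Linux host with GNU find (the `-printf` and `-perm` options) and that PHP runs as the file owner, which is the usual cPanel setup.

```shell
# Audit and apply WordPress permissions: 755 directories, 644 files,
# 600 for wp-config.php. Assumes GNU find (Linux host) and that PHP runs as the
# file owner (suPHP or per-user PHP-FPM, the usual cPanel layout); on hosts where
# the web server runs as a separate user, group permissions need to differ.
# Usage: wp_perms_audit /path/to/wordpress   (lists deviations, changes nothing)
#        wp_perms_fix   /path/to/wordpress   (applies the settings, then re-audits)
wp_perms_audit() {
  root="$1"
  # directories that are not 755
  find "$root" -type d ! -perm 755 -printf 'dir  %m %p\n'
  # regular files that are not 644, wp-config.php excepted
  find "$root" -type f ! -name wp-config.php ! -perm 644 -printf 'file %m %p\n'
  # wp-config.php in the site root must be 600
  find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600 -printf 'conf %m %p\n'
}

wp_perms_fix() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
  # succeed only when nothing remains out of place
  [ -z "$(wp_perms_audit "$root")" ]
}
```

Run the audit first and read its output; the fix recurses over the entire tree, so point it at the WordPress root only, not at the whole home directory.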
11. Disable File Editing in WordPress Dashboard
By default, WordPress lets admins edit theme and plugin files directly in the dashboard. If a hacker gains admin access, they can inject malware through the code editor. Disable it by adding this to wp-config.php:
// Remove the theme and plugin code editors from the dashboard.
// Place it above the "/* That's all, stop editing! */" line in wp-config.php.
define( 'DISALLOW_FILE_EDIT', true );
12. Set Up Automated Backups
Backups are your last line of defence. If everything else fails, a clean backup lets you restore your site completely. Use UpdraftPlus to schedule daily backups stored in Google Drive or Dropbox. Keep at least 30 days of backup history.
13. Run Regular Malware Scans
Install Wordfence and run a full malware scan monthly. If your site is ever hacked, Wordfence can identify and remove infected files. Sucuri SiteCheck (free, no plugin needed) also scans for malware and blacklisting status.
14. Protect wp-config.php
Add this to your .htaccess file to prevent direct access to the most sensitive file in your WordPress installation:
# Deny web access to wp-config.php (Apache 2.2 syntax; on Apache 2.4 without
# mod_access_compat replace the two lines inside the block with "Require all denied")
<Files wp-config.php>
  Order allow,deny
  Deny from all
</Files>
Security Audit for Existing Sites
If your site is already live, audit it now using this free checklist. Most vulnerabilities can be resolved in under an hour by a developer.
Professional WordPress Security Services
At debrajx, we offer comprehensive WordPress security hardening and malware removal services. If your site has been hacked or you want expert protection set up properly, contact us today.
Advanced WordPress Security: Server-Level Protection
Plugin-level security is important, but server-level protection is even stronger. Here’s what to implement at the server/hosting level:
Disable PHP Execution in Uploads Folder
Hackers often upload malicious PHP files disguised as images to your wp-content/uploads folder. Block PHP execution there by adding a .htaccess file in your uploads folder with this content:
# Stop the web server from executing scripts in uploads. FilesMatch also covers
# .phtml/.php5 variants that some hosts map to PHP (Apache 2.2 syntax, see step 8)
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
  Order allow,deny
  Deny from all
</FilesMatch>
Create this file as wp-content/uploads/.htaccess via your cPanel File Manager or FTP. It stops any PHP file that reaches the uploads folder through a vulnerability from being executed by the web server. Note that .htaccess rules only take effect on Apache and LiteSpeed hosts; Nginx ignores them, so there the equivalent rule has to go in the server configuration.
Block xmlrpc.php
The xmlrpc.php rule from step 8 belongs in your main .htaccess file, above the WordPress rules section (the block between # BEGIN WordPress and # END WordPress, which WordPress rewrites on its own, so anything placed inside it is lost).
What to Do When Your WordPress Site Gets Hacked
Despite best efforts, hacks happen. Here’s the immediate response protocol:
- Don’t panic — take your site offline first: put up a maintenance page via your hosting control panel so visitors are not served malware while you clean up.
- Change all passwords immediately: WordPress admin, hosting cPanel, FTP, and database password. Use strong unique passwords for each.
- Scan with Wordfence or Sucuri: Run a full malware scan to identify infected files.
- Restore from a clean backup: If you have a pre-hack backup (from UpdraftPlus or cPanel), restore it. This is the fastest clean recovery.
- If no backup: Manually delete infected files. Wordfence shows you exactly which files are modified. Replace WordPress core files by re-downloading WordPress and uploading fresh copies.
- Update everything: After cleaning, immediately update WordPress core, all themes, and all plugins to the latest versions.
- Request Google review: If Google flagged your site as dangerous in Search Console, go to Security Issues in Search Console and request a review after cleaning.
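Identifying which core files were changed or planted is the hard part of the "no backup" path above. The following is an added example, not from the original post or any plugin: it compares the live site against a freshly downloaded WordPress of the same version, both on local disk, and lists files that were modified, added, or are missing. It assumes GNU coreutils and paths without spaces; wp-content/ and wp-config.php are skipped because they legitimately differ from the download.

```shell
# Compare a live WordPress tree against a clean download of the same version.
# Output lines: "modified PATH" (hash differs), "added PATH" (present only on the
# live site, e.g. a planted backdoor or a changed .htaccess), "missing PATH"
# (present only in the download). wp-content/ and wp-config.php are skipped;
# audit those separately. Assumes GNU coreutils and no spaces in paths.
# Usage: wp_core_diff /path/to/fresh/wordpress /path/to/live/public_html
hash_tree() {
  # "path sha256" per file, sorted by path so join can pair the two listings
  (cd "$1" && find . -type f ! -path './wp-content/*' ! -name wp-config.php \
      -exec sha256sum {} + | awk '{ print $2, $1 }' | LC_ALL=C sort -k1,1)
}

wp_core_diff() {
  fresh_list=$(mktemp)
  live_list=$(mktemp)
  hash_tree "$1" > "$fresh_list"
  hash_tree "$2" > "$live_list"
  # -a 1/-a 2 keep unpaired paths; -e fills the absent hash with MISSING
  LC_ALL=C join -a 1 -a 2 -e MISSING -o '0,1.2,2.2' "$fresh_list" "$live_list" |
    awk '$2 == "MISSING" { print "added    " $1; next }
         $3 == "MISSING" { print "missing  " $1; next }
         $2 != $3        { print "modified " $1 }'
  rm -f "$fresh_list" "$live_list"
}
```

Where WP-CLI is available on the host, `wp core verify-checksums` performs the same comparison against the hashes WordPress.org publishes, without needing a second copy on disk.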
WordPress Security for Indian Hosting Environments
Indian hosting providers (BigRock, Hostinger India, GoDaddy India) vary in their default security configurations. Here’s what to verify with your host:
- Ask if they have server-level malware scanning (Imunify360 is common on quality Indian hosts)
- Confirm that your PHP version is 8.1 or higher (older PHP versions have known vulnerabilities)
- Enable ModSecurity Web Application Firewall if available in your cPanel
- Confirm daily automated backups are included in your plan
WordPress Security: Annual Review Checklist
Run through this list every 6–12 months:
- ✅ All plugins updated to latest versions
- ✅ Unused plugins fully deleted (not just deactivated)
- ✅ Unused themes fully deleted (keep only one backup theme)
- ✅ Admin username is NOT “admin”
- ✅ All user passwords changed to strong, unique passwords
- ✅ Two-factor authentication active on admin accounts
- ✅ Backup system tested by restoring a test copy
- ✅ Security plugin (Wordfence) showing clean scan results
- ✅ SSL certificate valid and auto-renewing
- ✅ Google Search Console checked for security issues
Security is an ongoing process, not a one-time setup. Need help with a WordPress security audit or cleaning up a hacked site? Contact us — we specialise in WordPress security for Indian businesses.