WordPress powers 43% of all websites (W3Techs). That market dominance makes it the single largest target for automated attacks. In 2024 alone, security researchers discovered 7,966 new vulnerabilities in the WordPress ecosystem - a 34% increase over the previous year (Patchstack).
Here’s what most guides won’t tell you: the security decisions you make during setup compound over time. Get them right now, and you’ve built on solid ground. Get them wrong, and you’re retrofitting security onto a foundation that was never designed for it.
This checklist covers what to do before your WordPress site goes live. Not generic advice you’ll find everywhere. Specific actions, in the right order, based on where vulnerabilities actually come from.
Hosting: The Foundation You Can’t Easily Change
Your hosting environment is the one decision that’s hardest to undo later. No security plugin can compensate for a fundamentally insecure server.
The official WordPress.org hardening guide is clear on this point: a secure server protects privacy, integrity, and availability. But here’s what it also says - web hosts are responsible for infrastructure, not the application you install. That’s on you.
What to look for in a host:
- Site isolation. On shared hosting, if another site on the same server gets compromised, yours can be too. Ask whether accounts are isolated from each other.
- Automatic WordPress updates. Managed WordPress hosts handle core updates automatically. This matters because delays in updating create windows for attackers.
- Server-level firewall. A Web Application Firewall (WAF) at the server level blocks malicious requests before they reach your site.
- Backup frequency and retention. Daily backups stored off-server are the minimum. Ask how long backups are retained and how restoration works.
Think of it this way: your host secures the building. You secure your flat. Both matter, but you can’t fix a building with a better front door lock.
Admin Account Setup: Your Front Door
After hosting, user access is the next foundational layer. It is also what brute force attacks target first.
Never use “admin” as your username. WordPress.org explicitly warns against this: easily guessed terms like “admin” or “webmaster” are typically subject to attacks first. Automated scripts try these by default. Pick something unique.
Strong passwords aren’t optional. WordPress includes a built-in password strength meter. Use it. Avoid dictionary words, your company name, your website name, or anything that could be guessed. Mix numbers, letters, and special characters. Length matters more than complexity.
Enable two-factor authentication from day one. This is no longer optional for serious WordPress users. In October 2024, WordPress.org made 2FA mandatory for all plugin and theme developers with commit access. That’s a signal of how important the WordPress security team considers this measure.
2FA means that even if someone obtains your password, they still can’t access your admin area without a second verification step. The small inconvenience of entering a code is worth the massive protection gain.
Apply the principle of least privilege. WordPress has five default user roles: Administrator, Editor, Author, Contributor, and Subscriber. Don’t give everyone admin access. Your content writer doesn’t need the ability to install plugins. Match permissions to responsibilities.
Plugin Selection: Where 96% of Vulnerabilities Live
This is where most business owners make costly mistakes without realising it.
96% of WordPress vulnerabilities come from plugins and themes, not WordPress core (Patchstack, 2024). The core software is maintained by a dedicated security team. Plugins and themes? Quality varies wildly.
How to evaluate a plugin before installing:
- Last updated date. WordPress.org shows when each plugin was last updated. If it hasn’t been touched in over a year, that’s a warning sign. Abandoned plugins don’t get security patches.
- “Tested up to” version. Check whether the plugin has been tested with recent WordPress versions. Incompatibility can create security gaps.
- Active installations and ratings. Not a guarantee of security, but plugins with thousands of active installs and positive reviews have been battle-tested.
- Developer reputation. Check the developer’s other plugins. Do they maintain their work? Do they respond to support requests?
Avoid the plugin bloat trap. Every plugin is code running on your site. More plugins means more potential entry points for attackers. Before installing anything, ask: do I actually need this, or is it just nice to have?
Never use nulled or pirated plugins. These “free” premium plugins often contain backdoors and malware. WordPress.org warns explicitly against getting plugins and themes from untrusted sources. The money you save isn’t worth the risk of complete site compromise.
Keep plugins updated. Security patches are often released before vulnerabilities become publicly known. Every day you delay an update is a day your site remains exposed to a known vulnerability.
Theme Security: The Overlooked Risk
Themes aren’t just design. They’re code that runs on every page load.
Apply the same vetting process as plugins. Check the source, last update, and reviews. Stick to the WordPress.org repository or reputable theme developers with established track records.
Nulled themes are even more dangerous than nulled plugins. Because themes affect every page, malicious code injected into a theme has broad reach. One compromised theme file can affect your entire site.
Use child themes for customisation. If you need to modify your theme, create a child theme rather than editing parent theme files directly. When the parent theme updates, your changes won’t be overwritten - and you won’t be tempted to skip updates to preserve your customisations.
Configuration: One-Time Decisions That Pay Forever
These settings require slightly more technical knowledge, but they’re worth getting right during setup. The WordPress.org hardening documentation covers each of these in detail.
Change the default database prefix. WordPress uses wp_ as the default database table prefix. Attackers know this. Changing it during installation blocks certain SQL injection attacks. This is easy to do at setup, harder to change later.
Disable file editing in the dashboard. WordPress allows editing theme and plugin files directly from the admin area. If an attacker gains admin access, they can inject malicious code through this editor. Add this line to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
WordPress.org recommends this as a first-line hardening measure.
Use SFTP, not FTP. Standard FTP sends passwords in plain text across the network. SFTP encrypts everything. Most hosts support SFTP - ask yours if you’re not sure.
SSL/HTTPS from day one. This encrypts data between your visitors and your site. Most hosts offer free SSL certificates through Let’s Encrypt. There’s no reason not to use HTTPS in 2025. Google also ranks HTTPS sites higher in search results.
Set correct file permissions. WordPress.org recommends files set to 644 and directories to 755. Your wp-config.php file should be more restrictive - 400 or 440. Incorrect permissions can allow attackers to modify files they shouldn’t be able to touch.
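The wp-config.php line, the table prefix and the file permission numbers above are all things you can check rather than take on trust. The script below is an added example written for this article, not code from WordPress.org or from any plugin; it audits an install root for DISALLOW_FILE_EDIT, a non-default table prefix, and the recommended 644/755 and 400/440 permissions. It assumes a POSIX shell with GNU or BSD stat and find, and the install path you pass it (for example /var/www/html) is an assumption for your own environment. The make_fixture function only builds a constructed throwaway tree so the checks can be tried without a real site.

```shell
#!/bin/sh
# Added example (not from the article): audit a WordPress install root for the
# configuration hardening points in the checklist. Every finding is printed;
# the function's return value is the number of failed checks.

# Octal mode of a path: GNU stat first, BSD stat as fallback.
file_mode() {
  stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

wp_hardening_check() {
  root="$1"
  cfg="$root/wp-config.php"
  failures=0

  # 1. DISALLOW_FILE_EDIT must be defined as true (any spacing accepted).
  if grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" 2>/dev/null; then
    echo "ok    DISALLOW_FILE_EDIT is enabled"
  else
    echo "FAIL  DISALLOW_FILE_EDIT is not set in wp-config.php"
    failures=$((failures + 1))
  fi

  # 2. The table prefix should not be the default wp_.
  prefix=$(sed -n "s/^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*'\([^']*\)'.*/\1/p" "$cfg" 2>/dev/null)
  if [ -z "$prefix" ] || [ "$prefix" = "wp_" ]; then
    echo "FAIL  table prefix is the default wp_"
    failures=$((failures + 1))
  else
    echo "ok    table prefix is '$prefix'"
  fi

  # 3. wp-config.php itself should be 400 or 440.
  mode=$(file_mode "$cfg" 2>/dev/null)
  case "$mode" in
    400|440) echo "ok    wp-config.php mode is $mode" ;;
    *) echo "FAIL  wp-config.php mode is ${mode:-missing}, expected 400 or 440"
       failures=$((failures + 1)) ;;
  esac

  # 4. Every other file should be 644 and every directory 755.
  bad=$(find "$root" -type f ! -path "$cfg" ! -perm 644 2>/dev/null; find "$root" -type d ! -perm 755 2>/dev/null)
  if [ -z "$bad" ]; then
    echo "ok    all other files are 644 and directories 755"
  else
    echo "FAIL  paths with non-standard permissions:"
    echo "$bad" | sed 's/^/        /'
    failures=$((failures + 1))
  fi

  return $failures
}

# Constructed fixture, not a real site: a minimal install tree in a temp dir.
# "hardened" builds a tree that passes every check; anything else builds one
# that fails all four.
make_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content/uploads"
  : > "$dir/index.php"
  chmod 644 "$dir/index.php"
  chmod 755 "$dir" "$dir/wp-content" "$dir/wp-content/uploads"
  if [ "$1" = "hardened" ]; then
    printf "%s\n" "<?php" "\$table_prefix = 'k7q_';" "define('DISALLOW_FILE_EDIT', true);" > "$dir/wp-config.php"
    chmod 440 "$dir/wp-config.php"
  else
    printf "%s\n" "<?php" "\$table_prefix = 'wp_';" > "$dir/wp-config.php"
    chmod 666 "$dir/wp-config.php"
    chmod 777 "$dir/wp-content/uploads"
  fi
  echo "$dir"
}
```

Run it against a live install with `wp_hardening_check /var/www/html` (substitute your own document root), or against `make_fixture weak` to see what each failure looks like. The wp-config.php check is deliberately stricter than the general file rule, matching the 400/440 recommendation above, and the permission sweep excludes wp-config.php so it is not reported twice.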
Backup Strategy: Your Insurance Policy
Backups won’t prevent an attack, but they’re what saves you when prevention fails.
WordPress.org puts it bluntly: backups are your first defence against any WordPress attack. Nothing is 100% secure. Government websites get hacked. So can yours. The question is whether you can recover quickly.
Set up backups before adding content. Don’t wait until you have something worth losing. The time to establish your backup routine is during initial setup.
Back up everything. That means files AND database. Your WordPress installation, themes, plugins, uploads folder, and the MySQL database that stores your content. Miss any piece and your restoration will be incomplete.
Store backups off-server. If your server is compromised, backups stored on the same server are useless. Use cloud storage - Google Drive, Dropbox, Amazon S3, or similar. Somewhere separate from your hosting environment.
Test your backups. A backup you’ve never tested is not a backup. Know how to restore before you need to. The middle of a crisis is the wrong time to learn your restoration process.
Match backup frequency to content changes. A blog updated weekly needs weekly backups. An e-commerce store processing daily orders needs daily or real-time backups.
One more thing worth mentioning: phishing attacks that compromise your hosting or domain registrar account can wipe everything. Backups stored in a completely separate account - not connected to your hosting login - provide an additional layer of protection against account-level compromises.
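Putting the backup points above into a script makes "test your backups" a routine step rather than a crisis-time discovery. The following is an added example written for this article (not code from WordPress.org or any backup plugin). It reads the database constants from wp-config.php, writes them to a mode-600 defaults file so the password never appears on the command line, archives the files plus an optional mysqldump into a dated tarball, and then restores that tarball into a scratch directory and compares it with the live files. It assumes a POSIX shell with tar, gzip and diff; the paths /var/www/html and /backups in the usage note are assumptions, and make_site_fixture builds a constructed tree with made-up credentials purely for trying it out. Copying the archive to off-server storage is left to whatever cloud tool you use.

```shell
#!/bin/sh
# Added example (not from the article): file + database backup of a WordPress
# install into one dated archive, with a restore test to prove it works.

# Read a define('NAME', 'value') constant out of wp-config.php.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1/wp-config.php"
}

# Write a mysqldump defaults file (mode 600) from the wp-config.php constants
# so the password is never visible in `ps` output. Prints the file path.
wp_db_defaults_file() {
  f=$(mktemp)
  chmod 600 "$f"
  printf "[client]\nuser=%s\npassword=%s\nhost=%s\n" \
    "$(wp_config_value "$1" DB_USER)" \
    "$(wp_config_value "$1" DB_PASSWORD)" \
    "$(wp_config_value "$1" DB_HOST)" > "$f"
  echo "$f"
}

# wp_backup <install root> <destination dir> [with-db]
# Creates <dest>/wp-backup-<UTC timestamp>.tar.gz containing ./files and,
# with "with-db", ./database.sql. Prints the archive path.
wp_backup() {
  root="$1"; dest="$2"
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  work=$(mktemp -d)
  cp -Rp "$root" "$work/files"
  if [ "$3" = "with-db" ]; then
    defaults=$(wp_db_defaults_file "$root")
    # --defaults-extra-file must be the first mysqldump option.
    if ! mysqldump --defaults-extra-file="$defaults" --single-transaction \
        "$(wp_config_value "$root" DB_NAME)" > "$work/database.sql"; then
      rm -f "$defaults"; rm -rf "$work"
      echo "FAIL  database dump failed; no archive written" >&2
      return 1
    fi
    rm -f "$defaults"
  fi
  archive="$dest/wp-backup-$stamp.tar.gz"
  tar -czf "$archive" -C "$work" .
  rm -rf "$work"
  echo "$archive"
}

# wp_verify_backup <archive> <install root>
# Restores the archive into a scratch directory and compares the files with
# the live install. A backup that has never been restored is not a backup.
wp_verify_backup() {
  archive="$1"; root="$2"
  scratch=$(mktemp -d)
  tar -xzf "$archive" -C "$scratch"
  if diff -r "$scratch/files" "$root" >/dev/null; then
    echo "ok    restored files match $root"
    rm -rf "$scratch"; return 0
  fi
  echo "FAIL  restored files differ from $root"
  rm -rf "$scratch"; return 1
}

# Constructed fixture, not a real site: a minimal install with made-up
# database credentials, so the functions above can be exercised offline.
make_site_fixture() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content/uploads"
  printf "%s\n" "<?php" \
    "define('DB_NAME', 'example_db');" \
    "define('DB_USER', 'example_user');" \
    "define('DB_PASSWORD', 'constructed-password');" \
    "define('DB_HOST', 'localhost');" > "$dir/wp-config.php"
  echo "<?php // constructed index" > "$dir/index.php"
  echo "sample upload" > "$dir/wp-content/uploads/a.txt"
  echo "$dir"
}
```

A nightly cron entry would be `archive=$(wp_backup /var/www/html /backups with-db) && wp_verify_backup "$archive" /var/www/html`, followed by your off-server copy. The verify step catches the two common silent failures, a truncated tarball and a tree that changed mid-backup, and the dump function refuses to write an archive at all if mysqldump fails, so you never keep a "backup" that is missing its database.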
When DIY Security Isn’t Enough
This checklist covers the fundamentals. For many business owners, implementing these measures is straightforward. For others, the technical details fall outside their expertise, or they simply don't have the time.
Signs you might need professional help:
- You’re handling payments or sensitive customer data. E-commerce sites have additional considerations around PCI compliance that go beyond basic WordPress security.
- Your site has already been compromised once. If the root cause wasn’t identified and addressed, it will happen again. A security audit can help identify what was missed.
- You’re managing multiple WordPress sites. Security across a portfolio requires systematic approaches.
- You don’t have time to maintain it properly. Security isn’t a one-time setup. It requires ongoing attention.
What a security-focused developer does differently:
Security gets built into the foundation, not bolted on afterwards. Ongoing monitoring catches issues before they become breaches. And perhaps most importantly, they know what to look for that automated tools miss.
Start With the Foundation
The decisions you make during WordPress setup determine whether your site becomes a target or stays protected. Get the foundation right - hosting, user access, plugins, configuration, backups - and you’ve eliminated the vast majority of common attack vectors.
For a deeper understanding of why WordPress sites get targeted and what vulnerabilities look like, see our comprehensive guide to WordPress security issues. If you suspect your site has already been compromised, our WordPress hack recovery guide covers immediate steps.
Not sure where to start with your specific situation? Three Lions Technology offers a free consultation to assess your security needs. No sales pitch - just an honest conversation about your business and what it actually needs.
Key Resources:
- WordPress Hardening Guide - Official WordPress.org documentation
- Patchstack Annual Security Report - WordPress vulnerability statistics
- WordPress Security FAQ - Official WordPress security information
References:
- W3Techs (2025). “Usage Statistics of Content Management Systems.” Web technology surveys.
- Patchstack (2024). “State of WordPress Security in 2024.” Analysis of WordPress ecosystem vulnerabilities.
- WordPress.org (2024). “Upcoming Security Changes for Plugin and Theme Authors.” Make WordPress Plugins blog, September 2024.
- WordPress.org. “Hardening WordPress.” Advanced Administration Handbook.