When you search for a WordPress security checklist, you will usually find articles detailing 50+ extreme measures. They tell you to rename the entire wp-content folder, hide your login URL, and disable database queries.
While theoretically useful, extreme security through obscurity usually just breaks plugin functionality and makes the site a nightmare for your team to use. Security should reduce risk, not productivity. Below is a practical, battle-tested security hardening checklist that stops real automated attacks without driving your editorial team crazy.
1. Implement a Web Application Firewall (WAF)
Before touching a single WordPress setting, install an endpoint or cloud-based WAF.
A WAF (like Cloudflare, Securi, or Wordfence) filters out malicious traffic before it hits the WordPress core. By the time a bot tries to execute a SQL injection attack against a vulnerable plugin, the firewall drops the request. This drastically reduces server load and handles 95% of the "script kiddie" noise automatically.
2. Enforce Two-Factor Authentication (2FA)
The vast majority of website breaches are not complex hacks; they are simple credential theft. An administrator uses a weak password, or reuses a password that was leaked in a massive corporate data breach.
- Actionable Step: Install a reliable 2FA plugin and force it for all Administrator, Editor, and Shop Manager roles.
- Why it matters: Even if an attacker uncovers an administrator’s password, they cannot bypass the secondary auth token tied to the user's mobile device.
3. Disable PHP Execution in Specific Directories
WordPress has specific folders where users are supposed to upload images and PDFs, primarily wp-content/uploads/. Unfortunately, this is also the exact folder where hackers love to upload malicious PHP backdoor scripts via vulnerable forms.
- Actionable Step: Add an
.htaccessrule (on Apache) or an Nginx configuration rule that strictly blocks the execution of any.phpfiles inside the/uploads/directory. - Why it matters: If an attacker manages to upload a shell script disguised as an image, the server will simply refuse to run it, rendering the attack useless.
4. Limit Login Attempts & Lockouts
WordPress, natively, allows infinite login attempts. This means a botnet can sit on your wp-login.php page and guess ten thousand passwords a minute until it succeeds.
- Actionable Step: Install a tool that limits login attempts. A standard, safe configuration is to lock out an IP address for 4 hours after 5 failed login attempts.
- Bonus: Pair this with Cloudflare's "Under Attack Mode" if you notice massive, sudden spikes in CPU usage from brute-force botnets.
5. Audit the Admin Users & Roles
If you look at the user list on a website that has been running for three years, you will often find ten active administrators. There is a former SEO consultant from 2022, an intern who left last year, and a rogue "test-admin" account.
- Actionable Step: Demote or delete old users. Follow the "Principle of Least Privilege." If the marketing intern only needs to publish blog posts, they should be assigned the Author or Editor role, never the Administrator role. Administrators can change themes, install plugins, and rewrite root files.
6. Automate Your Vulnerability Patching
Hackers utilize automated bots to scan the internet specifically for unpatched versions of known plugins (like a severe vulnerability announced yesterday in Elementor or WooCommerce).
If your maintenance routine consists of logging in once a month to click "Update All," you leave a 29-day window where hackers can exploit a publicly disclosed vulnerability. Rely on professional maintenance services or active monitoring endpoints that automatically roll out emergency security patches the day they are released.
Hardening a WordPress site isn’t about making it invisible. It’s about making the barrier to entry significantly more difficult than the next target on the internet, while keeping the platform accessible to the people who need to manage the business.