10 Best WordPress Security checklist that works – [2017]

So! You got your new blog/website LIVE. Great! Welcome to the family of millions of WordPress CMS users.

It's no wonder that over 20% of the world's websites run on WordPress, and with that kind of popularity it's always a favorite target.

Hackers!!! What? I am just a small local business owner and my website only gets a few hundred visitors. Why would a hacker target my website? I am sure they won't be able to find my website. I am just a drop in an ocean of WordPress sites.

Well!! If you are thinking the same, then you are terribly wrong, my friend. Securing your WordPress website is as important as securing your business. If 50,000 WordPress websites are created daily, then at least 20,000 WordPress websites are getting blacklisted weekly by Google due to malware attacks.

And if you think hackers can't find you, well, of course they are not going to search for you manually. There are various evil scripts and bots constantly scanning for vulnerable websites, and if your WordPress website is not secured then you are going to have a really hard time.

So, instead of investing time and money in recovering your website after it gets hacked, it's better to secure your WordPress website in advance.

Practically no website is 100% hack-proof, but you can surely avoid most of the attacks on your website.

There are various WordPress hacks and WordPress security plugins available, but today I will only cover the ways that actually worked for my clients. Some of them you can do yourself, but most need to be done under the guidance of your trusted web developer.

So here is the checklist for you to secure your WordPress website:

1- Local PC security


It all starts from your own computer or from your developer's computer. While you upload code, files or new data to your web server, you need to make sure you have strong local security. All WordPress security measures are going to fail if your local computer is not secure. If you have hired a freelancer or an outsourcing firm, then make sure you know about the local security measures they have. For your own computer, make sure you have a strong antivirus program installed.

I personally recommend Bitdefender. It's light and one of the most popular and award-winning antivirus programs. I have been using it for 5 years and it's going great. I personally know various hospitals and educational institutes using it. So, I really recommend you use it, or any other that you think works well for you.

Even for your developer/freelancer, make sure that either they have a strong antivirus installed or they are working on Linux.

Along with that, make sure you never access your web server or website admin section from a cafe or any public Wi-Fi network. That's an open invitation to a malware attack on your personal computer and then on your website.

So, once you are sure about your local computer security, let's see what things you should check during and after installing WordPress.

2- WordPress database table prefix

When you are installing WordPress, make sure you change the default WordPress table prefix to something else. By default it's "wp_". Most developers skip this part during WordPress installation, but this small change can prevent various SQL injections (database attacks in general) which normally assume the database table prefix is "wp_".


In case you or your developer have missed that, you can still change the WordPress table prefix manually or by using one of the various plugins available.

3- Separate Database


It's not very common, but I have seen some developers use a common database for two websites, or a common database username for two different websites' databases. One should never do that. It's a big risk: obviously, if one website gets attacked the other one will also get affected, and on top of that it will be a big headache to separate them later on.

It's always recommended to use a separate database and a separate database user for every new website.

4- Unique admin username

This is another step where we all get lazy, but we cannot skip using a unique WordPress admin name. People tend to use very basic and easy-to-guess usernames for WordPress admin accounts, and that's a huge mistake. Usernames like 'admin', 'administrator' etc. are very easy to crack by brute force attacks.

So make sure you use something unique for your username. To change the username for a LIVE website, all you have to do is:

Create a new administrator user and delete the old one.

Don't forget to assign the posts to the new user before deleting the old one.
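The two steps above as a one-off script (an added example, not code from the original post): it creates the new administrator, reassigns every post owned by the old account to it, and only then deletes the old account. OLD_LOGIN, NEW_LOGIN and NEW_EMAIL are placeholders to edit before running.

```php
<?php
// Added example, not code from the original post: replace a guessable administrator
// login with a unique one. Put this file in the WordPress root, run it once
// (php replace-admin.php), then delete it from the server.
require_once __DIR__ . '/wp-load.php';                // bootstrap WordPress
require_once ABSPATH . 'wp-admin/includes/user.php';  // wp_delete_user() lives here

const OLD_LOGIN = 'admin';              // the account to retire
const NEW_LOGIN = 'siteowner-7k2q';     // placeholder: pick something unguessable
const NEW_EMAIL = 'owner@example.com';  // placeholder

$old = get_user_by( 'login', OLD_LOGIN );
if ( ! $old ) {
    exit( 'No user named ' . OLD_LOGIN . " found; nothing to do.\n" );
}
if ( get_user_by( 'login', NEW_LOGIN ) ) {
    exit( 'User ' . NEW_LOGIN . " already exists; choose another name.\n" );
}

// Strong random password; WordPress stores only its hash.
$password = wp_generate_password( 24, true, true );
$new_id   = wp_insert_user( array(
    'user_login' => NEW_LOGIN,
    'user_email' => NEW_EMAIL,
    'user_pass'  => $password,
    'role'       => 'administrator',
) );
if ( is_wp_error( $new_id ) ) {
    exit( 'Could not create user: ' . $new_id->get_error_message() . "\n" );
}

// The second argument reassigns every post owned by the old account to the new
// one before deletion; without it WordPress would delete those posts as well.
if ( ! wp_delete_user( $old->ID, $new_id ) ) {
    exit( 'Could not delete ' . OLD_LOGIN . "\n" );
}

echo 'Created ' . NEW_LOGIN . " (ID $new_id); password: $password\n";
echo 'Deleted ' . OLD_LOGIN . "; its posts now belong to user ID $new_id.\n";
echo "Remove this script from the server now.\n";
```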

5- WordPress Secret Authentication Keys

If you are familiar with the WordPress file structure, you have probably seen this piece of code at the bottom of your wp-config.php file in the root folder of your WordPress website.


These keys are actually encryption keys that help to store user data and passwords in an encrypted format. You can imagine that it's easier to crack a password like 'password123' or 'admin123' than an encrypted value like 'awdjawld09a80aw9d8awd09awd809djaw'. So make sure you have these keys added to your wp-config file.

If they are not there, you can easily get them from this link: https://api.wordpress.org/secret-key/1.1/salt/. You can also update them once a month, as you update your admin password.
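The monthly rotation described above as a script (an added example, not the post's own code). The eight constants are AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their four _SALT counterparts; WordPress mixes them into its login cookies and nonces, so rotating them logs every user out. The script generates the values locally instead of fetching them, and assumes it is run from the WordPress root.

```php
<?php
// Added example, not the post's own code: regenerate the eight WordPress secret keys
// in wp-config.php locally, with no network fetch, and write them back in place.
// Assumes it is run from the WordPress root (php rotate-keys.php).
$config = __DIR__ . '/wp-config.php';
const WP_SECRET_KEYS = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);
// 64 characters from a set needing no escaping in a single-quoted PHP string
// (no quote, no backslash), drawn from the CSPRNG rather than rand()/mt_rand().
function random_key( int $length = 64 ): string {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
           . '!@#$%^&*()-_=+[]{}<>?,.:;|~';
    $out = '';
    for ( $i = 0, $max = strlen( $chars ) - 1; $i < $length; $i++ ) {
        $out .= $chars[ random_int( 0, $max ) ];
    }
    return $out;
}

$src = file_get_contents( $config );
if ( $src === false ) {
    exit( "Cannot read $config\n" );
}
// Keep the old file outside the web root: a wp-config.php.bak next to the
// original could be served to anyone as plain text.
$backup = sys_get_temp_dir() . '/wp-config.' . time() . '.bak';
copy( $config, $backup );
chmod( $backup, 0600 );
$missing = array();
foreach ( WP_SECRET_KEYS as $name ) {
    $line = "define( '$name', '" . random_key() . "' );";
    // Callback form so that $1 or \1 sequences inside the new key are not expanded.
    $src = preg_replace_callback(
        "/define\\(\\s*'$name'\\s*,\\s*'[^']*'\\s*\\);/",
        function () use ( $line ) { return $line; },
        $src, 1, $count
    );
    if ( $count === 0 ) {
        $missing[] = $line;   // the key is absent, the case the post describes
    }
}
// Absent keys go in before wp-settings.php is loaded, or they have no effect.
if ( $missing && preg_match( '/^[ \t]*require_once.*wp-settings\.php/m', $src, $m, PREG_OFFSET_CAPTURE ) ) {
    $src = substr_replace( $src, implode( "\n", $missing ) . "\n", $m[0][1], 0 );
}
file_put_contents( $config, $src );
echo "Rotated keys; old copy in $backup. Every user will have to log in again.\n";
```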

6- Disable Theme Editor in admin

If you wish to edit any code in the theme there are two ways to do that: either you use FTP to edit the LIVE code, or you use the WordPress theme editor, located under 'Appearance' > 'Editor'.


It is highly advisable to disable this feature because of two reasons:

(a) – If someone hacks your WordPress admin section, then they will get full access to the theme PHP files, which could be very dangerous.

(b) – It's not a good idea to keep it open for anyone who doesn't know how to handle code, because changes once saved here are irreversible.

You can disable that by adding this line to wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

and the editor will no longer be visible to any user in the WordPress admin.

7- Use latest WordPress and Plugins


An old, outdated WordPress or plugin version is very vulnerable to getting hacked. So always make sure you update your WordPress version as soon as it's released. You will automatically get a notification in your admin panel and you can do it easily. The same goes for the plugins as well: do not use any outdated plugin, and make sure you update the plugins as soon as a new version is released. The best way is to set both to auto update.

Make sure you have not edited the core WordPress files, theme files or plugin files, since an update will overwrite your changes.

To auto update plugins, add this code to the functions.php of your theme directory:

add_filter( 'auto_update_plugin', '__return_true' );

To auto update WordPress, add this code to the wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );
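The same auto-update setup as a must-use plugin, an added example that is not from the original post: unlike functions.php, a file in wp-content/mu-plugins/ is not overwritten when the theme itself updates. It goes beyond the one-line filter by letting you keep a hand-updated exception list (the slug 'my-custom-built-plugin' is a placeholder) and by logging every automatic update.

```php
<?php
/**
 * Plugin Name: Update policy (added example, not from the original post)
 *
 * Save as wp-content/mu-plugins/update-policy.php: must-use plugins load on every
 * request and are not touched by theme updates, unlike functions.php.
 */

// Plugins that must only be updated by hand, by directory slug (placeholder value).
const MANUAL_UPDATE_PLUGINS = array( 'my-custom-built-plugin' );

// Same filter as in the post, but with a per-plugin exception list.
// $update is WordPress's default decision; $item describes the pending update.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, MANUAL_UPDATE_PLUGINS, true ) ) {
        return false;
    }
    return true;
}, 10, 2 );

// Themes and translations: update everything automatically.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );

// Core: accept minor and major releases (what WP_AUTO_UPDATE_CORE = true does).
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Leave a trace of every automatic update in the PHP error log so failures get noticed.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $updates ) {
        foreach ( $updates as $update ) {
            $name   = isset( $update->name ) ? $update->name : 'unknown';
            $status = ( $update->result === true ) ? 'ok' : 'FAILED';
            error_log( "auto-update [$type] $name: $status" );
        }
    }
} );
```

Do not combine this with DISALLOW_FILE_MODS in wp-config.php: unlike DISALLOW_FILE_EDIT from step 6, it switches off all plugin and theme installs and updates, including these automatic ones.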

8- Delete unused themes and plugins

At the time of website development, and even after the website goes LIVE, there are many times that we try and test various themes and plugins. If they are not in use, then it's highly recommended to delete them permanently from your server, because eventually they will get outdated and will become a soft target for hackers.

9- Regular Backup

Nothing works better than taking a backup of your website regularly. If nothing else works, you will always have a website backup with you that you can use in case your WordPress website gets hacked or there is a malware attack. It's important to keep the website backup on a removable device instead of saving it on the server or on your computer.

Make sure you check with your hosting company what backup features are available with them, so that you can have them as an add-on.

There are various plugins available that can do the website backup for you, but I would not recommend them. The best way to do this is to do it manually from your FTP and phpMyAdmin once a week.
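The weekly routine above produces two things, a database dump and a copy of the files. As an added example (not the post's own code), here is that routine as a script you can run from cron and then copy off the server, so the backup is never left only on the host. It assumes mysqldump, gzip and tar are installed, that the script and its output directory sit outside the web root, and that DB_HOST is a plain host name; both paths are placeholders.

```php
<?php
// Added example, not the post's own code: the weekly phpMyAdmin + FTP backup as one
// script you can run from cron. Assumes mysqldump, gzip and tar are installed, that
// this script and $dest live OUTSIDE the web root, and that DB_HOST is a host name
// without a port. Both paths are placeholders.
$wp_root = '/var/www/example.com/htdocs';
$dest    = '/var/backups/wordpress';

// Read one define( 'NAME', 'value' ) from wp-config.php without loading WordPress.
function wp_config_value( string $src, string $name ): string {
    if ( ! preg_match( "/define\\(\\s*'$name'\\s*,\\s*'([^']*)'\\s*\\)/", $src, $m ) ) {
        throw new RuntimeException( "$name not found in wp-config.php" );
    }
    return $m[1];
}

// Run a command and stop on the first failure instead of silently writing a partial backup.
function run( string $cmd ): void {
    passthru( $cmd, $rc );
    if ( $rc !== 0 ) {
        throw new RuntimeException( "command failed (exit $rc): $cmd" );
    }
}

$src = file_get_contents( "$wp_root/wp-config.php" );
if ( $src === false ) { exit( "cannot read wp-config.php\n" ); }
if ( ! is_dir( $dest ) && ! mkdir( $dest, 0700, true ) ) { exit( "cannot create $dest\n" ); }
$stamp = date( 'Ymd-His' );

// The DB password goes through a 0600 option file, never the command line,
// so it is not visible to other users in `ps`.
$cnf = tempnam( sys_get_temp_dir(), 'wpbk' );
file_put_contents( $cnf, sprintf( "[client]\nuser=%s\npassword=\"%s\"\nhost=%s\n",
    wp_config_value( $src, 'DB_USER' ),
    str_replace( '"', '\\"', wp_config_value( $src, 'DB_PASSWORD' ) ),
    wp_config_value( $src, 'DB_HOST' ) ) );
$sql = "$dest/db-$stamp.sql";
try {
    run( sprintf( 'mysqldump --defaults-extra-file=%s --single-transaction --result-file=%s %s',
        escapeshellarg( $cnf ), escapeshellarg( $sql ),
        escapeshellarg( wp_config_value( $src, 'DB_NAME' ) ) ) );
    run( 'gzip -f ' . escapeshellarg( $sql ) );
    // wp-content holds themes, plugins and uploads; wp-config.php holds the keys and DB access.
    run( sprintf( 'tar -czf %s -C %s wp-content wp-config.php',
        escapeshellarg( "$dest/files-$stamp.tar.gz" ), escapeshellarg( $wp_root ) ) );
} finally {
    unlink( $cnf );   // remove the credentials file even if a step failed
}
echo "Backup written to $dest; copy it off the server now.\n";
```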

10- Play Safe

It's very common to search the internet for a fancy theme, download it and use it for your website, especially from torrents and forums. This is an open invitation for hackers to get into your web server easily. Never ever use a theme or plugin from an untrusted source.

WordPress has a huge collection of free and paid themes and plugins. You should always use those first, and if you can afford it, hire a WordPress developer to build it for you from scratch.

Or you can check out marketplaces like themeforest.net; they have some amazing themes and plugins available at very reasonable rates.


As mentioned earlier, it's not possible to make a site 100% hack-proof, but we can surely take care of minor things that can prevent future problems. There is a lot more to cover under WordPress security, so I highly recommend you stay connected by subscribing to our newsletter and stay updated with the latest trends in WordPress security.


Ankit Sharma

A Webmaster / Blogger / Entrepreneur with 8 years of experience in the industry. I love to share my knowledge, and blogging is the best way to reach every corner of the world. So here I am sharing what I have learnt from my experiences and what I come across daily in the field of web development / SEO / Social Media.