The Secure WordPress Website Checklist

As explained in my previous post, WordPress is as safe as it gets but that won’t prevent hackers from trying, particularly if your website is popular. So let’s make their work more difficult and our WordPress website more secure. Here are my recommendations to achieve this:

During the installation of WordPress

Some of these things can be done after the website is installed but they get more tricky then.

  • Do not use a one-click install, install WordPress manually,
  • Make sure you are using the latest version of WordPress,
  • Install the WordPress files in a sub-directory (instructions here:,
  • Choose a database name, username and password that are elaborate enough,
  • Choose your own table prefix for the database tables (not the default ‘wp_’ , but a  ‘kdjh2384792_’ type of prefix),
  • Choose your own user name (not ‘admin’ !! )

During setup

  • Make sure you are using a theme that is up-to-date and actively maintained,
  • Make sure all the plugins you are using are up-to-date and actively maintained,
  • I recommend installing the Sucuri Free plugin; use their ‘1-click hardening’ section to complete securing your WordPress installation

Good passwords

Make sure passwords for the following are complex enough (see the ‘Choosing a Strong Password’ section of this page:

  • Database password,
  • WordPress user password – the administrator password in particular,
  • FTP password; and use SFTP if your web host allows

On the server

  • Check the permissions for your WordPress files and directories; these should be set as 644 for files and 755 for directories,
  • Make sure other websites hosted on your hosting account are secure and up-to-date

Security maintenance

  • Update your admin password on a regular basis,
  • Update WordPress, plugins and themes when new versions are released,
  • Update WordPress, plugins and themes of other websites hosed on the same server,
  • Back up your WordPress database and files as often as you can so you can revert back to a previous version if your website does get hacked

Extra layers of security

  • Password-protect the ‘wp-admin’ directory,
  • Prevent direct PHP access to the ‘wp-include’ and ‘wp-content’ directories (The Sucuri Free plugin can do that in one click)

Like that blog post? Get more straight to your inbox PLUS... your FREE checklist to ensure your websites are developed on budget and on time.

Leave a Comment

Your email address will not be published. Required fields are marked *