By Cavernia (Own work) [CC BY-SA 3.0 ( or GFDL (], via Wikimedia Commons

March 3, 2015: WordPress currently serves as the content management system for about 60 percent of the sites on the Web. Consequently, sites running WordPress have become a fat target for malware hackers seeking to commander such properties for nefarious purposes.

Sadly, there’s no 100 percent foolproof way to keep your site safe. Still, you can take steps to harden your WordPress installation that will maximize the chances you can deflect a hacker attack. Here are ten important steps you can take to keep your site live and uncompromised.

Checkbox by GitHub. Code License: MIT1. Check that your WordPress core files are up to date. WordPress updates its core files several times a year. These updates typically extend functionality and tighten security. Currently WordPress’ current version is 4.1.1. You can easily determine which version of WordPress your site is using by taking a look at your Dashboard; if you need to update, you’ll see a prominent notification advising you of this fact.

Download the Content Marketing CookbookCheckbox by GitHub. Code License: MIT2. Check your plugins — all of them. The availability of a wide selection of plug-ins created by an active developer community is one of the best things about WordPress. But these plug-ins can provide hackers with a backdoor through which they can enter your site and take control of it. For example, just this month the FancyBox plug in was found to provide a pathway for the insertion of malicious code. More than 500,000 people who downloaded this plug-in were affected. Even plug-ins that aren’t active can provide pathways for malware, so make sure you delete (not just deactivate) any WordPress plug-ins you are not using.

Checkbox by GitHub. Code License: MIT3. Check your user role assignments. WordPress excels as a collaborative publishing platform, but there’s no need for anyone other than you (or your designated staffer) to have godlike admin rights. It’s best to limit access rights to the roles your users will actually be performing (Author, Editor, Contributor, etc.) Doing this can help you avoid the scenario in which a well-intentioned, but fumble-fingered intern blows up your site while attempting to update a post.

Checkbox by GitHub. Code License: MIT4. Check that you’re WordPress access isn’t being intercepted. Beware unsecured Wi-Fi hotspots. Updating your WordPress site from an unencrypted Wi-Fi hotspot is asking for trouble, because sniffers can eavesdrop on everything you do.

5. Check that your local machine is clean. The nature of today’s ever-smarter malware is to cloak itself and easily move from machine to machine and host to host. Make sure your local PR or Mac is secure and uninfected; there are many commercial antivirus packages that can help you here.

Checkbox by GitHub. Code License: MIT6. Check your passwords. Best practices for passwords are well established and there’s no excuse for not implementing them. Even if your own network is well protected, leaving passwords in an unencrypted directory (or, as Sony did, in a spreadsheet called “passwords.xls”) is inviting havoc that may not be limited to your WordPress site.

Checkbox by GitHub. Code License: MIT7. Check your comments settings. Back in November, 2014, it was determined by a Finnish security firm that millions of sites whose authors elected to accept comments had made themselves — and their visitors — vulnerable to malware. Maintaining any open text entry field (such as a comments area in your blog posts) is asking for trouble. Do you really need to take comments on your site? Maybe discussions would be better served on Facebook, Twitter, or another social platform.

Checkbox by GitHub. Code License: MIT8. Check your backup schedule. Your ISP and/or your IT team may have a scheduled backup routine in place to restore your site in the event that you’re hacked. Familiarize yourself with this routine. Also, be aware that ISPs such as GoDaddy will charge extra (usually a couple of hundred dollars) to do a backup. There are a number of WordPress backup plug-ins that can make your backups easier to accomplish and manage.

Checkbox by GitHub. Code License: MIT9. Check out some WordPress security plug-ins. There are dozens of WordPress security plug-ins out there that can help lock down your site. Typical features include malware scanning, user access lockout after a specified number of log-in attempts, and other useful features, including e-mail alerts. Be aware that these plug-ins may slow down your site when they’re performing background operations. There’s a good list of current WordPress security plug-ins at

Didit Editorial
WordPress Security Checklist
Article Name
WordPress Security Checklist
You can take meaningful steps to strengthen WordPress security to maximize the chances of deflecting a hacker attack.