WordPress Security Checklist: Backups, Firewalls, Updates, and Hardening

Overview

This article gives you a reusable framework for securing WordPress without turning routine maintenance into guesswork. The goal is not to make a site “perfectly secure,” which is not a realistic standard for any internet-connected system. The goal is to lower risk, limit blast radius, and shorten recovery time if something goes wrong.

A useful WordPress security checklist covers four layers:

• Recovery: backups you can restore quickly
• Prevention: updates, firewalls, malware scanning, SSL, and secure configuration
• Access control: strong authentication, least privilege, and login protection
• Hardening: reducing exposed surfaces and removing default weaknesses

If you are still choosing infrastructure, your hosting plan matters too. Managed WordPress hosting often includes some combination of automatic updates, daily backups, malware scanning, staging, and web application firewall features. Shared hosting can be perfectly workable for smaller sites, but security responsibilities often fall more heavily on the site owner. If you need help evaluating that tradeoff, see Best WordPress Hosting for Beginners: What Actually Matters and Shared Hosting vs VPS vs Cloud Hosting: Which Should You Choose?.

For everyday use, think in terms of baseline security first:

1. Back up the site automatically and test restores.
2. Keep WordPress core, themes, plugins, and server software current.
3. Protect login access with strong passwords and multi-factor authentication where possible.
4. Run a firewall and monitor for suspicious activity.
5. Use HTTPS everywhere and keep certificates valid.
6. Remove unused plugins, themes, users, and old admin paths where possible.
7. Document your setup so the next update or migration does not introduce avoidable mistakes.

That baseline covers most of the practical work behind a secure WordPress site. The rest of this guide breaks it into scenarios you can apply before launch, during normal operations, and after major changes.

Checklist by scenario

Use these lists based on where your site is right now. You do not need to tackle everything at once, but you should avoid leaving major gaps in backups, updates, and access control.

1. Before launching a new WordPress site

This is the best time to set a clean security baseline, because fewer moving parts means fewer surprises.

• Choose hosting with a clear security model. Check whether backups, staging, SSL, malware scanning, server patching, and firewall features are included or left to you.
• Install WordPress from a trusted source only. Avoid pre-packaged installs from unknown marketplaces or bundled themes with extra code you do not need.
• Force HTTPS from day one. Install an SSL certificate, update the WordPress and Site Address settings, and redirect HTTP to HTTPS. If needed, follow How to Install an SSL Certificate and Force HTTPS on Your Site.
• Create separate admin accounts. Avoid sharing one administrator login across multiple people. Each user should have their own account.
• Use strong passwords and enable MFA if available. Do this for WordPress admin, hosting control panel, database access, registrar account, and email inboxes tied to password resets.
• Limit plugins to what you actually need. Fewer plugins usually means less maintenance and a smaller attack surface.
• Delete unused themes and plugins. Deactivated is not the same as removed.
• Set up automated backups before publishing. Include files and database, choose an off-site destination, and define retention rules.
• Check default settings. Review comments, user registration, file editing in the dashboard, permalink structure, and basic privacy settings.
• Confirm domain and DNS control. Make sure you can access the registrar account and DNS zone. For related setup, see How to Connect a Domain to Web Hosting: Step-by-Step for Any Provider.

2. For an active site in routine operation

Once a site is live, security becomes a maintenance process. Most incidents are made worse by neglect rather than by advanced attacks.

• Update WordPress core promptly. Minor releases are often straightforward; major releases should still be tested first on staging when possible.
• Update plugins and themes on a schedule. Do not let months pass. Review changelogs when available, especially for security-related updates.
• Run automatic backups daily or more often if the site changes frequently. E-commerce, membership, and editorial sites may need more frequent backups than brochure sites.
• Test restores on a staging site. A backup that cannot be restored is not a usable backup.
• Use a web application firewall. Whether host-level or plugin-based, it should help filter malicious requests and reduce noise from common automated attacks.
• Review login attempts and suspicious traffic. Watch for brute-force patterns, unexpected admin access, or plugin file changes.
• Audit users quarterly. Remove old accounts, reduce unnecessary administrator roles, and verify who still needs access.
• Harden file permissions and configuration access. Keep permissions conservative and protect sensitive files from direct exposure.
• Disable built-in file editing from the WordPress dashboard. This reduces one common path for malicious code changes after account compromise.
• Monitor uptime and performance. Unexpected slowness can be a security clue as well as a performance issue. For broader context, see Hosting Uptime Comparison: How Popular Providers Perform Over Time.

3. Before plugin, theme, or workflow changes

Security incidents often begin during ordinary change management: adding a plugin, switching themes, moving hosts, or adjusting DNS.

• Back up before any major change. Create an on-demand backup even if daily backups already exist.
• Test on staging first. This is especially important for security plugins, cache plugins, firewall rules, membership systems, checkout flows, and custom code.
• Validate plugin reputation and maintenance. Prefer tools with a clear update history and focused feature set over bloated all-in-one additions.
• Avoid overlapping security plugins. Multiple firewalls, login limiters, scanners, or cache layers can conflict and create false confidence.
• Review file changes after deployment. Confirm that only expected files changed and that no debug settings were left enabled.
• Retest forms, logins, checkout, and redirects. Security should not quietly break core user flows.

4. During migration, domain changes, or hosting changes

Moves create temporary complexity, and complexity creates mistakes. Treat migration as a security-sensitive event, not just an infrastructure task.

• Inventory what is moving. WordPress files, database, media, cron jobs, redirects, SSL, email, DNS, and any external services.
• Take a verified backup before the move. Keep a copy independent of both old and new hosts.
• Check DNS records carefully. A secure site can still break if DNS points to the wrong server or email records are lost. If needed, review Domain Transfer Checklist: How to Move a Domain Without Downtime and Best Domain Registrars Compared: Pricing, Privacy, DNS, and Transfers.
• Reissue or reinstall SSL if required. Confirm certificate coverage after the move and retest forced HTTPS rules.
• Update firewall, CDN, or IP allowlists. New hosting often means new IPs or routing.
• Recheck file permissions and backup jobs. Migration tools do not always preserve ideal settings.
• Rotate sensitive credentials if there is any doubt. This includes database passwords, SFTP credentials, API keys, and admin passwords.

5. If you suspect compromise

If something looks off, speed matters, but so does discipline. Avoid making random changes before you understand the scope.

• Take the site out of normal editing workflow. Limit access while you investigate.
• Create a forensic backup if possible. Preserve the current state before cleaning.
• Rotate passwords immediately. Start with hosting, registrar, WordPress admins, database, and related email accounts.
• Scan files and compare against known-good copies. Look for modified core files, injected scripts, rogue admin users, scheduled tasks, or suspicious uploads.
• Update everything after cleanup. Core, themes, plugins, server packages, and security tools.
• Remove unused accounts and plugins. Compromised sites often contain stale components that made the initial intrusion easier.
• Review logs if available. Even limited logs can help identify the likely entry point.
• Restore from backup only if you can identify a clean restore point. Otherwise you may reintroduce the problem.

What to double-check

This section is for the details that are easy to assume are working when they are not. Many WordPress security gaps are not dramatic; they are simple misconfigurations left unnoticed.

Backups

• Does the backup include both files and database?
• Is at least one copy stored off the server? If the server fails or is compromised, local backups alone may not help.
• How long are backups retained? Very short retention can be a problem if malware goes unnoticed for days or weeks.
• Have you tested an actual restore? Not just file download, but a working restore into staging or a separate environment.

Firewall and monitoring

• Is the firewall actually enabled and updated?
• Are notifications going to an inbox you monitor?
• Have you reviewed blocked events for false positives? Overly aggressive rules can block legitimate users or admin sessions.

Updates

• Are all plugins still maintained? If a plugin has become abandoned in practice, replacing it may be safer than waiting.
• Did auto-updates get enabled intentionally? For some sites, auto-updates make sense. For others, staging-first is safer.
• Do you have a rollback path? Every update plan should include one.

Access and authentication

• How many administrators does the site have? Fewer is better.
• Are there dormant accounts from former staff, contractors, or testers?
• Are password reset emails secured? Your email account is part of your WordPress security posture. See How to Set Up Professional Email for Your Domain if you are still organizing domain-based email.

Hardening basics

• Is directory listing disabled?
• Is debug mode off in production?
• Is file editing from the admin dashboard disabled?
• Are XML-RPC, REST access, or application endpoints restricted only if you understand the impact? Hardening should be deliberate, not copied blindly from old checklists.
• Are security headers, HTTPS rules, and redirects behaving consistently?

Security and performance often overlap. For example, bloated plugins, poor caching choices, and weak hosting can make it harder to spot malicious behavior inside ordinary slowness. For a companion maintenance workflow, see WordPress Speed Optimization Checklist for Shared and Managed Hosting.

Common mistakes

Most WordPress security problems do not start with advanced exploitation. They start with ordinary shortcuts that feel harmless at the time.

• Treating backups as a box to tick. If no one has tested a restore, your recovery plan is still theoretical.
• Installing too many plugins. More code means more updates, more interactions, and more chances for something to go wrong.
• Leaving inactive themes and plugins on the server. If they are not needed, remove them.
• Using one admin account for multiple people. This weakens accountability and makes incident response harder.
• Ignoring the registrar and email side of security. Domain control and password-reset email access can be as important as WordPress admin security.
• Applying random hardening snippets without understanding them. Some tweaks break APIs, editors, forms, or legitimate integrations.
• Delaying updates for too long. Caution is sensible; indefinite delay is not.
• Running multiple overlapping security tools. Conflicting firewalls, scanners, or login restrictions often create noise rather than protection.
• Making major changes directly on production. Staging exists to reduce risk.
• Assuming hosting alone solves WordPress security. Even good managed hosting does not replace user hygiene, plugin discipline, and account review.

Another common mistake is separating security decisions from hosting decisions. Renewal pricing, feature limits, and support quality all affect whether your security process stays sustainable over time. If your current setup encourages shortcuts, compare it against your actual needs and review broader hosting guidance such as Web Hosting Renewal Prices Compared: Which Providers Stay Affordable After Year One?.

When to revisit

A good WordPress security checklist is not something you complete once and forget. Revisit it whenever the site, toolset, or operating workflow changes.

At minimum, review this checklist:

• Before seasonal planning cycles when you expect content pushes, marketing campaigns, traffic spikes, or new contributors
• When workflows or tools change such as new plugins, a different host, a new CDN, or revised deployment steps
• Before redesigns or migrations when access, DNS, redirects, and file structure often change together
• After staff changes to remove old accounts and update permissions
• After any unusual behavior such as failed logins, unexpected redirects, slow admin performance, modified files, or spam output
• On a recurring schedule monthly for active sites, quarterly at minimum for lower-change sites

If you want a practical maintenance rhythm, use this lightweight recurring routine:

1. Weekly: verify backups completed, review update queue, scan for unusual login activity, and confirm SSL is still valid.
2. Monthly: apply tested updates, audit admin users, remove unused plugins or themes, and confirm restore points exist.
3. Quarterly: test a full restore on staging, review firewall and monitoring rules, rotate sensitive credentials where appropriate, and check domain, DNS, and email account security.
4. Before major changes: create a fresh backup, document the current state, test on staging, and define rollback steps.

The most durable approach is simple: keep WordPress lean, keep access tight, keep backups restorable, and keep changes controlled. That combination will protect most sites better than a long list of disconnected tools.

Use this checklist as your baseline, then adapt it to your actual stack, hosting model, and maintenance capacity. A secure WordPress site is not the one with the most security products. It is the one with the fewest unexamined gaps.