How to Secure a WordPress Site: The Complete Checklist
10 min read · AstraLoop Studio
WordPress runs over 40% of the websites on the planet. That's also exactly why it's the preferred target of automated attacks: if you write a bot that can attack WordPress, you've already guaranteed yourself a massive pool of potential victims. Nobody needs to have it in for you specifically. Your site just needs to exist and be reachable.
The numbers make it clear. Industry estimates put the average website under attack every 32 minutes, and AI-powered botnets have grown roughly 45% over the past year. In plain terms: the automated scanners hunting for outdated plugin versions, weak passwords, and exposed config files are faster, more thorough, and harder to tell apart from legitimate traffic. The 2026 Clusit Report confirms the trend: in Italy, vulnerability exploitation has grown about 65% compared to 2024, and SMEs account for 72% of the targets.
The good news is that most of these attacks aren't sophisticated. They're bots trying the same ten things across millions of sites. Close off those ten things and you drop off the radar of nearly every opportunistic attack out there. This guide is the checklist for doing exactly that, with an honest look at where a security plugin has you covered and where you need something more.

Why WordPress gets attacked so often
WordPress core, the part developed and maintained by the official project, is one of the most heavily scrutinized open-source codebases in the world. Serious flaws in core are rare and get patched fast. WordPress itself is almost never the problem. The problem is everything you bolt on top of it.
A typical install runs a theme plus ten to thirty plugins, each written by a different author, with different quality standards and different update cadences. Every plugin is code running on your server with elevated permissions. If even one of them has a vulnerability and you haven't updated it, you have an open door. Industry statistics attribute the vast majority of compromised WordPress sites to outdated, vulnerable, or abandoned plugins. For a deeper look at this mechanic, we've written a dedicated piece on WordPress plugin vulnerabilities and how to spot them before attackers do.
The other two classic attack vectors are weak credentials (brute-force and credential-stuffing attacks against the login page) and misconfigured hosting (wrong file permissions, outdated PHP versions, no isolation between sites on the same server). Three fronts, all closable with a bit of discipline.
The checklist for securing WordPress
Follow these points in order. The first ones cost nothing and cover most of the risk. The last ones require more attention or specialized skills.
1. Update everything, always, and fast
Core, theme, and plugins. Security updates patch flaws that are already public, and therefore already known to attackers. The most dangerous moment is the window between when a vulnerability is disclosed and when you update. Turn on automatic updates at least for core and security plugins. For critical plugins that might break your site, update manually but within 24-48 hours of release, testing first on a staging copy.
2. Delete what you don't use
Every deactivated plugin and theme still installed remains code sitting on your server, exploitable even while inactive. Delete (not just deactivate) anything you don't need. A plugin abandoned by its author, with no updates in over a year, needs to be replaced: it's a ticking time bomb.
3. Strong passwords and two-factor authentication
Long, unique passwords generated by a password manager. Turn on two-factor authentication (2FA) for every admin account. It's the single measure that neutralizes most credential attacks. An attacker can guess or steal a password, but without the second factor they're not getting in.
4. Change the "admin" username and limit login attempts
The "admin" username is the first thing every bot tries. Use unpredictable usernames. Then limit login attempts (temporary IP block after N failures) to stop brute-force attacks. Many security plugins do this out of the box.
5. Protect and relocate the login page
Changing the login URL from /wp-admin to a custom path drastically cuts down automated traffic hitting that page. It's not real security, it's obscurity, but it trims the background noise from scanners. Even better: protect /wp-admin with server-level HTTP authentication, or restrict access to known IPs if you always work from the same network.
6. HTTPS everywhere, no exceptions
An active SSL/TLS certificate and forced HTTPS traffic. Without it, credentials travel in plain text and anyone on the same network can intercept them. It's free today (Let's Encrypt) and almost every host offers it with one click. There's no excuse not to have it.
7. Automated, tested backups
Regular backups (daily for an active site), stored off the site's server, so a compromised server doesn't take the backup down with it. And above all: verify you can actually restore them. A backup you've never tested isn't a backup, it's a hope. If you're already in trouble, our guide on what to do when a WordPress site gets hacked walks through the immediate steps.
8. Correct file permissions
Directories at 755, files at 644, wp-config.php at 600 or 640. No file or folder should be writable by everyone (777). Overly open permissions let an attacker who slips in through a flaw write malicious files and take control.
9. Disable the file editor in the dashboard
WordPress lets you edit theme and plugin files directly from the dashboard. Convenient, but it's also the first place an attacker who gains admin access injects code. Disable it by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php.
10. Put a Web Application Firewall (WAF) in place
A WAF filters malicious requests before they reach WordPress: SQL injection attempts, cross-site scripting, exploitation of known vulnerabilities. It can run at the plugin level (Wordfence, Sucuri) or at the network level (Cloudflare). The latter is more robust because it blocks traffic before it even touches your server.
11. Hosting hardening
An updated, supported PHP version, isolation between sites (no shared hosting where one compromised site infects others), disabling XML-RPC if you don't need it (a classic vector for brute-force attacks and amplified DDoS). Poor hosting undermines every other measure.
12. Monitoring and logs
You need to know what's happening on your site: who's logging in, which files are changing, which login attempts are failing. A file integrity monitoring plugin alerts you if something changes without your action. Without logs, an infection can stay invisible for months.

Wordfence, Sucuri, and the limits of security plugins
Wordfence and Sucuri are excellent tools and the first ones we recommend installing. They cover most of what's in the checklist: WAF, malware scanning, login throttling, file integrity monitoring. If you have nothing in place, install one today. That said, it's important to understand what a security plugin can't do, because the marketing around these tools tends to suggest a level of total protection that doesn't exist.
| Aspect | Plugin (Wordfence / Sucuri) | Professional audit |
|---|---|---|
| Known vulnerabilities | Detects already-catalogued signatures | Also looks for misconfigurations and flaws not yet catalogued |
| Business logic | Blind to it (doesn't understand what your site does) | Tests real flows: checkout, restricted areas, forms |
| Configuration errors | Partial coverage | Analyzes server, permissions, integrations, third parties |
| False positives and negatives | Frequent, need human interpretation | Manually verified by the person running the test |
| Custom code | Doesn't examine it | Inspects custom-built plugins and proprietary integrations |
| Risk context | None | Prioritizes based on impact to your business |
The core limitation is that a plugin works off signatures: it only recognizes what's already known. It's reactive by definition. It doesn't understand your site's logic, doesn't know that the form at step three of your checkout has a validation flaw, doesn't examine the custom plugin a freelancer wrote for you three years ago, and doesn't assess whether an integration with an external service is leaking data. An automated scanner hands you a list of alerts, often full of false positives and negatives, without telling you which ones actually matter for your business. It's the difference between a metal detector at the door and a guard who knows the building.
This is also where honest positioning matters: many agencies sell cheap automated scans because they're cheap to deliver. But a scan is not an audit. A serious vulnerability assessment combines automated tools with human verification, and a penetration test goes further: it simulates a real attacker actively trying to breach the site. If you want to understand the difference between the two, we've laid it out in our article comparing vulnerability assessment and penetration testing. All of this makes sense within a bigger picture: a cybersecurity audit for SMEs looks not just at the website, but at email, endpoints, vendors, and how tools are used internally.
Want to know if your WordPress site is actually secure, or just looks that way? Request an assessment and we'll tell you exactly where the open doors are, with clear priorities instead of a list of alerts to interpret.
The AI factor: why the checklist alone isn't enough anymore
Until a few years ago, a small site could count on a degree of anonymity: few human attackers had time to waste on an SME. That era is over. AI-powered botnets attack everything, indiscriminately, at near-zero marginal cost. They generate malware variants faster, adapt brute-force attempts based on the defenses they encounter, and produce hyper-realistic phishing campaigns to steal your administrators' credentials. In Italy, audio deepfake fraud has grown roughly 300% compared to 2023.
This changes the picture: the website is just one of the doors. A modern attacker often doesn't need to breach WordPress if they can convince one of your team members, with a convincing email, to hand over credentials instead. Website security therefore needs to sit inside a bigger framework, one that includes how your team handles email, passwords, and AI tools. For the full picture for an Italian business, start with our cybersecurity guide for SMEs updated for 2026, and if you run an online store, our deep dive on e-commerce cybersecurity covers the specific risks of handling payments and customer data.
It's not just technical: there's GDPR too
If your site collects data (contact forms, newsletter, customer accounts, orders), security isn't optional: it's a legal obligation. GDPR requires appropriate technical and organizational measures to protect personal data, and in the event of a breach you're required to notify the Italian Data Protection Authority (Garante Privacy) within 72 hours. A breached site that exposes your customers' details isn't just a technical problem: it's a data breach with legal and reputational consequences. The checklist in this guide is also the first step toward demonstrating you've adopted those appropriate measures. This isn't legal advice, but the message is clear: neglecting website security carries a cost that goes well beyond downtime.
What to do right now, in practice
If you have a WordPress site and so far you've relied on just a plugin (or nothing at all), here's the order of priority:
- Turn on 2FA immediately for all admin accounts and update core, themes, and plugins.
- Delete unused or abandoned plugins and themes.
- Install a security plugin (Wordfence or Sucuri) and set up tested, automated off-site backups.
- Check HTTPS, file permissions, and PHP version with your host.
- If the site handles payments, sensitive data, or is central to your business, have the security assessed by a professional with an audit, not a simple scan.
You can cover the first four points yourself in an afternoon, and they'll take you off the radar of most automated attacks. The fifth is what makes the difference between "looks fine" and "has been verified." A list of alerts generated by a plugin isn't a risk assessment: it's raw material someone still needs to interpret. If you need to understand what this kind of check costs, we've written a transparent guide on the cost of a website security audit.
Frequently asked questions
Is installing Wordfence enough to secure WordPress?
It's a great first step and covers WAF, malware scanning, and login throttling, but it's not enough on its own. Wordfence works off known threat signatures and doesn't examine your site's logic, custom code, or server misconfigurations. Pair it with the base checklist and, for critical sites, an audit with human verification.
How often should I update WordPress plugins and themes?
As soon as possible after release, ideally within 24-48 hours for security updates. The window between a vulnerability being disclosed and you updating is the most dangerous moment. Turn on automatic updates for core and test critical plugins on a staging copy before pushing to production.
Are plugins really the main cause of WordPress hacks?
Yes. WordPress core is one of the most heavily scrutinized open-source codebases in the world, and serious flaws are rare. The vast majority of compromised sites are compromised because of outdated, vulnerable, or abandoned plugins. Delete what you don't use and update the rest fast.
Does changing the login URL from wp-admin actually help?
It significantly cuts down automated scanner traffic on that page, but it's obscurity, not real security. On its own it doesn't protect anything: pair it with strong passwords, 2FA, and login attempt limits. Better still, protect the admin area at the server level or restrict it to known IPs.
What's the difference between an automated scan and a security audit?
An automated scan checks your site against a database of known vulnerabilities and produces a list of alerts, often with false positives and negatives. An audit combines automated tools with human verification: it tests the site's real flows, examines custom code, evaluates configurations, and prioritizes risks based on impact to your business.
Is a small site with little traffic still at risk?
Yes, possibly more than a large one. Modern attacks are automated and AI-powered: they hit millions of sites indiscriminately at near-zero cost, hunting for outdated plugin versions and weak passwords. Nobody needs to be targeting you specifically. SMEs make up 72% of targets precisely because they're often less protected.
A plugin gives you alerts, not answers. Talk to us: we assess the security of your site and your business with an audit that separates real risk from background noise.