WordPress Security Checklist 2026: 12 Steps to Lock Down Your Site

The Threat Landscape in 2026

WordPress runs 43% of all websites. That scale makes it a permanent target. Most attacks are not sophisticated — they are automated bots scanning for known vulnerabilities in outdated plugins, weak passwords, and exposed admin URLs.

The good news: basic security hygiene stops 95% of attacks. The remaining 5% requires server-level protection — which is where your hosting choice matters. This checklist covers both layers.

1. Keep Everything Updated

The single most effective security measure is also the most boring: keep WordPress core, themes, and plugins updated.

Go to Dashboard → Updates and enable automatic updates for minor core releases. For plugins and themes, enable auto-updates for items you use but don't customise. For anything you've customised, set a weekly calendar reminder to check and update manually.

Outdated plugins cause more than 50% of WordPress hacks. There is no faster win.

2. Use a Strong, Unique Admin Password

Brute-force attacks try thousands of common passwords per minute. Your admin password should be at least 16 characters and completely random — use a password manager (Bitwarden is free and excellent).

Also: change the default admin username. "admin" is the first username every bot tries. Create a new administrator account with a different username, log in with it, and delete the original "admin" account.

3. Enable Two-Factor Authentication

Even a strong password can be phished. Two-factor authentication (2FA) adds a time-sensitive code that attackers cannot use even if they have your password.

Install WP 2FA (free) or use the 2FA built into Wordfence. Require it for all administrator accounts at minimum.

4. Change Your Login URL

By default, every WordPress site is attacked at /wp-admin and /wp-login.php. Moving these to a custom URL (/enter-here, /console, anything non-obvious) eliminates the majority of brute-force traffic before it even reaches your login form.

Use the WPS Hide Login plugin — it's free, lightweight, and takes two minutes to configure. Save your new URL somewhere safe before activating.

5. Install a Web Application Firewall (WAF)

A WAF sits between your site and incoming traffic, blocking known malicious patterns before they reach WordPress.

Options:
• Cloudflare (free tier blocks most common attacks; paid adds bot protection)
• Wordfence (WordPress-level WAF; free version is effective)
• Sucuri (DNS-level firewall; strongest protection but paid)

For Hostao customers, Cloudflare integration is available from your hosting dashboard — it's one of the most effective things you can do for both security and speed.

6. Limit Login Attempts

After 3-5 failed login attempts, lock out that IP address for 30 minutes. This makes brute-force attacks impractical.

Loginizer (free) or Wordfence both handle this. Set the lockout after 3 attempts with a 30-minute lockout period.

7. Disable File Editing from WordPress Admin

By default, WordPress lets any admin user edit PHP files directly from Appearance → Editor and Plugins → Editor. If an attacker compromises an admin account, this is how they inject malicious code.

Add this line to your wp-config.php: `` define('DISALLOW_FILE_EDIT', true); `

This closes a major attack vector with zero downside for normal site management.

8. Set Correct File Permissions

Your WordPress files should be readable but not writable by attackers. The correct permissions:
• Folders: 755
• Files: 644
• wp-config.php: 600

If you're on Hostao hosting, these are set correctly by default. If you've transferred a site from elsewhere, verify via cPanel File Manager or FTP.

9. Move wp-config.php Up One Directory

WordPress can load wp-config.php from one directory above your WordPress installation. Since most attacks target the default location, moving it one level up provides an additional barrier.

This requires server access. If you're comfortable with cPanel or SSH, it's a 5-minute task. If not, it's something your hosting support can do.

10. Enable SSL — Everywhere

HTTPS is non-negotiable in 2026. It encrypts data in transit, protects login credentials, and is a ranking signal in Google Search.

All Hostao plans include free SSL via Let's Encrypt. If you're not yet on HTTPS, contact hosting support — it takes about 15 minutes to enable.

After enabling, add these lines to your wp-config.php to force HTTPS: ` define('FORCE_SSL_ADMIN', true); ` And redirect all HTTP traffic to HTTPS via your .htaccess` or Cloudflare.

11. Set Up Automated Backups

Security is about reducing risk, but backups are your recovery plan when something goes wrong. Daily automated backups, stored off-site (not on the same server), are essential.

UpdraftPlus connects to Google Drive, Dropbox, or Amazon S3. Schedule daily backups and keep 30 days of history. Test a restore every quarter — a backup you've never tested is a backup you can't trust.

Hostao Business plans and above include daily automated backups from the server side as an additional safety net.

12. Run a Security Audit

Install Wordfence or Sucuri Security and run a full site scan. These tools check for:
• Modified core files
• Known malicious code patterns
• Outdated software with known vulnerabilities
• Exposed sensitive files

Run this scan immediately if you've never done it, and schedule it monthly going forward.

Server-Level Security Matters Too

Everything above protects WordPress as an application. But your hosting environment is the foundation. A shared hosting account with weak server configuration undermines even a perfectly secured WordPress install.

Hostao's managed WordPress hosting includes server-level firewalls, malware scanning, and LiteSpeed WAF integration — security layers that operate below the WordPress application layer and cannot be replicated with plugins alone.

If you're concerned about your current security posture, start with steps 1-5 today. They take less than an hour and stop the overwhelming majority of attacks.