Guides April 23, 2026 6 min read

WordPress Security Checklist 2026: 10 Steps to Harden Your Site

Keeping a WordPress site secure in 2026 isn’t about installing a single plugin and calling it done. WordPress powers over 43% of the web, which makes it the largest single target for automated attacks: bots scan around the clock for outdated plugins, brute-force login pages, and misconfigured installs.

The good news? Most WordPress hacks are preventable with straightforward, manual steps. You don’t need to be a sysadmin to lock things down. This guide walks you through 10 practical actions you can take today, with exact commands and config file edits.

1. Keep Everything Updated

Outdated software, and outdated plugins in particular, is the most common entry point. WordPress core, plugins, and themes all ship security patches regularly, and once a patch is public, exploit attempts against sites that haven’t applied it follow quickly. Ignoring updates is like leaving your front door unlocked in a bad neighborhood.

How to do it: Go to Dashboard > Updates in your WordPress admin. Minor core releases (security and maintenance updates) already install automatically by default; to state that policy explicitly in your wp-config.php, add this line (a value of true also auto-installs major releases, and false disables core auto-updates entirely, which you should only do if another process applies them):

define('WP_AUTO_UPDATE_CORE', 'minor');

For plugins and themes, you can enable auto-updates individually under Plugins and Appearance > Themes. Check for updates weekly at minimum. If you use Trusti Security, its Known Vulnerabilities module will alert you automatically when any component on your site has a known CVE – including outdated versions.

2. Use Strong Passwords and Two-Factor Authentication

Credential stuffing is still one of the most effective attack methods: if your admin password is reused from another site, a single data breach elsewhere hands attackers a working WordPress login. Password spraying, trying a few common passwords against many accounts, works just as well against sites that allow weak passwords.

How to do it: Use a password manager like Bitwarden, 1Password, or Apple Keychain to generate and store unique passwords. For two-factor authentication:

  • Install a free 2FA plugin like Two-Factor from the WordPress plugin repository, or
  • If you already use Trusti Security, its built-in 2FA module supports TOTP authentication via Google Authenticator or any compatible app

Use an authenticator app like Google Authenticator or Authy on your phone. Once set up, you’ll need both your password and a one-time code from your phone to log in, which defeats credential stuffing and brute forcing even when the password is known. A one-time code can still be relayed by a real-time phishing page, so treat 2FA as a strong second layer, not as permission to reuse passwords.

3. Change Your Login URL

By default, your WordPress login is at /wp-login.php (and /wp-admin redirects there). Every bot in the world knows this and hammers those URLs constantly. Moving the login page to a custom slug cuts out most of that automated noise overnight. It is obscurity, not authentication: anyone who finds the new slug faces the same login form, and xmlrpc.php still accepts username/password authentication unless you disable it, so combine this step with strong passwords, 2FA, and rate limiting.

How to do it: Install WPS Hide Login, which lets you set a custom slug with a single setting. Or, if you already have Trusti Security, its Custom Admin URL module does the same thing and makes the old login URLs return a 404.

4. Limit Login Attempts

Even with a custom login URL, a determined attacker can still find your login page. Limiting failed attempts per IP makes brute forcing from a single source impractical. Attackers who rotate through a botnet of IPs will get around a per-IP limit, so per-account lockouts and the 2FA from step 2 are the necessary complement.

How to do it: Install a free plugin like Login Lockdown or Limit Login Attempts Reloaded. Configure it to block an IP after 3 to 5 failed attempts within 15 minutes. If you have SSH access, you can enforce the same limit at the server level with fail2ban, which can watch the web server access log and ban the offending IP in the firewall; a failed wp-login.php POST returns 200 with the form re-rendered, while a successful one returns a 302 redirect, so the filter keys on POST requests with a 200 status. Banning at the firewall also keeps the requests from consuming PHP workers. Trusti Security subscribers get this built into the Brute Force Protection module with configurable thresholds and lockout durations.
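The detection that a fail2ban filter performs, written out as an added example (this is not code from the page, from fail2ban, or from any plugin named above): a POSIX shell function reads an Apache/Nginx combined-format access log on stdin and lists every client IP that has posted to the login page at least a threshold number of times with a 200 response, since a failed login re-renders the form with 200 and a successful one redirects with 302. The log lines are constructed for the example and use RFC 5737 documentation addresses; the login path is a parameter so the check still works after step 3 moves the login page. A second function renders the result as the Apache 2.4 deny block used in step 9.

```shell
#!/bin/sh
# Added example: flag brute-force sources in a web server access log.
# All data below is constructed; the IPs are RFC 5737 documentation addresses.

# Constructed combined-format log: 203.0.113.45 fails six times, 198.51.100.7
# fails once and then succeeds (302), 192.0.2.9 only fetches the form (GET).
SAMPLE_LOG='203.0.113.45 - - [23/Apr/2026:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.45 - - [23/Apr/2026:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.45 - - [23/Apr/2026:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.45 - - [23/Apr/2026:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.45 - - [23/Apr/2026:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
203.0.113.45 - - [23/Apr/2026:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "python-requests/2.31"
198.51.100.7 - - [23/Apr/2026:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Apr/2026:10:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [23/Apr/2026:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3981 "-" "Mozilla/5.0"'

# Print every client IP with at least $1 failed login POSTs. $2 is the login
# path (default /wp-login.php; pass your custom slug if you moved the page).
# Reads the log on stdin. In combined format the IP is field 1, the method is
# field 6 (with a leading quote), the path is field 7 and the status is field 9.
# The query string is stripped so ?action=lostpassword posts are not counted.
brute_force_ips() {
    awk -v threshold="$1" -v login_path="${2:-/wp-login.php}" '
        { split($7, parts, "?") }
        $6 == "\"POST" && parts[1] == login_path && $9 == 200 { failed[$1]++ }
        END { for (ip in failed) if (failed[ip] >= threshold) print ip }
    ' | sort
}

# Render the IPs read on stdin as an Apache 2.4 deny block for .htaccess.
htaccess_deny_block() {
    printf '<RequireAll>\n    Require all granted\n'
    while read -r ip; do
        [ -n "$ip" ] && printf '    Require not ip %s\n' "$ip"
    done
    printf '</RequireAll>\n'
}

# Demo on the constructed log with a threshold of 5 failures.
printf '%s\n' "$SAMPLE_LOG" | brute_force_ips 5 | htaccess_deny_block
```

On a live server you would replace the printf with something like tail -n 10000 /var/log/apache2/access.log and feed the output to whatever blocks at the firewall; the point of the example is the selection rule (POST to the login path with status 200), which is exactly what a fail2ban failregex for WordPress has to express.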

5. Disable File Editing in Admin

WordPress has a built-in file editor under Appearance > Theme File Editor and Plugins > Plugin File Editor. If an attacker gains admin access, they can insert malicious PHP code through this interface. Disabling it takes one line.

How to do it: Add this to your wp-config.php, right before the line that says “That’s all, stop editing!”:

define('DISALLOW_FILE_EDIT', true);

Trusti Security’s Hardening module does this along with several other hardening measures with a single click if you prefer the GUI route.

6. Set Up Security Headers

Security headers are instructions your server sends with each response that tell visitors’ browsers how to treat your pages. They mitigate common client-side attacks such as cross-site scripting (XSS), clickjacking, and MIME-type sniffing, adding a layer of defense in front of whatever bugs your themes and plugins may have. They do nothing against server-side attacks, so treat them as hardening rather than a fix.

How to do it: Open the .htaccess file in your WordPress root directory (via SFTP or the cPanel File Manager) and add these lines above the # BEGIN WordPress block:

# Security Headers
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"

For HTTPS enforcement, also add the following, but only once every page and every subdomain is served over HTTPS; includeSubDomains will lock browsers out of any subdomain that is still on plain HTTP for a full year:

Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"

For Content-Security-Policy, start simple and expand as needed. The policy below is deliberately permissive: 'unsafe-inline' and the bare https: source let inline scripts and any HTTPS host run, which is what WordPress core and most themes need out of the box, but it also means this CSP blocks very little XSS. Tighten script-src and style-src to the specific hosts your site actually loads from once you know what they are:

Header always set Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' https:; style-src 'self' 'unsafe-inline' https:; img-src 'self' data: https:;"

Make sure mod_headers is enabled on your Apache server; without it, Header directives in .htaccess produce a 500 error. If you’re on Nginx, add equivalent add_header directives to your server block, keeping in mind that add_header in a location block replaces, rather than extends, the headers set at the server level. Or if you’d rather skip the server config, Trusti Security’s Security Headers module applies all of these with checkboxes in the WordPress admin.
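A way to verify that the headers above actually reach the browser, as an added example (not code from the page or from Trusti Security): a shell function reads a raw response-header dump, the output format of curl -sI, and lists the headers from this step that are missing, and a second helper extracts the HSTS max-age so a too-short value can be flagged. The header dump below is constructed to look like a partially hardened site; against a live site you would pipe curl -sI https://your-site.example/ (a placeholder hostname) into the same functions.

```shell
#!/bin/sh
# Added example: audit a response for the security headers configured in step 6.

# Constructed response headers from a partially hardened site: no CSP or
# Permissions-Policy, and an HSTS max-age of only five minutes.
SAMPLE_HEADERS='HTTP/2 200
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
strict-transport-security: max-age=300
referrer-policy: strict-origin-when-cross-origin'

REQUIRED_HEADERS='Strict-Transport-Security X-Frame-Options X-Content-Type-Options Referrer-Policy Permissions-Policy Content-Security-Policy'
MIN_HSTS_MAX_AGE=31536000   # one year, the value used in the .htaccess snippet

# Read raw headers on stdin (CRLF line endings from curl are fine) and print the
# name of every required header that is absent. Header names are compared
# case-insensitively, so the lower-case names HTTP/2 responses use match too.
missing_headers() {
    headers=$(cat)
    for name in $REQUIRED_HEADERS; do
        printf '%s\n' "$headers" | grep -qi "^$name:" || printf '%s\n' "$name"
    done
}

# Print the max-age from Strict-Transport-Security, or 0 if the header is absent.
hsts_max_age() {
    value=$(grep -i '^strict-transport-security:' \
        | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    printf '%s\n' "${value:-0}"
}

# Exit 0 when the HSTS max-age on stdin meets the minimum, 1 otherwise.
hsts_strong_enough() {
    [ "$(hsts_max_age)" -ge "$MIN_HSTS_MAX_AGE" ]
}

# Demo against the constructed headers. For a real site replace the printf with:
#   curl -sI https://your-site.example/
printf '%s\n' "$SAMPLE_HEADERS" | missing_headers
if printf '%s\n' "$SAMPLE_HEADERS" | hsts_strong_enough; then
    echo "HSTS max-age OK"
else
    echo "HSTS max-age too short (minimum $MIN_HSTS_MAX_AGE seconds)"
fi
```

Run it after every change to .htaccess or to a caching layer: CDNs and page caches frequently strip or override headers, so the configuration being present in the file is not the same as the browser receiving it.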

7. Scan for Known Vulnerabilities

You might have a plugin installed that has a known, unpatched vulnerability. Many site owners don’t find out until their site gets defaced. Vulnerability scanning checks everything you have installed against public CVE databases.

How to do it: Use a free online scanner like WPScan or the WP Vulnerability Scanner plugin. Run a scan weekly. For automated daily scanning with email alerts, Trusti Security’s Known Vulnerabilities module does this in the background – it checks your core, plugins, themes, and PHP version against the WPVulnerability API and lets you know when something needs attention.
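The mechanism behind such a scan, as an added illustration (not code from WPScan, the WPVulnerability API, or Trusti Security): a scanner first builds an inventory of what is installed by reading the Plugin Name: and Version: headers from each plugin’s main PHP file, then compares every installed version with a database of "fixed in" versions. The shell functions below do both against a constructed plugins directory holding two fictional plugins and a constructed two-line advisory table, so they run offline. Version comparison is done component by component in awk, so that 1.10.0 correctly sorts after 1.9.0 (a plain string comparison would get this wrong).

```shell
#!/bin/sh
# Added example: build a plugin inventory from plugin headers and compare it
# with a table of fixed versions. Plugins and advisories are fictional and
# constructed here; a real scanner fetches the table from a vulnerability API.

# Constructed advisory table, one "slug fixed_version" per line: the plugin is
# vulnerable when the installed version is older than fixed_version.
ADVISORIES='example-gallery 1.4.3
example-forms 2.9.0'

# Create a throwaway plugins tree with two fictional plugins whose main files
# carry the standard WordPress header comment block.
make_fixture() {
    dir=$(mktemp -d)
    mkdir -p "$dir/example-gallery" "$dir/example-forms"
    printf '<?php\n/*\nPlugin Name: Example Gallery\nVersion: 1.4.2\n*/\n' > "$dir/example-gallery/example-gallery.php"
    printf '<?php\n/**\n * Plugin Name: Example Forms\n * Version: 3.0.1\n */\n' > "$dir/example-forms/example-forms.php"
    printf '%s\n' "$dir"
}

# Print "slug version" for each plugin directory under $1 by reading the
# Version: header from the plugin's PHP files (first match wins).
plugin_inventory() {
    for plugin_dir in "$1"/*/; do
        slug=$(basename "$plugin_dir")
        version=$(grep -h -i '^[[:space:]*]*Version:' "$plugin_dir"*.php 2>/dev/null \
            | head -n 1 | sed 's/.*Version:[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$version" ] && printf '%s %s\n' "$slug" "$version"
    done
}

# Exit 0 when version $1 is older than version $2. Components are compared
# numerically and missing components count as 0, so 1.4 equals 1.4.0 and
# 1.9.0 is older than 1.10.0. Pre-release suffixes such as -beta are ignored.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) exit 0
            if (xi > yi) exit 1
        }
        exit 1
    }'
}

# Read the inventory on stdin and print "slug installed fixed" for every plugin
# whose installed version is older than its fixed version in ADVISORIES.
vulnerable_plugins() {
    while read -r slug installed; do
        fixed=$(printf '%s\n' "$ADVISORIES" | awk -v s="$slug" '$1 == s { print $2 }')
        if [ -n "$fixed" ] && version_lt "$installed" "$fixed"; then
            printf '%s %s %s\n' "$slug" "$installed" "$fixed"
        fi
    done
}

# Demo: example-gallery 1.4.2 is older than the 1.4.3 fix; example-forms 3.0.1 is not.
PLUGINS_DIR=$(make_fixture)
plugin_inventory "$PLUGINS_DIR" | vulnerable_plugins
rm -rf "$PLUGINS_DIR"
```

Two things this makes visible: the scan is only as good as the version strings in the headers (a plugin whose author forgets to bump Version: looks patched when it isn’t), and it cannot see custom or abandoned code that no advisory database tracks, which is why it complements rather than replaces the updates in step 1.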

8. Monitor What Happens in Your Admin

If someone compromises your site, you want to know what they did and when. An activity log helps you spot suspicious behavior early – like a new admin account being created, a plugin being installed, or posts modified by an unknown user.

How to do it: Install a free activity log plugin like WP Activity Log. It tracks logins, post changes, plugin installations, and user management. Trusti Security includes its own Admin Activity Log module with configurable retention periods – handy if you already have it installed.

9. Block Known Bad Actors

Some IP addresses and user agents show up repeatedly in attack traffic. Blocking them at the web server reduces load and stops requests before they reach PHP. Both lists need maintenance: attacker IPs change constantly, and a user agent string is whatever the client chooses to send.

How to do it: Add this to your .htaccess to block specific IPs. It uses Apache 2.4 syntax; the older Order allow,deny / Deny from form only works on Apache 2.2 or on 2.4 with mod_access_compat loaded.

# Apache 2.4 (mod_authz_core). The addresses are RFC 5737 example ranges; replace them with the IPs you want to block.
<RequireAll>
    Require all granted
    Require not ip 203.0.113.45
    Require not ip 198.51.100.0/24
</RequireAll>

For blocking unwanted user agents, add the following. The agents in this example are aggressive SEO crawlers that consume bandwidth, not attackers; real attack tools send a normal browser user agent, so treat this as a load-reduction measure rather than a security control:

# Place above the # BEGIN WordPress block so this rule runs before WordPress's own rewrites
RewriteEngine on
RewriteCond %{HTTP_USER_AGENT} (ahrefsbot|dotbot|mj12bot|semrush) [NC]
RewriteRule .* - [F]

If you use Trusti Security, its IP Block List and Block User Agent modules give you a clean admin interface for this instead of editing .htaccess by hand.

10. Back Up Your Site Regularly

All the security in the world won’t save you from every possible scenario. A catastrophic vulnerability, a hosting failure, or human error can take your site down. Backups are your safety net.

How to do it: Use ManageWP for automated daily backups with off-site storage. It’s free for the first 1GB and handles both files and database. You can also use UpdraftPlus (free) with cloud storage like Dropbox or Google Drive. Schedule daily backups and keep at least 7 days of history. Test your restores every few months – a backup you can’t restore is useless.

Putting It All Together

Security isn’t a one-time setup. Run through this checklist quarterly, keep your software updated, and test your backups. Most steps take under five minutes and require nothing more than a browser and SFTP access (use SFTP rather than plain FTP, which sends your credentials in clear text).

If you’d rather not mess with .htaccess files, wp-config edits, and juggling half a dozen plugins, a comprehensive security suite like Trusti Security bundles most of the above into a single admin panel with toggles instead of code. It’s not a replacement for knowing how these things work – but it saves time once you do.
