The Complete WordPress Security Checklist for 2026
WordPress powers over 40% of the internet. That is an extraordinary statistic — and it is also exactly why WordPress sites are the most targeted websites on the planet. When attackers build automated tools to scan for vulnerabilities, they build them for WordPress first, because that is where the volume is.
The good news is that the vast majority of WordPress hacks are not sophisticated targeted attacks. They are opportunistic: automated bots scanning thousands of sites per hour, looking for the same handful of known weaknesses, such as outdated plugins and themes, weak or reused passwords, unprotected login endpoints, and no two-factor authentication. Sites that have addressed these basics are skipped in favour of easier targets.
Security is not about being impenetrable. It is about not being the easiest target in the room.
This checklist covers every meaningful WordPress security measure you should have in place in 2026 — organised by category, explained in plain language, and actionable without requiring a security engineering background. Work through it once, and you will have addressed the vulnerabilities that account for the overwhelming majority of WordPress compromises.
| Figure | What it measures |
|---|---|
| 90% | Share of WordPress hacks caused by outdated plugins, themes, or weak passwords |
| 13,000+ | WordPress vulnerabilities discovered in plugins and themes in 2024 alone |
| 30s | How often a WordPress site is attacked somewhere on the internet |
Category 1 — Updates and Software Hygiene
Outdated software is the single largest source of WordPress compromises. When a security researcher discovers a flaw in a plugin or theme, it is disclosed and patched, which means the vulnerability becomes public knowledge and sites still running the old version become immediate targets. Scanning for the vulnerable version at scale typically starts within hours of public disclosure, so a site that patches weeks later has spent that whole time exposed.
The fix is boringly simple: keep everything updated.
✅ Updates Checklist
- WordPress core is updated to the latest version — check Dashboard → Updates
- All active plugins are updated — Updates page shows pending plugin updates
- Your active theme and any parent themes are updated
- Automatic background updates are enabled for minor WordPress core releases (security patches)
- You have a staging environment to test major updates before applying them to your live site
- All inactive plugins are deleted — not just deactivated. WordPress does not load a deactivated plugin, but its PHP files still sit in the web root and can be requested directly, so a vulnerable file in it is still exploitable.
- All inactive themes are deleted — same reason. Keep only your active theme and its parent theme if applicable.
- PHP version is current — in 2026 that means PHP 8.3 or 8.4. PHP 8.2 receives security fixes only until the end of 2026, and 8.1 and older are end-of-life and receive none. Check and change your version in cPanel's PHP version selector (MultiPHP Manager or Select PHP Version, depending on the host), and try the new version on staging first, because old plugins sometimes break on newer PHP.
The inactive plugin problem: a plugin you deactivated two years ago but never deleted is still sitting in your file system. If any of its files contains a known vulnerability that can be reached by requesting that file directly, it can be exploited regardless of whether the plugin is active. Deactivated does not mean safe. Delete what you do not use.
Category 2 — Login Security
The WordPress login form (wp-login.php, which /wp-admin redirects to when you are signed out) is the front door of your site and the most attacked surface on any WordPress installation. Brute force attacks, automated bots trying thousands of username and password combinations, run constantly against WordPress login pages across the internet. The attempts that succeed usually do so because the target site uses "admin" as a username with a weak or reused password.
Login security requires almost no technical knowledge to implement and eliminates one of the most common attack vectors entirely.
✅ Login Security Checklist
- The admin username is NOT "admin" — this is the first thing brute force tools try. If your username is admin, create a new administrator account with a different username, then delete the old one and attribute its content to the new account when WordPress asks. Usernames are rarely secret (author archive URLs and the REST API users endpoint usually reveal them), so this removes a freebie for bots rather than stopping a targeted attacker; the password and 2FA do the real work.
- All user passwords are strong — minimum 16 characters, mix of uppercase, lowercase, numbers, and symbols. Use a password manager. Do not reuse passwords from other services.
- Two-factor authentication (2FA) is enabled for all administrator accounts — use a plugin like WP 2FA or the authenticator built into your security plugin. This alone makes brute force attacks virtually useless.
- Login attempts are limited — a security plugin or server-level rule should block an IP address after a defined number of failed logins (typically 5) for a cooling-off period. Bots rotate source addresses, so this slows credential stuffing rather than stopping it; 2FA is what actually closes the door. Make sure the limit also counts failures through xmlrpc.php, which brute force tools prefer precisely because form-only limiters ignore it.
- The login URL has been changed or protected — moving wp-login.php to a custom path (plugins like WPS Hide Login do this in one step) drops your site out of scanners that hit the default path. This is obscurity, not authentication: a targeted attacker finds the new path quickly, so pair it with 2FA and rate limiting, or put HTTP basic authentication or an IP allow-list in front of the login page instead.
- XML-RPC is disabled if you do not use it — XML-RPC is a legacy remote-access API, and its system.multicall method lets a bot test hundreds of passwords in a single request, which is why it is a brute force favourite. If nothing you use depends on it (Jetpack and the WordPress mobile app do), block /xmlrpc.php at the web server or switch it off with the xmlrpc_enabled filter.
- Inactive user accounts are deleted or demoted — every administrator account is a potential attack surface. Users who no longer need access should be removed or have their role reduced.
Two-factor authentication is the single highest-impact security measure you can add to a WordPress site. Even if an attacker has your password, they also need the second factor: the rolling code from your authenticator app or the hardware key in your hand. Enable it on every administrator account today, and prefer app- or key-based factors over SMS and e-mail codes, which are easier to intercept.
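The "limit login attempts" item above is easy to state and easy to get subtly wrong, so here is a worked model of it. This is an added example, not code from any plugin, from LiteScaler or from this page: a per-IP sliding window of failures that triggers a timed lockout, replayed over a constructed stream of login events. The thresholds, the IP addresses and the event stream are assumptions chosen for illustration.

```python
"""Per-IP login lockout with a sliding failure window.

Added example (not code from any plugin or from this page): it models the
"limit login attempts" item so the trade-offs are visible. Thresholds and the
sample event stream below are assumptions chosen for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass

LOCKOUT_THRESHOLD = 5        # failures per IP before the lockout triggers
WINDOW_SECONDS = 15 * 60     # failures older than this no longer count
LOCKOUT_SECONDS = 60 * 60    # how long a locked IP stays blocked


@dataclass
class Decision:
    allowed: bool
    reason: str


class LoginGuard:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, window=WINDOW_SECONDS,
                 lockout=LOCKOUT_SECONDS):
        self.threshold, self.window, self.lockout = threshold, window, lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def check(self, ip, now):
        """Call BEFORE verifying the password, so a locked IP never reaches it."""
        until = self.locked_until.get(ip)
        if until is not None:
            if now < until:
                return Decision(False, f"locked out for {int(until - now)}s more")
            del self.locked_until[ip]       # lockout expired; start counting afresh
            self.failures[ip].clear()
        return Decision(True, "ok")

    def record(self, ip, now, success):
        """Call AFTER the password check. Returns True if this attempt triggered a lockout."""
        if success:
            self.failures[ip].clear()
            return False
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # drop failures outside the window
        if len(recent) >= self.threshold:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
            return True
        return False


def replay(events, guard=None):
    """events: (timestamp, ip, password_correct) in time order. Returns (ts, ip, outcome)."""
    guard = guard or LoginGuard()
    outcomes = []
    for ts, ip, ok in events:
        if not guard.check(ip, ts).allowed:
            outcomes.append((ts, ip, "blocked"))
            continue
        locked = guard.record(ip, ts, ok)
        outcomes.append((ts, ip, "locked" if locked else "success" if ok else "failed"))
    return outcomes


# Constructed stream: a bot guessing from 203.0.113.7, a real user from 198.51.100.4.
SAMPLE_EVENTS = [
    (0, "203.0.113.7", False), (1, "203.0.113.7", False), (2, "203.0.113.7", False),
    (3, "203.0.113.7", False), (4, "203.0.113.7", False),      # fifth failure: locked
    (5, "203.0.113.7", True),             # the bot finally guesses right, but is blocked
    (10, "198.51.100.4", False), (20, "198.51.100.4", True),   # one typo, then success
    (4 + LOCKOUT_SECONDS + 1, "203.0.113.7", False),           # lockout expired; count restarts
]

if __name__ == "__main__":
    for row in replay(SAMPLE_EVENTS):
        print(row)
```

Two things the model makes visible. First, the check runs before the password is verified, so a locked-out attacker who eventually guesses right still gets nothing. Second, the counter is keyed on the client IP, so behind Cloudflare or any reverse proxy it must use the real client address (Cloudflare's CF-Connecting-IP header) rather than REMOTE_ADDR, or every visitor shares one counter and you lock out the proxy. The same counter has to be fed by failures from xmlrpc.php as well as the login form.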
Category 3 — SSL and HTTPS
A TLS certificate (still commonly called an SSL certificate) lets your server prove its identity and encrypt the connection between your visitors' browsers and your site, so data in transit, such as form submissions, login credentials and payment information, cannot be read or altered by anyone on the network path. In 2026, operating a website without HTTPS is not just a security failure: it is a ranking signal problem, a trust signal problem, and in some jurisdictions a legal compliance problem.
✅ SSL and HTTPS Checklist
- An SSL certificate is installed and active — your site loads at https:// without any browser warnings. In LiteScaler’s cPanel, SSL certificates can be issued and installed in one click via AutoSSL.
- HTTP traffic is redirected to HTTPS — visiting http://yourdomain.com should automatically redirect to https://yourdomain.com. This is typically handled via a rule in your .htaccess file or cPanel’s Force HTTPS feature.
- There are no mixed content warnings — all resources on your pages (images, scripts, stylesheets) are loaded over HTTPS, not HTTP. Chrome DevTools console will show mixed content warnings if any resources are still loading over HTTP.
- Your SSL certificate is set to auto-renew — Let’s Encrypt certificates expire every 90 days. AutoSSL on LiteScaler renews them automatically. Verify auto-renewal is configured so an expired certificate does not take your site offline unexpectedly.
- HSTS (HTTP Strict Transport Security) is enabled — this response header tells browsers to use HTTPS for your domain on every later visit, even if a user types the http:// address. Add it via .htaccess or your security plugin only once every page and subdomain serves correctly over HTTPS, because browsers will refuse plain-HTTP access for the whole max-age period; start with a short max-age and raise it to a year once nothing breaks. Submitting the domain to the browser preload list is effectively permanent, so treat that as a separate decision.
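The HTTPS items above can all be checked from two responses: the plain http:// request (which should be a permanent redirect) and the https:// page itself. The script below is an added example, not LiteScaler's tooling or anything from this page. It audits the redirect, the HSTS header, mixed content in the HTML, and as a bonus the Server header's version disclosure; the responses it runs on are constructed, and the fetch() helper is there for pointing it at a real site (network required, and deliberately not used in the sample run).

```python
"""Check the HTTPS items of this checklist against captured responses.

Added example, not the page's own tooling. audit() runs offline on the
constructed responses below; fetch() does a live request when you want to
point it at a real site (network required, not used by the sample run).
"""
import re
import urllib.error
import urllib.request
from dataclasses import dataclass, field
from urllib.parse import urlparse

ONE_YEAR = 31_536_000  # seconds; the max-age the HSTS preload list requires


@dataclass
class Response:
    url: str
    status: int
    headers: dict = field(default_factory=dict)  # lower-case header names
    body: str = ""


def parse_hsts(value):
    """Strict-Transport-Security value -> {directive: value} with lower-case names."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip().strip('"')
    return out


MIXED = re.compile(r'<(?:script|link|img|iframe|source)\b[^>]*?(?:src|href)=["\'](http://[^"\']+)', re.I)


def find_mixed_content(html):
    """Sub-resources still loaded over plain http:// (what the browser console warns about)."""
    return MIXED.findall(html)


def audit(http_resp, https_resp):
    """Return [(severity, finding)] for the http:// and https:// responses of the same page."""
    findings = []
    location = http_resp.headers.get("location", "")
    if http_resp.status not in (301, 308) or urlparse(location).scheme != "https":
        findings.append(("high", f"http:// does not redirect permanently to https:// "
                                 f"(got {http_resp.status} {location!r})"))
    hsts = https_resp.headers.get("strict-transport-security")
    if hsts is None:
        findings.append(("medium", "no Strict-Transport-Security header on the https:// response"))
    else:
        d = parse_hsts(hsts)
        max_age = int(d["max-age"]) if d.get("max-age", "").isdigit() else 0
        if max_age < ONE_YEAR:
            findings.append(("low", f"HSTS max-age={max_age} is under one year"))
        if "includesubdomains" not in d:
            findings.append(("info", "HSTS lacks includeSubDomains (acceptable if a subdomain must stay on HTTP)"))
    for url in find_mixed_content(https_resp.body):
        findings.append(("medium", f"mixed content: {url}"))
    server = https_resp.headers.get("server", "")
    if re.search(r"\d+\.\d+", server):
        findings.append(("low", f"Server header discloses a version: {server!r}"))
    return findings


def fetch(url, timeout=10):
    """Live fetch that does NOT follow redirects, so the 301 itself is what we inspect."""
    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None
    try:
        r = urllib.request.build_opener(NoRedirect).open(url, timeout=timeout)
    except urllib.error.HTTPError as e:   # 3xx/4xx/5xx arrive here; still a usable response
        r = e
    return Response(url, r.code, {k.lower(): v for k, v in r.headers.items()},
                    r.read().decode("utf-8", "replace"))


# Constructed responses: the redirect is right, but HSTS is weak, one image is http://,
# and the Server header leaks a version.
SAMPLE_HTTP = Response("http://example.com/", 301, {"location": "https://example.com/"})
SAMPLE_HTTPS = Response(
    "https://example.com/", 200,
    {"strict-transport-security": "max-age=300", "server": "Apache/2.4.41 (Ubuntu)"},
    '<html><img src="http://example.com/logo.png"><script src="https://example.com/a.js"></script></html>',
)

if __name__ == "__main__":
    for severity, finding in audit(SAMPLE_HTTP, SAMPLE_HTTPS):
        print(f"[{severity}] {finding}")
```

The redirect check insists on 301 or 308: a 302 is honoured by browsers but tells caches and crawlers nothing permanent. The mixed-content regex only catches resources written into the HTML; scripts that fetch http:// URLs at runtime still need the DevTools console check the list mentions.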
Category 4 — Backups
Backups are not a security measure in the traditional sense — they do not prevent attacks. They are a recovery measure, and they are what determines whether a security incident is a temporary setback or a catastrophic loss. A site that gets hacked and has a clean backup from yesterday recovers in hours. A site that gets hacked with no backup may never fully recover.
The rule in security is simple: your backup is only as good as your last test restore. A backup you have never tested may not actually work when you need it.
✅ Backup Checklist
- Automated daily backups are configured and running — manual backups are not a backup strategy. They happen once and are never updated. Automated backups run whether you remember to or not.
- Backups include both files AND database — a files-only backup cannot restore your content. A database-only backup cannot restore your theme or media. Both are required for a complete restore.
- Backups are stored off-server — a backup sitting on the same server as your site is destroyed in the same incident that destroys your site. Store backups in a separate location: cloud storage, a different server, or downloaded locally. Ideally the backup storage uses credentials the web server does not hold, so an attacker who owns the site cannot also delete the backups.
- Backup retention covers at least 30 days — malware infections are sometimes not discovered immediately. A 7-day backup window may not go back far enough to find a clean restore point. 30 days is the practical minimum for business sites.
- You have tested a restore — pick a non-critical moment, take a recent backup, and restore it to a staging environment. Verify the site works correctly from the restored backup. This is the only way to know your backup process actually works.
On LiteScaler: Daily automated backups run on all hosting plans as standard — not as a paid add-on. Backups cover both files and databases, and the backup system is active from the day your account is created. You can also trigger manual backups before major updates directly from cPanel.
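The backup items above (files and database together, off-server storage, 30-day retention, a tested restore) translate into a small job that is worth seeing end to end. The following is an added example and is not LiteScaler's backup system or anything from this page: it archives a web root and a database dump together, writes a checksum manifest, prunes by retention, and verifies an archive by test-extracting it. The site tree and SQL text in demo() are constructed, and dump_database() stands in for a real mysqldump call.

```python
"""Backup job model: files and database archived together, checksum manifest,
retention pruning, and a test restore.

Added example, not LiteScaler's or WordPress's backup code. dump_database() is a
stand-in for `mysqldump --single-transaction`; the site tree and SQL text in demo()
are constructed. Put backups_dir on another host or in object storage.
"""
import hashlib
import os
import tarfile
import tempfile
import time
from pathlib import Path

RETENTION_DAYS = 30


def dump_database(dest: Path, sql_text: str):
    """Stand-in for mysqldump; in production run it with the DB credentials from wp-config.php."""
    dest.write_text(sql_text)


def sha256_of(path: Path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(archive: Path):
    return archive.parent / (archive.name + ".sha256")


def make_backup(docroot: Path, backups_dir: Path, sql_text: str, stamp=None):
    """Write <backups_dir>/site-<stamp>.tar.gz containing files/ and db.sql, plus a checksum file."""
    stamp = stamp or time.strftime("%Y%m%dT%H%M%SZ", time.gmtime())
    backups_dir.mkdir(parents=True, exist_ok=True)
    archive = backups_dir / f"site-{stamp}.tar.gz"
    with tempfile.TemporaryDirectory() as tmp:
        dump = Path(tmp) / "db.sql"
        dump_database(dump, sql_text)
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(docroot, arcname="files")   # the whole web root, uploads included
            tar.add(dump, arcname="db.sql")
    manifest_for(archive).write_text(f"{sha256_of(archive)}  {archive.name}\n")
    return archive


def verify_backup(archive: Path):
    """Test restore into a scratch directory. Returns (ok, reason)."""
    expected = manifest_for(archive).read_text().split()[0]
    if sha256_of(archive) != expected:
        return False, "checksum mismatch (corrupted or tampered archive)"
    with tempfile.TemporaryDirectory() as tmp, tarfile.open(archive) as tar:
        names = set(tar.getnames())
        if "db.sql" not in names or "files/wp-config.php" not in names:
            return False, "archive lacks db.sql or files/wp-config.php: not a complete backup"
        # filter="data" (Python 3.12+, backported to 3.8.17/3.9.17/3.10.12/3.11.4)
        # refuses absolute paths and ../ escapes inside the archive
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        tar.extractall(tmp, **kwargs)
        if "CREATE TABLE" not in (Path(tmp) / "db.sql").read_text():
            return False, "db.sql does not look like a MySQL dump"
    return True, "ok"


def prune(backups_dir: Path, retention_days=RETENTION_DAYS, now=None):
    """Remove archives (and their checksum files) older than the retention window."""
    cutoff = (now or time.time()) - retention_days * 86400
    removed = []
    for archive in sorted(backups_dir.glob("site-*.tar.gz")):
        if archive.stat().st_mtime < cutoff:
            manifest_for(archive).unlink(missing_ok=True)
            archive.unlink()
            removed.append(archive.name)
    return removed


def demo():
    """Constructed site tree: back it up twice, age one copy past retention, prune, test-restore."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        docroot = root / "public_html"
        (docroot / "wp-content" / "uploads").mkdir(parents=True)
        (docroot / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        (docroot / "wp-content" / "uploads" / "photo.jpg").write_bytes(b"\xff\xd8\xff")
        sql = "CREATE TABLE `wp_options` (`option_id` bigint(20) unsigned NOT NULL);\n"
        old = make_backup(docroot, root / "backups", sql, stamp="20260101T000000Z")
        os.utime(old, (time.time() - 45 * 86400,) * 2)   # pretend it is 45 days old
        new = make_backup(docroot, root / "backups", sql, stamp="20260214T000000Z")
        removed = prune(root / "backups")
        ok, reason = verify_backup(new)
        return ok, reason, removed


if __name__ == "__main__":
    print(demo())
```

verify_backup() is the "tested restore" item in miniature: it checks the checksum, confirms both halves are present, and actually extracts the archive rather than trusting that it was written. Run it against the copy in off-server storage, not the local one, since that is the copy you will restore from.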
Category 5 — Malware Scanning and Monitoring
Malware on a WordPress site does not always announce itself. Sophisticated infections are designed to be invisible to the site owner — running malicious scripts in the background, redirecting visitors to spam sites only when they arrive from Google, or harvesting form submission data silently. You can have a compromised site that looks and functions completely normally from your perspective.
The only way to catch these infections is active scanning.
✅ Malware and Monitoring Checklist
- A security plugin with malware scanning is installed and active — Wordfence (free tier) and Sucuri Security are the two most widely used options. Both scan your WordPress files and database for known malware signatures and suspicious code.
- Scheduled automatic scans are configured — manual scans only catch what you remember to look for. Set up weekly or daily automated scans so infections are detected promptly.
- File change monitoring is enabled — this alerts you when core, plugin or theme files change outside an update you ran yourself, which is one of the most reliable early indicators of a compromise. Expect a burst of changes on every update; anything between updates deserves a look.
- Google Search Console is set up and connected — Google will alert you if it detects malware or deceptive content on your site through Search Console. This is often the fastest way to learn about an infection that affects search visitors specifically.
- Your site is not flagged in Google Safe Browsing — look your domain up in Google's Safe Browsing site status tool (transparencyreport.google.com/safe-browsing/search). A flagged site displays full-page warnings in Chrome and loses search visibility immediately.
- Server-level malware scanning is active — on LiteScaler, proactive malware scanning runs at the server level, independent of any WordPress plugin. This catches infections that disable or bypass WordPress-level security tools.
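The file change monitoring and malware scanning items above rest on two simple mechanisms: a hash baseline that is diffed on each run, and a signature pass over whatever changed. The script below is an added example, not Wordfence, Sucuri, LiteScaler's scanner or any code from this page. Its signatures are a handful of illustrative PHP webshell idioms rather than a malware database, and the compromised site tree in demo() is constructed.

```python
"""File-change monitoring plus a small signature scan for common PHP webshell idioms.

Added example (not Wordfence, Sucuri or the page's code). The signatures are a
handful of illustrative patterns, not a malware database, and the compromised
tree built in demo() is constructed. Keep the baseline off the server: an
attacker who can edit files can also edit a baseline stored beside them.
"""
import hashlib
import re
import tempfile
from pathlib import Path

PHP_EXTENSIONS = {".php", ".phtml", ".php5", ".php7", ".phar", ".inc"}

SIGNATURES = {  # name -> pattern over file text (illustrative)
    "eval-of-decoded-payload": re.compile(
        r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
    "shell-exec-of-request-input": re.compile(
        r"\b(?:system|exec|shell_exec|passthru|popen)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
    "preg-replace-e-modifier": re.compile(
        r"preg_replace\s*\(\s*['\"]/[^'\"]*/[A-Za-z]*e[A-Za-z]*['\"]"),
    "long-base64-blob": re.compile(r"['\"][A-Za-z0-9+/]{400,}={0,2}['\"]"),
}


def hash_tree(root: Path):
    """{relative path: sha256} for every regular file under root; this is the baseline."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_baseline(baseline, current):
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k]),
    }


def scan_file(path: Path):
    """Names of signatures that fire on a PHP file; non-PHP files are skipped."""
    if path.suffix.lower() not in PHP_EXTENSIONS:
        return []
    text = path.read_text(errors="replace")
    return [name for name, rx in SIGNATURES.items() if rx.search(text)]


def scan_tree(root: Path, baseline):
    """Integrity diff plus a signature scan of every added or modified file.
    Any PHP file under wp-content/uploads is flagged on sight: nothing legitimate puts PHP there."""
    current = hash_tree(root)
    delta = diff_baseline(baseline, current)
    hits = {}
    for rel in delta["added"] + delta["modified"]:
        path = root / rel
        names = scan_file(path)
        if rel.startswith("wp-content/uploads/") and path.suffix.lower() in PHP_EXTENSIONS:
            names.append("php-in-uploads")
        if names:
            hits[rel] = names
    return delta, hits, current


def demo():
    """Constructed tree: take a baseline, then simulate a compromise and rescan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content/uploads/2026/01").mkdir(parents=True)
        (root / "wp-includes").mkdir()
        (root / "wp-includes/functions.php").write_text("<?php function wp_hello() { return 'hi'; }\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        baseline = hash_tree(root)   # taken right after a clean install or update
        # simulated compromise: a backdoor appended to a core file, a dropper in uploads
        (root / "wp-includes/functions.php").write_text(
            "<?php function wp_hello() { return 'hi'; }\n@eval(base64_decode($_POST['x']));\n")
        (root / "wp-content/uploads/2026/01/image.php").write_text(
            "<?php if (isset($_GET['c'])) { system($_GET['c']); }\n")
        delta, hits, _ = scan_tree(root, baseline)
        return delta, hits


if __name__ == "__main__":
    delta, hits = demo()
    print(delta)
    print(hits)
```

Take the baseline immediately after a clean install or update and store it somewhere the web server cannot write, then run the diff on a schedule. The integrity diff is the part that catches what signatures miss: a modified core file is suspicious whatever it contains, because you did not change it.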
Category 6 — File and Database Security
WordPress file permissions and database security are the unglamorous backend of WordPress hardening — less visible than login security or SSL, but genuinely important for limiting the damage an attacker can do if they do gain some level of access.
✅ File and Database Security Checklist
- File permissions are set correctly — WordPress files should be 644, directories 755, and wp-config.php 440 or 400 (600 also works on cPanel-style hosts, where PHP runs as your own account user; if PHP runs as a separate web server user, that user needs group read, so 440 with the right group). Never 777: that lets every user and process on a shared server modify your files.
- wp-config.php is protected — this file contains your database credentials and security keys. Restrict direct access to it via an .htaccess rule. Most security plugins add this protection automatically.
- The WordPress database table prefix has been changed from the default "wp_" — this defeats only the crudest scripted SQL injection payloads that hard-code table names; an attacker with a working injection reads the real names from information_schema. Treat it as cheap defence in depth rather than a barrier, and do it at install time, because changing it on a live site means renaming every table and fixing the option and usermeta keys that embed the prefix.
- Direct PHP execution is disabled in the uploads folder — attackers who successfully upload a malicious PHP file to your uploads directory should not be able to execute it. An .htaccess rule blocking PHP execution in /wp-content/uploads/ prevents this attack vector.
- Directory browsing is disabled — without this protection, anyone can browse your site’s directory structure and see what files exist. A single line in .htaccess disables it: Options -Indexes
- The wp-config.php database password is strong and unique — the same password hygiene that applies to user accounts applies here. A weak database password is a meaningful vulnerability.
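The permission, wp-config.php, uploads and directory-listing items above can be audited and fixed together. The script below is an added example, not LiteScaler's or any plugin's code and not from this page. It walks a web root, reports the misses, and its remediate() step applies the standard modes and the two .htaccess rule sets (Apache 2.4 syntax, which LiteSpeed also honours; on nginx the equivalent location blocks belong in the server config). The tree in demo() is constructed; the wp-config.php mode of 400 is the page's recommendation and assumes PHP runs as the file owner.

```python
"""Permission and .htaccess audit for a WordPress web root, with a remediation step.

Added example, not the page's or any plugin's code. The .htaccess directives are
standard Apache 2.4 syntax, which LiteSpeed also honours; on nginx they do nothing.
demo() runs on a constructed tree; point audit()/remediate() at a real docroot
deliberately, since remediate() chmods everything under it.
"""
import os
import stat
import tempfile
from pathlib import Path

UPLOADS_HTACCESS = """# Never execute PHP that lands in the uploads tree
<FilesMatch "\\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
"""

ROOT_HTACCESS_RULES = """# Keep wp-config.php unreadable over HTTP and hide directory listings
<Files "wp-config.php">
    Require all denied
</Files>
Options -Indexes
"""

WP_CONFIG_MODE = 0o400   # assumes PHP runs as the file owner (cPanel/LSAPI); use 0o440 otherwise


def audit(docroot: Path):
    """Return [(severity, finding)] for the file and .htaccess items of the checklist."""
    findings = []
    for p in sorted(docroot.rglob("*")):
        mode = stat.S_IMODE(p.lstat().st_mode)
        rel = p.relative_to(docroot).as_posix()
        if mode & stat.S_IWOTH:
            findings.append(("high", f"world-writable: {rel} ({mode:o})"))
        elif p.is_dir() and mode != 0o755:
            findings.append(("low", f"directory not 755: {rel} ({mode:o})"))
        elif p.is_file() and rel != "wp-config.php" and mode not in (0o644, 0o640, 0o600):
            findings.append(("low", f"file not 644/640/600: {rel} ({mode:o})"))
    cfg = docroot / "wp-config.php"
    if cfg.exists():
        cfg_mode = stat.S_IMODE(cfg.stat().st_mode)
        if cfg_mode & 0o007:
            findings.append(("medium", f"wp-config.php is world-readable ({cfg_mode:o})"))
    root_ht = docroot / ".htaccess"
    root_rules = root_ht.read_text() if root_ht.exists() else ""
    if "Options -Indexes" not in root_rules:
        findings.append(("medium", "directory browsing not disabled (no Options -Indexes)"))
    if "wp-config.php" not in root_rules:
        findings.append(("medium", "no .htaccess rule denying HTTP access to wp-config.php"))
    uploads_ht = docroot / "wp-content" / "uploads" / ".htaccess"
    if not uploads_ht.exists() or "php" not in uploads_ht.read_text().lower():
        findings.append(("high", "PHP execution not blocked in wp-content/uploads"))
    return findings


def remediate(docroot: Path):
    """Directories 755, files 644, wp-config.php WP_CONFIG_MODE, and both .htaccess rule sets
    (root rules are appended, never overwriting what is already there)."""
    for p in docroot.rglob("*"):
        if not p.is_symlink():
            os.chmod(p, 0o755 if p.is_dir() else 0o644)
    os.chmod(docroot / "wp-config.php", WP_CONFIG_MODE)
    root_ht = docroot / ".htaccess"
    existing = root_ht.read_text() if root_ht.exists() else ""
    if "Options -Indexes" not in existing or "wp-config.php" not in existing:
        root_ht.write_text((existing.rstrip("\n") + "\n" + ROOT_HTACCESS_RULES) if existing else ROOT_HTACCESS_RULES)
    os.chmod(root_ht, 0o644)
    uploads = docroot / "wp-content" / "uploads"
    uploads.mkdir(parents=True, exist_ok=True)
    (uploads / ".htaccess").write_text(UPLOADS_HTACCESS)
    os.chmod(uploads / ".htaccess", 0o644)


def demo():
    """Constructed web root with typical misconfigurations: audit, fix, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        (root / "wp-config.php").write_text("<?php define('DB_PASSWORD', 'x');\n")
        (root / "index.php").write_text("<?php\n")
        os.chmod(root / "wp-config.php", 0o644)            # world-readable credentials
        os.chmod(root / "wp-content" / "uploads", 0o777)   # the classic "make it work" chmod
        before = audit(root)
        remediate(root)
        after = audit(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after)
```

The uploads rule denies the request before PHP ever sees the file, so a dropper that slips past an upload filter is inert. Check that your host actually honours .htaccess (LiteSpeed and Apache do; nginx ignores it silently), and re-run audit() after plugin updates, because some plugins rewrite the root .htaccess.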
Category 7 — Hosting-Level Security
WordPress security does not begin and end at the application layer. The server your site runs on is either a security asset or a security liability — and most website owners never think about this dimension at all.
A hosting environment with outdated server software, no DDoS protection, no firewall, and shared server space with compromised accounts creates vulnerabilities that no WordPress plugin can fully compensate for. Hosting-level security is the foundation everything else sits on.
✅ Hosting-Level Security Checklist
- Your host runs a current, actively maintained web server — LiteSpeed Enterprise receives regular security updates. Apache versions that have not been updated in years are a known vulnerability source.
- DDoS protection is active — a Distributed Denial of Service attack floods your server with traffic until it goes offline. Cloudflare integration (one-click on LiteScaler) provides enterprise-grade DDoS mitigation that absorbs these attacks before they reach your server.
- A Web Application Firewall (WAF) is in place — a WAF filters malicious traffic before it reaches WordPress, blocking common attack patterns like SQL injection, cross-site scripting, and known exploit attempts. Cloudflare provides WAF functionality at the network level.
- SSH access uses key-based authentication, not password authentication — if your hosting plan includes SSH access, disable password-based SSH login and use key pairs instead. Password-based SSH is vulnerable to brute force attacks.
- Your host proactively scans for and removes malware — reactive malware removal (cleaning up after an infection) is the minimum. Proactive scanning catches infections before they spread or cause damage. LiteScaler’s engineering team actively scans for and patches vulnerabilities at the server level.
- Server software versions are not publicly exposed — the Server response header should not reveal the exact software version your server runs. Attackers use this information to target known vulnerabilities in specific versions.
The hosting security advantage on LiteScaler: Server-level security — DDoS protection via one-click Cloudflare, proactive malware scanning, LiteSpeed Enterprise with current security patches, and Tier-3 engineering support — is infrastructure that operates independently of your WordPress installation. Even if your WordPress layer is temporarily compromised, the server layer provides a containment boundary that limits the damage.
Category 8 — Email Security (SPF, DKIM, DMARC)
Email security is the dimension of WordPress security that most checklists skip entirely — and it is a meaningful gap. If your domain does not have proper email authentication configured, attackers can send emails that appear to come from your domain. This is called domain spoofing, and it damages your domain reputation, gets your legitimate emails filtered to spam, and can be used to defraud your customers.
✅ Email Security Checklist
- SPF record is configured — Sender Policy Framework specifies which servers are authorised to send email from your domain. Without it, anyone can send email claiming to be from your domain.
- DKIM is set up — DomainKeys Identified Mail adds a cryptographic signature to outgoing emails that receiving servers can verify. It confirms the email genuinely came from your server and has not been tampered with in transit.
- DMARC policy is in place — Domain-based Message Authentication, Reporting and Conformance tells receiving servers what to do with mail that fails SPF and DKIM alignment, and where to send reports about it. Only p=quarantine or p=reject actively protects your domain from spoofing; p=none merely reports. Start at p=none with an rua= reporting address, review the reports for legitimate senders you forgot (newsletter tools, CRM, the website itself), then step up to quarantine and finally reject.
- You are using a professional email address — if WordPress sends notifications and contact form mail as a @gmail.com address, it is sending on behalf of a domain your server is not authorised for, so the mail fails SPF and DKIM for gmail.com and is far more likely to be filtered as spam. Use a mailbox on your own domain for all site communications, so outgoing mail passes your SPF record and carries your DKIM signature.
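The three records in this category are short strings with a handful of rules each, and most mistakes (a missing "all" mechanism, too many SPF lookups, a DMARC policy still at p=none, a revoked DKIM key) are visible from the record text alone. The following is an added example, not LiteScaler's or any mail provider's tooling and not from this page: it parses and grades SPF, DKIM and DMARC records. The records in SAMPLE are constructed for a hypothetical example.com, and lookup_txt() is only needed if you want to pull live records (it assumes the dnspython package is installed).

```python
"""Parse and grade the SPF, DKIM and DMARC records behind this checklist.

Added example; runs on constructed TXT records. lookup_txt() does a live DNS
query and assumes dnspython is installed; the sample run does not use it.
"""


def parse_spf(txt):
    """Findings for an SPF TXT record (RFC 7208 rules, the ones that bite in practice)."""
    if not txt.startswith("v=spf1"):
        return [("high", "not an SPF record (must begin with v=spf1)")]
    findings, lookups, final = [], 0, None
    for term in txt.split()[1:]:
        mech = term.lstrip("+-~?")
        name = mech.split(":")[0].split("/")[0].lower()
        if name in ("include", "a", "mx", "ptr", "exists") or term.lower().startswith("redirect="):
            lookups += 1                      # each of these costs a DNS lookup at verification time
        if name == "ptr":
            findings.append(("low", "ptr mechanism is deprecated and slow"))
        if name == "all":
            final = term
    if lookups > 10:
        findings.append(("high", f"{lookups} DNS-lookup terms; RFC 7208 permits 10 (permerror)"))
    if final is None:
        findings.append(("medium", "no 'all' mechanism; unlisted senders are neither passed nor failed"))
    elif final in ("+all", "all"):
        findings.append(("high", "+all authorises every server on the internet"))
    elif final == "?all":
        findings.append(("medium", "?all is neutral; use ~all or -all"))
    return findings


def _tags(txt):
    """'k=v; k2=v2' -> {k: v}, as used by DKIM and DMARC records."""
    return dict(kv.strip().split("=", 1) for kv in txt.split(";") if "=" in kv)


def parse_dmarc(txt):
    tags = _tags(txt)
    if tags.get("v") != "DMARC1":
        return [("high", "not a DMARC record (must begin with v=DMARC1)")]
    findings = []
    policy = tags.get("p", "none")
    if policy == "none":
        findings.append(("medium", "p=none only monitors; spoofed mail is still delivered"))
    if "rua" not in tags:
        findings.append(("low", "no rua= address; you receive no aggregate reports"))
    pct = int(tags.get("pct", "100"))
    if pct < 100 and policy != "none":
        findings.append(("info", f"pct={pct}: only that share of failing mail gets the policy"))
    return findings


def check_dkim(txt):
    """DKIM records live at <selector>._domainkey.<domain>; the key is the p= tag."""
    tags = _tags(txt)
    if "p" not in tags:
        return [("high", "DKIM record has no public key (p=)")]
    if tags["p"] == "":
        return [("high", "DKIM key revoked (empty p=)")]
    return []


def grade(spf=None, dkim=None, dmarc=None):
    """Each argument is the record text or None if the lookup returned nothing."""
    return {
        "spf": parse_spf(spf) if spf else [("high", "no SPF record")],
        "dkim": check_dkim(dkim) if dkim else [("high", "no DKIM record at the selector")],
        "dmarc": parse_dmarc(dmarc) if dmarc else [("high", "no DMARC record")],
    }


def lookup_txt(name):
    """Live TXT lookup; needs `pip install dnspython`. Returns the joined record or None."""
    import dns.resolver
    try:
        answers = dns.resolver.resolve(name, "TXT")
    except Exception:
        return None
    for rdata in answers:
        return "".join(s.decode() for s in rdata.strings)
    return None


# Constructed records for a hypothetical example.com with DKIM selector "mail".
SAMPLE = {
    "spf": "v=spf1 mx include:_spf.example.net ~all",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAconstructed",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
}

if __name__ == "__main__":
    for mechanism, findings in grade(**SAMPLE).items():
        print(mechanism, findings or "ok")
    # live use: grade(lookup_txt("example.com"), lookup_txt("mail._domainkey.example.com"),
    #                 lookup_txt("_dmarc.example.com"))
```

The sample domain passes SPF and DKIM but sits at p=none, which is exactly the state most domains get stuck in: reporting is on, enforcement never happens. The SPF lookup counter matters because a record that exceeds ten lookups fails with a permanent error at every receiver, which is worse than having no record.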
The Complete Security Checklist — Quick Reference
Use this as your master reference. Run through it once to audit your current setup, then revisit it quarterly to catch anything that has drifted.
Updates & Software
- WordPress core updated to latest version
- All plugins updated
- Theme and parent theme updated
- Inactive plugins deleted
- Inactive themes deleted
- PHP version is 8.3 or 8.4 (8.2 at the very least; it receives security fixes only until the end of 2026)
- Auto-updates enabled for minor core releases
- Staging environment in place for testing major updates
Login Security
- Admin username is not “admin”
- Strong, unique passwords on all accounts
- Two-factor authentication enabled for all admins
- Login attempt limits configured
- Login URL changed or protected
- XML-RPC disabled
- Inactive user accounts removed
SSL and HTTPS
- SSL certificate installed and active
- HTTP redirects to HTTPS
- No mixed content warnings
- SSL auto-renewal configured
- HSTS enabled
Backups
- Automated daily backups running
- Backups include files and database
- Backups stored off-server
- 30-day retention minimum
- Restore tested at least once
Malware and Monitoring
- Security plugin with malware scanning installed
- Automated scans scheduled
- File change monitoring enabled
- Google Search Console connected
- Site not flagged in Google Safe Browsing
File and Database Security
- File permissions set correctly
- wp-config.php access restricted
- Database prefix changed from wp_
- PHP execution blocked in uploads folder
- Directory browsing disabled
Hosting Security
- Host runs current, maintained server software
- DDoS protection active
- Web Application Firewall in place
- SSH uses key-based authentication
- Host performs proactive malware scanning
Email Security
- SPF record configured
- DKIM set up
- DMARC policy in place
- Professional domain-based email in use
Common Questions
Do I need a paid security plugin or is the free version enough?
For most WordPress sites, the free tier of Wordfence or Sucuri Security provides sufficient malware scanning, login protection, and firewall functionality. The paid versions add features like real-time threat intelligence, advanced firewall rules, and faster malware removal support — worth considering for high-traffic or e-commerce sites where a security incident has direct revenue impact. Start with the free tier and upgrade only if you identify a specific gap it cannot address.
How often should I run through this checklist?
Do a full audit quarterly. Some items — updates, backup verification — should be checked monthly. Two specific triggers should prompt an immediate full review: any WordPress core or major plugin update that introduces significant changes, and any security incident however minor. A brief security compromise that you clean up quickly is also a signal that something in your setup allowed initial access — worth identifying and closing.
My site was hacked. What do I do first?
Do not panic and do not immediately delete files. First, take a snapshot of the current state (files and database) so you can analyse what happened, and take the site offline or put it in maintenance mode if it is actively redirecting visitors or serving malware. Then restore from your most recent clean backup, checking that it genuinely predates the compromise: restoring a backup taken after the intrusion restores the backdoor with it. After restoring, change all passwords (WordPress admin, database, FTP, hosting cPanel) and regenerate the security keys in wp-config.php so every existing session is invalidated. Update everything. Then work through this checklist to identify and close whatever vulnerability allowed the initial access. If you are on LiteScaler, contact support immediately; the engineering team performs proactive malware cleanup and can assist with identifying the infection vector.
Does HTTPS protect my site from being hacked?
HTTPS encrypts data in transit: it prevents eavesdropping on, and tampering with, the connection between your visitor's browser and your server. It does not protect your site from being hacked through application vulnerabilities like outdated plugins, weak passwords, or SQL injection. HTTPS is necessary, but it addresses only one attack vector. The full checklist above covers the others.
The Bottom Line
WordPress security is not a one-time project. It is an ongoing practice — updates, monitoring, periodic audits, and an infrastructure foundation that handles the server-level threats so your WordPress-level security measures can focus on the application layer.
The checklist above addresses every meaningful vulnerability category. None of the items require advanced technical knowledge. Most of them take under ten minutes each to implement. Together, they move your site from the “easy target” category — where the overwhelming majority of WordPress hacks originate — to the category of sites that automated scanners and opportunistic attackers skip in favour of easier options.
Work through the checklist once. Set reminders for the quarterly review. And choose a hosting provider whose infrastructure handles the server-level security so you are not fighting that battle alone from inside WordPress.
Security That Starts at the Server — Before WordPress Even Loads.
LiteScaler provides proactive server-level malware scanning, one-click Cloudflare DDoS protection, automated daily backups, free SSL on all domains, and Tier-3 engineering support — the hosting security foundation your WordPress checklist sits on. Explore plans at litescaler.com/hosting.
Secure your site today → litescaler.com/hosting