🔑 Authentication & User Management

Secure access points and enforce strong credentials to prevent unauthorized logins.

| Task | Action | Priority |
|------|--------|----------|
| Enforce strong passwords & 2FA | Require a minimum of 12 characters and enable two-factor authentication for all admin accounts. | High |
| Change default login URL | Replace `/wp-login.php` with a custom endpoint to reduce brute-force attempts. | High |
| Limit login attempts | Rate-limit logins (max 5 attempts/hour) to block credential-stuffing attacks. | High |
| Remove unused user accounts | Delete or downgrade inactive accounts; keep only active editors and admins. | Medium |
🛡️ Security Configuration

Harden server headers, disable exposure, and block common attack vectors.

| Task | Action | Priority |
|------|--------|----------|
| Disable XML-RPC | Block `/xmlrpc.php` unless a third-party integration explicitly needs it. | High |
| Hide WordPress version | Remove the version from generator meta tags and other front-end output. | Medium |
| Implement security headers | Add Content-Security-Policy, X-Content-Type-Options, X-Frame-Options and Strict-Transport-Security. | High |
| Enforce HTTPS everywhere | Redirect all HTTP traffic to HTTPS and fix mixed-content warnings. | High |
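To check whether the XML-RPC, version-exposure and security-header items above are actually in effect, the following added script (not part of this checklist or the Wp Admin product) audits a saved HTTP response. The file names, the `wp_sample_response` content and the function names are assumptions; the response dumps are whatever `curl -si URL` produces.

```shell
#!/bin/sh
# Added example, not code from the checklist page: audits a saved HTTP response
# against the "Security Configuration" items (security headers, version exposure,
# XML-RPC). Input files are dumps such as `curl -si https://example.com` (headers,
# blank line, body); the sample written by wp_sample_response is constructed.

# Print each required header that is absent (case-insensitive), return 1 if any is.
wp_audit_headers() {
    file="$1"; rc=0
    for h in Content-Security-Policy X-Content-Type-Options X-Frame-Options Strict-Transport-Security; do
        if ! grep -qi "^$h:" "$file"; then
            echo "missing: $h"; rc=1
        fi
    done
    return $rc
}

# WordPress emits <meta name="generator" content="WordPress X.Y" /> via wp_generator
# unless the site removes it. Returns 0 when the tag is absent, 1 when present.
wp_audit_generator() {
    ! grep -qi '<meta name="generator" content="WordPress' "$1"
}

# Response to GET /xmlrpc.php: a live endpoint answers with the body
# "XML-RPC server accepts POST requests only."; a blocked one should give 403/404.
# Returns 0 when the endpoint is blocked.
wp_audit_xmlrpc() {
    ! grep -q 'XML-RPC server accepts POST requests only' "$1"
}

# Constructed sample of a site that passes only two of the four header checks
# and still exposes its version; written to the path given.
wp_sample_response() {
    printf '%s\r\n' \
        'HTTP/1.1 200 OK' \
        'Content-Type: text/html; charset=UTF-8' \
        'X-Content-Type-Options: nosniff' \
        'X-Frame-Options: SAMEORIGIN' \
        '' \
        '<html><head><meta name="generator" content="WordPress 6.5" /></head></html>' \
        > "$1"
}

# Usage: sh wp_audit.sh response.txt [xmlrpc-response.txt]
if [ -n "$1" ]; then
    wp_audit_headers "$1" && echo "headers: ok"
    if wp_audit_generator "$1"; then echo "generator tag: absent"; else echo "generator tag: PRESENT"; fi
    if [ -n "$2" ]; then
        if wp_audit_xmlrpc "$2"; then echo "xmlrpc: blocked"; else echo "xmlrpc: LIVE"; fi
    fi
fi
```

Run it against the front page for the first two checks and against a saved `GET /xmlrpc.php` response for the third; a non-zero exit from any function means the corresponding row is still open.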
🗄️ Database & File Security

Protect core files, restrict directory access, and secure database credentials.

| Task | Action | Priority |
|------|--------|----------|
| Restrict wp-config.php access | Move the config file above the webroot, or block direct requests with `.htaccess`/Nginx rules. | High |
| Change database prefix | Replace the default `wp_` prefix with a unique string at installation or via migration. | Medium |
| Disable directory browsing | Stop the server from listing `/wp-content/uploads/` and other directories. | Medium |
| Set correct file permissions | Files `644`, directories `755`, `wp-config.php` `600` or `440`. | High |
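The permission scheme in the last row is easy to state and easy to drift from after a plugin install or a careless `chmod -R`. The following added script (not from this checklist) applies the scheme to a WordPress root and reports every path that deviates from it; the root argument and function names are assumptions.

```shell
#!/bin/sh
# Added example, not code from the checklist page: applies and verifies the
# scheme from the table above (files 644, directories 755, wp-config.php 600,
# with 440 also accepted). Run as the owner of the files, not as root.
# Caveat: the scheme assumes PHP runs as the file owner; if it runs as another
# user, wp-content/uploads needs group write, which this script does not grant.

# Apply the scheme; `-exec ... +` batches paths instead of one chmod per file.
wp_fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# Print every path whose mode deviates from the scheme. `-perm 755` with no
# leading - or / is an exact-mode match, so group/world-writable entries (the
# ones a low-privileged neighbour on a shared host would abuse) are caught too.
wp_check_perms() {
    root="$1"
    {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" ! -perm 600 ! -perm 440
        fi
    } | sed 's/^/bad perms: /'
}

# Number of deviating paths; 0 means the tree matches the scheme.
wp_perm_violations() {
    wp_check_perms "$1" | wc -l | tr -d ' '
}

# Usage: sh wp_perms.sh /var/www/site [fix]
if [ -n "$1" ]; then
    [ "$2" = "fix" ] && wp_fix_perms "$1"
    wp_check_perms "$1"
    echo "violations: $(wp_perm_violations "$1")"
fi
```

Running the check before the fix shows what will change; running it afterwards (or from cron) catches regressions.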
🛠️ Performance & Maintenance

Keep your site optimized, patched, and backed up to ensure reliability and speed.

| Task | Action | Priority |
|------|--------|----------|
| Update core, themes & plugins | Apply security patches within 48 hours; test in staging before production. | High |
| Remove unused plugins/themes | Delete them, don't just deactivate: deactivated code still adds attack surface. | Medium |
| Disable file editing in dashboard | Add `define('DISALLOW_FILE_EDIT', true);` to `wp-config.php`. | Medium |
| Implement off-site backups | Schedule daily backups stored separately from the web server (e.g. S3, Wasabi). | High |
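The following added script (not part of this checklist or any product it names) covers the two configuration rows above: it verifies that `DISALLOW_FILE_EDIT` is really defined as `true` in `wp-config.php`, and it produces a timestamped, checksummed backup archive that is handed to an upload command for off-site storage. The paths, the `WP_BACKUP_UPLOAD` hook, the retention period and the function names are assumptions; `sha256sum` is from GNU coreutils.

```shell
#!/bin/sh
# Added example, not code from the checklist page. Assumptions: WP_BACKUP_UPLOAD
# is an optional command that receives one local path and copies it off-site
# (e.g. a wrapper script around `aws s3 cp`); KEEP_DAYS defaults to 30.

# Return 0 only if wp-config.php defines DISALLOW_FILE_EDIT as true.
# Tolerates spacing and either quote style; a commented-out define does not count.
wp_file_edit_disabled() {
    grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# wp_backup ROOT DEST [KEEP_DAYS]: archive ROOT into DEST as wp-<timestamp>.tar.gz,
# verify it reads back, restrict it to the owner, write a sha256 beside it, prune
# archives older than KEEP_DAYS, then pass archive and checksum to the upload hook.
# Prints the archive path on success, returns 1 on any failure.
wp_backup() {
    root="$1"; dest="$2"; keep="${3:-30}"
    mkdir -p "$dest" || return 1
    name="wp-$(date +%Y%m%d-%H%M%S).tar.gz"
    archive="$dest/$name"
    tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")" || return 1
    # An unreadable archive is worse than none: verify before trusting it.
    tar -tzf "$archive" >/dev/null || { rm -f "$archive"; return 1; }
    chmod 600 "$archive"
    ( cd "$dest" && sha256sum "$name" > "$name.sha256" ) || return 1
    # Local retention only; the off-site copy is the one that matters if the
    # web server itself is compromised.
    find "$dest" -name 'wp-*.tar.gz*' -mtime +"$keep" -exec rm -f {} +
    if [ -n "$WP_BACKUP_UPLOAD" ]; then
        for f in "$archive" "$archive.sha256"; do
            $WP_BACKUP_UPLOAD "$f" || return 1
        done
    fi
    echo "$archive"
}

# Usage: sh wp_maint.sh /var/www/site /var/backups/site
if [ -n "$1" ]; then
    if wp_file_edit_disabled "$1/wp-config.php"; then
        echo "DISALLOW_FILE_EDIT: set"
    else
        echo "DISALLOW_FILE_EDIT: NOT set"
    fi
    [ -n "$2" ] && wp_backup "$1" "$2"
fi
```

The database is not in this archive; a `mysqldump` of the site database belongs in the same run so that files and data are restored from the same point in time.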

Don't want to manage this manually?

Wp Admin handles all of this automatically for you. Continuous monitoring, secure updates, backups, and 24/7 expert support.
