WordPress Security Checklist

Use this checklist to systematically secure your WordPress site. Each item links to detailed guides in our Knowledge Base where available.

SSL & HTTPS

• Install a valid SSL certificate
• Redirect all HTTP traffic to HTTPS (301 redirect)
• Fix all mixed content warnings (HTTP resources on HTTPS pages)
• Enable HSTS header to prevent downgrade attacks

Security Headers

• Add X-Frame-Options: SAMEORIGIN to prevent clickjacking
• Add X-Content-Type-Options: nosniff to prevent MIME sniffing
• Add Referrer-Policy: strict-origin-when-cross-origin
• Add Permissions-Policy to restrict browser features
• Implement Content-Security-Policy (start with report-only mode)

WordPress Hardening

• Keep WordPress core, plugins, and themes updated
• Remove unused plugins and themes
• Disable XML-RPC if not needed
• Restrict or disable the REST API user endpoint
• Block user enumeration via author archives
• Hide the WordPress version number
• Secure or remove the debug.log file
• Use strong, unique passwords for all accounts
• Limit login attempts (use a plugin or WAF)

File & Server Security

• Set correct file permissions (644 for files, 755 for directories)
• Protect wp-config.php (deny web access)
• Disable file editing in the admin: define('DISALLOW_FILE_EDIT', true);
• Block access to .htaccess, wp-config.php, and readme.html

Monitoring

• Install a security plugin (Wordfence, Sucuri, NinjaFirewall)
• Set up automated InspectWP scans to monitor security changes
• Enable email notifications for WordPress updates
• Regularly review user accounts and remove inactive ones

Verify with InspectWP

Run a comprehensive InspectWP scan to check all security-related items at once. The security section covers SSL, headers, version exposure, REST API, debug log, and more.