WordPress is the most popular website platform in the world. It also gets attacked more than any other platform for exactly that reason.

Over 90,000 WordPress sites are attacked every single minute. Most of them are not targeted specifically. They are caught by automated tools that scan millions of sites looking for easy vulnerabilities to exploit.

The good news is that most attacks target the basics. And if you cover the basics you remove yourself from the majority of risk.

Here is a checklist of 10 things every WordPress site needs before it goes live.

1. Use a Strong Username and Password

The first thing automated attack tools try is the username admin with common passwords. If you are still using admin as your WordPress username, change it right now.

Use a strong password that is long and includes a mix of letters, numbers and symbols. And never reuse a password from another account.

2. Enable Two-Factor Authentication

Two-factor authentication means that even if someone gets hold of your password they still cannot log in without a second code that is sent to your phone or email.

Plugins like WP 2FA make this very easy to set up. It takes about five minutes and it dramatically improves your login security.

3. Change Your Login URL

By default every WordPress site has its login page at /wp-admin or /wp-login.php. Every automated attack tool knows this and targets it constantly.

Changing your login URL to something custom immediately removes you from most automated scans. The plugin WPS Hide Login does this in about 30 seconds.

4. Limit Login Attempts

WordPress allows unlimited login attempts by default. This means an automated tool can try thousands of password combinations without ever being stopped.

Install a plugin like Limit Login Attempts Reloaded. Set it to block an IP address after three failed login attempts. Simple and very effective.
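To see why that three-attempt rule matters, it helps to look at what a login-guessing run leaves behind in the web server access log. The following added example is not from the article or from any plugin named here: it parses constructed Apache/nginx "combined" format log lines and flags any IP with three or more failed wp-login.php attempts inside a ten-minute window. It relies on WordPress answering a wrong password by re-rendering the form with a 200, while a correct login is answered with a 302 redirect.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache/nginx "combined" access-log format; capture only the fields we need.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines, not from a real server: 203.0.113.7 hammers the login
# form, 198.51.100.22 logs in normally, 192.0.2.9 fails three times an hour apart.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:09:15:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Mar/2024:09:15:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Mar/2024:09:15:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [10/Mar/2024:09:15:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.22 - - [10/Mar/2024:09:16:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Mar/2024:08:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
192.0.2.9 - - [10/Mar/2024:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
192.0.2.9 - - [10/Mar/2024:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
"""

def failed_logins_by_ip(log_text):
    """Map each IP to the timestamps of its failed wp-login.php POSTs. WordPress
    re-renders the form with 200 on a bad password and redirects (302) on success."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        if (m["method"], m["path"].split("?")[0], m["status"]) == ("POST", "/wp-login.php", "200"):
            failures[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    return failures

def flag_brute_force(log_text, threshold=3, window=timedelta(minutes=10)):
    """Return {ip: peak failures} for IPs reaching threshold failures in one window."""
    flagged = {}
    for ip, stamps in failed_logins_by_ip(log_text).items():
        stamps.sort()
        peak = start = 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1  # drop attempts that fell out of the sliding window
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged
```

Run against SAMPLE_LOG, only 203.0.113.7 is flagged; the slow attempts from 192.0.2.9 only show up if you widen the window, which is exactly the trade-off a lockout plugin's settings let you tune.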

5. Install a Security Plugin

A good security plugin acts as a firewall and monitoring system for your site. Wordfence and Sucuri are both solid options.

They block suspicious traffic before it reaches your site, scan your files for malware and alert you if anything unusual happens.

6. Keep Everything Updated

The majority of successful WordPress attacks exploit vulnerabilities that have already been patched. The sites that get hit are simply the ones that never updated.

Keep your WordPress version, your themes and your plugins updated. Delete anything you are not actively using. A deactivated plugin is still a security risk, because its files remain on the server where a vulnerability in them can still be reached.

7. Make Sure Your Site Uses HTTPS

If your site is still loading over HTTP your visitors are not secure and Google is penalising you in search rankings.

Most hosting providers give you a free SSL certificate through Let’s Encrypt. Install it, make sure all pages redirect to HTTPS and check for any mixed content issues where some resources are still loading over HTTP.

8. Disable File Editing in the Dashboard

WordPress has a built-in code editor that lets you edit theme and plugin files directly from the admin. If an attacker ever gets into your admin area this gives them direct access to your server files.

Disable it by adding this line to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

9. Set Up Automatic Backups

A backup will not stop an attack but it will save you if one succeeds. Set up daily automatic backups stored somewhere separate from your hosting account.

UpdraftPlus is a free plugin that does this well. Configure it to back up to Google Drive or Dropbox. Then test your backup by actually restoring it. A backup you have never tested is one you cannot rely on.

10. Use a Web Application Firewall

A web application firewall sits between your site and incoming traffic and filters out malicious requests before they ever reach your server.

Cloudflare offers a free plan that includes basic firewall functionality. Set it up on every site you build. It takes about 15 minutes and it adds a meaningful layer of protection.

Do This Before You Launch, Not After

Security problems are much harder to fix after a site has been compromised than before. Work through this checklist on every site you build or manage. It takes a couple of hours the first time and becomes second nature after that.

Building a WordPress site and want someone to handle the security properly? CodingBrackets builds security-first on every project we deliver.