Building a Secure WordPress Site in 2025: A Developer’s Checklist

WordPress powers over 43% of the internet – and that popularity makes it a prime target for hackers. With approximately 13,000 WordPress websites getting hacked each day and a WordPress site being attacked every 22 minutes on average, the threat landscape has never been more dangerous.

As cyber threats evolve in 2025, securing your WordPress site isn’t optional – it’s foundational. Recent data shows that 7,966 vulnerabilities were registered in WordPress in 2024, representing a 34% increase from the 5,947 recorded in 2023. Hackers are using automation, machine learning, and increasingly sophisticated techniques to find and exploit vulnerable WordPress sites at scale.

Here’s a practical, developer-grade checklist for securing WordPress from the ground up, backed by the latest security research and real-world threat intelligence.

1. Keep Core, Themes, and Plugins Updated

Outdated software is the #1 cause of WordPress security breaches. The statistics paint a sobering picture: 39% of hacked WordPress websites were found to be using an outdated version of the WordPress software, and 92% of WordPress vulnerability reports stem from outdated plugins.

The Plugin Vulnerability Crisis: Research from Patchstack reveals that 97% of WordPress security problems are caused by plugins, with 1,659 out of 1,779 disclosed vulnerabilities in 2022 originating from plugins (93.25%). Even more concerning, only 30% of WordPress users have auto-updates activated on their websites.

Implementation Strategy:

• Enable auto-updates for minor releases: Configure automatic updates for WordPress core security patches and minor plugin updates
• Review changelogs for security patches: Before major updates, examine release notes for security fixes and breaking changes
• Remove inactive themes and plugins: 345 new plugin and theme vulnerabilities emerged in just one week in February 2025, with 197 remaining unpatched
• Use staging environments: Test updates in a staging environment before applying to production sites

Weekly Update Protocol:

1. Monday: Check for WordPress core updates
2. Tuesday: Review and update security-critical plugins
3. Wednesday: Update remaining plugins and themes
4. Thursday: Test site functionality post-updates
5. Friday: Document any issues and plan fixes

The cost of negligence is severe: recent high-profile cases include plugins like WPGateway, where Wordfence blocked over 4 million attacks aimed at 280,000 sites due to a vulnerability that allowed hackers to add malicious admin accounts.

2. Choose Trusted Plugins and Themes

The WordPress plugin ecosystem is vast but dangerous. With over 59,000 free plugins available, not all are created equal. Abandoned plugins are particularly vulnerable because developers no longer patch known vulnerabilities.

Red Flags to Avoid:

• Nulled or pirated themes and plugins
• Plugins with no updates in 12+ months
• Extensions with poor ratings or suspicious reviews
• Plugins from unknown developers with limited support history

Verification Checklist:

• Stick to official sources: Use WordPress.org repository or reputable vendors (Gravity Forms, WP Rocket, Elementor)
• Check installation numbers: Look for plugins with high active install counts and recent updates
• Review user feedback: Read recent reviews for red flags about security issues or poor support
• Verify developer reputation: Research the plugin developer’s track record and update frequency

Supply Chain Attack Awareness: Recent incidents highlight new risks. In June 2024, the plugin Social Warfare was injected with malicious code, along with several others like Blaze Widget and Contact Form 7 Multi-Step Addon. These plugins were compromised to create unauthorized admin accounts and inject SEO spam.

Best Practices:

• Maintain an inventory of all installed plugins and themes
• Subscribe to security advisories from plugin developers
• Use tools like WP Vulnerability Scanner to check for known issues
• Implement a plugin approval process for team environments

3. Limit Login Exposure

The WordPress login page is a favorite target for brute-force attacks. With Wordfence blocking over 100 billion credential-stuffing attacks from over 74 million unique IP addresses in 2023, protecting login access is critical.

Advanced Login Security:

Change Default Login URL: Move /wp-login.php to a custom URL to reduce automated attack attempts. Use plugins like WPS Hide Login or All In One WP Security.

Implement Login Attempt Limiting: WordPress allows unlimited login attempts by default, making brute force attacks trivial. Deploy solutions like:

• Login Lockdown
• Limit Login Attempts Reloaded
• Wordfence Security (includes login security)

Enforce Strong Authentication:

• Complex Passwords: Research shows that 8% of attacks succeed due to sites having very weak passwords. A study from Melapress found that 41% of WordPress users are not using two-factor authentication (2FA) or strong enough passwords.
• Two-Factor Authentication (2FA): Implement 2FA using Google Authenticator, Authy, or hardware tokens
• Unique Usernames: Avoid “admin” or predictable usernames that facilitate targeted attacks

User Account Hygiene:

• Regularly audit user accounts and remove inactive users
• Implement proper user role management
• Monitor for suspicious login activity
• Use strong, unique passwords for all accounts

Statistics Impact: The effectiveness of these measures is proven – sites with proper login security see dramatically reduced successful breach attempts.

4. Harden File Permissions

Incorrect file permissions are a common vulnerability that grants attackers inappropriate access to sensitive files. Setting proper CHMOD permissions is essential for WordPress security.

Critical File Permission Settings:

• wp-config.php: Set to 400 or 440 (read-only for owner)
• wp-content directory: Set to 755 (owner can read/write/execute, group and others can read/execute)
• Regular files: Set to 644 (owner can read/write, group and others can read)
• Folders: Generally 755, never 777

Security Implementation:

# Set correct permissions via SSH find /path/to/wordpress/ -type d -exec chmod 755 {} \; find /path/to/wordpress/ -type f -exec chmod 644 {} \; chmod 400 wp-config.php

Never Use 777 Permissions: This setting grants full access to everyone and is a major security vulnerability. While it might seem to “fix” permission issues, it creates massive attack vectors.

Additional File Security:

• Move wp-config.php above the web root directory
• Create proper .htaccess rules to protect sensitive directories
• Disable directory browsing to prevent file structure exposure
• Set up proper server-level security configurations

5. Disable XML-RPC When Not Needed

XML-RPC is a legacy WordPress feature that has become a significant security liability. XML-RPC can significantly amplify brute-force attacks, allowing attackers to try hundreds of thousands of username and password combinations with few requests.

The XML-RPC Threat: Attackers exploit the system.multicall method to make hundreds and even thousands of login attempts with just a handful of HTTP requests. This technique bypasses traditional brute-force detection systems.

Historical Context: In July 2014, Sucuri reported up to 200,000 daily attempts to brute-force WordPress credentials using XML-RPC methods. The attacks have only become more sophisticated since then.

Disable XML-RPC Methods:

Option 1: Complete Disable via Functions.php:

// Add to theme's functions.php add_filter('xmlrpc_enabled', '__return_false');

Option 2: Server-Level Blocking via .htaccess:

# Block access to xmlrpc.php      Order Deny,Allow     Deny from all 

Option 3: NGINX Configuration:

location = /xmlrpc.php {     deny all;     access_log off;     log_not_found off; }

Before Disabling: Verify you don’t need XML-RPC for:

• Jetpack functionality
• Mobile app publishing
• Pingbacks and trackbacks
• Third-party integrations

6. Set Security Headers

HTTP security headers provide crucial protection against browser-based attacks and should be implemented on every WordPress site. These headers mitigate threats like XSS attacks, clickjacking, and data injection.

Essential Security Headers:

Content-Security-Policy (CSP):

Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data: https:;

X-Frame-Options:

X-Frame-Options: SAMEORIGIN

X-Content-Type-Options:

X-Content-Type-Options: nosniff

Referrer-Policy:

Referrer-Policy: strict-origin-when-cross-origin

Permissions-Policy:

Permissions-Policy: geolocation=(), microphone=(), camera=()

Implementation Methods:

• Server Configuration: Add headers via Apache/NGINX configuration
• WordPress Plugins: Use HTTP Headers plugin or security plugins like Wordfence
• Theme Functions: Add headers programmatically via wp_headers action

Verification: Use tools like securityheaders.com to verify proper header implementation and identify missing security headers.

7. Deploy a Web Application Firewall (WAF)

A WAF acts as the first line of defense, blocking malicious traffic before it reaches your WordPress site. Given that WordPress faces over 90,000 attacks per minute, a robust WAF is essential.

Leading WAF Solutions:

Cloudflare:

• Free tier available with basic DDoS protection
• Advanced threat intelligence and machine learning
• Global CDN with performance benefits
• Real-time threat analysis

Sucuri:

• Specialized WordPress security focus
• 72.7% of site infections were caused by malware according to their research
• Professional incident response services
• Regular security monitoring

Wordfence:

• WordPress-specific firewall rules
• Real-time threat defense feed
• Successfully blocked over 6.4 billion brute-force attacks
• Local firewall installation option

WAF Configuration Best Practices:

• Enable real-time threat intelligence feeds
• Configure IP reputation blocking
• Set up country-based blocking if appropriate
• Monitor false positive rates and adjust rules
• Implement rate limiting for login attempts

Performance Considerations: Modern WAFs improve site performance through caching and content optimization while providing security benefits.

8. Perform Regular Backups

Even with perfect security, breaches can occur. Regular backups provide the ultimate safety net for recovery. The statistics on backup failures are alarming – many hosting providers’ backup claims don’t hold up under scrutiny.

Backup Strategy Requirements:

• Automate daily backups: Never rely on manual backup processes
• Store offsite: Use cloud storage (Amazon S3, Google Drive, Dropbox)
• Test restoration quarterly: Verify backups actually work
• Include complete sites: Database, files, themes, plugins, uploads
• Maintain multiple restore points: Keep at least 30 days of backup history

Professional Backup Solutions:

• UpdraftPlus: Most popular WordPress backup plugin
• BlogVault: Real-time backup with staging capabilities
• BackWPup: Free option with comprehensive features
• Jetpack Backup: Integrated with WordPress.com infrastructure

Backup Verification Process:

1. Download backup files monthly
2. Restore to staging environment
3. Test all site functionality
4. Document any restoration issues
5. Update backup procedures based on findings

Recovery Time Objectives: Plan for different recovery scenarios with target restoration times based on business requirements.

9. Monitor File Integrity

File integrity monitoring detects unauthorized changes to your WordPress core files, themes, and plugins. This early warning system can identify breaches before significant damage occurs.

What to Monitor:

• WordPress core files
• Active theme files
• Plugin files
• Configuration files (wp-config.php)
• .htaccess changes

Monitoring Solutions:

• Wordfence: Built-in file change detection
• iThemes Security: Comprehensive file monitoring
• Sucuri: Cloud-based monitoring service
• Custom Git Repository: Version control for change tracking

Alert Configuration:

• Immediate alerts for core file changes
• Daily digest of theme/plugin modifications
• Whitelist legitimate changes during updates
• Escalation procedures for suspicious modifications

Response Procedures: Develop incident response plans for when unauthorized file changes are detected, including isolation steps and recovery processes.

10. Disable Directory Browsing

Directory browsing allows visitors to view file listings when no index file exists in a directory. This exposure can reveal sensitive information about your site structure and files.

Implementation via .htaccess:

# Disable directory browsing Options -Indexes

Server-Level Configuration: For NGINX servers:

location / {     autoindex off; }

What This Protects:

• Prevents exposure of file structure
• Hides backup files and logs
• Conceals plugin and theme directories
• Protects uploaded files directory

Additional Directory Security:

• Remove default readme.html and license.txt files
• Hide wp-config.php backup files
• Secure wp-content/uploads directory
• Block access to log files and temporary files

11. Move wp-config.php Above Web Root

The wp-config.php file contains your database credentials and security keys. Moving it outside the publicly accessible web directory adds an extra layer of protection.

Implementation Steps:

1. Move wp-config.php one directory above your WordPress installation
2. WordPress automatically detects and uses the file in the parent directory
3. Verify site functionality after moving
4. Update file permissions to 400 or 440

Benefits:

• Database credentials protected from web access
• Security keys hidden from potential attackers
• Reduced attack surface for configuration file exploits
• Compliance with security best practices

Verification: Ensure the moved configuration file is not accessible via web browser by attempting to visit the old location.

12. Disable PHP Execution in Uploads Directory

The wp-content/uploads directory should only contain media files, not executable code. Preventing PHP execution in this directory blocks a common malware infection vector.

Implementation via .htaccess:

# Create .htaccess in /wp-content/uploads/      Order Deny,Allow     Deny from all 

Server-Level Protection (NGINX):

location ~* /wp-content/uploads/.*\.php$ {     deny all; }

Additional Upload Security:

• Implement file type restrictions
• Scan uploaded files for malware
• Limit file upload sizes
• Use content type validation
• Implement virus scanning for uploads

Attack Prevention: This measure blocks attackers from uploading malicious PHP files disguised as images or other media files.

Advanced Security Measures

Implement Content Security Policy (CSP)

CSP headers prevent XSS attacks by controlling which resources browsers can load:

// Add to theme functions.php function add_csp_header() {     header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline';"); } add_action('wp_head', 'add_csp_header');

Database Security Hardening

• Change default table prefix from wp_ to something unique
• Use database user accounts with minimal required permissions
• Enable database query logging for security monitoring
• Implement database connection encryption
• Regular database security audits

Server-Level Security

• Keep server software updated (Apache/NGINX, PHP, MySQL)
• Configure proper firewall rules
• Implement intrusion detection systems
• Use SSL/TLS certificates for all connections
• Enable server-level logging and monitoring

Security Monitoring and Incident Response

Continuous Monitoring

Implement comprehensive monitoring covering:

• Real-time malware scanning: Detect infections immediately
• Login attempt monitoring: Track suspicious authentication activity
• File change detection: Monitor unauthorized modifications
• Performance monitoring: Identify attacks causing slowdowns
• Uptime monitoring: Detect availability issues

Incident Response Plan

Develop procedures for security incidents:

1. Detection and Analysis: Identify and assess threats
2. Containment: Isolate affected systems
3. Eradication: Remove malware and vulnerabilities
4. Recovery: Restore services safely
5. Lessons Learned: Improve security based on incidents

Security Reporting

Regular security reporting should include:

• Monthly vulnerability assessments
• Quarterly penetration testing
• Annual security policy reviews
• Compliance audit results
• Incident response metrics

The Cost of Security vs. The Cost of Breaches

Investment in Security:

• Quality security plugins: $50-200 annually
• Professional monitoring: $100-500 monthly
• Regular security audits: $1,000-5,000 annually
• Developer training: $500-2,000 per person

Cost of Security Breaches:

• Site cleanup and restoration: $500-5,000
• Lost revenue during downtime: Varies significantly
• SEO penalty recovery: 6-12 months
• Customer trust rebuilding: Long-term impact
• Legal compliance issues: Potentially significant

The mathematics are clear: proactive security investment is exponentially cheaper than breach recovery.

Staying Current with Threats

The WordPress security landscape evolves rapidly. Stay informed through:

• WordPress Security Team announcements
• Patchstack vulnerability database
• Wordfence threat intelligence reports
• Security plugin vendor advisories
• Professional security communities

Subscribe to security mailing lists and follow reputable security researchers to stay ahead of emerging threats.

Conclusion: Security is an Ongoing Process

WordPress security in 2025 requires a comprehensive, layered approach. With attacks occurring every 22 minutes and 97% of vulnerabilities stemming from plugins, there’s no room for complacency.

The security measures outlined in this checklist provide a strong foundation, but remember that security is not a destination – it’s an ongoing process. Threats evolve constantly, requiring continuous vigilance, regular updates, and adaptive security strategies.

Key Takeaways:

• Automate where possible: Use tools for updates, monitoring, and backups
• Layer your defenses: No single security measure is sufficient
• Stay educated: Keep current with emerging threats and best practices
• Plan for incidents: Prepare response procedures before you need them
• Regular audits: Continuously assess and improve your security posture

Every hardening step you skip is one more door left open for attackers. The choice is simple: secure your WordPress site proactively with proven methods, or pay the much higher cost of breach recovery later.

In 2025’s threat landscape, WordPress security isn’t optional – it’s the foundation upon which all other site success is built.

---

Essential Security Tools Summary:

Firewalls: Cloudflare, Sucuri, Wordfence
Backups: UpdraftPlus, BlogVault, BackWPup
Monitoring: iThemes Security, Wordfence, Jetpack Protect
Authentication: Google Authenticator, Authy, Limit Login Attempts
Malware Scanning: Sucuri SiteCheck, Wordfence, MalCare