WordPress remains the king of content management systems in 2025. Even with the arrival of competitors like Shopify, Squarespace and Wix, WordPress still powers nearly half of all websites on the web. This is certainly a testament to the global support behind this open-source platform. But there is also a cautionary tale to be told given its massive rate of adoption. In general, technology that is widely adopted tends to be more heavily targeted by cyber criminals. So, getting educated on your company’s exposure to certain WordPress-related risks is essential to protecting your company…as well as your own job.
For those managing WordPress sites, we’ve created the ultimate WordPress security checklist for 2025. Our checklist is built on decades of real-life experience—seeing and stopping WordPress cyber threats firsthand.
Hosting and DNS
Choosing the right hosting provider is like building your house on solid ground—it sets the foundation for everything else. So, you need to be on the lookout for a few key elements when choosing a WordPress host.
First off, pay attention to how server resources are allocated. The bargain-basement hosts will try to cram as many websites as possible onto a single server, leading to slow load times and increased security risks. You always want to choose a host that provides ample disk space, resources and bandwidth, giving your website room to breathe and grow.
You also need to make sure your domain is secure. An insecure domain makes it very easy for hackers to take complete control of your entire online presence. Once that happens, there’s little you can do. Our advice: always use two-factor authentication, keep access to the domain and the WordPress site to a minimum, and make your domain’s registration information private so that cyber criminals can’t see your name and contact information publicly using a whois lookup.
Also, don’t underestimate the value of good customer support. Issues can pop up at the most inconvenient times, and knowing you can reach out to a knowledgeable support team 24/7 is a huge relief. It’s like having a trusted mechanic you can call when your car makes that weird noise.
Encryption and Privacy
SSL encryption is a non-negotiable. You’ve probably noticed some website URLs start with “https://” instead of “http://”. That little “s” means your connection to the site is secure, thanks to SSL (Secure Sockets Layer) or TLS (Transport Layer Security) encryption.
Having SSL encryption isn’t just about keeping things secure. Google actually gives a ranking boost to sites using SSL encryption. So not only are you protecting your users, but you’re also making Uncle Google happy—which can help more people find you in search results. It’s a win-win.
Now, let’s talk privacy. Theft of personally identifiable information (PII) is rampant these days. Cybercriminals are lurking, waiting to snatch up any unprotected data they can find. If you’re collecting info from your visitors—names, emails, phone numbers—you’ve got a responsibility to keep that data safe.
One big mistake that companies inadvertently make is storing form submissions directly in their WordPress site’s MySQL database. Many form plugins do this by default. And while it may be convenient to have all that info in one spot, it’s a HUGE risk. God forbid your site got breached: theft of that PII could result in huge fines and lawsuits. It’s always better to securely submit that data into a CRM or ERP than to keep it inside of WordPress.
Firewall and CDN
A good web application firewall (WAF) is like your website’s personal bouncer. It’s there to keep out the riff-raff—malicious bots, hackers, and any unwanted guests trying to sneak in through the back door. It’s designed to differentiate “good” traffic from “bad” traffic and keep out the latter. Not all firewalls are created equal, and that’s okay because different sites have different needs. The two main kinds are cloud-based and plugin-based.
Cloud-Based Firewalls
These are like having security patrols around your neighborhood. Cloud-based firewalls, like Cloudflare, sit between your site and the rest of the internet. They block bad traffic before it even reaches your server. The best part? They can speed up your site too, thanks to their global networks.
Plugin-Based Firewalls
These are more like having a security system installed in your house. Plugin-based firewalls work within your WordPress site. They offer deep customization and keep an eye on everything happening inside. Firewall plugins like Wordfence or Sucuri are popular choices.
Why Not Both?
Using both gives you layered security—a bit like locking your doors and windows while also having a neighborhood watch. One stops threats at the gate, the other keeps an eye on things inside.
When picking a firewall, here are some good features to look for:
- Easy Setup with Smart Defaults: You want protection right away without needing a PhD in cybersecurity.
- Brute Force Attack Prevention: Blocks those sneaky attempts to guess your passwords.
- Regular Updates: The internet’s a wild place; your firewall should keep up.
- Custom Rules: Flexibility to set your own security rules.
- Alerts and Monitoring: Get a heads-up when something fishy is going on.
- Minimal Impact on Site Speed: Security is great, but not if it slows your site to a crawl.
WordPress Core
A WordPress site is not something you set and forget. It needs constant care and updating. Some website owners and admins neglect this very crucial part of their website management. Failing to apply a WordPress update when one is available leaves your site vulnerable to hackers because the updates are published – in other words, bad guys can read what was fixed and build spiders that crawl the web looking for that exact vulnerability on neglected websites. It’s one of the tried and true methods used by cyber criminals.
WordPress core files are the building blocks upon which your WordPress site is built and installed. It’s extremely important to keep these up to date. Developers release updates to fix bugs and close security gaps, so don’t leave it alone. Make it a habit to regularly update your WordPress core, plugins, and themes as soon as updates are released.
Themes and Plugins
Speaking of plugins and themes…this is where most WordPress breaches happen. Plugins and themes are developed by 3rd parties to enhance and extend the features, functions and user experience of WordPress. There are now over 59,000 plugins in the WordPress plugins directory. But, not all of them are created equal, as not every 3rd party developer has the same level of competency with programming and security. So, you need to do your due diligence before installing ANY WordPress plugins.
Support can also be hit or miss. You might find a developer who responds to questions faster than you can say “WordPress,” or you might hear crickets. That’s why it’s super important to be picky. If a plugin or theme hasn’t been updated in ages or has been officially abandoned, it’s time to show it the door.
Outdated or deprecated plugins aren’t just clutter—they’re potential security hazards waiting to happen. So, keep your site lean and mean by ditching the dead weight.
Files and Folders
Every WordPress site is built on three core areas:
- wp-admin: This is like the control room of your site.
- wp-content: Here you’ll find all your themes, plugins, and uploads—the stuff that makes your site unique.
- wp-includes: Contains essential files that help WordPress run smoothly.
Leaving your files and folders unprotected is like leaving your car unlocked with the keys inside. Hackers and malicious bots love to exploit unsecured files to gain access to sensitive data or inject harmful code. Not cool.
How to Secure Your Files and Folders
First up, set the right permissions. This controls who can read, write, or execute files on your server. It’s a bit technical, but essentially, you’re telling your server, “Only I can touch this stuff.”
Next, regular monitoring is key. Keep an eye on any changes to your core files. If something changes and it wasn’t you, that’s a red flag. There are tools and plugins that can alert you when files are modified, so you can act fast if something looks off.
Remember, the wp-admin and wp-includes folders should never change. If they do, it might mean someone is messing around where they shouldn’t be.
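One way to implement the change-monitoring and permission checks described above, as an added example in Python that is not from the original post or from WordPress itself: it baselines SHA-256 digests of wp-admin/ and wp-includes/, reports files added, removed or modified since the baseline, and flags world-writable paths. Only the directory names are WordPress’s own; the sample tree, file contents and the tampering it detects are constructed for the demo, and the baseline would need re-taking after each core update.

```python
"""Integrity/permission check for WordPress core dirs (added example, not WordPress code).
Baseline SHA-256 digests of wp-admin/ and wp-includes/, re-check later, and report added,
removed and modified files plus world-writable paths. Re-baseline after each core update."""
import hashlib
import stat
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")  # should not change between core updates


def digest(path: Path) -> str:
    """SHA-256 of one file (core files are small enough to read whole)."""
    return hashlib.sha256(path.read_bytes()).hexdigest()


def snapshot(root: Path) -> dict:
    """Map 'relative/path' -> digest for every file under the core directories."""
    return {p.relative_to(root).as_posix(): digest(p)
            for d in CORE_DIRS for p in (root / d).rglob("*") if p.is_file()}


def compare(baseline: dict, current: dict) -> dict:
    """Classify what changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline.keys() & current.keys()
                           if baseline[k] != current[k]),
    }


def world_writable(root: Path) -> list:
    """Paths any account on the server may write to (o+w): a permissions red flag."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.stat().st_mode & stat.S_IWOTH)


def demo() -> dict:
    """Constructed mini-install: baseline it, simulate tampering, re-check."""
    root = Path(tempfile.mkdtemp())
    for d in CORE_DIRS:
        (root / d).mkdir(0o755)
    for rel, text in (("wp-admin/index.php", "<?php // constructed sample\n"),
                      ("wp-includes/version.php", "<?php $wp_version = '0.0';\n")):
        (root / rel).write_text(text)
        (root / rel).chmod(0o644)  # sane permission for a core file
    baseline = snapshot(root)  # in practice, persist this (e.g. as JSON) off-server
    # Simulate the symptoms to detect: an edited core file and a dropped new file.
    (root / "wp-includes" / "version.php").write_text("<?php // unexpected edit\n")
    dropped = root / "wp-admin" / "dropped.php"
    dropped.write_text("<?php // unexpected new file\n")
    dropped.chmod(0o666)  # and a sloppy, world-writable permission
    report = compare(baseline, snapshot(root))
    report["world_writable"] = world_writable(root)
    return report
```

Run against a real install by pointing `snapshot()` at the WordPress root and storing the baseline somewhere the web server cannot write; any entry in `added`, `removed` or `modified` outside a core update is the red flag the text describes.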
Database
To ensure a secure database for your WordPress site, your login credentials need to be rock-solid. We cringe when we see usernames like “admin” and passwords like “12345”. Hackers love easy targets. So, make sure you’re using a unique username and a complex password packed with a mix of letters, numbers, and symbols. And change them regularly to help mitigate the risk of old logins floating around in cyberspace.
Remove Unused Tables
Over time, your database can get cluttered with leftover tables from plugins or themes you’ve ditched ages ago. It’s like your attic filled with stuff you don’t need—just taking up space and collecting dust. Cleaning out these unused tables helps streamline your database, making your site run smoother and faster. Less bloat equals better performance.
Ensure Form Submissions Are Not Stored in the Database
We’ve said this before, and we’ll say it again…storing form submissions directly in your database might seem convenient, but it’s a risky move. Personal data sitting in there is a goldmine for data thieves. Instead, consider sending form entries directly to a secure email or using a dedicated CRM system that handles sensitive info properly. This way, you’re not hoarding personal data you don’t need.
Backups
Even the best technology can fail. I’m sure you can recall a time when a major tech company had an outage or “unscheduled maintenance.” If you don’t have an exact copy of your website saved somewhere, then you could be setting yourself up for a really bad day at work (or worse, losing your job).
Whether it’s a hack, a server meltdown, or an update that didn’t play nice, having a recent backup means you can restore your site without a substantial loss of data (perhaps just the loss of what was added to the site since the last backup was taken). The key is to back up your site frequently and keep those backups somewhere safe and separate from your main server.
Here are some best practices with regard to WordPress backups and recovery.
Errors and Broken Links
Because WordPress is an open-source product with a range of 3rd party themes and plugins, WordPress website errors can happen. In most cases, it’s not your fault. The code in one plugin may conflict with the code in another plugin that serves a similar function. Or the theme’s design may break following a core update. Many of these kinds of issues will be resolved by the original developers. But, some issues persist and require the skills of an experienced WordPress technician.
It’s important for you to know and understand why your site isn’t working the way it should so that it can be properly fixed. A low-cost, band-aid solution may fail following the next update. So, it’s always better in these cases to put aside any DIY attempts and get some expert input to ensure it is properly fixed.
Spam and Plagiarism
If you run a WordPress site, you’re probably familiar with spam comments on your blog and/or product pages. Annoying. Seemingly harmless. But in fact, they can pose security risks. Cyber criminals have gotten very clever at injecting links and other code into comments and form submissions to trick admins into clicking on them. It’s the same as clicking on a malicious link in an email to trigger some malware on your computer. It’s just a different mode of delivery.
So how do you minimize spam on your WordPress site? Unfortunately, it’s never 100%. You can use firewalls to filter out potential trolls, bots and spammers. If someone happens to get past that, you can use spam filters. At WordZite, we use plugins like Akismet and reCAPTCHA to analyze the user and what they are inputting to flag, filter and quarantine suspicious entries. The best solutions in this space will continually evolve as they analyze and report on user inputs across hundreds of thousands of websites globally.
Administrator Users
One thing that will never cease to exist is human error. It’s inevitable. In fact, it’s one of the biggest vulnerabilities within WordPress sites. So intuitively, the fewer people you let access your site, the fewer security risks.
We recommend categorizing your people. Make a list of who should have full access, selective access, and minimal access. Here are some additional tips on how to secure WordPress admin logins.
It’s all about finding that sweet spot of efficiency. You never want to have too many cooks in the kitchen. Or too many admins on your WordPress site.
Security Scans, Monitoring and Alerts
Your WordPress website is like the stock market. Things are moving fast. With every single visit comes a flurry of computations, queries, caching, uploads, downloads, submissions, clicks and an eventual exit. And you don’t have time to be sitting there and watching your website logs 24/7. That’s why you need to have WordPress security scanners and other monitoring tools.
You need to be monitoring things like how fast your website loads, instant alerts for downtime, backup logs and errors, file and folder changelogs, whether you appear on blacklists and/or spam lists, malware and virus scans and a whole lot more. This is one area of our business where we go above and beyond the majority of WordPress agencies.
Speed and Uptime
We all want our website to load in the blink of an eye. Site speed can literally make or break your user experience. If a user waits for one second too long, they’ll flip over to your competitor’s site while waiting for yours to load. Not only is a fast WordPress site great for current and future customers, it will land you in the ‘good books’ with multiple search engines. Meaning higher search engine rankings, more visitors, and higher conversions.
There are several common issues that slow down load times:
- Your hosting provider: If you’re using a bargain-basement host, their servers might be slower than molasses in January. Upgrading to a reputable host can give your site the speed boost it needs.
- No media compression: High-resolution photos look great but can slow things to a crawl if not optimized. Compress your images to reduce their size without losing quality.
- Caching: Without it, your site has to load everything from scratch each time someone visits. Caching stores parts of your site so it loads faster for returning visitors. It’s a simple tweak that can make a big difference.
Additionally, you should be using site speed test tools and uptime monitoring plugins to understand the current state of your WordPress website. Here are some additional tips on making your website load faster.
Common WordPress Security Myths
There is a heavy price to pay if and when your organization suffers an attack on its website. Even so, IT departments often openly state that they do not handle website security (which is primarily why our company exists). There are a lot of suppliers in the WordPress ecosystem offering security services. There are also a number of WordPress security myths that, supported by clever marketing, provide a false sense of security.
Myth 1: Updating Plugins Is Enough
Sure, updating plugins is essential. But that’s not all it takes. That’s like getting an oil change and thinking your car will never break down or have an accident. Updates fix known issues, but hackers are constantly on the lookout for new ways to exploit vulnerabilities.
Myth 2: Strong Passwords Are All You Need
Your passwords are only as good as the next phishing attack (and phishing attacks are becoming much more sophisticated). 68% of recent phishing scams have never been seen before. That’s why you should always have a second layer of defense such as 2FA.
Myth 3: Good Hosting Means Worry-Free Security
Investing in reliable hosting is wise; it lays a solid groundwork. But even the best hosts can’t protect against everything. The latest rift between WP Engine and WordPress showcased this: WordPress effectively shut down much of WP Engine’s ability to update sites. Granted, this wasn’t a cyber attack but more of a dispute about ownership…nonetheless, it proves the point that web hosts can only control their own infrastructure.
Myth 4: A Security Plugin Is a Cure-All
Security plugins like Wordfence are just tools. You still need a well-trained and experienced technician to set up, manage and monitor that tool. So, don’t install a plugin and think that your website is secure. It may be a bit more secure initially. But, if left unchecked it’s like a house that is left unmaintained…it will rot.
A Holistic Approach to Security and Performance
Good security isn’t just about defense; it’s about having documented standards that are adhered to consistently and about researching and implementing better ways to mitigate risk.
A Broader Security Perspective
Focusing only on immediate threats is shortsighted. A holistic approach means looking at every part of your site—user experience, privacy compliance, and overall resilience against evolving threats.
Pro Tips:
- Privacy Protocols: Stay current with laws like GDPR and CCPA. It’s not just about avoiding fines; it’s about respecting users’ data and building trust.
- Usability: A secure site should also be user-friendly. Broken links, slow load times, and clunky navigation make visitors less likely to return.
- Performance Standards: Regularly test your site across different devices and browsers. A fast, accessible site not only ranks better but also reduces security risks.
Remember, a secure site runs smoothly and efficiently. It’s about offering the best experience to your users while keeping them safe.
Maintaining a WordPress site is a full-time job. That is, if you’re not well versed in the matter. There’s quite a lengthy checklist of tasks that you need to consider if you plan on handling WordPress security in house.
Keeping up with all the security demands can be overwhelming, especially when you’re juggling other responsibilities. That’s where having a dedicated WordPress security team can make a real difference. They can handle the complexities of website security, so you don’t have to.
If you have WordPress security concerns, schedule a WordPress Security and Performance audit with WordZite today to see how your site rates against 100+ industry standards.