More than 30 percent of all websites on the internet use WordPress. Because this CMS is so widely used, there are many hackers who try to hack into WordPress websites. A hacked WordPress website is no fun for anyone. This checklist helps you to check whether your website is properly secured.

Choose a reliable hosting provider

One of the most important factors for the security of your WordPress website is choosing a reliable hosting provider. A good hosting provider keeps its servers secure against attacks. In addition, good hosting providers such as Planethoster and Hostgator proactively monitor for leaks and security problems.

Make sure your website is only accessible via HTTPS

An SSL certificate is nowadays a “must have” for every (WordPress) website. If you use an SSL certificate and force HTTPS, all traffic on your website is encrypted.

Check user accounts and their permissions

Each user role in WordPress has different rights. Make sure your users don’t get more rights than they actually need! Also read our article User roles and rights in WordPress. In addition to checking the rights of each user, it is also advisable to delete unused accounts or change their role to “Subscriber”, a role with which an attacker cannot do any harm.

Make sure all users have a strong password

You can use a plugin such as Force Strong Passwords to force users on your WordPress website to use a strong password. This ensures that nobody has the password “123456”.

Make sure the username of the administrator is not “admin”

In the past, the default username of the “Administrator” of every WordPress website was “admin”. This is no longer the case, but older WordPress websites often still have a user called “admin”. This is really unacceptable! Change it to something less obvious as soon as possible.

Update plugins, themes and WordPress itself regularly

Make sure that your plugins, themes and WordPress itself are regularly updated to the latest version. Updates to themes, plugins and WordPress often solve security problems. It is therefore very important that you install these updates.

Make regular (automatic) backups of your WordPress website

If your website does get hacked, it is nice to have a (recent) backup that you can restore. Make sure that your website is automatically backed up on a regular basis. Many hosting providers do this by default, but it is also nice to have a backup somewhere else, for example in Google Drive.

Salts and Keys

The wp-config.php file includes “salts and keys”. These are a few lines of code that you should replace with new salts and keys from time to time. Clicking here will automatically give you a new random set of characters that can be used.
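
As an added example (not part of the original article and not WordPress code), the following Python script replaces the eight secret constants in the text of a wp-config.php with values from the operating system's secure random generator, without fetching anything over the network. The sample config, the function names and the 64-character length are assumptions made for this illustration.

```python
import re
import secrets

# The eight secret constants that wp-config.php defines.
SECRET_NAMES = [
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
]
# Printable ASCII without quote and backslash, so a value fits inside a
# single-quoted PHP string with no escaping.
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\\")

# Constructed sample input: a config that still holds placeholder values.
SAMPLE_CONFIG = "<?php\ndefine( 'DB_NAME', 'wordpress' );\n" + "".join(
    "define( '%s', 'put your unique phrase here' );\n" % n for n in SECRET_NAMES)


def new_secret(length=64):
    """One random value drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def read_secrets(config_text):
    """Map each secret constant found in the text to its current value."""
    found = re.findall(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)\s*;", config_text)
    return {name: value for name, value in found if name in SECRET_NAMES}


def rotate_salts(config_text):
    """Return (new_text, missing): fresh values for every secret constant."""
    missing = []
    for name in SECRET_NAMES:
        pattern = re.compile(
            r"define\(\s*(['\"])" + name + r"\1\s*,\s*(['\"]).*?\2\s*\)\s*;")
        line = "define( '%s', '%s' );" % (name, new_secret())
        # A function as replacement stops re from interpreting the secret.
        config_text, count = pattern.subn(lambda m: line, config_text, count=1)
        if not count:
            missing.append(name)  # constant absent: add it by hand
    return config_text, missing


if __name__ == "__main__":
    rotated, missing = rotate_salts(SAMPLE_CONFIG)
    print(rotated, "missing:", missing)
```

Replacing these values invalidates the existing login cookies, so every user has to log in again afterwards.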

Delete the readme.html file

By default, WordPress contains a readme.html file. This file will often show hackers which version of WordPress you are using and therefore what vulnerabilities your website may contain. Delete this file to make it a little less easy to see which version of WordPress you are using.

Remove inactive plugins and themes

Make sure you completely remove themes and plugins from your WordPress website that you are not using. Do not only deactivate them, but also completely remove them from your website.

Limit the number of login attempts (Limit Login Attempts)

Limit Login Attempts indicates that I have three more attempts to log in. After that my account will be blocked for 20 minutes.

Make sure someone can’t try to log in indefinitely. With a plugin like Limit Login Attempts, you make sure that someone is blocked from the WordPress address for at least 15 minutes after three incorrect login attempts.
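
The blocking rule described above, written out as an added Python example (it is not the plugin's code and not part of the original article). It uses the three attempts and 15 minutes from the text; counting per client address, the class and function names, and the sample events are assumptions of this example.

```python
from collections import defaultdict

MAX_FAILURES = 3            # incorrect attempts before a block (from the text)
LOCKOUT_SECONDS = 15 * 60   # length of the block (from the text)

# Constructed sample events: (unix time, client address, password correct?)
SAMPLE_EVENTS = [
    (0, "203.0.113.5", False),
    (10, "203.0.113.5", False),
    (20, "203.0.113.5", False),     # third failure: block starts
    (30, "203.0.113.5", True),      # correct password, but still blocked
    (40, "198.51.100.7", True),     # other addresses are unaffected
    (919, "203.0.113.5", True),     # one second before the block ends
    (920, "203.0.113.5", True),     # block has expired
]


class LoginLimiter:
    def __init__(self):
        self.failures = defaultdict(int)  # address -> failures since last reset
        self.blocked_until = {}           # address -> time the block ends

    def attempt(self, now, address, password_ok):
        """Return 'blocked', 'ok' or 'failed' for a single login attempt."""
        if now < self.blocked_until.get(address, 0):
            return "blocked"              # rejected before the password is checked
        if password_ok:
            self.failures.pop(address, None)
            return "ok"
        self.failures[address] += 1
        if self.failures[address] >= MAX_FAILURES:
            self.blocked_until[address] = now + LOCKOUT_SECONDS
            self.failures.pop(address)    # start counting afresh after the block
        return "failed"


def replay(events):
    """Feed events through a fresh limiter and collect the outcomes."""
    limiter = LoginLimiter()
    return [limiter.attempt(*event) for event in events]


if __name__ == "__main__":
    for event, outcome in zip(SAMPLE_EVENTS, replay(SAMPLE_EVENTS)):
        print(event, "->", outcome)
```

Because the counter is kept per client address, the block complements the strong passwords required earlier in this checklist rather than replacing them.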

Use a strong password for your MySQL database

To prevent anyone from hacking into your MySQL database, it is important that you use a strong password for your database user. Often the password is the same as the username. This is very predictable and should not be done!

Enable email notifications in Google Search Console

Link your website to Google Search Console so that Google keeps you informed about any security issues on your website. Google is very proactive in recognizing malware and will send you, as the website owner, a message if any problems are found.

Change your database table prefix

The default “prefix” for tables in your WordPress database is “wp_”. This is very predictable and it is better to change it to any set of numbers and letters. You can set this up when installing WordPress but you can also change it later.
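
Three items of this checklist can be checked straight from the files of an installation: the readme.html file, a database password equal to the username, and the default table prefix. The following Python script is an added example (not part of the original article); the sample config, the replacement values and the function names are constructed for the illustration. It only edits a constructed file: on a live site the database tables have to be renamed to match a new prefix.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample wp-config.php with the weak settings this checklist names.
WEAK_CONFIG = """<?php
define( 'DB_USER', 'shop' );
define( 'DB_PASSWORD', 'shop' );
$table_prefix = 'wp_';
"""


def read_config(text):
    """Return (constants, table_prefix) parsed from wp-config.php text."""
    constants = dict(re.findall(r"define\(\s*['\"](\w+)['\"]\s*,\s*['\"](.*?)['\"]\s*\)", text))
    prefix = re.search(r"\$table_prefix\s*=\s*['\"](.*?)['\"]", text)
    return constants, prefix.group(1) if prefix else None


def audit(site_root):
    """List the checklist items that a WordPress directory fails."""
    root = Path(site_root)
    constants, prefix = read_config((root / "wp-config.php").read_text())
    user = constants.get("DB_USER")
    findings = []
    if (root / "readme.html").is_file():
        findings.append("readme.html is still present")
    if user is not None and constants.get("DB_PASSWORD") == user:
        findings.append("database password equals database username")
    if prefix == "wp_":
        findings.append("table prefix is the default wp_")
    return findings


def demo():
    """Audit a constructed site before and after the three fixes."""
    with tempfile.TemporaryDirectory() as site:
        root = Path(site)
        (root / "wp-config.php").write_text(WEAK_CONFIG)
        (root / "readme.html").write_text("<h1>WordPress</h1>")
        before = audit(root)
        (root / "readme.html").unlink()
        fixed = WEAK_CONFIG.replace("'wp_'", "'x7k2_'")
        fixed = fixed.replace("'DB_PASSWORD', 'shop'", "'DB_PASSWORD', 'constructed-Zt9!kq'")
        (root / "wp-config.php").write_text(fixed)
        return before, audit(root)


if __name__ == "__main__":
    print(demo())
```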

Change your WordPress password regularly

Nowadays, almost everyone uses a program like LastPass to remember passwords. So there’s no excuse anymore for not changing your passwords regularly! Do the same with the password of your WordPress account. You may want to use a plugin like Force Password Change to “force” other users to change their passwords regularly.

Change the password of your FTP account regularly

Another way for hackers to break in is via FTP. It is therefore advisable to regularly change the password of your FTP account. With some hosting providers you can also specify that only certain IP addresses can log in via FTP.