WordPress Security Checklist: 25 Essential Steps
A complete WordPress security checklist covering 25 essential steps to protect your SA site. From SSL to two-factor authentication, plugin audits, and load shedding preparedness—hardened security for WordPress in South Africa.
Key Takeaways
- A 25-point security checklist protects against 90% of common WordPress attacks including brute force, SQL injection, and plugin vulnerabilities.
- Essential steps include SSL certificates, two-factor authentication, regular backups, firewall configuration, and POPIA compliance for SA sites.
- Implement firewall rules, disable file editing, remove WordPress version info, and audit plugins monthly to maintain ongoing hardening.
WordPress powers 43% of all websites globally, making it a prime target for attackers. In South Africa, where load shedding and intermittent connectivity create recovery challenges, security isn't optional—it's critical infrastructure. This 25-point checklist covers every layer of WordPress hardening, from initial setup through ongoing maintenance, designed specifically for SA hosting environments and POPIA compliance.
At HostWP, we've migrated over 500 South African WordPress sites and found that 67% of incoming sites had zero firewall protection and outdated plugins. The damage ranges from data breaches costing thousands in ZAR to complete site defacement. This guide walks you through each security layer, with practical steps you can implement today.
Foundation Layer: Core WordPress Hardening
The first 6 steps secure WordPress at its core, preventing attackers from exploiting default configurations. Start by installing an SSL certificate—every WordPress site in 2025 must use HTTPS. Our HostWP plans include free SSL certificates, and Google now ranks non-HTTPS sites lower. SSL encrypts all data between your site and visitors, critical when SA users access your site over fibre (Openserve, Vumatel) or mobile networks.
- Step 1: Install and configure an SSL certificate. Redirect all HTTP traffic to HTTPS via .htaccess or wp-config.php.
- Step 2: Change your WordPress login URL from /wp-admin/ to something unique like /secure-login-xyz/. Attackers use automated tools targeting /wp-admin/, and renaming it eliminates 80% of brute force attempts.
- Step 3: Disable file editing by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php. This prevents attackers who gain admin access from modifying core files through the dashboard's Theme and Plugin File Editor (it does not block plugin uploads or updates; Step 17 covers those).
- Step 4: Remove WordPress version information from source code. Add to functions.php: remove_action('wp_head', 'wp_generator');
- Step 5: Implement a Web Application Firewall (WAF). Cloudflare's free tier (included in HostWP plans) blocks malicious traffic before it reaches your server.
- Step 6: Configure strong .htaccess rules to block common exploits and directory traversal attacks.
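Step 4 as written only removes the generator tag, but the core version also leaks through feed generator elements and the ?ver= query string on enqueued scripts and styles. The following must-use plugin, added here as an example and not part of HostWP's own code, closes all three; the file name and the hwp_ prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (example mu-plugin)
 * Assumed location: wp-content/mu-plugins/hide-wp-version.php
 * Goes beyond Step 4: the <meta name="generator"> tag is only one of
 * several places the core version is exposed.
 */

// 1. Remove the generator <meta> tag from the HTML head (Step 4 as written).
//    default-filters.php registers wp_generator before mu-plugins load,
//    so removing it here works.
remove_action( 'wp_head', 'wp_generator' );

// 2. RSS/Atom feeds carry a <generator> element built by get_the_generator();
//    the 'the_generator' filter lets us blank it out.
add_filter( 'the_generator', '__return_empty_string' );

// 3. Core enqueues scripts and styles with ?ver=<WordPress version>.
//    Strip the argument only when it equals the core version, so plugin and
//    theme assets keep their own version strings for cache busting.
function hwp_strip_core_version( $src ) {
    $core = get_bloginfo( 'version' );
    if ( false !== strpos( $src, 'ver=' . $core ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'hwp_strip_core_version', 9999 );
add_filter( 'style_loader_src',  'hwp_strip_core_version', 9999 );
```

The version is also printed in the bundled readme.html and license.txt in the web root; those are static files, so deny them in .htaccess or at the CDN rather than in PHP.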
Faiq, Technical Support Lead at HostWP: "I've reviewed 500+ SA WordPress audits, and the most dangerous gap is no WAF. A single WAF rule blocks 95% of automated attacks. On our HostWP infrastructure with LiteSpeed + Cloudflare, we've never had a site breached through the WAF layer."
Access Control & Authentication
User accounts are the second-most-targeted attack vector after plugins. Implementing strong authentication prevents unauthorized access even if passwords are weak. Steps 7–12 focus on who can access WordPress and how they prove identity.
- Step 7: Enforce a strong password policy. Require 16+ character passwords with uppercase, numbers, and symbols. WordPress plugins like Password Policy Manager automate this.
- Step 8: Enable two-factor authentication (2FA) for all admin accounts. Services like Authy or Google Authenticator require a second device to log in; even if a password is stolen, the account is protected.
- Step 9: Limit login attempts to 5 per IP per hour, then block for 15 minutes. This stops brute force.
- Step 10: Remove unnecessary user accounts. Delete test accounts, old contractor accounts, and any user not actively maintaining the site.
- Step 11: Change the default admin username from "admin" during installation. This was step 1 in 2010; many sites still use it.
- Step 12: Disable the XML-RPC interface unless required by plugins. XML-RPC is a legacy protocol attackers use for brute force. Disable it from a must-use plugin or your theme's functions.php (wp-config.php loads before the filter API is available): add_filter('xmlrpc_enabled', '__return_false');
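Steps 9 and 12 together, as an added example that is not part of the original article or HostWP's code: a must-use plugin that counts failed logins per IP in a transient, refuses authentication for 15 minutes once 5 failures land inside an hour, and switches XML-RPC off so the same passwords cannot be tried through that endpoint. The file name and hwp_ prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Login Throttle (example mu-plugin)
 * Assumed location: wp-content/mu-plugins/login-throttle.php
 * Step 9: 5 failed attempts per IP per hour, then a 15-minute block.
 * Step 12: XML-RPC disabled.
 */

define( 'HWP_MAX_ATTEMPTS', 5 );
define( 'HWP_WINDOW', HOUR_IN_SECONDS );          // counting window
define( 'HWP_BLOCK',  15 * MINUTE_IN_SECONDS );   // block duration

// Key on REMOTE_ADDR only. Trusting X-Forwarded-For would let a client choose
// its own key. Behind Cloudflare, restore the real client IP at the web server
// (mod_remoteip / LiteSpeed client-IP header) so REMOTE_ADDR is already correct.
function hwp_client_key() {
    return 'hwp_login_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// Count failures in a transient that expires with the one-hour window;
// once the limit is reached, set a second transient that lasts 15 minutes.
function hwp_record_failure( $username ) {
    $key   = hwp_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HWP_WINDOW );
    if ( $count >= HWP_MAX_ATTEMPTS ) {
        set_transient( $key . '_blocked', time(), HWP_BLOCK );
    }
}
add_action( 'wp_login_failed', 'hwp_record_failure' );

// Priority 30 runs after wp_authenticate_username_password (priority 20), so the
// WP_Error wins even when the submitted password happens to be correct.
function hwp_check_block( $user ) {
    if ( get_transient( hwp_client_key() . '_blocked' ) ) {
        return new WP_Error( 'hwp_blocked', 'Too many failed logins. Try again in 15 minutes.' );
    }
    return $user;
}
add_filter( 'authenticate', 'hwp_check_block', 30 );

// A successful login clears the counter so legitimate users are not penalised later.
add_action( 'wp_login', function () { delete_transient( hwp_client_key() ); } );

// Step 12: XML-RPC authenticates through its own endpoint, outside the wp-login.php
// throttle above, so turn it off unless a plugin (e.g. Jetpack) needs it.
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Transients are stored in the options table (or the object cache if one is configured), so the counters survive across requests but are lost on a cache flush; a WAF rule at Cloudflare gives a second, server-independent layer.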
In our experience with SA businesses, the most common breach happens via reused passwords from company data leaks. Enforce 2FA and you've eliminated 99% of credential-based attacks.
Plugin & Theme Security
Vulnerable plugins account for 56% of WordPress compromises. Steps 13–18 manage the plugin and theme landscape, which is where most South African sites run into trouble.
- Step 13: Audit all installed plugins monthly. Use a plugin vulnerability scanner like Sucuri Security or Wordfence. Check the WP Plugin Security Vulnerabilities database (wpscan.com).
- Step 14: Delete unused plugins, themes, and files immediately. Every inactive plugin is an attack surface. We've found abandoned plugins from 2015 still loaded on active sites.
- Step 15: Update WordPress, plugins, and themes within 48 hours of release. The patch gap is where 40% of hacks occur; attackers exploit known CVEs within days.
- Step 16: Use only plugins from the official WordPress.org repository unless audited by your developer. Nulled plugins and free "premium" versions often contain backdoors.
- Step 17: Disable the theme editor (prevents code injection). Add to wp-config.php: define('DISALLOW_FILE_MODS', true); Note that this constant also removes plugin and theme installation and updates from the dashboard, so you must apply updates via WP-CLI or your deployment process, and Step 15's 48-hour window still applies.
- Step 18: Implement a website firewall with plugin-specific rules. Wordfence Premium, Sucuri WAF, or Cloudflare Bot Management monitor for malicious plugin behaviour in real time.
Your WordPress security is only as strong as its monitoring. HostWP includes daily backups, LiteSpeed caching, and 24/7 SA support. If you've never had a professional security audit, now's the time.
Monitoring, Backups & Disaster Recovery
Even with perfect security, breaches happen. Steps 19–23 focus on detection and recovery, critical for SA businesses facing load shedding and connectivity interruptions.
- Step 19: Set up daily automated backups stored off-site (not on the same server). HostWP performs daily snapshots to our Johannesburg data centre with 14-day retention.
- Step 20: Test backup restoration monthly. A backup you've never tested is useless.
- Step 21: Enable file integrity monitoring (FIM). Services like Wordfence monitor for unexpected file changes, alerting you within minutes if malware is added. For a quick manual check, WP-CLI's wp core verify-checksums compares core files against the hashes published by WordPress.org.
- Step 22: Set up security alerts for login attempts, plugin installations, and theme changes. Wordfence and Sucuri send email notifications for suspicious activity.
- Step 23: Monitor your site's uptime and performance. Load shedding in South Africa causes intermittent outages; use Pingdom or UptimeRobot to distinguish between load shedding downtime and actual attacks.
In SA, where load shedding can last 4+ hours daily, having backups stored in the cloud (not on local UPS) is non-negotiable. Your backup must survive when your server's power goes down.
Compliance & Load Shedding Resilience
Steps 24–25 address South Africa's unique regulatory and infrastructure landscape. POPIA (Protection of Personal Information Act) mandates that personal data is protected—security is a legal requirement, not a luxury.
- Step 24: Implement POPIA compliance measures. Document which personal data you collect, encrypt it in transit (SSL) and at rest, and set retention limits. Use a privacy policy plugin like Cookie Notice Pro to disclose data collection.
- Step 25: Prepare for load shedding disruptions. Configure your site to display a "We're currently offline" message during power cuts instead of a blank 500 error. Use a static HTML error page served by your CDN (Cloudflare) even when the origin server is down. Enable LiteSpeed cache to serve cached pages even during brief outages.
South African hosting must account for rolling blackouts. HostWP's infrastructure in Johannesburg uses UPS and backup power, but your site's code must be resilient too. Implement a load shedding schedule check in WordPress to prevent database writes during known outage windows—unnecessary writes can corrupt data on startup.
Ongoing Security Maintenance
A security checklist is point-in-time. Ongoing maintenance keeps your site hardened. Allocate 2 hours monthly for security tasks: plugin audits, backup testing, log review, and vulnerability scanning. Set calendar reminders for WordPress and plugin release days (first Tuesday of each month, plus emergency patches). Join the WP Security community on Slack or local SA WordPress meetups (Johannesburg, Cape Town, Durban all have active groups) to stay informed about emerging threats.
Create a security incident response plan: who gets notified if your site is hacked, where you store backup recovery docs, and how you'll communicate with customers if data is breached. In SA, notify affected users within 30 days under POPIA.
Frequently Asked Questions
| Question | Answer |
| --- | --- |
| How often should I update WordPress and plugins? | Within 48 hours of release. WordPress releases security patches on Tuesdays; update Wednesday morning your time. For vulnerabilities that are being actively exploited, update immediately. Delaying updates is the #1 reason SA sites get hacked; don't wait for "stability". |
| Does HostWP's managed hosting include firewall protection? | Yes. Every HostWP plan includes Cloudflare WAF, LiteSpeed server-side caching, and 24/7 intrusion monitoring from our Johannesburg data centre. We also perform daily backups and can restore a hacked site to a pre-infection state in under 2 hours via white-glove support. |
| What's the cost of a WordPress security audit? | HostWP offers free WordPress audits including plugin vulnerability scans, POPIA compliance review, and SSL/firewall verification. A professional third-party audit (Sucuri, WP Engine forensics) costs ZAR 2,500–6,000. For HostWP customers, a free audit is included; contact support to book. |
| Can I implement all 25 steps myself? | Yes, with a few caveats. Steps 1–12 are straightforward (SSL, login hardening, 2FA). Steps 13–18 (plugin audits, WAF configuration) require basic PHP knowledge. Steps 19–25 (backups, POPIA compliance, load shedding resilience) are complex for non-developers. Consider hiring a WordPress developer for steps 13–25, or use HostWP's white-glove support team. |
| How do I know if my site has been hacked? | Signs include: Google blacklist warnings, unexpected admin accounts, slow performance, strange files in /wp-content/, email spam sent from your domain, or malware scanner alerts. Run Wordfence or Sucuri immediately. If confirmed, restore from a clean backup, change all passwords, and file a POPIA data breach notification if personal data was exposed. Our support team can perform forensics within 4 hours. |