
WordPress website security 2026: 30 essential points checklist

Mohamed Bah · Founder, Kolonell
May 22, 2026

WordPress security: 43 % of all websites, 96 % of CMS attacks

WordPress powers about 43 % of all websites worldwide in 2026 and concentrates 96 % of the attacks targeting open source CMSs. Not because WordPress is bad — it's very solid at the core — but because its ecosystem of 60,000 free plugins creates a massive attack surface, and because most admins never configure the security basics.

90 % of WordPress compromises in 2026 come down to 5 simple causes: an outdated plugin, a weak password, no 2FA, a poorly protected wp-config.php, and a nulled (pirated) theme. The 30-point checklist below covers what to verify on any production WordPress site.

Category 1 — Authentication (critical priority)

  • Admin password: minimum 16 characters, mixed alphanumeric + symbols, never reused from another service.
  • 2FA enabled on all admin and editor accounts (plugins: Wordfence Login Security, WP 2FA, miniOrange 2FA).
  • Limit login attempts: 5 max before 30-min IP block (Limit Login Attempts Reloaded).
  • Rename login page: /wp-admin becomes /secure-login-xyz (plugin WPS Hide Login).
  • Delete the default "admin" account: create an admin account with another name and remove "admin".
  • Strong password policy mandatory for all users (iThemes Security plugin or equivalent).

Category 2 — Updates (critical priority)

  • WordPress core up to date: minimum 6.5 in 2026, ideally latest stable.
  • Plugins updated monthly minimum: remove unused plugins (they remain an entry point even when deactivated).
  • Theme updated + use a child theme so you don't lose your changes.
  • Uninstall nulled plugins: any "premium for free" plugin downloaded outside the official source = guaranteed backdoor.

Category 3 — wp-config hardening (high priority)

  • Disable the WP-admin file editor: add define('DISALLOW_FILE_EDIT', true); to wp-config.php.
  • Non-standard DB table prefix: change wp_ to wp_xyz123_ (at creation or via migration plugin).
  • Unique security keys: regenerate via https://api.wordpress.org/secret-key/1.1/salt/ and paste into wp-config.
  • Disable xmlrpc.php if unused: add a rule in .htaccess or nginx to block access.
  • Block direct access to wp-config.php via .htaccess: put Order Deny,Allow and Deny from all inside a <Files wp-config.php> block, so the rule applies to that one file and not to the whole site.

Category 4 — Permissions and files (high priority)

  • File permissions: 644 for files, 755 for folders, 600 for wp-config.php.
  • Disable directory indexing: Options -Indexes in .htaccess.
  • Block PHP execution in /uploads/: .htaccess or nginx rule to prevent uploaded scripts from executing.
  • Disable PHP error reports in production: define('WP_DEBUG', false); and display_errors = Off in php.ini.
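Most of the wp-config and file-permission points in Categories 3 and 4 can be verified from a shell rather than by eye. The script below is an added example, not Kolonell's tooling and not code from the checklist: it audits a WordPress root for DISALLOW_FILE_EDIT, WP_DEBUG, the 600/644/755 permissions and the .htaccess rules above, and builds two constructed sample trees (one hardened, one left at defaults) to run against. The function names, the sample file contents and the dependency on GNU find/stat are assumptions; the hardened sample uses the Apache 2.2 Order/Deny syntax quoted in the checklist, with the 2.4 equivalent noted in a comment.

```shell
#!/bin/sh
# Added example, not Kolonell's tooling: audits a WordPress root against the
# wp-config (Category 3) and permission (Category 4) points of the checklist.
# Function names and the sample trees are assumptions; needs GNU find/stat.

# audit_wp <wordpress-root>: prints one line per gap found, returns the count.
audit_wp() {
    root=$1; findings=0
    cfg="$root/wp-config.php"
    ht="$root/.htaccess"
    up="$root/wp-content/uploads/.htaccess"

    # Category 3: built-in file editor disabled
    grep -Eq "define\( *'DISALLOW_FILE_EDIT', *true *\);" "$cfg" 2>/dev/null \
        || { echo "DISALLOW_FILE_EDIT is not set to true in wp-config.php"; findings=$((findings + 1)); }
    # Category 4: no debug output in production
    grep -Eq "define\( *'WP_DEBUG', *false *\);" "$cfg" 2>/dev/null \
        || { echo "WP_DEBUG is not set to false in wp-config.php"; findings=$((findings + 1)); }
    # Category 4: wp-config.php readable by the owner only
    [ "$(stat -c %a "$cfg" 2>/dev/null)" = 600 ] \
        || { echo "wp-config.php is not mode 600"; findings=$((findings + 1)); }
    # Category 4: every other file 644, every directory 755 (wp-config.php excluded)
    loose=$(find "$root" -mindepth 1 -path "$cfg" -prune -o \
                 \( -type f ! -perm 644 -o -type d ! -perm 755 \) -print | wc -l | tr -d ' ')
    [ "$loose" -eq 0 ] \
        || { echo "$loose path(s) with permissions other than 644/755"; findings=$((findings + 1)); }
    # Category 3: web server refuses direct requests for wp-config.php
    grep -q '<Files wp-config.php>' "$ht" 2>/dev/null \
        || { echo "no <Files wp-config.php> block in .htaccess"; findings=$((findings + 1)); }
    # Category 4: directory listing off
    grep -q 'Options -Indexes' "$ht" 2>/dev/null \
        || { echo "Options -Indexes missing from .htaccess"; findings=$((findings + 1)); }
    # Category 4: no PHP execution under uploads/
    grep -Eq '<FilesMatch "[^"]*php' "$up" 2>/dev/null \
        || { echo "no PHP block in wp-content/uploads/.htaccess"; findings=$((findings + 1)); }
    return "$findings"
}

# make_site <dir> hardened|weak: constructed sample WordPress trees for the demo.
make_site() {
    dir=$1; mode=$2
    mkdir -p "$dir/wp-content/uploads"
    echo '<?php' > "$dir/index.php"
    if [ "$mode" = hardened ]; then
        cat > "$dir/wp-config.php" <<'EOF'
<?php
define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', false);
EOF
        # Apache 2.2 syntax as quoted in the checklist; Apache 2.4 uses "Require all denied"
        cat > "$dir/.htaccess" <<'EOF'
<Files wp-config.php>
    Order Deny,Allow
    Deny from all
</Files>
Options -Indexes
EOF
        cat > "$dir/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.php$">
    Order Deny,Allow
    Deny from all
</FilesMatch>
EOF
        find "$dir" -mindepth 1 -type d -exec chmod 755 {} +
        find "$dir" -mindepth 1 -type f -exec chmod 644 {} +
        chmod 600 "$dir/wp-config.php"
    else
        # defaults left in place: debug on, no editor lock, no .htaccess rules
        cat > "$dir/wp-config.php" <<'EOF'
<?php
define('WP_DEBUG', true);
EOF
        chmod 755 "$dir/wp-content" "$dir/wp-content/uploads"
        chmod 644 "$dir/wp-config.php"
        chmod 666 "$dir/index.php"   # world-writable, typical of a careless FTP upload
    fi
}

main() {
    tmp=$(mktemp -d)
    for kind in hardened weak; do
        make_site "$tmp/$kind" "$kind"
        echo "== $kind site =="
        if audit_wp "$tmp/$kind"; then echo "no gaps found"; fi
    done
    rm -rf "$tmp"
}
main
```

To audit a real install, call audit_wp with the document root (for example /var/www/html); findings are printed one per line and the exit status is the number of gaps, so the function can sit in a cron job or a deployment check and fail when something regresses.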

Category 5 — Security headers (high priority)

  • HTTPS forced everywhere: Let's Encrypt minimum, automatic HTTP → HTTPS redirect.
  • HSTS (Strict-Transport-Security): max-age=31536000; includeSubDomains; preload.
  • CSP (Content-Security-Policy): restrict script, style, image sources.
  • X-Frame-Options: SAMEORIGIN to avoid clickjacking.
  • X-Content-Type-Options: nosniff + Referrer-Policy + Permissions-Policy.
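The Category 5 headers are easy to declare and easy to get subtly wrong (an HSTS max-age of a few minutes, a CSP with no script-src). The script below is an added example, not part of the original article: it reads a captured response header block and reports which of the five points are missing or too weak, using two constructed responses (one hardened, one as a default install tends to answer). The function names and the sample responses are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: checks captured HTTP response
# headers against the Category 5 list. Function names and the two constructed
# responses below are assumptions made for this illustration.

# has <text> <ere>: true when any line of <text> matches the extended regex
has() { printf '%s\n' "$1" | grep -Eq "$2"; }

# check_headers: reads raw response headers on stdin, prints one line per gap
# and returns the number of gaps. Live use: curl -sI https://example.com | check_headers
check_headers() {
    hdrs=$(tr 'A-Z' 'a-z' | tr -d '\r')   # case-fold, drop the CR of CRLF line ends
    gaps=0

    # HSTS: present, one year minimum, subdomains included, preload flag set
    hsts=$(printf '%s\n' "$hdrs" | grep '^strict-transport-security:' | head -n 1)
    if [ -z "$hsts" ]; then
        echo "Strict-Transport-Security missing"; gaps=$((gaps + 1))
    else
        age=$(printf '%s\n' "$hsts" | sed -n 's/.*max-age=\([0-9]*\).*/\1/p')
        [ "${age:-0}" -ge 31536000 ] \
            || { echo "HSTS max-age below one year (31536000)"; gaps=$((gaps + 1)); }
        case "$hsts" in *includesubdomains*) ;; *) echo "HSTS without includeSubDomains"; gaps=$((gaps + 1)) ;; esac
        case "$hsts" in *preload*) ;; *) echo "HSTS without preload"; gaps=$((gaps + 1)) ;; esac
    fi
    # CSP that actually restricts script sources
    has "$hdrs" '^content-security-policy:.*script-src' \
        || { echo "no Content-Security-Policy with a script-src directive"; gaps=$((gaps + 1)); }
    # Clickjacking: frame-ancestors in the CSP or X-Frame-Options SAMEORIGIN/DENY
    has "$hdrs" '^content-security-policy:.*frame-ancestors' \
        || has "$hdrs" '^x-frame-options: *(sameorigin|deny)' \
        || { echo "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)"; gaps=$((gaps + 1)); }
    has "$hdrs" '^x-content-type-options: *nosniff' \
        || { echo "X-Content-Type-Options: nosniff missing"; gaps=$((gaps + 1)); }
    has "$hdrs" '^referrer-policy:' \
        || { echo "Referrer-Policy missing"; gaps=$((gaps + 1)); }
    has "$hdrs" '^permissions-policy:' \
        || { echo "Permissions-Policy missing"; gaps=$((gaps + 1)); }
    return "$gaps"
}

# Constructed sample: a response carrying all Category 5 headers
good_response() { cat <<'EOF'
HTTP/2 200
Content-Type: text/html; charset=UTF-8
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
Content-Security-Policy: default-src 'self'; script-src 'self'; style-src 'self' 'unsafe-inline'; img-src 'self' data:; frame-ancestors 'self'
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Permissions-Policy: geolocation=(), camera=(), microphone=()
EOF
}

# Constructed sample: an unhardened install, no security headers at all
weak_response() { cat <<'EOF'
HTTP/1.1 200 OK
Server: Apache
X-Powered-By: PHP/8.2.0
Content-Type: text/html; charset=UTF-8
Link: <https://example.com/wp-json/>; rel="https://api.w.org/"
EOF
}

main() {
    for r in good_response weak_response; do
        echo "== $r =="
        if $r | check_headers; then echo "all Category 5 headers present"; fi
    done
}
main
```

On Apache the headers are set with mod_headers (Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" and so on), on nginx with add_header ... always; the check above is worth running after every theme or plugin change, because a plugin that emits its own headers can silently weaken the set.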

Category 6 — Monitoring and active defense (medium priority)

  • Security plugin installed: Wordfence (free + premium 119 USD / year), Sucuri Security, iThemes Security, MalCare, or All-In-One WP Security.
  • WAF enabled: Cloudflare WAF (free basic), Sucuri Firewall, Wordfence Premium WAF — blocks 80 % of bots before they reach WP.
  • Regular malware scan: MalCare daily automatic scan, or Wordfence weekly scan.
  • Access logs analyzed: review monthly failed login attempts, suspicious IPs.
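"Review failed login attempts" is quick to automate. The script below is an added example, not from the original article: it reads an Apache/nginx combined-format access log, counts failed wp-login.php POSTs per client and reports every client at or above the 5-attempt lockout threshold from Category 1, over a constructed sample log with TEST-NET addresses. The function names, the threshold default and the sample lines are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: finds clients with repeated
# failed logins in a combined-format access log (Category 6, "access logs
# analyzed"). Function names, the default threshold (the 5-attempt lockout
# from Category 1) and the sample log are assumptions for this illustration.

# flag_login_bursts <access.log> [threshold]: prints "<count> <ip>" for each
# client with at least <threshold> failed wp-login.php POSTs, largest first.
# WordPress answers a failed login POST with 200 (the form is re-rendered with
# an error) and a successful one with a 302 redirect, so only 200s are counted.
flag_login_bursts() {
    log=$1; thr=${2:-5}
    awk -v thr="$thr" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= thr) print fails[ip], ip }
    ' "$log" | sort -rn
}

# Constructed sample log (TEST-NET addresses): one client hammering the login
# form, one legitimate user who mistypes once and then signs in.
make_sample_log() {
    f=$1; : > "$f"
    i=0
    while [ "$i" -lt 8 ]; do
        printf '203.0.113.7 - - [22/May/2026:03:14:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "curl/8.0"\n' "$i" >> "$f"
        i=$((i + 1))
    done
    printf '198.51.100.20 - - [22/May/2026:09:02:10 +0000] "GET /wp-login.php HTTP/1.1" 200 3790 "-" "Mozilla/5.0"\n' >> "$f"
    printf '198.51.100.20 - - [22/May/2026:09:02:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "Mozilla/5.0"\n' >> "$f"
    printf '198.51.100.20 - - [22/May/2026:09:02:55 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$f"
}

main() {
    tmp=$(mktemp)
    make_sample_log "$tmp"
    echo "clients at or above the lockout threshold:"
    flag_login_bursts "$tmp"        # prints: 8 203.0.113.7
    rm -f "$tmp"
}
main
```

Run it monthly against the rotated log (flag_login_bursts /var/log/apache2/access.log.1); the legitimate user with a single typo never shows up, and the addresses that do are the ones to feed into the WAF or IP block list from the previous point.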

Category 7 — Backup and recovery (critical priority)

  • Daily offsite backup: not only on the server. Destinations: S3, Google Drive, Dropbox, Backblaze B2. See our 3-2-1 backup guide.
  • Quarterly restoration test: restore a copy on a staging environment — verify it actually works before D-day.

Prioritized recap table

Priority   Category               Points   Immediate action
Critical   Authentication         1-6      2FA + 16+ character password
Critical   Updates                7-10     WP core + plugins up to date
High       wp-config hardening    11-15    DISALLOW_FILE_EDIT + xmlrpc off
High       File permissions       16-19    644/755/600
High       Headers                20-24    HTTPS + HSTS + CSP
Medium     Monitoring             25-28    Wordfence + Cloudflare WAF
Critical   Backup                 29-30    Daily offsite backup

  • Wordfence: firewall + malware scan, free version sufficient for most cases
  • Sucuri Security: scan + monitoring + premium firewall (199-499 USD / year)
  • iThemes Security: all-in-one hardening, very complete free version
  • MalCare: lightweight cloud-side scan (doesn't weigh down the server)
  • Cloudflare WAF: free WAF rules + Pro plan at 20 USD / month for advanced rules
  • Maldet / ClamAV: server-side CLI scan for dedicated server audits

At Kolonell, the standard maintenance plan systematically includes Wordfence + Cloudflare WAF + daily offsite backup on Backblaze B2.

FAQ

How long does a complete security hardening take?

For an average WordPress site: 4 to 8 hours of work to apply the 30 points if nothing is in place. Count on 200,000 to 500,000 FCFA at agency rates.

Should I pay for Wordfence Premium?

For a personal site or small showcase: no, free version is enough. For an e-commerce or high-traffic site: yes (119 USD / year), especially for real-time WAF and firewall rules access.

What if my site is already compromised?

See our hacked site recovery guide. Steps: 1) isolate, 2) identify, 3) clean or restore a clean backup, 4) patch, 5) reset all credentials.

Doesn't my host secure all this?

No. The host manages the server layer (OS, PHP, MySQL). The WordPress layer (CMS, plugins, theme, content) is your responsibility. Even OVH, Hostinger or GoDaddy state this in their ToS.

What annual security budget for a WordPress site?

Showcase: 0-50,000 FCFA / year (free + annual audit). E-commerce: 150,000-500,000 FCFA / year (Wordfence Premium + Cloudflare Pro + regular scan). Critical site: 500,000-2,000,000 FCFA / year (managed WAF + pen-test + SOC).

Let's talk about your security

If you want a WordPress security audit or a maintenance plan including security, contact us. WhatsApp +221 77 596 93 33.

Tags: #security #WordPress #checklist #Wordfence #Sucuri #iThemes #hardening

Mohamed Bah

Founder, Kolonell

Passionate about digital and entrepreneurship in Africa, Mohamed has been helping Senegalese businesses with their digital transformation since 2020. Founder of Kolonell, he believes every SME deserves a professional and accessible online presence.