WordPress Hardening Checklist (2025) - kevwells.com

WordPress Hardening Checklist (2025)

Last updated: 19 Aug 2025

This is a practical hardening baseline for small/medium sites running WordPress on Apache. Focus: reduce attack surface, keep patching predictable, and prove restores. Adjust to your stack.

1) Accounts & Authentication

  • Remove or rename the default admin user; unique admin usernames only.
  • Enforce 2FA for all admins/editors (TOTP). No SMS.
  • Limit admin access to HTTPS only; avoid shared logins. Use least privilege roles.
  • Disable XML-RPC unless you explicitly need it (Jetpack/remote publishing).
<Files xmlrpc.php>
  Require all denied
</Files>

2) Updates & Plugin Hygiene

  • Enable automatic core minor updates; major updates via staging first.
  • Keep plugin count low. Remove anything unused or unmaintained (>12 months without updates).
  • Pin update windows monthly; record versions post-update.
# wp-cli examples (cron or manual)
wp core update --minor
wp plugin update --all
wp theme update --all
wp core verify-checksums

3) Backups & Restore Testing

  • Back up database daily, files weekly; keep at least one offsite copy.
  • Do a quarterly restore test to a staging URL; document the steps.

4) Server & File Permissions (Apache 2.4)

  • Separate system user for the vhost. Webroot owned by that user; PHP runs as that user.
  • Typical perms: files 640, dirs 750. No write access to wp-includes and wp-admin.
# Example (adjust user/group)
chown -R webuser:www-data /var/www/html
find /var/www/html -type d -exec chmod 750 {} \;
find /var/www/html -type f -exec chmod 640 {} \;

5) wp-config.php Hygiene

  • Move wp-config.php one level above webroot if possible.
  • Disable the theme/plugin editors; force SSL for admin.
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);

6) Hardening with .htaccess

Place these near the top of your site’s .htaccess, above the WordPress block.

# Deny access to sensitive files
<FilesMatch "(^\.|wp-config\.php|readme\.html|license\.txt|composer\.(json|lock))">
  Require all denied
</FilesMatch>

# Basic security headers (safe defaults)
<IfModule mod_headers.c>
  Header always set X-Content-Type-Options "nosniff"
  Header always set X-Frame-Options "SAMEORIGIN"
  Header always set Referrer-Policy "strict-origin-when-cross-origin"
  Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
</IfModule>

# Block PHP execution under /wp-content/uploads.
# <Directory> and php_admin_flag are not permitted in .htaccess (Apache fails
# with a 500 "not allowed here"); save this as wp-content/uploads/.htaccess
# instead. It works with both mod_php and PHP-FPM.
<FilesMatch "\.(php|phtml|phar|php[0-9])$">
  Require all denied
</FilesMatch>

Note: Content-Security-Policy is powerful but site-specific; add later after testing.

7) Login Abuse & Spam Mitigation

  • Add lightweight bot protection to login/contact (e.g., Cloudflare Turnstile).
  • Rate-limit wp-login.php and xmlrpc.php at the reverse proxy/firewall if available.

8) Monitoring & Logs

  • Keep access/error logs; alert on spikes of 401/403/404 to wp-login.php and xmlrpc.php.
  • Uptime monitoring from two regions; alert within 60 seconds.
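As an added example (not part of the original checklist), the following script implements the alert in the first bullet: it parses Apache "combined" access-log lines, counts 401/403/404 responses to wp-login.php and xmlrpc.php per source IP, and reports any IP exceeding a threshold within a sliding window. The log lines, threshold and window size are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format; capture only the fields the check needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "\S+ (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+')
WATCHED = ("/wp-login.php", "/xmlrpc.php")
ALERT_STATUSES = {"401", "403", "404"}

def parse_line(line):
    """Return (ip, timestamp, path, status), or None if the line doesn't parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("path").split("?", 1)[0], m.group("status")

def find_abusers(lines, threshold=10, window=timedelta(minutes=5)):
    """Map IP -> peak count of watched failures inside any `window`-long span."""
    per_ip = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, path, status = parsed
        if path in WATCHED and status in ALERT_STATUSES:
            per_ip[ip].append(ts)
    abusers = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                abusers[ip] = max(abusers.get(ip, 0), end - start + 1)
    return abusers

# Constructed sample lines (not real traffic) using RFC 5737 test addresses.
SAMPLE_LOG = [
    f'203.0.113.5 - - [19/Aug/2025:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 403 199 "-" "curl/8.0"'
    for s in range(0, 60, 5)  # 12 failed logins in one minute
] + [
    '198.51.100.7 - - [19/Aug/2025:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4510 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [19/Aug/2025:10:01:05 +0000] "POST /xmlrpc.php HTTP/1.1" 404 199 "-" "Mozilla/5.0"',
    "garbage line that does not parse",
]
print(find_abusers(SAMPLE_LOG))  # → {'203.0.113.5': 12}
```

Successful logins (status 200) and unparseable lines are ignored, so a single stray 404 from a legitimate visitor never trips the alert on its own.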

9) Content & Admin Practices

  • No plugin/theme installs on production without staging tests.
  • Remove demo content, unused themes (keep one default as fallback).
  • Document: who can deploy, how to roll back, and where backups live.

Security gaps in Linux and cloud systems risk downtime, data compromise, lost business — and compliance failures.

With 20+ years’ experience and active UK Security Check (SC) clearance, I harden Linux and cloud platforms for government, corporate, and academic sectors — ensuring secure, compliant, and resilient infrastructure.