WordPress powers 43% of all websites on the internet. That makes it the most widely deployed CMS on the planet — and the most targeted. Every freelancer managing client WordPress sites carries this reality: your sites are in the crosshairs not because anyone specifically wants to hack them, but because automated scanners run 24/7 looking for the same vulnerabilities across millions of WordPress installations simultaneously.
The good news: WordPress security isn't mysterious. It's systematic. Most compromises follow patterns that checklist-driven maintenance prevents. This guide gives you that checklist — the 12 steps that cover the most ground with the least effort.
Note: The first article in this series covers the economics of the patch gap in detail. This checklist picks up where that leaves off — the operational steps you can act on starting today.
The 12-point security checklist
1. Keep core, plugins, and themes updated — always
   Every unpatched plugin is an open door. WordPress core updates are critical, but plugins account for the vast majority of exploited vulnerabilities. Set a recurring weekly review; don't let updates accumulate. If you're managing more than a few sites, automation is the only viable path — see the patch gap article for the full case.

2. Enforce strong passwords and two-factor authentication
   Weak credentials are the second most common WordPress breach vector after unpatched software. Enforce a minimum of 16 characters, generated and stored with a password manager. Enable 2FA for all admin accounts — the WordPress Security Keys plugin or a dedicated solution like WPScan / iThemes Security makes this straightforward across a fleet.

3. Remove unused plugins and themes
   Every plugin, active or inactive, is code sitting on your server with its own CVE surface. A deactivated plugin is still on disk, still needs updating, and can still be exploited. Audit your installs: if a plugin isn't doing anything, delete it. Fewer moving parts means fewer vulnerabilities.

4. Monitor for known CVEs affecting your stack
   Sign up for the WPScan free API tier or use a monitoring service that tracks the specific plugins and themes in your client sites. When a CVE drops for a plugin you run, you need to know within hours — not weeks. Subscribe to plugin-specific changelogs or use a vulnerability feed aggregator.

5. Maintain regular, tested backups
   A backup you can't restore is not a backup. Verify your backup process end-to-end: does it actually run? Can you restore to a clean state? Keep at least 30 days of daily backups and test restore procedures quarterly. Plugins like UpdraftPlus or Jetpack Backup handle this; just confirm they're actually running on schedule.

6. Enforce SSL sitewide (HTTPS)
   There's no reason to run a non-HTTPS WordPress site in 2026. Let's Encrypt provides free certificates, and most hosts automate renewal. Beyond the security benefit, HTTPS is a ranking signal and browsers now flag non-HTTPS sites as insecure — it's a trust issue, not just a security one. Enable HSTS after migrating to force HTTPS everywhere.

7. Harden file permissions
   WordPress file permissions follow a clear pattern: directories at 755, files at 644, wp-config.php at 600 or 640. A misconfigured permission on wp-config.php exposes database credentials to the world. Audit file ownership and permissions across your client sites, especially after migrations or new developer handoffs.

8. Disable XML-RPC if you're not using it
   XML-RPC is a WordPress API endpoint that's useful for mobile apps and pingbacks — but it's also a popular attack vector for credential stuffing and DDoS amplification. If your client sites don't use the Jetpack mobile app or other services that require it, disable XML-RPC via your .htaccess file or a security plugin. The xmlrpc.php endpoint is one of the first things scanners probe.

9. Limit login attempts
   Brute force attacks against wp-login.php run continuously across the WordPress ecosystem. The fix is simple: lock out IPs after 3-5 failed attempts for 15-30 minutes. Most security plugins (Wordfence, iThemes Security, WPScan) handle this by default. Don't skip this — it's one of the most effective low-effort hardening steps available.

10. Change the WordPress database prefix from wp_
    SQL injection attacks that succeed often rely on the predictability of default table names. Changing the database prefix (e.g., to pp_ or clientname_) forces attackers to guess table names; the layer can be bypassed, but it raises the cost of an attack. This is a one-time config change; do it on new installs and migrate existing sites when possible.

11. Add security headers via .htaccess or a plugin
    Security headers tell browsers how to behave with your site and can block common attack classes. At minimum, enable Content-Security-Policy (CSP), X-Content-Type-Options: nosniff, X-Frame-Options: SAMEORIGIN, and Strict-Transport-Security (HSTS). The free Security Headers plugin by Scott Petty sets these without a paid tool.

12. Audit admin accounts quarterly
    Client sites accumulate accounts. Former employees, old agency contacts, test accounts — they all persist. Do a quarterly audit: remove accounts that don't need access, enforce 2FA on any remaining admin-level accounts, and review which accounts have active sessions. One stale admin account is all it takes.
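Step 7 in practice, as an added example that is not from the original article: a POSIX shell audit of the 755 / 644 / wp-config.php pattern, plus a fixer to run only after you have reviewed the findings. The function names are mine; the fleet loop in the comments is illustrative.

```shell
#!/bin/sh
# Added example, not from the original article: audit a WordPress install against the
# pattern the checklist gives (directories 755, files 644, wp-config.php 600 or 640)
# and, separately, bring a tree into line. Assumes a POSIX sh with find(1) and sed(1),
# run as the account that owns the files (a different owner is a finding in its own right).

# wp_perm_deviations ROOT
# Prints one line per entry whose mode deviates from the pattern:
#   D <path>  directory that is not 755
#   F <path>  regular file that is not 644 (wp-config.php is judged separately)
#   C <path>  wp-config.php that is neither 600 nor 640
# Read-only, so it is safe to run against live client sites.
wp_perm_deviations() {
    root=$1
    find "$root" -type d ! -perm 755 | sed 's/^/D /'
    find "$root" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/F /'
    find "$root" -type f -name wp-config.php ! -perm 600 ! -perm 640 | sed 's/^/C /'
}

# audit_wp_perms ROOT
# Returns 0 when the tree matches the pattern; otherwise prints the deviations and
# returns 1, so it can gate a cron job or a fleet loop such as:
#   for s in /var/www/*; do audit_wp_perms "$s" || echo "REVIEW $s"; done
audit_wp_perms() {
    found=$(wp_perm_deviations "$1")
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# fix_wp_perms ROOT
# Applies the pattern. Review the audit output first: a legitimately executable
# file shipped by a plugin would be flattened to 644 along with everything else.
fix_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        # 640 keeps it readable by the web server's group; use 600 if PHP runs as the owner.
        chmod 640 "$root/wp-config.php"
    fi
}
```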
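A way to verify step 11 (and the HSTS from step 6) from outside the site, as an added example not from the original article: pipe the output of `curl -sI` for a site you manage into this POSIX shell checker. The function name and the sample header block are constructed, not taken from any real site.

```shell
#!/bin/sh
# Added example, not from the original article: check the four headers the checklist
# names (plus a sane HSTS max-age) in a site's response. Assumes a POSIX sh with grep
# and that you pipe in the output of `curl -sI https://<site you manage>/`.

# check_security_headers reads raw response headers on stdin, prints one line per
# problem, and returns 0 only when all four checks pass.
check_security_headers() {
    # Header names are case-insensitive and curl emits CRLF line endings, so
    # normalise once and match on the lower-cased text.
    hdrs=$(tr -d '\r' | tr 'A-Z' 'a-z')
    fail=0
    has() { printf '%s\n' "$hdrs" | grep -Eq "$1"; }

    has '^content-security-policy:' \
        || { echo "MISSING Content-Security-Policy"; fail=1; }
    has '^x-content-type-options: *nosniff' \
        || { echo "MISSING X-Content-Type-Options: nosniff"; fail=1; }
    has '^x-frame-options: *(sameorigin|deny)' \
        || { echo "MISSING X-Frame-Options: SAMEORIGIN (or DENY)"; fail=1; }
    # HSTS with max-age=0 is how you turn it off, so require a non-zero value.
    has '^strict-transport-security:.*max-age=[1-9][0-9]*' \
        || { echo "MISSING Strict-Transport-Security with non-zero max-age"; fail=1; }
    return $fail
}

# Constructed sample response: nosniff, framing and HSTS are set, CSP is not.
SAMPLE_HEADERS='HTTP/2 200
server: nginx
content-type: text/html; charset=UTF-8
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
strict-transport-security: max-age=31536000; includeSubDomains'

# Live use: curl -sI https://example.client/ | check_security_headers
if printf '%s\n' "$SAMPLE_HEADERS" | check_security_headers; then
    echo "all required headers present"
fi
```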
Before you print this out: The checklist above is actionable right now. But checklist management at scale — across 10, 20, or 50+ client sites — is where it stops working manually. That's the real problem.
Automate the hard parts
The 12 steps above are mostly one-time configurations and recurring habits. But three of them — keeping plugins updated, monitoring for new CVEs, and maintaining verified backups — are ongoing, daily work. And that's where manual processes break down.
Here's what that looks like at scale: a freelancer managing 25 client sites is tracking 375+ plugin instances across their portfolio, checking for updates across all of them every week, monitoring CVE feeds for each one, and verifying backups are running across all 25. That's a full-time job embedded inside a freelance practice.
PatchPilot handles the ongoing items automatically:
- Plugin and theme updates are applied as they release, with pre-update backups and automated rollback if anything breaks. You review the report, not the process.
- CVE monitoring runs continuously against your connected sites — when a vulnerability drops for a plugin you run, you get alerted with a remediation path, not just a raw CVE ID.
- Verified backups run on schedule and are tested automatically. You get a status report; you don't have to wonder if the last backup actually worked.
The checklist above is worth keeping. But the point isn't to follow it perfectly — it's to not get compromised. Automation that enforces the checklist continuously is more reliable than a document you review once a quarter.
Let PatchPilot enforce the checklist for you.
Connect your WordPress sites in minutes. We handle updates, CVE monitoring, and verified backups — so the checklist takes care of itself.
Start Free — No Credit Card