WordPress security checklist 2026 — 12 things every site should have | Scanthra
May 2026
1. Keep core, themes and plugins on auto-update
WordPress has shipped automatic minor (security) updates for core since 3.7, and per-plugin and per-theme auto-updates since 5.5. Enable all three. In wp-config.php, opt core in to major releases as well as the minor ones it already applies on its own:
define('WP_AUTO_UPDATE_CORE', true);
Then under Plugins, click "Enable auto-updates" for every active plugin, and do the same under Appearance → Themes. Yes, even the premium ones (they need a valid licence key on the site for their updates to fetch). An hour of regression risk per quarter beats a week of cleaning up an injected redirect.
2. Delete every theme and plugin you don't use
Inactive plugins are still on disk. WordPress doesn't load their code, but every file in them is still reachable over HTTP, so a standalone script with a hole is exploitable whether the plugin is active or not, and attackers fingerprinting your site will find it. The classic "TimThumb" vector lived for years in deactivated themes that bundled timthumb.php. If you're not using it, remove the directory entirely from wp-content/plugins and wp-content/themes.
3. Move wp-admin behind something
Two effective options:
- IP allow-list. If you log in from a fixed office or VPN, restrict /wp-admin and /wp-login.php to those IPs at the web server level. Five lines of nginx config. Leave /wp-admin/admin-ajax.php reachable, because front-end plugins call it on behalf of anonymous visitors and blocking it breaks the public site.
- Rename or add a second factor. Plugins like WPS Hide Login change the URL; Two-Factor (by the WordPress core team) adds TOTP. Both are free. Renaming only buys obscurity against scanners; the second factor is what actually stops a stolen or guessed password from being enough.
4. Enforce strong passwords and disable XML-RPC if unused
WordPress shows a strength meter but enforces nothing, so users can pick short or reused passwords. Install Password Policy Manager or similar to enforce a minimum length (and a breached-password check if it offers one); skip forced periodic rotation, which NIST SP 800-63B no longer recommends. Then disable xmlrpc.php unless you specifically need it (e.g. for Jetpack or the WordPress mobile app): it is the channel used for system.multicall password brute-forcing and pingback abuse. In nginx:
location = /xmlrpc.php { deny all; return 403; }
5. Add the six standard security headers
HSTS, CSP, X-Frame-Options, X-Content-Type-Options, Referrer-Policy and Permissions-Policy. Every Scanthra report flags missing ones. The fastest way: a free Cloudflare plan + their Security Headers managed transform rule, or a plugin like HTTP Headers. Two caveats: turn HSTS on only once every subdomain is served over HTTPS (includeSubDomains is cached by browsers for the full max-age), and trial any non-trivial CSP in Content-Security-Policy-Report-Only mode first, because a strict script-src breaks most themes and page builders until it has been tuned.
6. Lock down file editing inside wp-admin
In wp-config.php:
define('DISALLOW_FILE_EDIT', true);
This removes the theme and plugin editors from the dashboard, so an attacker who steals an admin cookie can't paste a webshell into a theme file. They can still upload a plugin zip containing one. To close that too, set
define('DISALLOW_FILE_MODS', true);
which disables all plugin and theme installs, updates and the editors from the dashboard. Be aware that it also switches off the automatic updater from item 1, so only use it when updates are applied by WP-CLI or a deployment pipeline instead.
7. Block PHP execution in uploads
An .htaccess in wp-content/uploads:
<FilesMatch "\.(php|phtml|phar)$">
Require all denied
</FilesMatch>
Or the nginx equivalent, which must sit above your generic PHP location so that it matches first (nginx ignores .htaccess entirely). Most "upload your photo" exploits drop a PHP file disguised as an image; this rule stops such a file from ever executing, although it does nothing against a PHP file being included by some other vulnerable script. Two caveats: .htaccess only takes effect if AllowOverride permits it for that directory, and on Apache configured with AddHandler a double extension such as shell.php.jpg can still be executed, in which case drop the trailing $ from the pattern.
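As an added example that is not part of the Scanthra checklist, here is a single nginx server block that implements items 3, 4, 5 and 7 together, so you can see how the pieces interact (in particular the location ordering, the admin-ajax.php exception and the add_header inheritance rule). The hostname, document root, allow-listed addresses (RFC 5737 documentation ranges) and the PHP-FPM socket path are placeholders; TLS certificate directives are omitted.

```nginx
# Added example, not from the Scanthra page: one nginx vhost covering
# checklist items 3, 4, 5 and 7. example.com, the document root, the
# allow-listed addresses (RFC 5737 documentation ranges) and the PHP-FPM
# socket are placeholders; ssl_certificate directives are omitted.
server {
    listen 443 ssl http2;
    server_name example.com;
    root /var/www/example.com;
    index index.php;

    # Item 5: the six headers, set once for the whole vhost. "always" adds
    # them to error responses too. Gotcha: a location block that declares
    # its own add_header inherits NONE of these, so repeat them there.
    # The CSP is a deliberately minimal starting point; tune script-src in
    # Content-Security-Policy-Report-Only mode before enforcing it.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header Content-Security-Policy "frame-ancestors 'self'; upgrade-insecure-requests" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Referrer-Policy "strict-origin-when-cross-origin" always;
    add_header Permissions-Policy "camera=(), microphone=(), geolocation=()" always;

    # Item 7: no PHP execution under uploads. nginx tests regex locations in
    # file order and stops at the first match, so this block must sit above
    # the generic \.php$ handler at the bottom.
    location ~* ^/wp-content/uploads/.*\.(php\d?|phtml|phar|phps)$ {
        deny all;
    }

    # Item 4: XML-RPC off (system.multicall brute force, pingback abuse).
    # Remove this block if you rely on Jetpack or the WordPress mobile app.
    location = /xmlrpc.php {
        deny all;
    }

    # Item 3: login page and dashboard only from the office range and the
    # VPN egress address. Exact-match (=) locations beat the regex handler,
    # so the FastCGI directives have to be repeated here.
    location = /wp-login.php {
        allow 203.0.113.0/24;
        allow 198.51.100.7;
        deny all;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # admin-ajax.php is called by front-end plugins on behalf of anonymous
    # visitors; it must stay open or parts of the public site break.
    location = /wp-admin/admin-ajax.php {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }

    # ^~ makes this prefix win over the regex locations below for anything
    # else under /wp-admin/. allow/deny are inherited by the nested block.
    location ^~ /wp-admin/ {
        allow 203.0.113.0/24;
        allow 198.51.100.7;
        deny all;
        location ~ \.php$ {
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_pass unix:/run/php/php-fpm.sock;
        }
    }

    # Pretty permalinks and the ordinary PHP handler for everything else.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;
    }
}
```

Validate with nginx -t before reloading, then check from an address outside the allow-list that /wp-login.php and any .php path under /wp-content/uploads/ return 403 while the home page and /wp-admin/admin-ajax.php still answer. If you later add an add_header line inside one of these location blocks (a long cache lifetime for uploads, say), copy the six security headers into that block as well or they will silently disappear for those responses.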
8. Use a malware scanner that runs on a schedule
Wordfence free (scans the files on disk), Sucuri SiteCheck (remote, so it only sees what a visitor sees), or the open-source WPScan command-line tool (enumerates installed plugins and themes with known vulnerabilities). Schedule a weekly scan and send the output to your email; WP-CLI's wp core verify-checksums and wp plugin verify-checksums --all are a cheap addition that catch core and plugin files modified from what wordpress.org shipped. You want to find out about a backdoor before Google does.
9. Set up off-site, automated backups
An on-server backup is worthless after a full compromise. Use UpdraftPlus, BackWPup or your host's snapshot service to push backups to S3, Google Drive or Backblaze B2 daily, using a credential that can write but not delete, so an attacker on the site can't wipe its own history. Test the restore at least once per quarter; most "I had backups" stories end with "but I never tried restoring them".
10. Configure SPF, DKIM and DMARC on your domain
If your domain has no SPF/DKIM/DMARC, scammers can spoof emails as
billing@yoursite.com. Add the three DNS records (we have
a separate explainer for
this) and watch your phishing complaints drop and your transactional
email deliverability go up.
11. Audit your admins quarterly
Under Users → All Users, sort by role. Any Administrator account that nobody can vouch for or that hasn't been used in 90 days is a liability: old contractor, ex-employee, demo account. Core doesn't record last login, so add a small plugin that does (WP Last Login or similar) or check your web server access logs for successful POSTs to wp-login.php. Demote to Subscriber or delete. This is the single most common cause of "we don't know how they got in" WordPress incidents.
12. Plan for NIS2 if you handle EU customer data
The EU NIS2 Directive is now in force across all 27 Member States via national transpositions (Poland's amendment in force since 3 April 2026, Germany's NIS2UmsuCG, France's transposition law, etc.). Even if you're below the "essential entity" threshold, your larger customers may pass NIS2 obligations to you contractually — and this applies whether you operate inside the EU or sell into it from abroad. WordPress sites that handle EU personal data should keep an incident log, document patching cadence, and run periodic security checks. A free monthly Scanthra scan is a reasonable starting point — our NIS2 readiness guide walks through the rest.
The "Sunday afternoon" version of this list
If you have two hours and want maximum return: do items 1, 2, 5, 7 and 10. Those five alone push your site from "easily compromised" to "annoying enough that attackers move on."
How Scanthra helps with this checklist
A Scanthra scan covers items 2 (exposed plugin remnants), 5 (security headers), 7 (PHP files in uploads), 10 (SPF/DKIM/DMARC) and several others automatically. The PDF report tells you which boxes you're already ticking — and which need attention.