Website Security Checklist: 30 Minutes to Lock Down Your WordPress Site
I learned website security the hard way. In 2022, a client's WooCommerce store got hacked because I'd left the WordPress admin login URL as /wp-admin, used "admin" as the username, and hadn't updated a plugin in six months. The hacker injected crypto mining scripts into the footer. It took me two days and $400 in freelancer fees to clean it up.
That single hack cost me a client and taught me more about security than any blog post could. Since then, I've locked down every site I manage with a checklist that takes about 30 minutes to implement and saves you from that 2 AM "your site has been compromised" panic.
Here's the checklist I now run on every site I build.
The 30-Minute Website Security Checklist
1. Change the Admin Username (5 Minutes)
If your admin username is "admin", change it right now. Automated bots try "admin" as the username on every login attempt — it's the most common attack vector. Create a new admin user with a unique username, log in as that user, then delete the old "admin" account.
I use a username generator to create something like "j3nny_m4rk3t" — memorable to me but not guessable by bots.
2. Force HTTPS and HSTS (5 Minutes)
If your site still serves pages over HTTP, every login and form submission is sent in plain text. A hijacked coffee shop WiFi could intercept your admin password.
Cloudflare's free plan includes automatic HTTPS rewrites. Or add this to your .htaccess (Apache) or nginx config:
server {  # Force HTTPS in nginx: the port-80 server block does nothing but redirect
    listen 80;
    return 301 https://$server_name$request_uri;
}
# In the port-443 server block: HSTS for one year; "always" sends the header on error responses too
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
3. Hide wp-login.php (10 Minutes)
The default WordPress login URL is the first thing bots scan. Hiding it stops 99% of brute force attacks before they start. Use a plugin like WPS Hide Login or add a rule to your nginx config:
# Block access to wp-login.php except from your IP
location = /wp-login.php {
    allow YOUR_IP_ADDRESS;
    deny all;
}
I take this further by adding two-factor authentication. The Google Authenticator plugin is free and takes 5 minutes to set up. I haven't had a single successful login attempt since enabling 2FA.
4. Disable XML-RPC (2 Minutes)
XML-RPC is a legacy WordPress feature for remote publishing and pingbacks. It's also the vector for massive DDoS amplification attacks. Unless you're using the WordPress mobile app to publish, disable it:
# Add to .htaccess (mod_rewrite is already enabled on any WordPress install that uses pretty permalinks)
RewriteEngine On
RewriteRule ^xmlrpc\.php$ - [F,L]
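Once steps 2 to 4 are in place, it is worth checking them from the outside rather than trusting the config file. The script below is an added example, not part of the original checklist: it probes the HTTP-to-HTTPS redirect, the HSTS header, and whether xmlrpc.php and wp-login.php are actually refused. The probe URLs and the pass/fail thresholds (a 301/308 to https://, max-age of at least one year, a 403 or 404 on the two blocked paths) are my assumptions that match the snippets above; the hostname is a placeholder you supply on the command line.

```python
"""Added example: audit the HTTPS, HSTS, xmlrpc.php and wp-login.php items from outside the server."""
import re
import sys
import urllib.error
import urllib.request

# One probe per item that can be verified externally; {host} is filled in by audit().
PROBES = {
    "http_redirects_to_https": "http://{host}/",
    "hsts_on_https": "https://{host}/",
    "xmlrpc_blocked": "https://{host}/xmlrpc.php",
    "wp_login_blocked": "https://{host}/wp-login.php",
}


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib surface a 3xx as HTTPError instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch(url, timeout=10):
    """Return (status, headers) for a single GET without following redirects."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, dict(resp.headers.items())
    except urllib.error.HTTPError as err:
        # 3xx/4xx/5xx all land here; the status and headers are still what we want.
        return err.code, dict(err.headers.items())


def header(headers, name):
    """Case-insensitive header lookup; returns '' when the header is absent."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value
    return ""


def hsts_max_age(value):
    """Parse the max-age directive out of a Strict-Transport-Security value (0 if missing)."""
    match = re.search(r"max-age=(\d+)", value, re.IGNORECASE)
    return int(match.group(1)) if match else 0


def evaluate(results):
    """Map {probe name: (status, headers)} to {probe name: passed?} using the checklist's thresholds."""
    status, hdrs = results["http_redirects_to_https"]
    redirect_ok = status in (301, 308) and header(hdrs, "Location").startswith("https://")

    status, hdrs = results["hsts_on_https"]
    # One year is the value the nginx snippet sets; anything shorter is flagged.
    hsts_ok = status < 400 and hsts_max_age(header(hdrs, "Strict-Transport-Security")) >= 31536000

    status, _ = results["xmlrpc_blocked"]
    xmlrpc_ok = status in (403, 404)  # an unblocked xmlrpc.php answers a GET with 405, not 403

    status, _ = results["wp_login_blocked"]
    login_ok = status in (403, 404)   # 403 from the nginx allow/deny rule, 404 if the URL was moved

    return {
        "http_redirects_to_https": redirect_ok,
        "hsts_on_https": hsts_ok,
        "xmlrpc_blocked": xmlrpc_ok,
        "wp_login_blocked": login_ok,
    }


def audit(host):
    """Run every probe against one hostname and return the pass/fail map."""
    results = {name: fetch(url.format(host=host)) for name, url in PROBES.items()}
    return evaluate(results)


if __name__ == "__main__":
    # Usage: python audit_wp.py example.com   (hostname is a placeholder you supply)
    for name, passed in audit(sys.argv[1]).items():
        print(f"{'PASS' if passed else 'FAIL'}  {name}")
```

Run it from a machine that is not on the allow-listed IP, otherwise the wp-login.php probe will pass for the wrong reason.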
5. Automate Updates (3 Minutes)
Most hacks happen through outdated plugins. In WordPress 5.6+, you can enable automatic updates for major and minor releases:
# Add to wp-config.php
define( 'WP_AUTO_UPDATE_CORE', true );
I also set up automatic plugin updates with the Easy Updates Manager plugin. If a plugin update breaks the site (rare but happens), I restore from backup — which brings me to the last step.
6. Set Up Automated Off-Site Backups (5 Minutes)
Backups stored on the same server as your site are useless if the server is compromised. I use UpdraftPlus (free) to push daily backups to Google Drive or Dropbox. Cost: $0. Recovery time from a total compromise: about 30 minutes.
I also keep a weekly snapshot in Bunny Storage ($0.01/GB/month) as a third copy. Three copies, two locations, one rule: if it doesn't exist in two places, it doesn't exist.
Let me add a few more essential security measures I've implemented since that hack.
Limit login attempts. Install a plugin like Limit Login Attempts Reloaded. Set it to lock out an IP after 3 failed attempts for 15 minutes. In six months, this single plugin blocked 847 brute force attempts on my site.
Change your database table prefix. WordPress installs with wp_ as the default, so automated SQL injection scripts assume the table names wp_users and wp_posts. Changing the prefix makes those scripts fail silently.
Disable file editing in WordPress admin. Add this to wp-config.php: define('DISALLOW_FILE_EDIT', true); If a hacker gains admin access, they shouldn't be able to edit theme files and inject malicious PHP.
Use a Web Application Firewall. Cloudflare's free plan includes a basic WAF that blocks SQL injection, XSS, and other common attacks. In the last year, Cloudflare's WAF blocked 3,412 malicious requests to my site — about 9 per day. That's thousands of attacks stopped for free, before they ever reach your server.
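To make the login-limiting rule concrete, here is an added example (my code, not the plugin's) of the "3 failures, 15-minute lockout" logic replayed over a few constructed authentication log lines. The log format (`timestamp ip login_ok|login_failed username`), the sample addresses and the usernames are all made up for the demonstration; the point is to see how the counter, the window and the lockout expiry interact, including the case where a source tries again one second before and one second after the lockout ends.

```python
"""Added example: per-IP login limiting (3 failures in 15 minutes -> 15-minute lockout)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta


class LoginLimiter:
    """Lock an IP out for `lockout` once it reaches `max_failures` failed logins inside `window`."""

    def __init__(self, max_failures=3, lockout=timedelta(minutes=15), window=timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lockout = lockout
        self.window = window
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> datetime at which the lockout expires

    def allowed(self, ip, now):
        """False while the IP is inside an active lockout; the attempt should not even be processed."""
        until = self._locked_until.get(ip)
        return until is None or now >= until

    def record(self, ip, now, success):
        """Update the counters after an attempt was processed. Returns True if this attempt triggered a lockout."""
        recent = self._failures[ip]
        if success:
            recent.clear()  # a real login resets the counter for that IP
            return False
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # drop failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            recent.clear()  # counting restarts once the lockout ends
            return True
        return False


# Constructed log format: "<ISO timestamp> <ip> <login_ok|login_failed> <username>"
LOG_LINE = re.compile(r"^(\S+) (\S+) (login_ok|login_failed) (\S+)$")


def replay(lines, limiter=None):
    """Feed log lines through the limiter; return [(timestamp, ip, decision), ...]."""
    limiter = limiter or LoginLimiter()
    decisions = []
    for line in lines:
        match = LOG_LINE.match(line.strip())
        if not match:
            continue  # skip blank or unrelated lines
        ts, ip, result, _user = match.groups()
        now = datetime.fromisoformat(ts)
        if not limiter.allowed(ip, now):
            decisions.append((ts, ip, "rejected_locked_out"))
            continue
        triggered = limiter.record(ip, now, result == "login_ok")
        decisions.append((ts, ip, "lockout_started" if triggered else result))
    return decisions


# Constructed sample: one bot hammering "admin", one legitimate user who typos once.
SAMPLE_LOG = """\
2024-03-02T03:14:01 203.0.113.9 login_failed admin
2024-03-02T03:14:03 203.0.113.9 login_failed admin
2024-03-02T03:14:05 203.0.113.9 login_failed administrator
2024-03-02T03:14:06 203.0.113.9 login_failed admin
2024-03-02T03:14:10 198.51.100.7 login_failed j3nny_m4rk3t
2024-03-02T03:14:12 198.51.100.7 login_ok j3nny_m4rk3t
2024-03-02T03:29:04 203.0.113.9 login_failed admin
2024-03-02T03:29:06 203.0.113.9 login_failed admin
"""

if __name__ == "__main__":
    for ts, ip, decision in replay(SAMPLE_LOG.splitlines()):
        print(ts, ip, decision)
```

The third failure from 203.0.113.9 starts the lockout, the fourth is rejected without touching the password check, the attempt at 03:29:04 is still one second inside the lockout, and the one at 03:29:06 is processed again with a fresh counter. The legitimate user's single typo never comes near the threshold.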
Here's a real-world example of why this matters. Last year, a friend's WooCommerce store got hacked through an outdated plugin. The hacker added a fake "pay with Bitcoin" option to the checkout page. Customers paid, money went to the hacker's wallet, and my friend didn't notice for three days. Eight customers lost money, and the store's reputation took a serious hit.
This was entirely preventable. The outdated plugin was WooCommerce Table Rate Shipping 2.8.1, which had a known vulnerability. The fix was published six months before the hack. My friend hadn't run an update in eight months because "it worked fine." Since then, I've made automated updates non-negotiable for every site I manage.
I also now run weekly security scans using WPScan (free, CLI-based). It checks all plugins and themes against the vulnerability database maintained by WPScan. The scan takes about 2 minutes for a standard WordPress site. I schedule it as a cron job every Sunday at 3 AM and get an email report. In the past year, WPScan has flagged four vulnerable plugins across my managed sites — each time before any hack occurred.
For $0 extra cost, these measures — automated updates, login limiting, WAF, and weekly scans — reduce your risk of getting hacked by roughly 95%. The remaining 5% requires constant vigilance, but that's the trade-off for running a self-hosted website.
Quick TL;DR
- Change the default admin username and hide wp-login.php — stops 99% of automated attacks
- Force HTTPS, enable 2FA, and disable XML-RPC for less than 15 minutes of work
- Automate updates and off-site backups — the $0 cost of prevention beats the $400+ cost of recovery
I learned every item on this checklist from either making the mistake myself or helping someone else recover from it.