WordPress Doctor helps hundreds of sites a year clean up malware and build secure sites.
Based on that experience, we have put together a checklist for running WordPress securely, ordered by importance.
We hope you find it helpful.


The three most important aspects of WordPress security

If these three things are met, 99.9% of WordPress hacks can be prevented.

1 Is your WordPress admin password strong?

Use a password that is a meaningless string of at least 12 characters, mixing single-byte letters, digits and symbols. Whenever possible, use the password WordPress generates automatically.

2 Have you left unused plugins or themes installed? Are there any vulnerabilities in WordPress itself or its plugins?

Leaving unused themes and plugins installed but inactive only adds vulnerability risk: the program files remain on the server even though their functionality is never used.

Please remove any plugins or themes that have been deactivated, and check the ones that remain for vulnerabilities.
We also recommend keeping the number of plugins you use to a minimum.

3 Are there any other sites on the server that do not meet the requirements of 1 and 2?

Even if you take care of the security of only the sites you do not want hacked, a vulnerable site elsewhere on the same server can be hacked or tampered with, and through that site the folders of other domains can be tampered with as well.

Please make sure that the above 1 and 2 are met for all WordPress sites on the same server that share the same root folder.

Five further checks to make WordPress even more secure

4 Have you installed and properly configured security plugins?

Install one of our recommended security plugins, All In One WP Security & Firewall or [Free] WordPress: Malware Scan & Security Plugin [Malware and Virus Detection and Removal], and configure its WordPress security features appropriately.

5 Login Screen Security

To prevent brute-force attacks, in which automated login attempts against the admin screen are made tens of thousands of times to guess the password, we recommend adding a CAPTCHA to the login screen or changing the login screen URL with a plugin such as the one in item 4.

6 Prohibit index display (the function that lists the contents of a folder)

When a folder on the server is accessed, the index function outputs a list of the files in that folder; this can lead search engines to show the folders of vulnerable plugins in their search results.

This gives hackers an easy clue for breaking into your site.
Index display can be prohibited with the plugin from item 4, or by adding the following line to .htaccess:

Options -Indexes

7 Are the file write permissions set properly?

The plugin from item 4 can also check whether the write permissions on WordPress files are set properly.

However, if write permissions are set too tightly, automatic updates of WordPress and plugins may not be applied, or updating may become impossible.

As a rule, never use permission 777; set the permission of all files to 750 or 745, or stricter.
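The following script is an added example (not a WordPress Doctor tool) that audits a WordPress document root for permissions looser than the 750/745 threshold above. It assumes POSIX sh, find(1), and either GNU or BSD stat(1); it only reports, and leaves the chmod to the operator because the right owner and group depend on which user the web server runs as.

```shell
#!/bin/sh
# Added example: flag files and directories under a WordPress root that are
# writable by group or others. Both 750 and 745 clear those write bits, so
# anything listed is looser than the threshold (777 included).

# Print the octal mode of one path (GNU stat first, BSD stat as fallback).
wp_mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# wp_perm_audit DIR
# One "<mode> <path>" line per offending path, sorted.
wp_perm_audit() {
    find "$1" \( -perm -g+w -o -perm -o+w \) -print | sort |
    while IFS= read -r p; do
        printf '%s %s\n' "$(wp_mode_of "$p")" "$p"
    done
}

# wp_perm_violations DIR: number of offending paths (0 means clean).
wp_perm_violations() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# wp_perm_check DIR: exit 0 when clean, 1 when anything is flagged, so it
# can run from cron or a deploy script. Tightening is left to the operator:
# a blanket chmod on a live site must match the web server's user, or
# uploads and automatic updates stop working (see the note above).
wp_perm_check() {
    n=$(wp_perm_violations "$1")
    if [ "$n" -eq 0 ]; then
        echo "OK: no group/other-writable paths under $1"
        return 0
    fi
    echo "WARN: $n path(s) writable by group or others under $1:" >&2
    wp_perm_audit "$1" >&2
    return 1
}

# Constructed usage: wp_perm_check /var/www/html
```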

8 Update WordPress and plugins regularly

The most effective way to prevent vulnerabilities in your WordPress site is to update it regularly.
We advise updating WordPress and plugins every three to six months to keep them current.

However, since updates can break the site, it is safest to take a backup in advance, prepare a test site, and confirm that everything works there before updating the production site.