
Locking Down Your WordPress Website: The Must-Do 5-Step Security Checklist



Locking down a WordPress website is a labor of love. Without careful safeguarding, there are numerous access points for cybercriminals to exploit – from uploading malicious code to exploiting vulnerabilities in plugins.

Your website is a valuable asset and needs to be protected. Don’t become one of the many small business or website owners who fall foul of cybercrime every year – follow the steps below to ensure your WordPress site is secure.

The time for action is always now. Let’s get your website protected.

1. Disable File Uploads 

The single most powerful way to secure a WordPress website is to disable file uploads. This prevents malicious individuals and software from uploading anything to your website directly via the web.

Ask yourself – how often does your business need to upload files? If it can be handled in one batch weekly, you may wish to keep uploads disabled until a set point each week. Then you can securely upload your own files without worrying about malicious parties exploiting this vulnerability.


This works perfectly if you have a small team of just a couple of people who create website content.

The most severe website hacks come in the form of uploading a tiny bit of code to your website and executing that code, which could then do a lot of other damage. Examples include:

  • Unzipping files
  • Downloading files from another website
  • Subsequently, changing login permissions & holding the site to ransom

The bottom line: if you stop file uploads, then you can stop malware before it can even infect your website.


Disabling file uploads will also disallow you (or your team) from uploading images and other files via WordPress Media.

If you’re regularly creating new content, then this will be a slight annoyance, because you have to go into your web hosting’s control panel and enable file uploads each time you upload files, and then disable them again.

However, if you’re not uploading content every single day but only a couple of times a week, then the annoyance is definitely worth the increased website security.

2. Installing & Configuring WordFence

One of the problems with WordPress is that the core foundation just doesn’t perform as well as you need it to. It can also be difficult to use – and offers plenty of opportunities for unsuspecting users to make their security problems worse.

Much of the time, there’s no function that allows the site to warn users if they’re making common security errors. Here are some examples of mistakes WordPress won’t prevent you from making:

  • Choosing “admin” (or something similar) as the username. A common, default username makes your site an easy target for hackers, who can attempt to gain unauthorized access to your website by guessing a username and password, but WordPress is happy for you to use default usernames.
  • Having a weak, highly “guessable” or “hackable” password – there are some password strength suggestions, but they’re not as stringent as they should be.
  • Not preventing PHP files from being run inside certain folders. Uploading and running these files is how hackers upload malware which then allows them to gain control of your website.
  • Not using a firewall that monitors and filters incoming web traffic.
  • Not using malware scanning software that can scan the WordPress core files, themes, and plugins for infected files.
  • Not using basic, up-to-date login security measures like two-factor authentication, password strength enforcement, and login limiting to help prevent brute-force attacks.

The list just keeps going. That’s why you need to install WordFence, the best security plugin for WordPress.

And it’s free. Go through the settings carefully and turn on at least all of the recommended ones. Learn more about its additional features to understand how to lock down your website and why WordFence is so effective.

You can use it to secure your website with features like:

  • Firewall
  • Malware Scanner
  • Real-time Threat Intelligence
  • Rate Limiter
  • Preventing PHP Execution in your uploads folder
  • Brute Force Protection
  • Login Security
  • Two-Factor Authentication (2FA)

This is the tool that WordPress should have built-in – but it doesn’t. That’s why installing WordFence today is a no-brainer.

3. Disable PHP Error Reporting & File Editing

PHP’s built-in error reporting shows details about file structure and file paths, which is great if you’re a developer and are trying to troubleshoot issues. But it can be a serious security flaw as it can expose information that can help in hacking your website.

Add the following line to your wp-config.php file so that PHP errors are no longer displayed to visitors.


@ini_set('display_errors', 0);

WordPress comes with a built-in file editor for editing files directly on your server without having to do it on a local computer and then upload it using a tool like FileZilla.

However, that opens up a security hole on your website, as hackers can use this file editing capability to create and edit malicious files on your server. This can be disabled by adding the following to your wp-config.php file.

define( 'DISALLOW_FILE_EDIT', true );
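
One way to confirm both settings are actually in effect, as an added example that is not code from the original article: this Python script reads the text of a wp-config.php file, ignores commented-out copies of the settings, and flags curly quotes pasted from a web page, which PHP does not treat as string delimiters. The function names and both sample files are assumptions constructed for illustration.

```python
import re

# Hardened forms of the two settings from this section (straight quotes only).
CHECKS = {
    "display_errors_off": re.compile(
        r"""ini_set\(\s*['"]display_errors['"]\s*,\s*['"]?(0|off|false)['"]?\s*\)""", re.I),
    "file_edit_disabled": re.compile(
        r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""", re.I),
}
CURLY_QUOTES = re.compile("[\u2018\u2019\u201c\u201d]")


def strip_comments(php):
    """Blank out /* */ blocks and whole-line // or # comments, keeping line numbers.
    Naive on purpose: it does not look inside string literals."""
    php = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group().count("\n"), php, flags=re.S)
    return re.sub(r"(?m)^[ \t]*(//|#).*$", "", php)


def audit_wp_config(php):
    """Report which settings are active and which lines contain curly quotes."""
    code = strip_comments(php)
    report = {name: bool(rx.search(code)) for name, rx in CHECKS.items()}
    # Curly quotes are not string delimiters in PHP, so such a line does not
    # set what it appears to set.
    report["curly_quote_lines"] = [
        n for n, line in enumerate(code.splitlines(), 1) if CURLY_QUOTES.search(line)
    ]
    return report


# Constructed sample: commented-out copies of both settings, then a define
# pasted with curly quotes, then a correct display_errors line.
BROKEN = (
    "<?php\n"
    "/* define( 'DISALLOW_FILE_EDIT', true ); */\n"
    "// @ini_set('display_errors', 0);\n"
    "define( \u2018DISALLOW_FILE_EDIT\u2019, true );\n"
    "@ini_set('display_errors', 0);\n"
)
# Constructed sample: both settings present in their working form.
HARDENED = (
    "<?php\n"
    "@ini_set('display_errors', 0);\n"
    "define( 'DISALLOW_FILE_EDIT', true );\n"
)

if __name__ == "__main__":
    print(audit_wp_config(BROKEN))
    print(audit_wp_config(HARDENED))
```

To audit a real site, pass the contents of its wp-config.php to audit_wp_config instead of the samples.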

4. Themes and Plugins

Themes and plugins need to be kept up-to-date to prevent hackers from exploiting holes in outdated software. However, there’s much more.

Here’s how to take care of your themes and plugins to ensure your WordPress website is properly locked down.

  1. Use only the absolute minimum and must-have plugins on your website. If it looks good, that’s great – but aesthetics alone aren’t a good enough reason to add a plugin. The more you have, the less secure you are.
  2. Sign up for WordFence’s email list. They’ll notify you regularly of vulnerabilities found in leading plugins. If you’re using any that are listed on a security report, take action immediately as per the recommendations.
  3. Turn OFF auto-updates for plugins. While it may seem like a good thing for security on the surface, in reality, auto-updates can sometimes break your website if you let all your plugins update themselves on their own. Plugin updates must be planned in advance and performed intentionally after making a backup of your website. And never do them on the weekends – you’re far less likely to be able to access help if it’s needed.
  4. Use paid versions of plugins that are mission-critical. This includes your eCommerce payment interface, shopping cart, membership plugin, or main theme that creates the look and feel of your website. Paid plugins typically come with timely support and customer service, and you can always pay the developers extra to offer premium support when your site is having issues.

5. Protect Your Premium Content

Did you know that Google has been inadvertently helping pirates steal your content? Shocking, I know. You can’t trust anyone these days.

Here’s a simple search that will shock you (do a Google search with this example below):

Seth Godin Bootstrap filetype:pdf

The first result you’ll see is the PDF of the free eBook The Bootstrapper’s Bible by Seth Godin. Notice that it’s a direct link to the PDF uploaded to WordPress Media. 

Now here’s an even scarier search: filetype:pdf

Google now shows you every single PDF from Seth’s entire website!

Seth Godin’s eBook is free, and he has freely published the download link on his website, so it’s probably not a problem for him. But that’s almost certainly not good for your website.

Your premium PDFs are probably just as exposed right now, and you don’t even know it. Not just PDFs but also videos, audio, XLS, zips & docs, and pretty much any file you’ve ever uploaded to your WP Media Library.

Use plugins like Prevent Direct Access and Password Protect WordPress to secure your WordPress files from both Google and other unauthorized users.
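
To see what is exposed before choosing a plugin, the added example below (not code from the original article) walks a copy of the uploads folder and lists the direct URL each document would be served from, along with any PHP files that should not be in a media folder at all. The extension lists, the function names, the sample file tree and the example.com base URL are assumptions constructed for illustration.

```python
import os
import tempfile
from urllib.parse import quote

# Assumed extension lists: the file types named above, plus PHP variants,
# which have no business in a media folder.
DOCUMENT_EXTS = {".pdf", ".xls", ".xlsx", ".zip", ".doc", ".docx", ".mp3", ".mp4"}
SCRIPT_EXTS = {".php", ".phtml", ".phar"}


def audit_uploads(uploads_dir, base_url):
    """Return direct URLs of document files and relative paths of script files."""
    report = {"direct_urls": [], "scripts": []}
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            rel = os.path.relpath(os.path.join(root, name), uploads_dir)
            rel = rel.replace(os.sep, "/")
            ext = os.path.splitext(name)[1].lower()
            if ext in DOCUMENT_EXTS:
                # Media is served straight from this path, so the URL works for
                # anyone (and any crawler) unless access is restricted.
                report["direct_urls"].append(base_url.rstrip("/") + "/" + quote(rel))
            elif ext in SCRIPT_EXTS:
                report["scripts"].append(rel)
    report["direct_urls"].sort()
    report["scripts"].sort()
    return report


def build_sample_tree(root):
    """Constructed sample: a year/month media layout with one stray PHP file."""
    for rel in ("2024/01/Premium Guide.pdf", "2024/01/cover.jpg",
                "2024/02/pricing.XLSX", "2024/02/cache.php"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        # Placeholder base URL; substitute the site's own uploads URL.
        print(audit_uploads(tmp, "https://example.com/wp-content/uploads/"))
```

Every URL in direct_urls is a candidate for the access restrictions described above, and anything in scripts deserves a closer look.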


A simple Google search for WordPress security measures will yield thousands of articles with numerous ways to secure your website. But they may not offer tried-and-tested solutions with proven track records like WordFence – these are what you need to lock down your website.

Starting with the list provided here will immediately put you ahead of many others who are still neglecting basic security practices.

Make these changes now. As we said – now is always the best time to take action.

Agreed? Good.

Start with a review of the weakest parts of your website (e.g., having “admin” as your username) and work from there. Be thorough, be cautious, be safe!
