Force Two-Factor Authentication on your WordPress login screen

Enable Two-Factor Authentication on your web hosting account

Google the following to see how to enable it if your host offers it:

site:yourhost.com two factor

For example, if your host is SiteGround, you would Google the following:

site:siteground.com two factor

Enable Two-Factor Authentication on your domain registrar account

…or wherever your domain’s nameservers are pointed to and your DNS records are managed.

Google the following to see how to enable it if your registrar offers it:

site:yourregistrar.com two factor

For example, if your registrar is GoDaddy you should switch to Namecheap, but for now you would Google the following:

site:godaddy.com two factor

Install SSL Certificate and redirect all HTTP traffic to HTTPS

Use a secure managed WordPress host

You need to keep everything up to date, especially plugins or themes with known security vulnerabilities. Managed hosts help automate updates and patch security holes. They also deliver better performance, as they’re optimized specifically for WordPress hosting.

Install and use established security plugin(s)

iThemes Security Pro + Sucuri Security = Best Combo

Use a trusted password manager and make unique passwords for all your accounts

Automate full offsite WordPress backups

Protect yourself with a Proxy or VPN

Always use a VPN when logging into your site from public Wi-Fi; otherwise your login credentials could be compromised.

Add Security Header Protections and block access to wp-config in .htaccess

Add the following code to your website’s .htaccess file to enable security header protections and block access to wp-config as recommended by the Sucuri Security plugin:

<IfModule mod_headers.c>
    Header set X-XSS-Protection "1; mode=block"
    Header always append X-Frame-Options SAMEORIGIN
    Header set X-Content-Type-Options nosniff
</IfModule>

<files wp-config.php>
    order allow,deny
    deny from all
</files>
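Two things worth knowing before you paste that in: the `order`/`deny` directives are Apache 2.2 syntax and only work on Apache 2.4 when mod_access_compat is loaded (the 2.4-native form is `Require all denied`), and `X-XSS-Protection` is ignored by current major browsers, so it does no harm but also adds no protection. After deploying the rules, verify them rather than trusting the file. The following is an added example, not code from the checklist or from the Sucuri plugin: it audits a set of response headers against the three headers above, treats a missing HSTS header as an informational extra (going beyond the page, since the checklist already tells you to force HTTPS), and checks that a direct request for wp-config.php came back as 403. The `SAMPLE_*` header sets are constructed; for a live check you would pass the headers and status code of real responses.

```python
"""Check a response's headers against the .htaccess rules above.

Added example, not from the original checklist. SAMPLE_* are constructed
header sets; for a live check you would pass the headers of a real
response (e.g. requests.head(url).headers) and, for the wp-config rule,
the status code of a request to /wp-config.php, which the <files> block
should turn into a 403.
"""

# header name (lower-case) -> accepted values (lower-case)
RECOMMENDED = {
    "x-frame-options": {"sameorigin", "deny"},
    "x-content-type-options": {"nosniff"},
    # Set by the checklist's .htaccess, but current browsers ignore it,
    # so a missing value is reported as "info", not "warn".
    "x-xss-protection": {"1; mode=block"},
}

# Constructed samples, not captured from a real site.
SAMPLE_HARDENED = {
    "Content-Type": "text/html; charset=UTF-8",
    "X-XSS-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=31536000",
}
SAMPLE_BARE = {"Content-Type": "text/html; charset=UTF-8", "Server": "Apache"}


def audit_headers(headers: dict, scheme: str = "https") -> list:
    """Return (severity, message) findings; an empty list means all good."""
    findings = []
    lower = {k.lower(): v.strip() for k, v in headers.items()}
    for name, accepted in RECOMMENDED.items():
        severity = "info" if name == "x-xss-protection" else "warn"
        value = lower.get(name)
        if value is None:
            findings.append((severity, f"missing {name}"))
        elif value.lower() not in accepted:
            findings.append((severity, f"unexpected {name}: {value!r}"))
    # Beyond the page's three headers: once every HTTP request redirects to
    # HTTPS, HSTS tells browsers to skip the plain-HTTP hop entirely.
    if scheme == "https" and "strict-transport-security" not in lower:
        findings.append(("info", "missing strict-transport-security"))
    return findings


def wp_config_blocked(status_code: int) -> bool:
    """True when a direct request for wp-config.php was refused (HTTP 403)."""
    return status_code == 403


if __name__ == "__main__":
    for severity, message in audit_headers(SAMPLE_BARE):
        print(f"[{severity}] {message}")
    print("wp-config.php blocked:", wp_config_blocked(403))
```

Run it against your own site by replacing the sample dicts with the headers of a real response; anything reported as "warn" means the .htaccess rules are not taking effect (mod_headers missing, file not being read, or a caching layer stripping headers), which is exactly the case a checklist entry on its own will not catch.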

Enable automatic updates for WordPress core

To auto-upgrade WordPress core, add the following line of code to wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', true );

To auto-upgrade WordPress plugins, add the following line of code to wp-config.php:

add_filter( 'auto_update_plugin', '__return_true' );

To auto-upgrade WordPress themes, add the following line of code to wp-config.php:

add_filter( 'auto_update_theme', '__return_true' );
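One caveat a practitioner will hit: `add_filter()` is defined in wp-includes/plugin.php, which is loaded by wp-settings.php, and wp-config.php ends with `require_once ABSPATH . 'wp-settings.php';`. An `add_filter()` call placed above that line therefore fails with an undefined-function error; it has to go below the require, or into a must-use plugin under wp-content/mu-plugins. The `define()` for WP_AUTO_UPDATE_CORE has no such restriction. As an added example (not from the checklist, and not a WordPress tool), here is a small lint that checks a wp-config.php for the three settings above and flags misplaced filter calls. `SAMPLE_CONFIG` is a constructed file, and `lint_wp_config`, `problems` and the regexes are names chosen for this example.

```python
"""Lint a wp-config.php for the three auto-update settings above.

Added example, not part of the original checklist. Reports whether
WP_AUTO_UPDATE_CORE is defined as true, which auto_update_* filters are
present, and any add_filter() call that sits above the
`require_once ABSPATH . 'wp-settings.php';` line. add_filter() lives in
wp-includes/plugin.php, which wp-settings.php loads, so a call above that
line fails with an undefined-function error; such calls must go below it
(or into a must-use plugin under wp-content/mu-plugins).
"""
import re

# Constructed sample config, not a real site's file.
SAMPLE_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'WP_AUTO_UPDATE_CORE', true );
// add_filter( 'auto_update_plugin', '__return_false' );
add_filter( 'auto_update_plugin', '__return_true' );
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
add_filter( 'auto_update_theme', '__return_true' );
"""

LINE_COMMENT_RE = re.compile(r"^\s*(?://|#).*$", re.M)
DEFINE_RE = re.compile(
    r"define\(\s*['\"]WP_AUTO_UPDATE_CORE['\"]\s*,\s*"
    r"(true|false|['\"][^'\"]*['\"])\s*\)", re.I)
FILTER_RE = re.compile(
    r"add_filter\(\s*['\"](auto_update_(?:plugin|theme))['\"]\s*,\s*"
    r"['\"](__return_true|__return_false)['\"]")
SETTINGS_RE = re.compile(
    r"require(?:_once)?\s*\(?\s*ABSPATH\s*\.\s*['\"]wp-settings\.php['\"]")


def lint_wp_config(text: str) -> dict:
    """Return what the config enables and which filter calls are misplaced."""
    text = LINE_COMMENT_RE.sub("", text)  # ignore commented-out lines
    result = {"core_auto_update": None, "filters": {}, "misplaced_filters": []}
    m = DEFINE_RE.search(text)
    if m:
        # true, false or a quoted string such as 'minor'
        result["core_auto_update"] = m.group(1).strip("'\"").lower()
    settings = SETTINGS_RE.search(text)
    settings_pos = settings.start() if settings else len(text)
    for fm in FILTER_RE.finditer(text):
        hook, callback = fm.group(1), fm.group(2)
        result["filters"][hook] = callback == "__return_true"
        if fm.start() < settings_pos:
            result["misplaced_filters"].append(hook)
    return result


def problems(result: dict) -> list:
    """Turn a lint result into human-readable findings."""
    out = []
    if result["core_auto_update"] != "true":
        out.append("WP_AUTO_UPDATE_CORE is not set to true")
    for hook in ("auto_update_plugin", "auto_update_theme"):
        if not result["filters"].get(hook):
            out.append(f"{hook} is not enabled with __return_true")
    for hook in result["misplaced_filters"]:
        out.append(f"add_filter('{hook}') is above the wp-settings.php require "
                   "and would raise an undefined-function error")
    return out


if __name__ == "__main__":
    for line in problems(lint_wp_config(SAMPLE_CONFIG)):
        print(line)
```

On the constructed sample the plugin filter is reported as misplaced while the theme filter, which sits below the require, passes; that is the difference between a config that silently works and one that takes the whole site down with a fatal error.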

Scan for / fix mixed content errors

Scan your site now for free using JitBit’s SSL Check
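JitBit’s checker fetches your live page and looks for http:// subresources. To show what that scan actually involves, here is an added offline example, not JitBit’s code and not from the checklist: it parses HTML you already have, resolves each subresource URL against the page URL (so relative and protocol-relative `//host/...` references resolve to https and are not flagged), skips plain `<a href>` links because navigations are not mixed content, and reports every subresource that would still load over plain HTTP. `SAMPLE_HTML` is constructed, and `MixedContentScanner` and `find_mixed_content` are names chosen for this example. It covers one page's markup only; URLs inside CSS files or inline styles are not scanned.

```python
"""Find mixed content: subresources loaded over http:// on an https:// page.

Added example, not JitBit's tool and not from the original checklist. It
parses HTML you already have (SAMPLE_HTML is constructed) and resolves
each subresource URL against the page URL, so relative and
protocol-relative (//host/...) references count as https and are not
flagged. <a href> links are navigations, not mixed content, and are
skipped on purpose.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# tag -> attributes whose value the browser fetches as a subresource
SUBRESOURCE_ATTRS = {
    "img": ("src", "srcset"),
    "script": ("src",),
    "link": ("href",),
    "iframe": ("src",),
    "source": ("src", "srcset"),
    "video": ("src", "poster"),
    "audio": ("src",),
    "object": ("data",),
    "embed": ("src",),
}

# Constructed page markup; the hosts are example domains, not a real site.
SAMPLE_HTML = """<!doctype html>
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<script src="//cdn.example.net/lib.js"></script>
<script src="/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png"
     srcset="http://example.com/logo-1x.png 1x, https://example.com/logo-2x.png 2x">
<a href="http://example.com/about/">About</a>
<iframe src="https://videos.example.org/embed/demo"></iframe>
</body></html>"""


class MixedContentScanner(HTMLParser):
    def __init__(self, page_url: str):
        super().__init__()
        self.page_url = page_url
        self.findings = []  # (tag, attribute, absolute url)

    def handle_starttag(self, tag, attrs):
        wanted = SUBRESOURCE_ATTRS.get(tag)
        if not wanted:
            return
        for name, value in attrs:
            if name not in wanted or not value:
                continue
            # srcset holds "url descriptor, url descriptor, ..."
            raws = ([p.split()[0] for p in value.split(",") if p.strip()]
                    if name == "srcset" else [value.strip()])
            for raw in raws:
                absolute = urljoin(self.page_url, raw)
                if urlsplit(absolute).scheme == "http":
                    self.findings.append((tag, name, absolute))


def find_mixed_content(html: str, page_url: str) -> list:
    """Return (tag, attribute, url) for every http:// subresource."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML, "https://example.com/"):
        print(f"<{tag} {attr}> {url}")
```

On the sample, the stylesheet, the image and its 1x srcset candidate are reported; the protocol-relative script, the relative jQuery path, the https iframe and the plain link are not. On a real WordPress site the usual culprits are hard-coded http:// URLs in post content and theme options left over from before the SSL certificate was installed.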

Use trusted WordPress plugins and themes

Only use plugins and themes that have many active installs, good reviews, and frequent updates from trustworthy-looking authors.

Delete unused WordPress themes & plugins

They’re dead weight that, if compromised, can still affect your security. Just delete them.

Other Practical WordPress Security tips

If you have any ideas for additional practical WordPress security tips that should be added to the checklist, please share them in the comments below! If you found this checklist useful please do me a favor and share it with your network.