The 20-Point Security Checklist
- Always-on SSL/TLS: Force HTTPS with 301 redirects and HSTS (Strict-Transport-Security).
- Keep software updated: Core, themes, plugins, server packages.
- Daily offsite backups: Automate; test restores monthly.
- Use a WAF/CDN: Block common exploits, bots, and DDoS.
- Strong passwords + 2FA: For hosting, CMS, email, and SSH.
- Least privilege: Give users only the access they need.
- Disable unused accounts: Remove stale users and keys.
- Limit login attempts: Throttle or use captchas on auth endpoints.
- Secure headers: Add Content-Security-Policy, X-Frame-Options, X-Content-Type-Options, Referrer-Policy.
- Malware scanning: Schedule server and CMS scans; quarantine and alert.
- Least plugin principle: Fewer plugins = smaller attack surface.
- Sanitize uploads: Restrict executable types; scan media directories.
- Protect admin URLs: Rate-limit, IP allowlist, or move/alias admin routes.
- Enforce file permissions: Lock down .env, configs, and uploads; avoid 777.
- Secure DB access: Strong unique credentials; no root logins for apps.
- Use prepared statements: Prevent SQL injection.
- Validate input + escape output: Stop XSS and injection at the edges.
- Bot management: Block obvious scrapers; add robots rules and rate limits.
- Log and alert: Centralize logs; alert on auth anomalies.
- Incident plan: Who to call, what to isolate, how to restore.
Fast win: If you can only do three today, do SSL/HSTS, daily offsite backups, and a WAF. That alone blocks a huge chunk of real-world issues.
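The "limit login attempts" item above is the one most often implemented half-way (per-IP only, so a distributed password spray never trips it). The following is an added example, not code from the original checklist or any particular plugin or WAF: an in-memory sliding-window throttle that counts failures per client IP and per account name, locks either key after a threshold, and records each lockout so it can be forwarded to the alerting pipeline mentioned under "Log and alert". Thresholds, IPs and account names are constructed values.

```python
"""Sliding-window login throttle keyed by client IP and by account (added example).

Not from the original page. Demonstrates the logic a WAF rule, fail2ban jail or
CMS plugin implements; thresholds below are constructed, not recommendations.
"""
from collections import defaultdict, deque


class LoginThrottle:
    def __init__(self, max_attempts=5, window_seconds=300, lockout_seconds=900):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lockout expires
        self.lockout_events = []             # (key, time) pairs worth alerting on

    @staticmethod
    def _keys(ip, username):
        # Throttle both dimensions: one IP hammering many accounts, and many IPs
        # hammering one account (password spraying) both trip a limit.
        return (f"ip:{ip}", f"user:{username.lower()}")

    def is_allowed(self, ip, username, now):
        """Return False while either the IP or the account is locked out."""
        for key in self._keys(ip, username):
            until = self._locked_until.get(key)
            if until is None:
                continue
            if now < until:
                return False
            del self._locked_until[key]  # lockout expired, forget it
        return True

    def record_failure(self, ip, username, now):
        """Count a failed attempt; lock the key once the window holds too many."""
        for key in self._keys(ip, username):
            q = self._failures[key]
            q.append(now)
            while q and q[0] <= now - self.window:  # drop failures outside the window
                q.popleft()
            if len(q) >= self.max_attempts:
                self._locked_until[key] = now + self.lockout
                self.lockout_events.append((key, now))
                q.clear()

    def record_success(self, ip, username):
        """A successful login resets the failure counters (but not an active lockout)."""
        for key in self._keys(ip, username):
            self._failures.pop(key, None)


def simulate():
    """Constructed scenario: five failures for 'admin' from one IP within the window."""
    throttle = LoginThrottle()
    ip = "203.0.113.7"  # constructed address (TEST-NET-3)
    for t in range(100, 105):
        throttle.record_failure(ip, "admin", t)
    return {
        "same_ip_blocked": not throttle.is_allowed(ip, "admin", 105),
        "other_ip_same_account_blocked": not throttle.is_allowed("198.51.100.2", "admin", 105),
        "other_account_allowed": throttle.is_allowed("198.51.100.2", "editor", 105),
        "allowed_after_lockout": throttle.is_allowed(ip, "admin", 104 + 900 + 1),
        "lockouts": throttle.lockout_events,
    }


if __name__ == "__main__":
    for name, value in simulate().items():
        print(f"{name}: {value}")
```

Locking the account key as well as the IP key is what makes a spray from many addresses visible; the `lockout_events` list is the hook for the "alert on auth anomalies" item, since a burst of lockouts across many accounts is a stronger signal than any single one.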
Secure Headers: A Minimal Working Set
Add these headers via your server or .htaccess (tune CSP to your site’s scripts/styles):
# Apache (.htaccess) example
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"
# Example CSP (tighten per site needs)
Header set Content-Security-Policy "default-src 'self'; img-src 'self' data: https:; script-src 'self' https://www.googletagmanager.com https://pagead2.googlesyndication.com; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; font-src 'self' https://fonts.gstatic.com"
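Once the headers are deployed, the check worth running is against an actual response rather than the config file, because a rule in `.htaccess` can be silently ignored or overridden. The script below is an added example, not part of the original page: it parses a raw header block (feed it the output of `curl -sI https://your-site`) and reports headers from the minimal set that are missing or weakened. The two sample responses are constructed; the thresholds (one-year HSTS, no `'unsafe-inline'` in `script-src`) are this example's assumptions.

```python
"""Audit a captured HTTP response for the minimal header set (added example, not from the page)."""
import re

REQUIRED = (
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "referrer-policy",
    "content-security-policy",
)
ONE_YEAR = 31536000  # seconds; the max-age used in the .htaccess example above


def parse_headers(raw: str) -> dict:
    """Turn a raw header block (status line optional) into a lowercase-keyed dict."""
    headers = {}
    for line in raw.splitlines():
        if line.startswith("HTTP/") or ":" not in line:
            continue
        name, _, value = line.partition(":")  # first colon only; CSP values contain colons
        headers[name.strip().lower()] = value.strip()
    return headers


def audit_headers(headers: dict) -> list:
    """Return a list of findings; an empty list means the minimal set is present and sane."""
    findings = []
    for name in REQUIRED:
        if name not in headers:
            findings.append(f"missing: {name}")

    hsts = headers.get("strict-transport-security", "")
    if hsts:
        m = re.search(r"max-age=(\d+)", hsts)
        max_age = int(m.group(1)) if m else 0
        if max_age < ONE_YEAR:
            findings.append(f"weak: HSTS max-age {max_age} < {ONE_YEAR}")
        if "includesubdomains" not in hsts.lower():
            findings.append("weak: HSTS lacks includeSubDomains")

    xcto = headers.get("x-content-type-options")
    if xcto is not None and xcto.lower() != "nosniff":
        findings.append("weak: X-Content-Type-Options is not 'nosniff'")

    csp = headers.get("content-security-policy", "")
    if csp:
        directives = {}
        for part in csp.split(";"):
            tokens = part.split()
            if tokens:
                directives[tokens[0]] = tokens[1:]
        # script-src falls back to default-src when absent
        script_src = directives.get("script-src", directives.get("default-src", []))
        if "'unsafe-inline'" in script_src or "'unsafe-eval'" in script_src:
            findings.append("weak: CSP allows unsafe-inline/unsafe-eval for scripts")
        if "*" in script_src:
            findings.append("weak: CSP script-src allows any origin")
    return findings


# Constructed sample responses (status line plus headers, as curl -sI prints them).
GOOD_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: strict-origin-when-cross-origin
Content-Security-Policy: default-src 'self'; img-src 'self' data: https:; script-src 'self' https://www.googletagmanager.com; style-src 'self' 'unsafe-inline'
"""

WEAK_RESPONSE = """HTTP/1.1 200 OK
Strict-Transport-Security: max-age=300
X-Frame-Options: SAMEORIGIN
X-Content-Type-Options: nosniff
Referrer-Policy: no-referrer-when-downgrade
"""

if __name__ == "__main__":
    for label, raw in (("good", GOOD_RESPONSE), ("weak", WEAK_RESPONSE)):
        print(label, audit_headers(parse_headers(raw)) or "OK")
```

Note that `'unsafe-inline'` in `style-src`, as in the page's CSP, is not flagged: it is a common compromise for themes with inline styles, whereas the same token in `script-src` removes most of the XSS protection the header is there to provide.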
Backups That Actually Save You
- Automate daily backups (files + database) to a different provider/region.
- Keep multiple restore points (7/14/30 days).
- Test a full restore quarterly so you know it really works.
WordPress-Specific Quick Wins
- Change default wp_ table prefix on new installs.
- Disable XML-RPC if not needed; protect wp-login.php.
- Auto-update minor versions; review plugin code quality and last update date.
When Something Looks Off
- Take the site read-only; revoke suspicious credentials; rotate secrets.
- Run malware and integrity scans; compare to last clean backup.
- Patch, restore, and re-enable traffic gradually with monitoring.
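The "compare to last clean backup" step above, and the "scan media directories" item in the checklist, both come down to the same operation: hash every file in the known-good tree, hash the live tree, and diff the two. The following is an added example, not code from the original page or from any scanner: it builds a SHA-256 manifest from a clean copy, reports files modified, added or removed since, and separately flags additions that are executable types inside the uploads directory. The two directory trees are constructed in a temporary directory so the script runs offline; the `wp-content/uploads/` path and the extension list are this example's assumptions.

```python
"""Integrity diff of a live web root against the last clean backup (added example, not from the page)."""
import hashlib
import os
import tempfile

# Assumed list of file types that should never appear under a media directory.
EXECUTABLE_EXT = {".php", ".phtml", ".phar", ".cgi", ".sh"}
UPLOADS_PREFIX = "wp-content/uploads/"  # assumed media path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (always '/'-separated) -> sha256 for every regular file under root."""
    manifest = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def diff_manifests(clean, live):
    """Compare the clean-backup manifest with the live one."""
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "removed": sorted(p for p in clean if p not in live),
    }


def suspicious_additions(report):
    """Added files of an executable type inside the uploads tree: the classic dropped web shell location."""
    return [
        p for p in report["added"]
        if p.startswith(UPLOADS_PREFIX) and os.path.splitext(p)[1].lower() in EXECUTABLE_EXT
    ]


def _write(root, rel, content):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(content)


def demo():
    """Constructed scenario: clean backup vs a live tree with one altered core file and one new upload."""
    with tempfile.TemporaryDirectory() as tmp:
        clean_root = os.path.join(tmp, "clean")
        live_root = os.path.join(tmp, "live")
        for root in (clean_root, live_root):
            _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
            _write(root, "wp-config.php", "<?php define('DB_NAME', 'example');\n")
            _write(root, "wp-content/uploads/2024/photo.jpg", "JFIF-placeholder")
        # Changes present only in the live tree (constructed, not real indicators).
        _write(live_root, "index.php", "<?php require 'wp-blog-header.php'; /* changed */\n")
        _write(live_root, "wp-content/uploads/2024/cache.php", "<?php /* unexpected file */\n")
        report = diff_manifests(build_manifest(clean_root), build_manifest(live_root))
        return report, suspicious_additions(report)


if __name__ == "__main__":
    report, flagged = demo()
    for kind, paths in report.items():
        print(f"{kind}: {paths}")
    print(f"executable additions under uploads: {flagged}")
```

Run `build_manifest` against the restored copy of the last clean backup, not against the live site, and store the manifest with the backup so the comparison does not depend on a tree the intruder may have already touched; in the triage step above, the `modified` list is what decides which files to restore and the `added` list is what goes into the incident notes.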