
WordPress Security Hardening Checklist

The 15-point security audit we run on every managed site. From file permissions to WAF configuration.

Inspirable Editorial, 7 min read

The WordPress security audit we run on every managed site is not a marketing exercise — it is the literal checklist that gets executed during onboarding and re-run quarterly thereafter. The 15 items cover the layers an attacker actually targets: file system, database, login, application, network, and supply chain. Most compromised WordPress sites we inherit have failed three or more of these items. None of them are exotic, and none of them require specialty tooling that a competent host cannot deploy.

The non-negotiables, in the order we check them:

1. File permissions set to 644 for files and 755 for directories, with wp-config.php tightened to 600 (or 640 with the web server's group when PHP does not run as the file's owner). Nothing under the web root is world-writable.
2. Database user privileges restricted to the minimum the site actually needs: a dedicated user scoped to that site's database only, with no global grants and no GRANT OPTION.
3. WordPress salts rotated and stored outside version control. Rotation invalidates every existing session and login cookie, so it is scheduled, not done mid-day.
4. Login URL relocated and protected with rate limiting. Relocation is obscurity; the rate limit is the control, and it has to cover every authentication path, not just wp-login.php.
5. Two-factor authentication enforced for every administrator without exception.
6. Automatic core security releases enabled.
7. Plugin and theme updates tracked through a managed pipeline rather than applied blindly.
8. File integrity monitoring active, with the baseline stored off the web host.
9. A web application firewall tuned for WordPress-specific rules.
10. SSL/TLS enforced with HSTS preload. Preload is effectively permanent for the domain and all of its subdomains, so every subdomain must already serve TLS before the list submission.
11. HTTP security headers, including a tight Content Security Policy and X-Frame-Options.
12. Daily encrypted offsite backups verified by automated restore drills.
13. Separate staging and production environments.
14. An incident response runbook with named escalation contacts.
15. A documented quarterly access review confirming who has admin and why.
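As an added example (not the host's audit tooling and not code from the original page), the script below covers three of the items offline: it audits and fixes the file modes, checks wp-config.php for placeholder or missing salts and for a missing version-control exclusion, and builds and verifies a sha256 file-integrity manifest. It assumes Linux coreutils (find, awk, sha256sum, with shasum as a fallback) and a layout where PHP runs as the owner of wp-config.php; the .gitignore heuristic and the tree that wp_demo_fixture builds are constructed for the demonstration and are not a real site.

```shell
#!/bin/sh
# Added example, not the host's own tooling: offline checks for three of the
# fifteen items (file permissions, wp-config.php hygiene, file integrity).
# Assumes Linux coreutils (find, awk, sha256sum; shasum as fallback) and a
# layout where PHP runs as the owner of wp-config.php, so 600 is the target
# mode (640 with the web-server group is accepted for the other common layout).
set -u

# Exact-mode audit. One finding per line, nothing when clean.
wp_perm_audit() {
    dir=$1
    find "$dir" -type d ! -perm 755 | sed 's/^/DIR     /'
    find "$dir" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/FILE    /'
    find "$dir" -maxdepth 1 -name wp-config.php ! -perm 600 ! -perm 640 \
        | sed 's/^/CONFIG  /'
}

# Applies the checklist modes in place (run after the audit, not instead of it).
wp_perm_fix() {
    dir=$1
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$dir/wp-config.php" ]; then chmod 600 "$dir/wp-config.php"; fi
}

# The eight salts must exist, must not be the installer placeholder, and the
# file must stay out of version control.
wp_config_audit() {
    cfg=$1
    dir=$(dirname "$cfg")
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(grep -E "define\( *'$k'" "$cfg" || true)
        if [ -z "$line" ]; then
            echo "SALT    $k missing"
        elif printf '%s' "$line" | grep -q 'put your unique phrase here'; then
            echo "SALT    $k is the installer placeholder"
        fi
    done
    # Heuristic (assumption): a .git directory beside wp-config.php and no
    # .gitignore entry for it means the secrets are, or will be, committed.
    if [ -d "$dir/.git" ] && ! grep -qx 'wp-config.php' "$dir/.gitignore" 2>/dev/null; then
        echo "VCS     wp-config.php not excluded from version control"
    fi
}

_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Baseline manifest, "hash  ./path" per file, sorted so it diffs cleanly.
# Keep it off the web host; a manifest the attacker can edit proves nothing.
wp_fim_baseline() {
    (cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do _sha256 "$f"; done)
}

# Recomputes the manifest and reports ADDED / CHANGED / REMOVED paths.
# Paths containing whitespace are not handled (assumed absent in a WP tree).
wp_fim_verify() {
    wp_fim_baseline "$1" | awk '
        NR == FNR { old[$2] = $1; next }
        { seen[$2] = 1
          if (!($2 in old))       print "ADDED   " $2
          else if (old[$2] != $1) print "CHANGED " $2 }
        END { for (p in old) if (!(p in seen)) print "REMOVED " p }' "$2" -
}

# Constructed fixture (not a real site): one wrong mode per class, a
# placeholder salt, six missing salts, and a .git directory with no .gitignore.
wp_demo_fixture() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/.git"
    chmod 755 "$site" "$site/wp-content" "$site/.git"
    chmod 777 "$site/wp-content/uploads"
    printf '<?php\n' > "$site/index.php"; chmod 666 "$site/index.php"
    printf '%s\n' '<?php' \
        "define( 'AUTH_KEY',        'put your unique phrase here' );" \
        "define( 'SECURE_AUTH_KEY', 'x3f9Lq2Wv7pB4tYd' );" > "$site/wp-config.php"
    chmod 644 "$site/wp-config.php"
    echo "$site"
}

# Runs every check against the fixture, then simulates an injected backdoor.
wp_audit_demo() {
    site=$(wp_demo_fixture)
    echo "== permissions";  wp_perm_audit "$site"
    echo "== wp-config";    wp_config_audit "$site/wp-config.php"
    wp_perm_fix "$site"
    wp_fim_baseline "$site" > "$site.manifest"
    echo 'eval($_POST["c"]);' >> "$site/index.php"
    echo "== integrity";    wp_fim_verify "$site" "$site.manifest"
    rm -rf "$site" "$site.manifest"
}

# Runs the demo when executed as wp_audit.sh; sourcing only defines functions.
case ${0##*/} in wp_audit.sh) wp_audit_demo ;; esac
```

Save it as wp_audit.sh and run `sh wp_audit.sh` to see the three reports against the fixture; for a real site, point wp_perm_audit and wp_config_audit at the web root, take the wp_fim_baseline output onto the monitoring host, and run wp_fim_verify from there on a schedule so that a CHANGED or ADDED line is an alert rather than something found during the next quarterly pass.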

The checklist matters less than the discipline of running it. We have audited sites that had every plugin a security firm recommended and still got compromised because nobody had reviewed the admin user list in three years and a former contractor was still active. Hardening WordPress is mostly about removing things — extra users, extra plugins, extra writable directories, extra exposed endpoints — and then proving on a schedule that the things you removed have stayed removed. A site that is never re-audited is a site that quietly drifts out of conformance, no matter how clean it looked on launch day.

Inspirable Editorial, enterprise WordPress development since 2012