WordPress powers 43% of all websites on the internet. That statistic is impressive, and it also explains why WordPress is by far the most targeted platform for cyberattacks: Wordfence's 2024 data recorded more than 90,000 attacks per minute against WordPress sites. Most of those attacks succeed not because they are sophisticated, but because the targeted sites have basic, preventable weaknesses.
This checklist is written specifically for US business owners who run their company on a WordPress site and want to make sure they're not an easy target. You don't need to be a developer to understand it — but some items will require technical help to implement.
Why Your Business Is a Target
If you're a small or medium business, you might think hackers don't care about you. That's a dangerous assumption. Hackers run automated scripts that crawl the entire internet looking for specific vulnerabilities. They don't care if you're a Fortune 500 company or a three-person law firm. If your site has a known vulnerability, it will be exploited.
The consequences of a WordPress hack for a US business include: your Google rankings drop (or you get blacklisted entirely), your customers see malware warnings, you risk HIPAA or PCI-DSS fines if you handle sensitive data, you face potential ADA lawsuit exposure if accessibility was damaged, and rebuilding from scratch typically costs $5,000-$20,000 in emergency developer fees.
The good news: most hacks exploit known, patchable vulnerabilities or weak credentials. A properly maintained WordPress site is a far harder target, and the automated attacks that make up most of the volume simply move on to an easier one.
The Checklist
1. Keep WordPress Core Updated
WordPress ships security fixes as minor releases (for example 6.4.1, 6.4.2). Running an outdated version is the most common entry point for attackers. Since WordPress 3.7 those minor releases install automatically, so the first check is that nobody has switched that off: neither define('WP_AUTO_UPDATE_CORE', false); nor define('AUTOMATIC_UPDATER_DISABLED', true); should appear in wp-config.php. Note that define('WP_AUTO_UPDATE_CORE', true); goes further and installs major releases automatically as well; if you prefer to test major upgrades on a staging copy first, define('WP_AUTO_UPDATE_CORE', 'minor'); keeps only the security and maintenance releases automatic.
Never run a version that is more than one major release behind. Check your version under Dashboard → Updates in wp-admin (or with wp core version if WP-CLI is installed on the server) and compare it with the current release at wordpress.org.
2. Update All Plugins and Themes
Outdated plugins are the leading cause of WordPress hacks. Every plugin you install is additional attack surface, and plugins account for the majority of known WordPress vulnerabilities (55.9% in the Wordfence 2024 report). Keep every plugin and theme updated. Deactivate and delete any plugin or theme you are not actively using: an inactive plugin's files are still on the server, and a PHP file that can be requested directly can still be exploited even though the plugin is not loaded.
3. Use Strong, Unique Passwords on All Accounts
"Admin123" and "password1" are among the most common WordPress credentials still in use today. Every user account on your WordPress site — especially admin accounts — should use a unique, randomly generated password of at least 16 characters. Use a password manager (1Password, Bitwarden) to generate and store these. Never reuse passwords across services.
4. Enable Two-Factor Authentication (2FA)
A strong password can still be stolen through phishing or data breaches on other services. Two-factor authentication means an attacker also needs access to your phone or authenticator app to log in. The Wordfence or WP 2FA plugins add this capability. For any site with sensitive data or e-commerce, 2FA on all admin accounts is non-negotiable.
5. Change the Default Admin Username
WordPress historically defaulted to "admin" as the username, and bots still try that name first. If any of your users is still named "admin", create a new administrator account with a different username, log in as the new account, and delete the old one; WordPress will prompt you to attribute the old account's posts and pages to another user, so nothing is lost. Be aware that a username is not a secret: it appears in author archive URLs and in the public REST API users listing for anyone who has published posts. Renaming the account removes the bots' default guess, and items 3, 4 and 6 are what actually stop a guessed username from becoming a break-in.
6. Limit Login Attempts
By default, WordPress allows unlimited login attempts. This enables "brute force" attacks in which bots try thousands of password combinations against wp-login.php (and against xmlrpc.php, which also accepts credentials). The Wordfence plugin (free tier) or the Limit Login Attempts Reloaded plugin can restrict failed login attempts and temporarily block IP addresses that exceed the limit. One caveat: if your site sits behind Cloudflare or another proxy, configure the plugin to read the visitor's real IP from the proxy header (Wordfence has a setting for this); otherwise every block lands on the proxy's own address rather than the attacker's.
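The brute-force traffic described above leaves an obvious trace in the web server's access log, and looking for it yourself is a useful check that a rate-limiting plugin is actually doing its job. As an added example (not part of the original checklist), the script below counts failed POSTs to wp-login.php (a failed login re-renders the form with HTTP 200, a successful one redirects with 302) plus any POSTs to xmlrpc.php per client IP and prints the addresses that exceed a threshold. The log lines it analyses are constructed sample data; the log path and threshold are assumptions.

```shell
#!/bin/sh
# Added example, not from the original article: find brute-force login sources
# in a combined-format Apache/Nginx access log. Sample log lines are constructed.
set -eu

# Print "count ip" for every client with more than $2 (default 20) failed
# wp-login.php POSTs plus xmlrpc.php POSTs in the log file $1, busiest first.
# Combined-format fields: $1 client IP, $6 "\"METHOD", $7 path, $9 status code.
# A failed wp-login.php POST returns 200 (form re-rendered); success is a 302.
# xmlrpc.php answers 200 either way, so every POST there is counted.
# Caveat: behind Cloudflare or another proxy $1 is the proxy's address; log the
# CF-Connecting-IP / X-Forwarded-For header in that field instead.
find_login_bruteforcers() {
    awk -v limit="${2:-20}" '
        $6 == "\"POST" && (($7 ~ /^\/wp-login\.php/ && $9 == 200) || $7 ~ /^\/xmlrpc\.php/) {
            hits[$1]++
        }
        END { for (ip in hits) if (hits[ip] > limit) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Write a small constructed log to a temp file and print its path:
# 203.0.113.7 fails five logins and then hits xmlrpc.php three times,
# 198.51.100.4 logs in successfully twice, 192.0.2.1 only loads the form.
write_sample_log() {
    f="$(mktemp)"
    for i in 1 2 3 4 5; do
        echo "203.0.113.7 - - [10/Jan/2024:10:00:0$i +0000] \"POST /wp-login.php HTTP/1.1\" 200 1450 \"-\" \"python-requests/2.31\"" >> "$f"
    done
    for i in 1 2 3; do
        echo "203.0.113.7 - - [10/Jan/2024:10:01:0$i +0000] \"POST /xmlrpc.php HTTP/1.1\" 200 370 \"-\" \"python-requests/2.31\"" >> "$f"
    done
    echo "198.51.100.4 - - [10/Jan/2024:10:02:00 +0000] \"POST /wp-login.php HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\"" >> "$f"
    echo "198.51.100.4 - - [10/Jan/2024:11:15:00 +0000] \"POST /wp-login.php HTTP/1.1\" 302 0 \"-\" \"Mozilla/5.0\"" >> "$f"
    echo "192.0.2.1 - - [10/Jan/2024:10:03:00 +0000] \"GET /wp-login.php HTTP/1.1\" 200 1450 \"-\" \"Mozilla/5.0\"" >> "$f"
    echo "$f"
}

# Demo against the constructed log. On a server run, for example:
#   find_login_bruteforcers /var/log/apache2/access.log 20
sample="$(write_sample_log)"
find_login_bruteforcers "$sample" 5
rm -f "$sample"
```

With the threshold at 5 the demo prints only 203.0.113.7 with 8 hits; the two successful logins from 198.51.100.4 and the plain GET are ignored. On a real site, any address that shows up here should already have been blocked by the rate-limiting plugin; if it is still producing hundreds of lines, the plugin is not seeing the real client IP.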
7. Install a Web Application Firewall (WAF)
A WAF inspects requests before they reach WordPress and drops known attack patterns. Cloudflare (free or paid) does this as a reverse proxy: you point your DNS at Cloudflare, and it filters traffic before forwarding it to your server. Wordfence provides an application-level WAF that runs inside PHP on the server itself. Both add a valuable layer, and we recommend using both. One caveat with any proxy-based WAF: it only protects requests that pass through it, so configure your origin server to accept web traffic only from the proxy's published IP ranges; otherwise an attacker who discovers your origin IP bypasses the WAF entirely.
8. Set Up Malware Scanning and File Integrity Checks
Regular malware scanning detects injected code before it does damage. Wordfence (free) scans for known malware signatures and backdoors, and compares your core, plugin and theme files against the official copies on wordpress.org so that any modified file is flagged. Sucuri offers a more comprehensive (paid) scanning service. Schedule automated scans, review alerts promptly, and treat any file change you cannot explain as an incident until proven otherwise. Many hacked sites go undetected for months because no one was checking.
9. Enforce HTTPS Everywhere
Your site should be served over HTTPS with a valid TLS (SSL) certificate. This is a baseline requirement, not optional. Beyond encrypting traffic and login credentials, Google uses HTTPS as a ranking signal. Ensure the certificate is valid and renews automatically, that all HTTP requests are redirected (301) to HTTPS, that the WordPress Address and Site Address under Settings → General use https:// so WordPress generates secure links itself, and that there are no mixed content warnings (HTTP resources loaded on an HTTPS page). Check this with the Why No Padlock tool.
10. Implement Proper File Permissions
WordPress file permissions should follow the principle of least privilege. Directories should typically be 755, files 644, and wp-config.php 600 or even 400. Permissions set to 777 (which some hosting setups apply by default) let any user on the server read, write and execute your files, which on shared hosting means any other customer's compromised site can modify yours. The tighter settings on wp-config.php only work when PHP runs as the file's owner (PHP-FPM per-user pools, suPHP and most managed hosts); if the web server runs as a different user, 640 with the web server's group is the workable equivalent. Ask your hosting provider or developer to verify your permissions.
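The 755/644/600 baseline is easy to check and fix from a shell. The following is an added example, not part of the original checklist: it counts every directory, file and wp-config.php that deviates from the baseline, lists anything world-writable (the 777 and 666 cases), and applies the corrections. The scratch install it builds is constructed test data; run the functions against your real install path instead, as the account that owns the files.

```shell
#!/bin/sh
# Added example, not from the original article: audit WordPress file permissions
# against 755 (directories) / 644 (files) / 600 or 400 (wp-config.php) and fix them.
# make_sloppy_tree builds constructed test data; use your real install path instead.
set -eu

# Print the number of entries under $1 that deviate from the baseline (0 = clean).
count_bad_perms() {
    root="$1"
    dirs=$(find "$root" -type d ! -perm 755 | wc -l)
    files=$(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l)
    cfg=$(find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600 ! -perm 400 | wc -l)
    echo $((dirs + files + cfg))
}

# List world-writable entries explicitly: the 777 / 666 cases the checklist warns about.
list_world_writable() {
    find "$1" -perm -002 ! -type l -print
}

# Apply the baseline. Caveat: 600 on wp-config.php only works when PHP runs as the
# file's owner; if the web server runs as another user, use 640 plus its group.
fix_wp_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Build a deliberately sloppy scratch install (777 directories, a 666 file,
# a world-readable wp-config.php) and print its path.
make_sloppy_tree() {
    t="$(mktemp -d)"
    mkdir -p "$t/wp-content/uploads"
    printf '<?php // DB_PASSWORD lives here\n' > "$t/wp-config.php"
    printf '<?php // Silence is golden.\n' > "$t/wp-content/index.php"
    chmod 777 "$t/wp-content" "$t/wp-content/uploads"
    chmod 666 "$t/wp-content/index.php"
    chmod 644 "$t/wp-config.php"
    echo "$t"
}

# Demo: audit, fix, audit again. On a real site (assumed path):
#   count_bad_perms /var/www/example.com ; fix_wp_perms /var/www/example.com
site="$(make_sloppy_tree)"
echo "before: $(count_bad_perms "$site") deviations"
list_world_writable "$site"
fix_wp_perms "$site"
echo "after:  $(count_bad_perms "$site") deviations"
rm -rf "$site"
```

The audit counts five deviations on the scratch tree (three directories, one file and wp-config.php) and zero after the fix. Run the audit on a schedule: a permission that was correct last month but is 777 today usually means a plugin installer, a migration tool or an intruder changed it.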
11. Secure wp-config.php
Your wp-config.php file contains your database credentials and the authentication keys and salts. WordPress also looks for it one directory above the web root, so move it there if your host allows it: a misconfigured server can then never serve the file over HTTP at all. If it has to stay in the web root, block direct requests to it. On Apache 2.4 add the following to the .htaccess file in the WordPress root:
<Files wp-config.php>
    Require all denied
</Files>
Older Apache 2.2 servers use order allow,deny and deny from all inside the same <Files> block; without the <Files> wrapper those directives deny access to your whole site. On nginx the equivalent is a location = /wp-config.php { deny all; } block in the server configuration.
12. Disable XML-RPC If You Don't Need It
XML-RPC is a legacy WordPress API endpoint (xmlrpc.php) that allows remote connections to your site. It is frequently abused: its pingback method is used for reflected DDoS attacks, and its system.multicall method lets a bot test many passwords in a single request, which sidesteps naive login rate limits. Unless you specifically need it (Jetpack, the WordPress mobile apps and some older remote-publishing tools use it; the REST API does not depend on it), disable it. The Disable XML-RPC plugin does this cleanly through the xmlrpc_enabled filter. Note that this filter only switches off the methods that require authentication; the pingback methods still answer, so for full coverage also block requests to /xmlrpc.php at the web server or WAF.
13. Set Up Automated Backups to Offsite Storage
Backups are your last line of defense. If your site is compromised, you need a clean copy to restore from. Your backups should be: automated (daily minimum, hourly for WooCommerce stores), stored offsite (not on the same server; consider Google Drive, Dropbox or Amazon S3), versioned (keep at least 30 days of backups), and tested (can you actually restore from them?). The offsite copy should also be written with credentials that can add files but not delete them; if the keys stored in WordPress can wipe the bucket, an attacker who owns the site owns the backups too.
The UpdraftPlus plugin (free) or BlogVault (paid, and our preference for clients) provide reliable backup solutions.
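For sites where you control the server, a short script covers the same four requirements without a plugin. This is an added example, not the checklist's own tooling: it dumps the database with WP-CLI, archives wp-content and wp-config.php, refuses to ship an archive that cannot be read back, copies it to S3 with the AWS CLI, and keeps 30 days of local copies. WP_ROOT, BACKUP_DIR and the bucket name are assumed values, and the wp and aws commands must exist on the host for the --run path; the prune and verify functions work on any directory.

```shell
#!/bin/sh
# Added example, not from the original article: a nightly WordPress backup that
# dumps the database with WP-CLI, archives wp-content and wp-config.php, verifies
# the archive, copies it offsite with the AWS CLI and keeps 30 days locally.
# WP_ROOT, BACKUP_DIR and S3_BUCKET are assumed values.
set -eu

WP_ROOT="${WP_ROOT:-/var/www/example.com}"              # assumed install path
BACKUP_DIR="${BACKUP_DIR:-/var/backups/wordpress}"      # assumed local staging dir
S3_BUCKET="${S3_BUCKET:-s3://example-com-wp-backups}"   # assumed bucket name
RETENTION_DAYS=30

# Create one timestamped .tar.gz (SQL dump + wp-content + wp-config.php) in
# BACKUP_DIR and print its path. --add-drop-table makes the dump restore cleanly
# over an existing database.
make_backup() {
    stamp="$(date -u +%Y%m%dT%H%M%SZ)"
    work="$(mktemp -d)"
    wp --path="$WP_ROOT" db export "$work/db.sql" --add-drop-table
    archive="$BACKUP_DIR/site-$stamp.tar.gz"
    tar -czf "$archive" -C "$work" db.sql -C "$WP_ROOT" wp-content wp-config.php
    rm -rf "$work"
    echo "$archive"
}

# A backup nobody can read back is not a backup: fail if tar cannot list it.
verify_backup() {
    tar -tzf "$1" > /dev/null
}

# Push to offsite storage. Use an IAM key that may put objects but not delete
# them, so a compromised server cannot wipe its own backup history.
upload_backup() {
    aws s3 cp "$1" "$S3_BUCKET/" --only-show-errors
}

# Delete local archives in $1 older than $2 days, printing what was removed.
prune_backups() {
    find "$1" -name 'site-*.tar.gz' -type f -mtime +"$2" -print -exec rm -f {} +
}

# Entry point for cron, e.g.  0 2 * * * /usr/local/bin/wp-backup.sh --run
if [ "${1:-}" = "--run" ]; then
    mkdir -p "$BACKUP_DIR"
    archive="$(make_backup)"
    verify_backup "$archive"
    upload_backup "$archive"
    prune_backups "$BACKUP_DIR" "$RETENTION_DAYS"
fi
```

Enable versioning (or object lock) on the bucket so that an overwritten or deleted object can still be recovered, and schedule an actual restore onto a staging server at least quarterly; the verify step only proves the archive is intact, not that the site comes back up from it.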
14. Consider Managed WordPress Hosting
Shared hosting carries more risk than its price suggests. On shared hosting you share a server with hundreds or thousands of other sites, and if the host does not isolate accounts properly, a vulnerable site on the same server can become a path into yours (the 777 permissions from item 10 are exactly how that happens). Managed WordPress hosts like Kinsta, WP Engine and Cloudways provide isolated containers, automated patching and active security monitoring as part of their service.
15. Have an Incident Response Plan
Even the most secure sites can be compromised. Know in advance: Who do you call if your site gets hacked? Do you have a backup you can restore from? Is your hosting provider equipped to help? Do you have a developer on retainer? A care plan with a WordPress agency like Nuvelo means you have someone to call immediately — with incident response built into the service.
The Bottom Line
WordPress security is not a one-time task. It is ongoing maintenance. A site that is secure today can become vulnerable tomorrow when a new vulnerability is disclosed in a plugin you're running. The businesses that avoid expensive hacks are the ones that treat security as a continuous process, not a checkbox.
If you're not confident your site is properly secured, a professional security audit is well worth the investment. We offer a comprehensive security hardening service starting at $800, and it includes everything on this checklist plus server-level configuration that most DIY approaches miss.
Get a Free WordPress Site Audit
We run a full GTmetrix, PageSpeed and security scan and send you a prioritised fix list — completely free, no obligation.
About the author: 8+ years WordPress and Elementor specialist. I manage 50+ sites for US, UK and AU businesses, focusing on performance, security, and reliable maintenance.