WordPress Security Checklist: 10 Things Every Developer Should Lock Down


If you’re working on WordPress websites—whether for clients or your own portfolio—security isn’t optional. Even small oversights can open the door for hackers. This post covers 10 common security problems in WordPress that I’ve seen in real projects, along with how I handle them. Keeping these in check not only protects your site but also builds trust with your clients.

1. XML-RPC Should Be Turned Off

WordPress still supports XML-RPC, but in most cases, it’s not needed. Hackers often use it for brute force attacks or to ping other sites. I usually disable it unless there’s a specific reason to keep it. One quick way: add a rule in the .htaccess file or use a plugin like “Disable XML-RPC”.

2. Stop Directory Listing

Sometimes people forget to turn off directory listing. If it’s left open, anyone can see your folder contents. That can expose plugin names, backups, or other sensitive files. To fix this, just add this to your .htaccess:
Options -Indexes

3. Hide Internal File Paths

If your site throws an error showing a full file path (like /home/username/public_html/…), that’s a problem. Hackers can use that info to plan attacks. In production, I make sure error reporting is turned off. You can do this in your php.ini file or by setting display_errors to “Off” in wp-config.php.

4. Remove Server Signature

Your server might be showing its software version in response headers or error pages. This makes it easier for attackers to find known vulnerabilities. In Apache, I disable it by setting:
ServerSignature Off
ServerTokens Prod
This keeps the server quiet about what it’s running.

5. Guard Against SQL Injection

SQL injection is still one of the top risks. If you’re writing custom queries, always use prepared statements. Also, avoid sketchy plugins. I usually stick with trusted plugin developers and use tools like Wordfence to monitor unusual activity.

6. Defend Against Clickjacking

Clickjacking tricks users into clicking something they didn’t mean to. To prevent this, I use the X-Frame-Options header:
Header always set X-Frame-Options "SAMEORIGIN"
This stops your site from being embedded in someone else’s frame.

7. Don’t Reveal WordPress Version

WordPress puts its version in the site’s source code. If someone knows what version you’re running, they can target known flaws. I remove it by adding this to the theme’s functions.php:
remove_action('wp_head', 'wp_generator');
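To verify that items 1, 2, 4, 6 and 7 above actually took effect, it helps to have a small check that inspects what the server sends back. The script below is an added example (not part of the original post and not a WordPress or plugin API); it runs offline over constructed sample responses, so the paths, headers and bodies in SAMPLE_SITE are made up for illustration.

```python
"""Offline checker for several items of the WordPress hardening checklist."""
import re

# Constructed sample responses: path -> (status, headers, body). Not a real site.
SAMPLE_SITE = {
    "/": (200, {"Server": "Apache/2.4.41 (Ubuntu)", "X-Powered-By": "PHP/7.4.3",
                "Content-Type": "text/html"},
          '<html><head><meta name="generator" content="WordPress 6.2" /></head></html>'),
    "/xmlrpc.php": (405, {"Server": "Apache/2.4.41 (Ubuntu)"},
                    "XML-RPC server accepts POST requests only."),
    "/wp-content/uploads/": (200, {"Server": "Apache/2.4.41 (Ubuntu)"},
                             "<html><head><title>Index of /wp-content/uploads</title></head></html>"),
}


def audit_response(path, status, headers, body):
    """Return a list of checklist findings for a single HTTP response."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    # Item 1: a live xmlrpc.php answers GET with 405 and this banner; a blocked one gives 403/404.
    if path.endswith("/xmlrpc.php") and (status in (200, 405) or "XML-RPC server accepts POST" in body):
        findings.append("1: XML-RPC endpoint is enabled")
    # Item 2: Apache autoindex pages are titled "Index of /...".
    if status == 200 and re.search(r"<title>\s*Index of /", body, re.I):
        findings.append("2: directory listing is enabled")
    # Item 4: with ServerTokens Prod the header is just "Apache"; a slash or parenthesis means a leak.
    server = h.get("server", "")
    if "/" in server or "(" in server:
        findings.append(f"4: Server header reveals version: {server}")
    if "x-powered-by" in h:
        findings.append(f"4: X-Powered-By header reveals PHP version: {h['x-powered-by']}")
    # Item 6: HTML pages should carry X-Frame-Options (or a CSP frame-ancestors directive).
    if h.get("content-type", "").startswith("text/html"):
        if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
            findings.append("6: no X-Frame-Options / frame-ancestors header")
    # Item 7: wp_generator emits this meta tag with the exact WordPress version.
    m = re.search(r'<meta name="generator" content="WordPress ([^"]+)"', body, re.I)
    if m:
        findings.append(f"7: WordPress version disclosed in generator tag: {m.group(1)}")
    return findings


def audit_site(site):
    """Audit every sampled path; returns {path: [findings]}."""
    return {path: audit_response(path, *resp) for path, resp in site.items()}


if __name__ == "__main__":
    for path, found in audit_site(SAMPLE_SITE).items():
        print(path, found or ["ok"])
```

Feeding it real responses only requires replacing SAMPLE_SITE with status, headers and body captured from your own site.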


8. Change the Login URL

Bots and brute-force scripts go straight to /wp-login.php. That’s predictable. I usually install a plugin like WPS Hide Login to change the login page to something unique. It’s a simple trick, but it really helps cut down on login attempts.

9. Review Your robots.txt File

Your robots.txt file might be telling search engines (and attackers) exactly where your admin areas are. Instead of blocking /wp-admin, I prefer using proper noindex headers and keeping robots.txt focused on guiding search engines, not revealing structure.

10. Use Two-Factor Authentication

If someone gets your password, 2FA can stop them from logging in. It’s one of the easiest ways to protect your admin account. I use plugins like Wordfence Login Security or WP 2FA. It’s a must for every serious project I deliver.

Final Thoughts

WordPress security doesn’t have to be complicated, but it should never be ignored. When I build a site, I treat these 10 points as my base checklist. It’s not just about stopping hackers—it’s about building sites that clients can rely on. A secure site always speaks well in a portfolio.

If you’re a developer, I recommend applying these steps to every site you manage. Clients might not notice all the details, but they will notice when something goes wrong. And if you’re someone looking to get a secure WordPress site built, feel free to reach out.
