WP Clinic
Log in Sign up

CHECKLIST

WordPress security checklist for 2026

A practical, no-fluff checklist covering the things that actually reduce your chance of getting hacked. Bookmark it and work through it once, then keep it going.

Updates

  • WordPress core is on the latest version.
  • Every installed plugin and theme is up to date — including ones you've deactivated but not deleted.
  • PHP version is current and supported by your plugins/themes (an outdated PHP version is itself a security risk).

Admin hardening

  • Every admin account uses a unique, strong password (not shared with any other site).
  • No unused or unrecognized admin/editor accounts exist.
  • The default "admin" username isn't in use.
  • Login attempts are rate-limited or otherwise protected against brute force.

Hide your login

  • wp-login.php / wp-admin isn't sitting at a guessable, default URL — a hide-login plugin (or equivalent) moves it somewhere only you know.
  • You know your site's actual current login URL — worth checking, since some hide-login setups get misconfigured after an update.

Backups

  • You have a recent full backup — files and database — stored off the same server as your site.
  • Backups run automatically, not only when you remember to trigger one.
  • You've actually confirmed a backup can be restored, not just that it exists.

Malware scans

  • You run a security scan regularly, not only when something looks wrong.
  • Scanning covers your whole hosting account, not only the WordPress folder — malware planted elsewhere on shared hosting can reinfect your site.
  • You're not running any nulled (pirated) premium plugins or themes — a common source of backdoors.
  • Monitoring is on, so you're alerted to a new issue rather than discovering it weeks later.

Every item on this list is something WP Clinic's free scan and free plugin directly check for — outdated core/plugins/CVEs and your real login URL from the passive scan, and malware/webshells/nulled plugins/backups/monitoring from the deep scan.

Scan your WordPress site free

No signup, no credit card — enter your URL and get a security report in seconds.