You are viewing this site in a simplified layout because your browser does not yet support CSS Subgrid.


WordPress security checklist

This is a list of security items to check when setting up WordPress websites or web servers for WordPress websites.

I use it for web servers running Debian 10 (Buster), Apache 2.4 and PHP 7.3 or PHP 7.4, and for websites accessible via HTTPS. The list is a work in progress.

Apache HTTP server

  • Disable TLS 1.0 and 1.1
  • Disable AllowOverride globally (default since Apache 2.3.9) and for each site
  • Disable the autoindex module
  • Disable the auth_basic module
  • Disable the TRACE HTTP method (disabled by default in Debian 10) – h5bp snippet
  • Configure security response headers:
    • Disallow MIME sniffing
    • Remove X-Powered-By
    • Configure X-Frame-Options
    • Configure Strict-Transport-Security – h5bp snippet
    • Configure Content-Security-Policy – h5bp snippetmay need adapting
  • Forbid access to files that don’t need to be accessible – h5bp snippet
  • Forbid access to hidden files and directories that don’t need to be accessible – h5bp snippet
  • (for WP) Forbid access to xmlrpc.php if XML-RPC is not needed – snippets
  • (for WP) Forbid access to wp-login.php unless IP is trusted – not always feasible
  • (for WP) Forbid access to wp-login.php if agent uses HTTP/1.* – snippets
  • (for WP) Forbid access to PHP files in wp-content
  • (for WP) Forbid access to PHP files in wp-includes
  • (for WP) Forbid manual uploading of themes and plugins – snippet
  • (for WP) Forbid user enumeration
  • (for WP) Forbid GET requests to core REST API endpoints
  • (for WP) Configure Content-Security-Policy for wp-admin



  • Set DISALLOW_FILE_EDIT to true
  • Set WP_DEBUG_DISPLAY to false
  • Set WP_DEBUG_LOG to true
  • Remove inactive themes except one (fallback)
  • Remove inactive plugins
  • Disable gravatars (one less thing to set CSP for)
  • (via plugin) Require strong passwords for all users
  • (via plugin) Require multi-factor authentication for admins – plugin
  • (via plugin) Disable comments completely if not needed – plugin

Resources and documentation

Possible additions and improvements for the future


  • 2020-07-14
    • Added Mozilla Observatory to resources.