WordPress Security Checklist 2026: Complete Guide for UK Businesses
A comprehensive security checklist covering every layer of WordPress protection, from hosting configuration to user permissions, tailored for UK businesses in 2026.
- Cover every security layer from hosting infrastructure through to incident response planning.
- Outdated plugins remain the number one attack vector in 2026 — automated updates are essential.
- UK GDPR obligations make security hardening a legal requirement, not just best practice.
- Two-factor authentication and role-based access control stop most credential-based attacks, but they do not remove the need to patch.
- Regular professional audits catch configuration drift that automated tools miss.
WordPress powers over 40% of all websites, and that market dominance makes it the single most targeted content management system on the internet. For UK businesses, the stakes are particularly high: a compromised website can trigger ICO investigations under UK GDPR, erode customer trust, and cost thousands in emergency recovery fees.
This checklist is not a surface-level overview. It is a systematic, layer-by-layer guide covering every aspect of WordPress security that matters in 2026. Whether you manage one business site or a portfolio of client installations, work through each section methodically to identify and close gaps before attackers find them.
1. Pre-Installation Security: Building on Solid Foundations
Security starts before WordPress is installed. The decisions you make about hosting, server configuration, and database setup determine the baseline resilience of your entire site.
Hosting Environment
- Choose a reputable managed WordPress host. Look for providers that offer server-level firewalls, automated backups, malware scanning, and staging environments. Avoid shared hosting plans where a compromised neighbour site can affect yours.
- Ensure PHP 8.2 or later is active. PHP 8.1 left security support at the end of 2025 and older branches have been unsupported for longer, so running PHP 7.x in 2026 is a critical vulnerability in itself. Check the version actually serving the site with php -v on the server or under Tools > Site Health in the dashboard, not just in the hosting control panel: the CLI and web PHP versions can differ.
- Enable server-level rate limiting. This throttles brute-force attempts before they reach WordPress, reducing load and blocking automated attacks at the infrastructure layer.
- Verify automatic server patching. Your hosting provider should apply operating system and web server security patches without manual intervention.
Database Configuration
- Change the default table prefix. Replace wp_ with a unique prefix during installation. Treat this as a minor obscurity measure: it breaks crude automated SQL injection payloads that hard-code wp_users and wp_options, but anyone with a working injection can read the real table names from information_schema, so it is no substitute for patching.
- Use a dedicated database user. Never use the root database account for WordPress. Create a user with privileges on the WordPress database only: SELECT, INSERT, UPDATE and DELETE for day-to-day operation, plus CREATE, ALTER, INDEX and DROP, which core updates and plugin installs need in order to change the schema. Grant nothing global, and no FILE or PROCESS privilege.
- Restrict database access to localhost. Unless your database server is on a separate host, bind it to 127.0.0.1 so it cannot be reached from external networks, and create the WordPress user as 'wpuser'@'localhost' rather than 'wpuser'@'%' so the credentials are useless from anywhere else.
2. WordPress Core Hardening
Once WordPress is installed, a series of configuration changes dramatically reduce its attack surface. These are not optional tweaks; they are baseline requirements for any business site.
wp-config.php Hardening
- Move wp-config.php above the web root. WordPress will still find it one directory up, but it becomes inaccessible via a direct URL request.
- Set unique authentication keys and salts. Generate fresh keys using the WordPress secret key API and replace the defaults. Rotate these annually or immediately after any suspected compromise; rotating them invalidates every existing login cookie, which forces all users, including an attacker holding a stolen session, to sign in again.
- Disable the file editor. Add define('DISALLOW_FILE_EDIT', true); to prevent anyone from editing theme or plugin files through the WordPress dashboard. If an attacker gains admin access, this removes the quickest route to planting PHP on the server. An administrator can still upload a plugin archive, though; define('DISALLOW_FILE_MODS', true); blocks that as well, at the cost of pushing every update through the command line or a deployment pipeline.
- Force SSL for admin and logins. Add define('FORCE_SSL_ADMIN', true); so that login and dashboard requests arriving over plain HTTP are redirected to HTTPS rather than served.
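The quickest way to catch a wp-config.php that still carries the shipped placeholder salts or lacks the two constants above is to audit it from the shell. The script below is an added example, not code from this page or from WordPress; it assumes the standard define( 'NAME', 'value' ); layout that WordPress writes, and the "hardened" sample it generates is constructed for the demonstration only.

```shell
#!/bin/sh
# Added example: audit a wp-config.php for placeholder salts and missing hardening constants.
# Assumes the define( 'NAME', 'value' ); layout that WordPress ships.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# audit_wp_config FILE
# Prints one finding per line; returns 1 if anything needs fixing, 0 if clean.
audit_wp_config() {
    cfg=$1
    rc=0
    for key in $WP_SALT_KEYS; do
        # pull the string literal assigned to this key (empty if the define is absent)
        val=$(sed -n "s/.*define( *'$key', *'\([^']*\)'.*/\1/p" "$cfg" | head -n 1)
        if [ -z "$val" ] || [ "$val" = "put your unique phrase here" ] || [ ${#val} -lt 32 ]; then
            echo "WEAK SALT: $key is missing, still the shipped placeholder, or shorter than 32 characters"
            rc=1
        fi
    done
    if ! grep -Eq "define\( *'DISALLOW_FILE_EDIT', *true *\)" "$cfg"; then
        echo "MISSING: define( 'DISALLOW_FILE_EDIT', true );"
        rc=1
    fi
    if ! grep -Eq "define\( *'FORCE_SSL_ADMIN', *true *\)" "$cfg"; then
        echo "MISSING: define( 'FORCE_SSL_ADMIN', true );"
        rc=1
    fi
    return $rc
}

# write_sample_config FILE weak|hardened
# Writes a constructed wp-config.php fragment so the audit can be exercised offline.
# The "hardened" salts come from /dev/urandom here; on a real site paste the output of
# https://api.wordpress.org/secret-key/1.1/salt/ instead.
write_sample_config() {
    out=$1
    mode=$2
    {
        echo "<?php"
        echo "\$table_prefix = 'wp_';"
        for key in $WP_SALT_KEYS; do
            if [ "$mode" = weak ]; then
                printf "define( '%s', 'put your unique phrase here' );\n" "$key"
            else
                printf "define( '%s', '%s' );\n" "$key" "$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 64)"
            fi
        done
        if [ "$mode" = hardened ]; then
            echo "define( 'DISALLOW_FILE_EDIT', true );"
            echo "define( 'FORCE_SSL_ADMIN', true );"
        fi
    } >"$out"
}

# Demo on the constructed samples. Live use: audit_wp_config /var/www/wp-config.php
demo=$(mktemp)
write_sample_config "$demo" weak
echo "== constructed weak config =="
audit_wp_config "$demo" || echo "-> needs fixing (exit status 1)"
write_sample_config "$demo" hardened
echo "== constructed hardened config =="
audit_wp_config "$demo" && echo "-> clean (exit status 0)"
rm -f "$demo"
```

Run it as the user that owns wp-config.php, since the 440 or 400 permissions recommended below stop anyone else reading the file. The 32-character floor is a sanity check, not a standard: the secret-key service issues 64-character values.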
File Permissions
- Directories should be set to 755 (or 750 on stricter hosts).
- Files should be set to 644 (or 640).
- wp-config.php should be set to 440 or 400 so that only the web server's user, or its group, can read it. 400 is correct only when PHP runs as the file's owner; on hosts where PHP runs under a shared group, use 440.
- The .htaccess file should be 444 after final configuration.
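Applying those modes by hand across a few thousand files is error-prone, so here is an added example (not code from this page) that sets them in one pass and then lists anything still looser than the baseline. It assumes GNU or BSD find and chmod, that you run it as the file owner or root, and that wp-config.php sits either in the web root or one directory above it, as recommended earlier.

```shell
#!/bin/sh
# Added example: apply the baseline permissions above to a WordPress tree and report anything
# still looser than that. Assumes GNU or BSD find/chmod; run as the file owner (or root).

# harden_wp_permissions WP_ROOT
harden_wp_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php may live in the web root or one directory above it
    for cfg in "$root/wp-config.php" "$root/../wp-config.php"; do
        if [ -f "$cfg" ]; then chmod 440 "$cfg"; fi
    done
    # lock .htaccess only once you have finished editing it
    if [ -f "$root/.htaccess" ]; then chmod 444 "$root/.htaccess"; fi
    return 0
}

# find_loose_permissions WP_ROOT
# Lists anything group- or world-writable, any executable file, and a world-readable wp-config.php.
# Prints nothing when the tree matches the baseline.
find_loose_permissions() {
    root=$1
    find "$root" \( -perm -g=w -o -perm -o=w \) -print
    find "$root" -type f -perm -u=x -print
    find "$root" -maxdepth 1 -name wp-config.php -perm -o=r -print
}

# Demo on a constructed tree with deliberately loose permissions
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
printf '<?php\n' >"$demo/wp-config.php"
printf 'Options -Indexes\n' >"$demo/.htaccess"
printf '' >"$demo/wp-content/uploads/photo.jpg"
chmod -R 777 "$demo"
echo "before:"; find_loose_permissions "$demo"
harden_wp_permissions "$demo"
echo "after (should be empty):"; find_loose_permissions "$demo"
rm -rf "$demo"
# Live: harden_wp_permissions /var/www/html && find_loose_permissions /var/www/html
```

Run find_loose_permissions on its own as part of the weekly checks: a file that has turned world-writable or executable since the last run is worth a closer look, because legitimate updates do not change modes.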
Disable XML-RPC
XML-RPC is a legacy protocol that allows remote publishing and pingbacks. It is also a well-known vector for brute-force amplification: its system.multicall method lets a single request carry hundreds of credential guesses, which sidesteps login-form rate limits, and pingback.ping can be abused to make your server fire requests at third parties. Unless you rely on the WordPress mobile app or Jetpack features that require it, disable XML-RPC entirely via your .htaccess file (or the equivalent nginx rule) or a security plugin, and confirm that a POST to /xmlrpc.php now returns 403. The REST API covers the same remote-publishing use cases with proper per-request authentication, so a modern setup loses nothing.
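For the .htaccess route, the following added example (not code from this page or from WordPress) appends an Apache 2.4 deny rule exactly once and gives you a curl probe to confirm the endpoint is refused. It assumes .htaccess overrides are enabled for the site (AllowOverride) and that you run it before locking .htaccess to 444.

```shell
#!/bin/sh
# Added example: append an Apache 2.4 rule that denies all requests to xmlrpc.php, plus a curl
# probe to confirm the block. Assumes AllowOverride permits .htaccess rules and that this runs
# before .htaccess is locked to 444. The nginx equivalent, inside the server block, is:
#   location = /xmlrpc.php { deny all; }

XMLRPC_RULE='# BEGIN block-xmlrpc
<Files "xmlrpc.php">
    Require all denied
</Files>
# END block-xmlrpc'

# block_xmlrpc_htaccess WP_ROOT
# Idempotent: the rule is appended once, identified by its BEGIN marker.
block_xmlrpc_htaccess() {
    ht="$1/.htaccess"
    if [ -f "$ht" ] && grep -q '^# BEGIN block-xmlrpc' "$ht"; then
        echo "xmlrpc rule already present in $ht"
        return 0
    fi
    printf '%s\n' "$XMLRPC_RULE" >>"$ht"
    echo "xmlrpc rule added to $ht"
}

# xmlrpc_blocked SITE_URL
# Returns 0 if a POST to /xmlrpc.php is refused with 403, 1 otherwise. Needs network access.
xmlrpc_blocked() {
    code=$(curl -s -o /dev/null -w '%{http_code}' -X POST \
        -H 'Content-Type: text/xml' \
        --data '<methodCall><methodName>system.listMethods</methodName></methodCall>' \
        "$1/xmlrpc.php")
    echo "POST $1/xmlrpc.php -> HTTP $code"
    [ "$code" = 403 ]
}

# Demo on a constructed web root (no network needed); the second call is a no-op
demo=$(mktemp -d)
printf 'Options -Indexes\n' >"$demo/.htaccess"
block_xmlrpc_htaccess "$demo"
block_xmlrpc_htaccess "$demo"
cat "$demo/.htaccess"
rm -rf "$demo"
# Live: block_xmlrpc_htaccess /var/www/html; then xmlrpc_blocked https://example.co.uk
```

A server-level deny is preferable to the PHP-side approach (add_filter('xmlrpc_enabled', '__return_false') in a plugin), because that filter only refuses authenticated methods: the endpoint still parses every request and pingback.ping still runs, so the amplification and pingback abuse described above remain possible.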
3. User Management and Access Control
Compromised credentials are the second most common entry point after outdated plugins. Strong user management policies remove most of that risk.
Password and Authentication Policies
- Enforce strong passwords. Require a minimum of 16 characters with a mix of upper case, lower case, numbers, and symbols. WordPress includes a built-in password strength meter and generates strong passwords by default on the profile screen, but it does not reject weak ones, so use a plugin that enforces the policy rather than merely suggesting it.
- Mandate two-factor authentication (2FA). Every user with editor-level access or above must use 2FA. Time-based one-time passwords (TOTP) via an authenticator app are the reliable baseline; hardware security keys (WebAuthn), where your 2FA plugin supports them, are stronger still, because a proxied phishing page cannot replay them, whereas a TOTP code can be relayed in real time. Avoid SMS-based 2FA, which is vulnerable to SIM-swapping attacks.
- Limit login attempts. Throttle after five failed attempts within a ten-minute window, keyed on both source IP and targeted username. Prefer a temporary throttle to a hard account lock: a hard lock lets an attacker lock your own administrators out simply by guessing wrong on purpose. Make sure the limit also covers XML-RPC and REST API authentication, which never touch the login form.
- Change the default login URL. Moving /wp-admin and /wp-login.php to a custom path cuts the volume of automated bot traffic noticeably, but it is obscurity rather than a control: the original endpoints remain discoverable from the site's own output, so keep the rate limiting and 2FA above regardless.
Role-Based Access Control
- Apply the principle of least privilege: give each user only the permissions they need to perform their role.
- Audit user accounts monthly. Remove inactive accounts, downgrade roles that have been over-provisioned, and verify that no unknown administrator accounts exist.
- Never share login credentials between team members. Each person should have their own account for accountability and audit trails.
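The monthly account audit is easy to automate once you keep a list of who is supposed to hold the administrator role. The script below is an added example, not code from this page or from WP-CLI; it assumes WP-CLI is installed on the server, and the CSV embedded in it is a constructed sample of what wp user list --role=administrator --format=csv prints.

```shell
#!/bin/sh
# Added example: compare the administrator list exported by WP-CLI against the logins that are
# approved to hold that role. Assumes WP-CLI; the CSV below is a constructed sample of
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv

# audit_admins EXPECTED_LOGINS_FILE  < csv
# EXPECTED_LOGINS_FILE holds one approved login per line. Prints a finding per problem and
# returns 1 if there is any; returns 0 when every administrator is approved and none is "admin".
# Logins and emails never contain commas, so a plain IFS split is safe here.
audit_admins() {
    expected=$1
    findings=$(tail -n +2 | while IFS=, read -r id login email registered; do
        if ! grep -qxF -- "$login" "$expected"; then
            echo "UNKNOWN ADMIN: $login (id $id, $email, registered $registered)"
        fi
        if [ "$login" = admin ]; then
            echo "DEFAULT LOGIN: rename '$login' (id $id); automated guessing starts with this name"
        fi
    done)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Constructed sample export: three administrators, one of them created recently and unexpected
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,admin,owner@example.co.uk,2019-03-02 10:11:12
4,jane.smith,jane@example.co.uk,2022-07-19 09:00:00
57,wpsupport,wpsupport@mail.example,2026-01-14 03:12:45'

# Demo: only jane.smith is approved, so the other two accounts are flagged
expected=$(mktemp)
echo jane.smith >"$expected"
printf '%s\n' "$SAMPLE_ADMINS" | audit_admins "$expected" || echo "-> review needed (exit status 1)"
rm -f "$expected"
# Live: wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv \
#         | audit_admins /etc/wordpress/approved-admins.txt
```

Keep the approved-logins file outside the web root and under version control, so that adding an administrator is a visible, reviewed change rather than a dashboard click nobody remembers.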
4. Plugin and Theme Security
Plugins and themes are the largest attack surface in any WordPress installation. Every plugin is third-party code running with full access to your database and file system.
- Audit every installed plugin. Remove any plugin that is inactive, abandoned (no update in 12 months), or duplicates functionality already provided by another plugin. Each plugin is a potential vulnerability.
- Enable automatic updates for plugins and themes. WordPress 6.x supports granular auto-update settings. Enable them for all plugins and test on a staging environment first if you are concerned about compatibility.
- Only install plugins from the official WordPress repository or verified commercial sources. Nulled (pirated) plugins are the most common delivery method for backdoors and malware.
- Use a vulnerability database. Services like WPScan or Patchstack maintain databases of known plugin vulnerabilities. Subscribe to alerts so you are notified when a plugin you use is affected.
- Keep your theme minimal. Use a well-maintained theme from a reputable developer. If you use a child theme, ensure the parent theme is actively updated. Remove all unused themes, keeping only the active theme and one default WordPress theme as a fallback.
5. Database Security and Backups
Your database contains every piece of content, every user record, and every configuration setting. Protecting it is non-negotiable.
- Schedule automated daily backups. Store backups in at least two separate locations: one off-site (such as Amazon S3, Google Cloud Storage, or a dedicated backup service) and one local or on a different server.
- Test backup restoration quarterly. A backup you have never tested is not a backup. Spin up a staging environment, restore the backup, and verify that the site functions correctly.
- Encrypt backup files at rest and in transit. Backup files contain sensitive data including password hashes and personal information. Encryption ensures they remain protected even if the storage location is compromised.
- Restrict phpMyAdmin access. If your host provides phpMyAdmin, restrict access by IP address or disable it entirely and use command-line tools or a secure local client instead.
6. SSL/HTTPS Enforcement
In 2026, HTTPS is not optional. Browsers flag non-HTTPS sites as insecure, search engines penalise them, and transmitting any form data without encryption violates UK GDPR principles.
- Install a valid SSL certificate. Most managed hosts include free certificates via Let's Encrypt, renewed automatically, and that is the right default for e-commerce too: mainstream browsers stopped displaying any special indicator for Extended Validation (EV) certificates years ago, so EV adds cost without a security or trust benefit. Put the effort into renewal monitoring instead; an expired certificate is the HTTPS failure your customers will actually see.
- Force HTTPS site-wide. Set up a server-level 301 redirect from HTTP to HTTPS for all pages. Update the WordPress site URL and home URL settings to use https://.
- Enable HSTS headers. HTTP Strict Transport Security tells browsers to only connect via HTTPS, preventing protocol downgrade attacks. Set max-age to at least one year (31536000 seconds). Add includeSubDomains only once every subdomain serves HTTPS, and treat the preload directive as a one-way door: a preloaded domain is hard to remove from browser lists if you later need plain HTTP anywhere under it.
- Check for mixed content. Use the browser developer console or an online scanner to identify any resources (images, scripts, stylesheets) still loading over HTTP. Fix all mixed content warnings; old post content usually needs a search-and-replace of http:// to https:// across the database.
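Each of those three items can be verified from the command line against the raw responses, which is more reliable than eyeballing a browser padlock. The script below is an added example, not code from this page; the response headers and HTML it contains are constructed samples, and the curl commands in its comments are how you would feed it a live site.

```shell
#!/bin/sh
# Added example: offline checks for the HTTPS items above, each reading what curl would return
# on stdin. Header and HTML samples are constructed. Live usage:
#   curl -sI https://example.co.uk/ | check_hsts
#   curl -sI http://example.co.uk/  | check_https_redirect
#   curl -s  https://example.co.uk/ | find_mixed_content

Q="'"

# check_hsts < response-headers
# Passes only if Strict-Transport-Security is present with max-age of at least one year.
check_hsts() {
    hdr=$(tr -d '\r' | grep -i '^strict-transport-security:' | head -n 1)
    if [ -z "$hdr" ]; then
        echo "FAIL: no Strict-Transport-Security header"
        return 1
    fi
    lower=$(printf '%s' "$hdr" | tr 'A-Z' 'a-z')
    age=$(printf '%s' "$lower" | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
    if [ -z "$age" ] || [ "$age" -lt 31536000 ]; then
        echo "FAIL: max-age is '${age:-unset}', needs at least 31536000 (one year)"
        return 1
    fi
    case "$lower" in
        *includesubdomains*) ;;
        *) echo "WARN: includeSubDomains not set; subdomains remain downgradable" ;;
    esac
    echo "OK: $hdr"
    return 0
}

# check_https_redirect < response-headers-for-the-http-url
# Passes if the plain-HTTP response is a permanent redirect to an https:// location.
check_https_redirect() {
    hdrs=$(tr -d '\r')
    status=$(printf '%s\n' "$hdrs" | head -n 1 | awk '{print $2}')
    loc=$(printf '%s\n' "$hdrs" | grep -i '^location:' | head -n 1 | awk '{print $2}')
    case "$status" in
        301|308) ;;
        *) echo "FAIL: HTTP status $status, expected a 301/308 redirect"; return 1 ;;
    esac
    case "$loc" in
        https://*) echo "OK: $status -> $loc"; return 0 ;;
        *) echo "FAIL: redirect target '$loc' is not https://"; return 1 ;;
    esac
}

# find_mixed_content < html
# Prints each script, image, media or stylesheet reference still loaded over plain http://.
# Ordinary <a href="http://..."> links are not mixed content and are ignored.
find_mixed_content() {
    grep -oiE "<(img|script|iframe|source|video|audio)[^>]*src=[\"$Q]http://[^\"$Q]+|<link[^>]*href=[\"$Q]http://[^\"$Q]+" | sort -u
}

# Constructed samples
SAMPLE_HEADERS_WEAK='HTTP/2 200
server: nginx
strict-transport-security: max-age=300
content-type: text/html; charset=UTF-8'

SAMPLE_HEADERS_GOOD='HTTP/2 200
server: nginx
strict-transport-security: max-age=31536000; includeSubDomains
content-type: text/html; charset=UTF-8'

SAMPLE_REDIRECT='HTTP/1.1 301 Moved Permanently
Server: nginx
Location: https://example.co.uk/
Content-Length: 0'

SAMPLE_HTML='<html><head>
<link rel="stylesheet" href="http://cdn.example/style.css">
<script src="https://cdn.example/app.js"></script>
</head><body>
<img src="http://example.co.uk/wp-content/uploads/logo.png">
<a href="http://partner.example/">partner</a>
</body></html>'

echo "== HSTS (weak sample) =="; printf '%s\n' "$SAMPLE_HEADERS_WEAK" | check_hsts
echo "== HSTS (good sample) =="; printf '%s\n' "$SAMPLE_HEADERS_GOOD" | check_hsts
echo "== redirect =="; printf '%s\n' "$SAMPLE_REDIRECT" | check_https_redirect
echo "== mixed content =="; printf '%s\n' "$SAMPLE_HTML" | find_mixed_content
```

find_mixed_content only sees the HTML as delivered; resources injected by JavaScript at runtime still need the browser console, so use both.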
7. Monitoring, Scanning, and Threat Detection
Prevention is critical, but detection is equally important. A security event you discover in hours causes far less damage than one you discover in weeks.
Web Application Firewall (WAF)
A WAF inspects incoming traffic and blocks malicious requests before they reach your WordPress installation. Options range from cloud-based services like Cloudflare and Sucuri to plugin-based solutions. A cloud WAF only helps if attackers cannot go around it: restrict the origin server to accept web traffic from the WAF's published IP ranges, and check that the origin's real address has not leaked through DNS history or outgoing email headers. For UK businesses handling customer data, a WAF is a practical necessity. Our WordPress security retainer includes WAF configuration and monitoring as standard.
Malware Scanning
- Run automated malware scans at least daily. Configure your security plugin to scan file integrity, database content, and outbound links. Verify core files against the checksums WordPress.org publishes (wp core verify-checksums with WP-CLI) so that a modified core file is caught even if the plugin's own signature database misses it.
- Set up email or Slack alerts for scan failures or detected threats so your team can respond immediately.
- Supplement automated scans with periodic manual reviews, especially after significant plugin updates or changes to site functionality.
Uptime and Availability Monitoring
- Use an external uptime monitoring service that checks your site every one to five minutes. Sudden downtime can indicate an active attack or a compromised server.
- Monitor server resource usage. Unexpected CPU or memory spikes may indicate crypto-mining malware or a DDoS attack in progress.
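Alongside the scanners, the web server's own access log is the cheapest detector you have, and it is also what the monthly "review server access logs" task below means in practice. The script that follows is an added example, not code from this page; the log lines in it are constructed, and it assumes the common/combined format that Apache and nginx write by default, plus the fact that a failed wp-login.php POST returns 200 while a successful one returns a 302 redirect.

```shell
#!/bin/sh
# Added example: pick out brute-force login activity from a web server access log in the
# common/combined format that Apache and nginx write by default. Log lines are constructed.
# Assumptions: a POST to wp-login.php that returns 200 is a failed login (success returns 302),
# and a POST to xmlrpc.php returning 200 is at least one credential guess (with system.multicall
# it can be hundreds, so use a lower threshold for that endpoint).

# flag_login_bruteforce THRESHOLD < access.log
# Prints one line per client IP that made THRESHOLD or more failed login POSTs inside any
# fixed ten-minute window (the window the lockout policy above uses).
flag_login_bruteforce() {
    awk -v thr="$1" '
        $6 == "\"POST" && $9 == 200 && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            # $4 looks like [10/Jan/2026:10:04:09 ; characters 2-17 are day, hour and tens of minutes
            bucket = substr($4, 2, 16)
            n[$1, bucket]++
            if (n[$1, bucket] > peak[$1]) {
                peak[$1] = n[$1, bucket]
                when[$1] = bucket "0"
            }
        }
        END {
            for (ip in peak)
                if (peak[ip] >= thr)
                    printf "%s: %d failed login POSTs in the ten-minute window starting %s\n", ip, peak[ip], when[ip]
        }
    ' | sort
}

# Constructed log: a scripted attacker, a legitimate login, and a small XML-RPC probe
SAMPLE_LOG='203.0.113.7 - - [10/Jan/2026:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4218 "-" "python-requests/2.32"
203.0.113.7 - - [10/Jan/2026:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4218 "-" "python-requests/2.32"
203.0.113.7 - - [10/Jan/2026:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4218 "-" "python-requests/2.32"
203.0.113.7 - - [10/Jan/2026:10:02:44 +0000] "POST /wp-login.php HTTP/1.1" 200 4218 "-" "python-requests/2.32"
203.0.113.7 - - [10/Jan/2026:10:04:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4218 "-" "python-requests/2.32"
203.0.113.7 - - [10/Jan/2026:10:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 4218 "-" "python-requests/2.32"
198.51.100.20 - - [10/Jan/2026:10:03:12 +0000] "GET /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Jan/2026:10:03:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Jan/2026:11:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Jan/2026:11:00:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.99 - - [10/Jan/2026:11:00:07 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"'

echo "== threshold 5 (the lockout policy above) =="
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 5
echo "== threshold 3 (stricter; also catches the XML-RPC probe) =="
printf '%s\n' "$SAMPLE_LOG" | flag_login_bruteforce 3
# Live: flag_login_bruteforce 5 < /var/log/nginx/access.log
```

The fixed ten-minute buckets are a deliberate simplification: a burst that straddles a boundary (10:09 to 10:11) is split across two buckets and can slip under the threshold, which is acceptable for a daily review but not for a real-time lockout. Behind a WAF or reverse proxy, log and key on the X-Forwarded-For client address instead of $1, otherwise every request appears to come from the proxy.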
8. Incident Response Preparation
No security posture is impenetrable. Having a documented incident response plan ensures that when a breach occurs, your team reacts quickly and methodically instead of scrambling.
- Document your response procedure. Include steps for containment (taking the site offline or into maintenance mode), evidence preservation (full backup before cleanup), eradication (removing malware and closing the entry point), and recovery (restoring from a clean backup and re-hardening).
- Maintain a contact list. Include your hosting provider's emergency support line, your security team or professional recovery service, your domain registrar, and your ICO notification contact.
- Know your GDPR notification obligations. Under UK GDPR, you must report a personal data breach to the ICO without undue delay and within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; record your assessment either way, because you must be able to show why you did or did not notify. If the breach poses a high risk to individuals, you must also notify affected data subjects directly.
- Practise the plan. Run a tabletop exercise at least once a year. Walk through a hypothetical breach scenario and identify gaps in your process.
If your site has already been compromised, our WordPress malware removal service provides emergency cleanup with a fixed-fee guarantee and no hidden costs.
9. GDPR and UK Data Protection Considerations
For UK businesses, WordPress security is directly tied to legal compliance. The UK GDPR and the Data Protection Act 2018 require you to implement appropriate technical and organisational measures to protect personal data.
- Conduct a data mapping exercise. Identify every place your WordPress site collects, stores, or processes personal data: contact forms, user registrations, WooCommerce orders, comment submissions, and analytics tracking.
- Minimise data collection. Only collect the personal data you genuinely need. Every additional data point increases both your attack surface and your compliance burden.
- Encrypt personal data at rest. Use disk or database encryption for the volumes and tables containing customer information, and ensure backup files containing personal data are encrypted too. Be clear about what this protects: encryption at rest defends against a stolen disk or an exposed backup, not against an attacker who reaches the data through WordPress itself, because the application reads it decrypted. Patching and access control still do most of the work.
- Implement data retention policies. Automatically delete personal data you no longer need. WordPress plugins can help automate the deletion of old form submissions, inactive user accounts, and expired order data.
- Display a compliant privacy policy and cookie notice. Ensure your privacy policy accurately describes your data processing activities and is easily accessible from every page.
10. Ongoing Maintenance: The Checklist Never Ends
Security is not a project with a completion date. It is a continuous process that requires regular attention and periodic professional review.
Weekly Tasks
- Verify that automated backups completed successfully.
- Review security scan reports for warnings or anomalies.
- Apply any pending plugin, theme, or core updates.
Monthly Tasks
- Audit user accounts and permissions.
- Review server access logs for suspicious patterns.
- Test one backup restoration on a staging environment.
Quarterly Tasks
- Run a comprehensive WordPress security audit covering every item in this checklist.
- Review and update your incident response plan.
- Assess whether any new plugins or integrations have introduced additional risk.
Annual Tasks
- Rotate all authentication keys, salts, and administrative passwords.
- Review your hosting provider's security posture and SLA.
- Conduct a penetration test or commission a professional security assessment.
- Update your GDPR records of processing activities and data protection impact assessments.
For businesses that prefer to hand off this ongoing responsibility, our WordPress maintenance service covers updates, monitoring, backups, and security hardening on a monthly retainer basis.
Final Thoughts
This checklist is comprehensive, but it is also practical. You do not need to implement every measure on day one. Start with the highest-impact items: update everything, enable 2FA, configure automated backups, and install a WAF. Then work through the remaining items systematically over the following weeks.
The cost of prevention is always lower than the cost of recovery. A professional security audit typically costs a fraction of what a full hacked website recovery demands in fees, lost revenue, and damaged reputation.
If you are unsure where your site stands, get in touch with our team for a no-obligation security assessment. We will identify your most urgent vulnerabilities and recommend a prioritised remediation plan.
Frequently Asked Questions
How often should I run through this WordPress security checklist?
We recommend a full review quarterly, with critical items like plugin updates and backup verification checked weekly. Automated monitoring tools can handle daily scanning, but a human-led audit at least every three months catches configuration drift and emerging threats that automated tools miss.
Is this checklist suitable for WordPress multisite installations?
Yes, though multisite adds complexity. Network-level settings, per-site user roles, and shared plugin infrastructure all need separate attention. Each sub-site should be treated as its own attack surface, and network admins should restrict plugin installation to the super admin role only.
Do I need a separate security plugin if my host offers a WAF?
Host-level WAFs are excellent for blocking attacks in transit, but they only see inbound requests: they cannot find malicious code already on disk, a modified core file, or a rogue administrator account. A dedicated WordPress security plugin adds application-layer scanning, file integrity monitoring, and login hardening that a network WAF cannot provide.
What is the single most impactful security measure for a small UK business site?
Keeping all plugins, themes, and WordPress core updated is consistently the highest-impact action. Over 50% of WordPress compromises exploit known vulnerabilities in outdated software. Pair that with two-factor authentication on all admin accounts and you eliminate the vast majority of common attack vectors.
How does GDPR affect my WordPress security obligations?
Under UK GDPR, you are legally required to implement appropriate technical measures to protect personal data. A breach caused by poor security, such as an unpatched plugin, can result in ICO fines of up to £17.5 million or 4% of annual worldwide turnover, whichever is higher. This checklist helps demonstrate due diligence in meeting those obligations.
Need Help With WordPress Security?
Get a professional security audit or speak to our team about protecting your WordPress site.
Request a Security Review