WordPress security checklist 2019 – (12 tips of 2019 Winter)

Before talking about necessity of WordPress Security Checklist, we need to start from previous step. During recent years, using WordPress has increased significantly and turned it to most popular CMS in the World. Many of webmasters around the globe are using WordPress for their website’s CMS. Not only small businesses, but also lots of big websites benefits from great features of WordPress. According to an article written by isitwp website, many of professional websites such as BBC America, Bloomberg professional, Sony music, Microsoft news, the Walt Disney company and so on are enjoying this CMS right now.

Now guess what! Because of great percentage of using WordPress, there is a great percentage of hackers who are trying to penetrate WordPress. But does it mean WordPress is an unsafe CMS? We believe the mentioned businesses above will answer you. Specially WordPress team is working day by day to find and close any back-door which let hackers to hack your WordPress site. This means WordPress is one of the safest CMSs in the World! Do you think is it enough? It would be enough if you make sure all the items below we gathered as WordPress Security Checklist is really checked on your website right after you installed WordPress on your host.

WordPress security checklist 2019

We discussed with our tech team and here are WordPress security checklist for 2019:

  1. Security plugins
  2. Using the safest username and password and save it in the safest place.
  3. Cookie Hijacking
  4. Read update details before update!
  5. Do not install nulled plugins and themes
  6. Secure host
  7. Backup!
  8. Do not login everywhere!
  9. Use one time secret and similar services
  10. Do not install first found plugin.
  11. Read WordPress security websites one-time in a while
  12. Check your old plugins
  13. Transfer from HTTP to HTTPS

1. Security plugins

There is no doubt that using WordPress security plugins is your first defense line against anything harmful for your WordPress site. They have many features which can increase your site’s security immediately. For example, adding two-factor authentication, Google reCAPTCHA, routine backups and etc.

2. Using the safest username and password and save it in the safest place.

A few years ago, information of users of Gawker media has leaked. Many security researchers analyzed their passwords. It was shocking! Over 3000 thousand people used 123456 for their password! Almost 2000 people used “password” as their password! More than 1000 used 12345678. About 500 people used “qwerty”! You need to know that these are easiest passwords to unlock.

Due to SECURE PASSWORD CHECK which is a free service by Kaspersky security group, it only takes 1 second to crack “qwerty” as a password! 2 minutes for 123456. 1 second for “password”. It shows you how much it is important to use secure passwords for your WordPress dashboard!

As CHRIS HOFFMAN mentioned in his article in howtogeek website, there are some items you need to consider in your passwords:

  1. Minimum, 12 characters.
  2. It should contain symbols, capital letters, and lower-case letters
  3. Stay away from dictionary words and their combinations. e.g. “red house”
  4. Do not use obvious substitutions. e.g. “h0use”
WordPress security checklist 2019
Create complex passwords and save them somewhere safe!

What Should we do he check this item in WordPress security checklist

According to Kaspersky service, a password which has mentioned items, takes about 4 centuries to crack!

Another issue is about 33% of people, use a same password for all their online services and account. It means if one their passwords leaks, they will lose control of all their accounts. Which could turn into a disaster! What is the solution? How we should create complex passwords and memorize them?

There are many online and free services which provide you this. These services are LastPass, KeePass, Dashlane and etc. They provide you complex passwords and save them in an account with a master password. All you need to do is to remember that master password. For example, LastPass has an extension which could be install on browsers such as Chrome, Opera and etc. you just need to install it and login to your account using your master password. It shows you all your passwords and you can login automatically in any website. It also has mobile apps for situations you have no access to your PC and you can use it from your phone! In a full review article we will teach you how to use these services as one of the WordPress security checklist items.

3. Cookie Hijacking

WordPress security checklist cookie hijacking
Do not enter Suspicious websites!

Cookies usually are small text files which has ID tags. They store on your browsers directory on your computer. They have many usages. They created when you visit different websites. Why? They keep track of your movements. For example, you select a theme on our Gmail. When you login again you can see your last selected theme. This happen by your cookies. Imagine you register on a website. When you go to that website again, your browser remembers your registered login. It is great! But in some cases not!

Some hackers misuse of this feature. They use destructible extensions, spam comments and etc. by this they stole your cookies files. Now imagine you have entered to your bank account. They can steal your login information through your login page and use it to steal from you! But don’t worry. As a WordPress webmaster, if you do not wasn’t to lose your website’s login information, consider items below:

  1. Do not install unknown extensions on your browser. They use these extensions to hijack your browser’s cookies.
  2. Do not look for illegal items on the web. Because you will reach to sites which steal your cookies.
  3. Pay attention to suspicious action on your browser. For example, you might see Google banner ad on your google search result page (SERP). This is not something Google do! It means something has happened to your browser and you need to reset it.

4. Read update details before update!

There is no need to always update your plugins as soon as they released. Because they might have some problems after updating. For example, not compatibility with your current WordPress version. Or some bugs that might be solved in next releases. Did you ever noticed that you update a plugin immediately but after one or two days, the developer release a new update? That is the point! Many users update plugins immediately. And new one does not work as good as previous one because of some problems in codes. This mean you will lose your current version and you need to wait for next version. So read the update details and if the new options are not necessary for you right now, wait some days and then update your plugin to new version.

5. Do not install nulled plugins and themes

What is a nulled plugin?

Nulled plugins and themes are cracked or hacked version of premium ones. Some developers buy premium versions, edit them and release them as free. But it is not okay for many reasons.

During using WordPress, you may need to install some plugins that are expensive for you now. You do not have enough money or it is not reasonable to pay lots of money for your business at the current point. What do you do in this situation? Do you wait to have enough money? Do you find substitute plugins? Or do you install their nulled version?

There are so many dangers in using nulled plugins and themes. Hackers hide some codes in them that will effect on your site in a bad way. They show pop ups and ads to your users and you will not find out that until they start to complain.

Another problem is that if the main developer finds out you are using their plugin and theme illegally, they can take legal actions against you. So it is not logical for saving 40 dollars, live in fear of mentioned items for a long time.

In a full review article we have discussed about what a disaster could be happen if you use Nulled Plugins.

6. Secure host

What are the main items you consider in choosing a hosting service for your website? Price? Programming language? Shared host? VPS? etc. What about security? We believe before all the mentioned items; you must check the security status of that hosting services. Imagine a hacker can penetrate to that host. What will happen? You definitely lose all your data. And worse than that, you will lose your business as an eCommerce. You will lose your customers trust. And you the final shot could be leak your customers or users’ information. You are doomed! Please have a full research about different hosting services’ security before choosing a new one. In a full review article we have discussed about best hosting services for WordPress sites.

7. Most important item in WordPress Security Checklist: Backup!

A professional store owner in offline businesses, use everything he can to minimum his loss in case something bad happen to his business. Why we can do as an online business owner? Imagine the worst case scenario. All data of your hosting services erased after an earthquake or explosion. You may say it is impossible. We have the same idea with you. But there are many other dangers that could happen and you will lose all your data immediately. But what is the solution?

backup to check important item in WordPress security checklist
Backup all your data in a routine!

There are some plugins that can make backups of all your data and send them to your email monthly, weekly and even daily. It totally depends on your business. Many of great host services do the same thing for you but do not forget to act like that professional store owner. Now you are sure that if even you lose all your data, you have something to start again. Don’t you think it is the most important item in WordPress Security Checklist?

8. Do not login everywhere!

We highly recommend to login your site just from your own pc. Do not use other computers. Because the computer you use might have some malwares which steal your login information. Or even more simple, the browser might save your login information and next person who sits there, can use it.

But you may face a necessary situation, and there is no other way. In this cases, you need to use incognito or private mode in the browser. Incognito or private mode in browsers does not let any data to be saved or stored. Such as history, cookies, passwords.

9. Use one time secret and similar services : an important item in WordPress security checklist

In some cases, you may need to add a new user to your site or send login information to somebody through messaging applications. Do not do that! That information will save there forever! And next days, next months or even next years somebody might see that and use it to enter your site. So why you want to decrease your website’s security.

In this situations we recommend to use services like one time secret. This services ad similar ones let you to send vital information like login passwords, links and etc. When you enter your information in this services, the give you a link that includes that information. Now you can send that data to anybody you want. After second person viewed that link, it will be erased automatically. Just like it never existed!

10. Do not install first found plugin

For any purpose there are many WordPress plugins on resource or other websites. Beginner webmasters install the first plugin they found immediately. What will happen then? The first thing is if you search more, you may find better plugin. But the more important one is the plugin might have destructible code or act just like a nulled plugin.

Here are the steps for this item in WordPress security checklist:

  • The first step is to search enough and at least find 5 plugins.
  • After that read all their descriptions.
  • The next step is to read all the users’ comments. It is your duty to find if the comments are fake or not.
  • Right after you finished all the steps, choose the best plugin which is suitable for you.

11. Read WordPress security websites one-time in a while

There are many websites in the internet which explain all security points of WordPress in a while. The best thing you can do is to read these websites and blogs once in a while. This will help you to find out the plugins and themes that leads hackers to websites. Or for example you can find out that the new WordPress release has some bugs that can vulnerable your site and result in losing data. Then you prevent to update your WordPress core until that problem be solved.

These websites and blogs also share new security tips with their readers that helps to increase your WordPress site’s security.

12. Check your old plugins

This happen for every webmaster that after a while, there are lots of unnecessary plugins which are working on their site. Most of them might even have no new updated for months or years. So notice that every few months check your installed plugins and see if is there any plugin which you are not using right now or you can replace it with a new one and regular updates. But you need to be careful. Removing them might cause some problems. So first deactivate the and check if everything is working properly or not. Everything is just fine like before? REMOVE them NOW!

13. Transfer from HTTP to HTTPS

Have you ever noticed to websites’ URLs? A non-ignorable condition for a trusted and secure website is to use SSL. When a website use SSL to transfer data to between server and users, its URL will be changed to HTTPS instead of HTTP. e.g. https://recentwp.com. We have talked about this item and how to activate it in a full review article which is : How to change HTTP to HTTPS in a WordPress site URL?


We have reviewed 11 tips which are necessary to check all WordPress Security Checklist items. According to experiences if you consider all this items, the probability of losing your data or being hacked is almost zero. What other items you do in your WordPress website which is not mentioned in this article? Please share with us and our readers to update this article with your comments and mentioning your name.

Was this post helpful for you?
so so

If you want get latest posts in your email, insert your email in this fiel now:

Our subscribes until now:

Leave a Reply

Sending comments means that you read Comments rules and accept it.

Post's Comments Newest Featured

  1. Wow! This can be one particular of the most helpful blogs We ave ever arrive across on this subject. Basically Magnificent. I am also an expert in this topic so I can understand your hard work.

    • 2 years User of HamyarWp

      Thanks a lot. It is really nice of you and we appreciate it.

we suggest this post to read