The team behind The WordPress Security Checklist run a number of WordPress sites.
And we thought we had done a good job of securing our sites.
We were wrong!
Our sites were compromised. Suspicious-looking files appeared on our sites, and we had no idea how or when they managed to get onto our sites.
We cleaned up our sites, added a couple of security plugins and thought that was the end of that.
But it was only a couple of weeks before it happened again.
This time we decided good enough was not good enough. We wanted to get to the bottom of how to secure WordPress properly. After researching the topic, we discovered why we had not done a good job of securing our WordPress sites in the first place.
It is very difficult to get a comprehensive and easy-to-understand answer to the question:
How do I secure my WordPress site?
Sure, there are plenty of blog posts listing the 10 best security plugins (from two years ago) and how to secure your WordPress administration panel. In fact, there is too much scattered information out there. Finding, testing and deciding which of the many bits and pieces of information are valuable is a very time-consuming exercise.
Hence the birth of The WordPress Security Checklist.
This checklist is the digest of our research into the topic.
It is not perfect. It is not finished. In fact, it will never be finished because WordPress continues to develop.
But it is our hope that this checklist will help you do a better job at securing your WordPress site.
And to be prepared if your site is ever broken into.
The goal of the checklist is not to explain everything in detail. It is designed to allow you to get the job done quickly.