Guide

WordPress security checklist 2026: harden your site in an afternoon

Ten concrete steps, ordered by impact, to drastically cut your attack surface today.

You don’t need to be an expert to halve your risk. These ten steps, ordered by impact, harden your WordPress in an afternoon.

The essentials (do them today)

  1. Unique, strong passwords for admin, hosting and database. Use a password manager.
  2. Enable 2FA on every admin account. It is the best effort-to-protection ratio there is.
  3. Automatic backups — and, above all, test that you can actually restore them.
  4. Update core, plugins and themes. Delete what you don’t use: every inactive plugin is still attack surface.

The next level

  5. Limit login attempts and hide or protect wp-login.php against brute force.
  6. Correct file permissions (typically 644 for files, 755 for folders) and keep wp-config.php out of public reach.
  7. Disable file editing from the dashboard (DISALLOW_FILE_EDIT).
  8. HTTPS site-wide and security headers (CSP, HSTS).
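
The permissions and DISALLOW_FILE_EDIT steps above, as an added example that is not part of this guide: a POSIX shell script that applies both to one install and checks the result. The layout it assumes (wp-config.php in the document root, with a `wp-settings.php` require inside it), the owner-only 600 on wp-config.php and the assumption that PHP runs as the file owner are mine, not the guide's.

```shell
#!/bin/sh
# Added example, not the guide's own code: apply the permissions and
# DISALLOW_FILE_EDIT steps to the WordPress install rooted at the directory
# passed in. Assumes a standard layout with wp-config.php in the document
# root and a wp-settings.php require inside it.
set -eu

harden_wp() {
  root="$1"
  cfg="$root/wp-config.php"

  # 755 for directories, 644 for files, as the checklist recommends.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +

  # Define DISALLOW_FILE_EDIT once, before wp-settings.php is loaded, so
  # plugins and the admin UI all see the constant. Skip if already present.
  if ! grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then
    awk -v line="define( 'DISALLOW_FILE_EDIT', true );" '
      /wp-settings\.php/ && !done { print line; done = 1 }
      { print }
    ' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" || {
      echo "no wp-settings.php require found in $cfg; add the define by hand" >&2
      return 1
    }
  fi

  # wp-config.php holds database credentials and salts: owner-only read/write,
  # tighter than the general 644 (assumes PHP runs as the file's owner).
  chmod 600 "$cfg"
}

# Returns 0 when the hardening points are in place, 1 otherwise.
wp_check() {
  root="$1"
  cfg="$root/wp-config.php"
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" || return 1     # dashboard editor disabled
  [ -n "$(find "$cfg" -perm 600)" ] || return 1       # config owner-only
  [ -z "$(find "$root" -perm -002)" ] || return 1     # nothing world-writable
  return 0
}

if [ "$#" -gt 0 ]; then
  harden_wp "$1" && wp_check "$1" && echo "hardened: $1"
fi
```

Run it as `sh harden.sh /path/to/wordpress`; rerunning is safe because the define is only added when missing.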

Real defense

  9. A WAF and a query firewall that block injections and malicious uploads before they reach the database.
  10. Monitoring and forensic analysis that catches suspicious changes and warns you before the problem grows.

The first four steps stop most automated attacks. The next six protect you from the serious ones.

The last two steps, in one click

Points 9 and 10 are exactly the hardest to build by hand. Sentinel ships them out of the box — WAF, query firewall, forensic scanner, quarantine and monitoring — and installs in under five minutes. It hardens the hard part without touching a line of config.
