
WordPress Security Checklist

20 steps to protect a WordPress site.

BeoHosting Team

10+ years of experience, web hosting and infrastructure experts

Last updated:

WordPress runs over 43% of all websites on the internet, which makes it the most common target for hackers. The good news: most attacks rely on known vulnerabilities you can prevent with these 20 steps. The checklist covers every layer of security — from basic settings to advanced maintenance.

WordPress Security Checklist

1. Update WordPress, themes and plugins

Most attacks target outdated WordPress core, themes or plugins. Enable automatic minor updates, review major updates monthly after a backup. Delete unused plugins and themes — they are still attack vectors.

2. Use strong passwords and 2FA

Use 16+ character random passwords for admin accounts. Enable two-factor authentication with WP 2FA or Google Authenticator. Never reuse passwords across accounts. Store them in a password manager (1Password, Bitwarden).

3. Limit login attempts

Install Limit Login Attempts Reloaded to block IPs after 3-5 failed attempts. Change the admin URL from /wp-admin to a custom one using WPS Hide Login. Disable XML-RPC if you do not need it (xmlrpc.php is a common attack vector).

4. Install a security plugin

Install Wordfence, Sucuri Security or iThemes Security. These plugins provide malware scanning, a firewall (WAF), brute-force protection, file-integrity monitoring and login security. Run weekly scans.

5. Force HTTPS site-wide

SSL is mandatory. On BeoHosting, free Let's Encrypt SSL is included. Force HTTPS via cPanel "Force HTTPS Redirect" or .htaccess. Update all internal URLs to https:// using the Better Search Replace plugin.

6. Set up automatic backups

Schedule daily database and weekly file backups with UpdraftPlus. Store off-site (Google Drive, Dropbox, S3). Test restore quarterly. BeoHosting automatically takes daily backups on all packages.

7. Harden file permissions

Set directories to 755 and files to 644. Make wp-config.php read-only (440). In .htaccess, deny access to wp-config.php, .htaccess and readme.html. Disable directory browsing.
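Step 7 as a runnable script, an added example that is not code from the BeoHosting article: it applies the 755/644/440 scheme to a WordPress document root and then audits the tree so that drift can be caught on a schedule. It assumes a Linux or BSD host with POSIX sh and a find(1) that supports -maxdepth; the script name and the document-root path in the usage line are hypothetical.

```shell
#!/bin/sh
# Added example, not from the BeoHosting article. Applies the step-7 scheme
# (directories 755, files 644, wp-config.php 440) and audits the result.
# Assumes POSIX sh and a find(1) with -maxdepth (GNU and BSD both have it).

# harden_wp_permissions ROOT
harden_wp_permissions() {
    root="${1%/}"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds the database credentials and salts, so it gets the
    # tighter 440 after the blanket 644 pass above (order matters).
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}

# audit_wp_permissions ROOT
# Prints every path that deviates from the scheme; returns 1 if any were
# found, 0 if the tree is clean. A cron job can alert on the non-zero exit.
audit_wp_permissions() {
    root="${1%/}"
    report=$( {
        find "$root" -type d ! -perm 755 | sed 's/^/dir not 755:       /'
        find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 \
            | sed 's/^/file not 644:      /'
        find "$root" -maxdepth 1 -name wp-config.php ! -perm 440 \
            | sed 's/^/wp-config not 440: /'
    } )
    if [ -n "$report" ]; then
        printf '%s\n' "$report"
        return 1
    fi
    return 0
}

# Usage: ./wp-perms.sh /home/user/public_html   (script name and path are
# hypothetical; no argument means nothing is touched)
if [ -n "$1" ]; then
    harden_wp_permissions "$1" && audit_wp_permissions "$1"
fi
```

On hosts where PHP runs as a user other than the file owner and outside the owner's group (no CageFS or suEXEC-style isolation), 440 on wp-config.php stops PHP from reading it, so confirm the site still loads after hardening.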

8. Disable file editing from admin

Add define('DISALLOW_FILE_EDIT', true); to wp-config.php so attackers cannot edit themes or plugins through the admin panel even if they gain access.

9. Hide WordPress version

Remove the WordPress version meta tag from the head section. Add to functions.php: remove_action('wp_head', 'wp_generator'); This makes it harder for attackers to target known version-specific vulnerabilities.

10. Choose secure hosting

Use hosting with Imunify360, ModSecurity WAF, DDoS protection, daily backups and CageFS isolation. BeoHosting includes all of these as standard. Avoid cheap shared hosting without these protections.


FAQ

Answers to the most frequently asked questions about our services.

WordPress core, themes and plugins should be updated as soon as new updates are available. For minor versions (e.g. 6.4.1 to 6.4.2), enable automatic updates. For major versions (e.g. 6.4 to 6.5), wait 2-3 days for stability confirmation, take a backup, then update.

Wordfence is a great first line of defense, but not sufficient on its own. Combine it with strong passwords, 2FA, regular updates, correct file permissions and reliable hosting. Security is a multi-layered process — no single plugin can replace all other measures.

A brute-force attack is an attempt to guess a password by trying thousands of combinations. Protect against it by limiting login attempts (Limit Login Attempts), using 2FA, changing the admin URL and using a strong password. BeoHosting servers run Imunify360, which automatically blocks brute-force attempts.

Signs of a hack: unexpected redirects, unknown admin users, unfamiliar files on the server, a Google malware warning, spam links in content, sudden slowdown. Install Wordfence, which scans files and compares them with the originals — it reports every suspicious change.

Yes, the free Let's Encrypt SSL certificate BeoHosting offers provides the same encryption as paid certificates. The difference is in warranty and company validation. For most WordPress sites (blogs, presentations, small stores), free SSL is fully sufficient.
