Skip to content

109 Sandbox

A website made for testing

WordPress security checklist

2020-06-29: Copied to

This is a list of security items to check when setting up WordPress websites and web servers for WordPress websites.

I use it for web servers running Debian 10 (Buster), Apache 2.4 and PHP 7.3 or PHP 7.4, and for websites accessible via HTTPS. The list is a work in progress.

Apache HTTP server

  • Disable TLS 1.0 and 1.1
  • Disable AllowOverride globally (default since Apache 2.3.9) and for each site
  • Disable the autoindex module
  • Disable the auth_basic module
  • Disable the TRACE HTTP method (disabled by default in Debian 10) – h5bp snippet
  • Configure security response headers
    • Disallow MIME sniffing
    • Remove X-Powered-By
    • Configure X-Frame-Options
    • Configure Strict-Transport-Security – h5bp snippet
    • Configure Content-Security-Policy – h5bp snippetmay need adapting
  • Forbid access to hidden files and directories that don’t need to be accessible – h5bp snippet
  • Forbid access to files that don’t need to be accessible – h5bp snippet
  • (for WP) Forbid access to xmlrpc.php if XML-RPC is not needed – snippets
  • (for WP) Forbid access to wp-login.php unless IP is trusted – not always feasible
  • (for WP) Forbid access to wp-login.php if agent uses HTTP/1.* – snippets
  • (for WP) Forbid access to PHP files in wp-content
  • (for WP) Forbid access to PHP files in wp-includes
  • (for WP) Forbid manual uploading of themes and plugins – snippet
  • (for WP) Forbid user enumeration
  • (for WP) Forbid GET requests to core REST API endpoints
  • (for WP) Configure Content-Security-Policy for wp-admin



  • Set DISALLOW_FILE_EDIT to true
  • Set WP_DEBUG_DISPLAY to false
  • Set WP_DEBUG_LOG to true
  • Remove inactive themes except one (fallback)
  • Remove inactive plugins
  • Disable gravatars (one less thing to set CSP for)
  • (via plugin) Require strong passwords for all users
  • (via plugin) Require multi-factor authentication for admins – plugin
  • (via plugin) Disable comments completely if not needed – plugin

Resources and documentation

Possible additions and improvements for the future

Testing post categories in WordPress 5.4.1


This is a test post. One two three four five six seven eight.

It belongs in the Miscellaneous category.

List of design systems and style guides

Also see:

Testing custom feed for Mailchimp

One two three four.

Testing the Notification plugin

This is a post to test the Notification plugin by BracketSpace.

Testing another thing:

  • One
  • Two
  • Three