WordPress Hosting Security Checklist (2025): What Your Host Should Handle by Default

Over 40% of the web — more than 810 million sites — runs on WordPress, so weak passwords and outdated plugins on any one of those sites are a constant target for attackers.

You shouldn’t need to babysit protection. A solid host will layer defenses like a WAF and CDN, run automated malware scans, push fast software patches, and offer one-click restores for backups.

When these baseline features are on by default, you can focus on content and growth instead of firefighting. Expect clear, practical items in this checklist that translate tech terms into everyday benefits for your site.

The guide will show what must be included without upcharges, how hosts should automate SSL issuance, and which tools truly reduce the issues you’d otherwise fix with plugins.

Key Takeaways

  • Look for host-level protections enabled by default: WAF/CDN, malware scans, and auto-patching.
  • Backups with one-click restore and 24/7 monitoring are must-have features.
  • Automated SSL and fast software updates reduce your day-to-day maintenance.
  • Host-first defenses cut down on plugin clutter and hidden risks.
  • Watch for vague claims or limits that shift responsibility back to you.

Why your host is your first line of defense in 2025

Your host stands at the network perimeter, stopping many threats before they ever see your dashboard. That early filtering reduces noise and shields your site from routine attacks.

Good providers add layered controls — firewalls, WAF rules, and bot filtering — so many threats never reach your website. They also run automatic malware scans and keep server software patched so known holes close fast.

Shared environments raise exposure because they offer weaker isolation. VPS or dedicated plans give better account separation and lower the chance that neighbor sites affect yours.

Expect real-time monitoring, 24/7 support, and automatic backups as baseline features. These built-in controls help you spot odd access patterns, restore data quickly, and avoid juggling extra tools.

  • Edge blocking: stop attacks before they hit your code.
  • Layered defenses: network and application rules, plus bot filtering.
  • Managed stack: OS, PHP, and web server updates handled by the host.

WordPress hosting security checklist 2025: Non‑negotiable host defaults

A reliable host turns default settings into an active shield that blocks common web attacks before they reach your code.

Edge filtering is the first stop: cloud WAFs and network firewalls should drop DDoS, SQLi, and brute-force attempts before they hit your origin.

Automated malware scanning and real‑time monitoring catch unauthorized code changes and infected files fast. You want file and database scans with alerts and clear next steps.

  • Cloud WAF + network firewalls to blunt malicious traffic and reduce load from large attacks.
  • Auto-scans that check files and DBs, paired with live monitoring for rapid detection.
  • Automatic patching of core, PHP 8.x, and server OS so known vulnerabilities close quickly.
  • Encrypted-by-default SSL/TLS (e.g., Let’s Encrypt) with forced HTTPS on every site.
  • Account isolation using containers or chroot jails to prevent cross-account contamination from risky plugins.

Expect hardened defaults too: safe PHP settings, minimal exposed services, and sane rate limits out of the box. Ask for dashboards that show WAF events, malware hits, and patch status so you can see what matters.

Backups you can actually restore

Reliable backups are the undo button you hope you never need, but must trust to work fast.

Daily offsite copies and one‑click restores

Your host should capture daily, offsite backups of files and the database and let you restore a complete site with one click. Automation beats plugin juggling — tools like UpdraftPlus exist, but host‑level backup simplifies recovery.

Tested restore times and sensible retention

Match backup frequency to how often you change content: daily for busy stores, weekly for static brochure sites. Test restores regularly so you measure real restore time and verify data integrity.

  • Daily offsite backups for files and database; one‑click full-site restores.
  • Immutable copies stored away from production to protect against ransomware.
  • On‑demand snapshots before big updates and item-level restore for flexible recovery.
  • Transparent RTOs and visible backup status so you spot failures early and keep your website running.

WAF, CDN, and traffic controls built in

A cloud WAF plus CDN should act like a shock absorber for spikes and scripted abuse.

Edge filtering blocks brute force and scripted bots before they touch your dashboard. Cloud WAFs such as Cloudflare and Sucuri apply IP reputation, block known bad actors, and enforce rate limits at the network edge.

Rate limiting and reputation-based rules cut junk traffic so your site stays fast during surges. The host should let you block or challenge by country, ASN, or path without custom code.

CDN integration to absorb DDoS and reduce origin exposure

A built-in CDN (Cloudflare, Bunny.net, Amazon CloudFront) caches assets globally. This speeds your pages and masks origin IPs so large DDoS attacks hit the edge instead of your server.

“Put defenses at the edge and most attacks never reach your application.”

  • Bundle a cloud WAF to stop brute force and scripted abuse at the edge, not inside the admin area.
  • Use rate limits and reputation filters to lower unwanted traffic and keep the site responsive.
  • Expect TLS termination at the edge, auto certificate management, and HTTP/2 or HTTP/3 support.
  • Edge logs should list blocked requests, bot scores, and challenges so you can tune rules fast.

Feature | What it does | Why it matters
--- | --- | ---
Cloud WAF | Filters malicious requests and enforces rate limits | Stops brute force and scripted attacks at the border
CDN | Caches assets and masks origin IP | Speeds pages and absorbs volumetric DDoS
Edge TLS & HTTP/3 | Terminates TLS, serves modern protocols | Improves performance and reduces origin load

Final note: Your provider should combine WAF and CDN cleanly with caching and image optimization. They should also offer clear DDoS escalation paths so you’re not left scrambling during an incident.

Login and authentication hardening handled by your host

A tight authentication layer from your provider reduces brute-force noise before it ever reaches site logins.

Let the host enforce two-factor authentication (use Google Authenticator, Authy, or similar) for all admin roles and key users without extra plugins. This makes account takeover much harder and spares you from walking every user through a plugin rollout.

Require long, unique passwords and offer one-click rules for strong passwords via the control panel. Recommend managers like 1Password or Bitwarden so users don’t reuse weak credentials.

Stop brute force and bot noise

Hosts should limit login attempts and add reCAPTCHA (v2 or v3) on the login page to screen automated attacks. Toggleable IP allow/deny rules help you lock down access during incidents without editing server files.

Convenience that improves safety

One-click custom login URL changes cut down scanner traffic. Idle session timeouts (15–30 minutes) with a warning reduce risk from open dashboards on shared machines.

Audit and policies

Ban common usernames like “admin” and require role-based authentication profiles for sensitive actions. Provide readable audit trails that show who signed in, when, and from where.

  • Enforce two-factor authentication for admin accounts and key users.
  • Make strong password rules easy to apply and pair with password managers.
  • Limit login attempts and add reCAPTCHA on the login page.
  • Offer custom login URL toggle and idle session timeouts.
  • Provide IP allow/deny controls and clear login audit logs.

Secure plugins, themes, and update hygiene

Keep third-party code lean: every extra plugin or theme is another place bugs and backdoors can hide.

Auto‑updates plus a staging site let you patch core, plugins, and themes quickly while testing for regressions before going live.

In 2024 nearly 8,000 new vulnerabilities appeared across plugins and themes, and about 90% were in plugins — so update hygiene matters.

Auto-updates, blocklists, and clean inventory

Your host should support auto-updates tied to backups and health checks. Dashboards should flag version drift and show one‑click updates for critical releases.

Blocklists must stop nulled or known‑malicious packages and notify you when software is abandoned. Remove deactivated plugins and unused themes so less code is exposed.

Control | What it does | Benefit
--- | --- | ---
Auto-updates + staging | Applies patches in test first | Reduces downtime from bad updates
Blocklist | Prevents risky installs | Stops known-malicious code at install
Inventory & logs | Tracks installs and changes | Improves accountability and rollback

  • Keep one default theme for debugging.
  • Prefer reputable vendors; use host trust signals.
  • Tie updates to backups and quick restores.

File system and configuration hardening

Protecting core files and limiting writable paths keeps attackers from turning small bugs into full site takeovers.

Least‑privilege permissions should be the default. Set wp-config.php to 400/440 or 600, directories to 755, and most files to 644. Your host should offer a one-click permission repair tool so you can fix drift fast.

Disable the dashboard file editor to stop attackers from injecting code via a compromised admin account. Add define('DISALLOW_FILE_EDIT', true) to your config and block HTTP access to sensitive files.

Prevent PHP execution in uploads and other user-writable paths with a small .htaccess rule. Also add Options -Indexes to stop directory browsing and exposure of file structure.

  • Enforce least‑privilege by default and provide repair and alerts for permission changes.
  • Lock down wp-config.php and restrict write access to what the app needs.
  • Disable dashboard editing and stop PHP runs in uploads to block webshells.
  • Add .htaccess rules like Options -Indexes to reduce disclosure of directory layout.

Your host should surface configuration diffs and ownership warnings so you see risky access quickly and keep the website safe.
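As an added example (not BoostedHost tooling or any host's panel code), the Python script below audits an install tree for exactly the defaults this section lists: wp-config.php mode, 755/644 drift, DISALLOW_FILE_EDIT, PHP files under uploads, and the two .htaccess rules. The tree it inspects is a constructed throwaway copy; the layout and .htaccess patterns assume a stock Apache/WordPress install.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Modes called for above: wp-config.php at 400/440/600, directories 755, files 644.
CONFIG_MODES, DIR_MODE, FILE_MODE = {0o400, 0o440, 0o600}, 0o755, 0o644
UPLOADS = Path("wp-content/uploads")
FILE_EDIT_OFF = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)")
# Either common .htaccess form that stops PHP from executing inside uploads.
PHP_EXEC_OFF = re.compile(r"php_flag\s+engine\s+off|<FilesMatch[^>]*php[^>]*>", re.I)


def mode_of(p: Path) -> int:
    return stat.S_IMODE(p.lstat().st_mode)


def audit_wp_tree(root: Path) -> list:
    """Return human-readable findings for one install tree; [] means it passes."""
    findings, cfg = [], root / "wp-config.php"
    if cfg.is_file():
        if mode_of(cfg) not in CONFIG_MODES:
            findings.append(f"wp-config.php mode {mode_of(cfg):o}, expected 400/440/600")
        if not FILE_EDIT_OFF.search(cfg.read_text()):
            findings.append("DISALLOW_FILE_EDIT is not defined as true in wp-config.php")
    else:
        findings.append("wp-config.php missing")
    root_ht, up_ht = root / ".htaccess", root / UPLOADS / ".htaccess"
    if not (root_ht.is_file() and "Options -Indexes" in root_ht.read_text()):
        findings.append(".htaccess lacks 'Options -Indexes' (directory listing possible)")
    if not (up_ht.is_file() and PHP_EXEC_OFF.search(up_ht.read_text())):
        findings.append("uploads/.htaccess does not block PHP execution")
    for dirpath, _, filenames in os.walk(root):
        d = Path(dirpath)
        if mode_of(d) != DIR_MODE:
            findings.append(f"{d.relative_to(root)}/ mode {mode_of(d):o}, expected 755")
        for name in filenames:
            f = d / name
            rel = f.relative_to(root)
            if f == cfg:
                continue  # already checked against its own, stricter set of modes
            if mode_of(f) != FILE_MODE:
                findings.append(f"{rel} mode {mode_of(f):o}, expected 644")
            if rel.suffix == ".php" and UPLOADS in rel.parents:
                findings.append(f"{rel}: PHP file inside uploads (possible webshell)")
    return findings


def build_demo_tree(hardened: bool) -> Path:
    """Construct a throwaway WordPress-shaped tree (sample data, not a real site).
    hardened=False reproduces common drift: loose wp-config.php, file editor still
    enabled, no index or PHP blocking, and a stray .php file inside uploads."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    month = root / UPLOADS / "2025" / "01"
    month.mkdir(parents=True)
    (root / "index.php").write_text("<?php require __DIR__ . '/wp-blog-header.php';\n")
    (month / "photo.jpg").write_bytes(b"\xff\xd8 constructed placeholder")
    config = "<?php\n" + ("define('DISALLOW_FILE_EDIT', true);\n" if hardened else "")
    (root / "wp-config.php").write_text(config)
    if hardened:
        (root / ".htaccess").write_text("Options -Indexes\n")
        (root / UPLOADS / ".htaccess").write_text(
            '<FilesMatch "\\.php$">\n    Require all denied\n</FilesMatch>\n')
    else:
        (month / "image.php").write_text("<?php // stray script in uploads\n")
    for dirpath, _, filenames in os.walk(root):
        os.chmod(dirpath, DIR_MODE)
        for name in filenames:
            os.chmod(Path(dirpath) / name, FILE_MODE)
    if hardened:
        os.chmod(root / "wp-config.php", 0o440)
    return root
```

Point audit_wp_tree at a real document root to check a live site; run it as the site owner so lstat reports the modes the web server actually sees.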

Database and site integrity protections

Small database changes can mask big problems, so your provider must treat integrity as a first-class feature.

Make it hard for automated attacks to find targets. Change the default wp_ table prefix at install and get host help for safe migrations if you ever need to rename tables.

Custom prefixes and minimal privileges

Grant the WordPress database user only the permissions it needs — no root. That limits damage when credentials leak and keeps your site safer.

Integrity checks and activity logging

Automated scans should compare core files to known-good checksums and flag suspicious content or config changes.

  • Log version updates, plugin/theme installs, and role changes so you can trace who did what.
  • Alert you on unusual write patterns to key tables or unexpected privilege escalations.
  • Offer one-click rollback to a clean snapshot if integrity checks fail.
  • Prune revisions and transient data regularly to speed queries and highlight anomalies.
  • Provide sanitized staging copies so you test without exposing real user data.

“A short, reliable activity trail is the difference between a quick restore and a forensic headache.”

Protocol and legacy surface reduction

Trim old protocols and endpoints so your site has fewer ways to fail.

Start small: your host should disable XML-RPC by default and only re-enable it with a clear, time-bound exception. If you must keep it, block dangerous methods like system.multicall.

Force HTTPS everywhere with permanent redirects and automatic certificate renewal. That step closes many trivial man-in-the-middle issues and keeps the website consistent for users and crawlers.
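Added example, not from the article or a real host panel, of the default-off, time-bound exception policy described above for xmlrpc.php, with system.multicall refused even while an exception is active. The XmlRpcPolicy class, its field names and the sample request bodies are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional, Tuple
import xml.etree.ElementTree as ET

BLOCKED_METHODS = {"system.multicall"}  # named above as the method to block outright


@dataclass
class XmlRpcPolicy:
    """Host-side XML-RPC policy: off unless an exception is granted, and then
    only for listed methods and only until `enabled_until`."""
    enabled_until: Optional[datetime] = None   # None means disabled (the default)
    allowed_methods: frozenset = frozenset()

    def grant_exception(self, methods, hours: int, now: datetime) -> None:
        """Re-enable XML-RPC for a bounded time and a fixed set of methods."""
        self.enabled_until = now + timedelta(hours=hours)
        self.allowed_methods = frozenset(methods)


def method_name(body: bytes) -> Optional[str]:
    """Return the <methodName> of an XML-RPC methodCall, or None if it is not one."""
    try:
        # A production filter should parse with defusedxml to resist entity expansion.
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    if root.tag != "methodCall":
        return None
    node = root.find("methodName")
    return node.text.strip() if node is not None and node.text else None


def evaluate(policy: XmlRpcPolicy, body: bytes, now: datetime) -> Tuple[bool, str]:
    """Decide one POST to xmlrpc.php: (allowed, reason), most restrictive check first."""
    if policy.enabled_until is None:
        return False, "xmlrpc disabled by default"
    if now >= policy.enabled_until:
        return False, "xmlrpc exception expired"
    name = method_name(body)
    if name is None:
        return False, "malformed methodCall"
    if name in BLOCKED_METHODS:
        return False, f"{name} is blocked"
    if name not in policy.allowed_methods:
        return False, f"{name} not in exception allowlist"
    return True, f"{name} allowed until {policy.enabled_until.isoformat()}"


# Constructed request bodies for the demo (not captured traffic).
PINGBACK = b"<?xml version='1.0'?><methodCall><methodName>pingback.ping</methodName><params/></methodCall>"
MULTICALL = b"<?xml version='1.0'?><methodCall><methodName>system.multicall</methodName><params/></methodCall>"


def demo() -> list:
    """Walk the policy through its states; returns the (allowed, reason) decisions."""
    now = datetime(2025, 3, 4, 12, 0, tzinfo=timezone.utc)
    policy = XmlRpcPolicy()
    decisions = [evaluate(policy, PINGBACK, now)]               # default: refused
    policy.grant_exception({"pingback.ping"}, hours=24, now=now)
    decisions += [evaluate(policy, PINGBACK, now),              # allowed during exception
                  evaluate(policy, MULTICALL, now),             # still blocked
                  evaluate(policy, b"<not xml", now),           # rejected as malformed
                  evaluate(policy, PINGBACK, now + timedelta(hours=25))]  # exception lapsed
    return decisions
```

Inside WordPress itself the same two outcomes are reached with the xmlrpc_enabled and xmlrpc_methods filters; a host would normally apply this check at the WAF or web-server layer, before PHP runs at all.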

Provide simple .htaccess presets for headers such as Content-Security-Policy and X-Frame-Options so you limit client-side risks without editing code. Default to modern protocols (HTTP/2, HTTP/3) and deprecate weak ciphers and old TLS versions.

Offer a guided process to find and retire legacy subdomains, old integrations, and test endpoints. Surface a short checklist to close common exposures, and give toggles to block directory indexing and hotlinking.

Keep legacy features behind explicit, time-bound permissions so these exceptions don’t linger and create new issues later.

Monitoring, logging, and alerting you don’t have to babysit

Logs and alerts should work like a smoke detector for your website — loud and specific. That means your host must capture activity across logins, file changes, plugin installs, and version updates so you can spot trouble fast.

Comprehensive audit logs act as a black box: they record who signed in, what files changed, and when updates ran. Store those records off the site and protect them from tampering so they remain reliable for detection and forensics.

Real-time alerts must include severity, context, and clear next steps. You want notifications for repeated failed logins, bursts of file changes, or privilege bumps — with links to the tools that let you diff, revert, or quarantine suspicious items.

Capability | What it captures | Alert type | Actionable result
--- | --- | --- | ---
Audit logs | Logins, file mods, installs, version changes | Informational / Forensic | Exportable reports for audits
Real-time alerts | Failed logins, file change spikes, privilege changes | Warning / Critical | Guided steps + links to diff/revert
Retention & export | 30–90 days default; longer for compliance | Policy | Downloadable CSV or SIEM feed
Integrations | Email, Slack, webhook, SIEM | Notification | Alerts where you work; faster response

  • Log everything that matters: logins, plugin/theme installs, file changes, and version updates.
  • Keep retention sane by default and offer longer storage for regulated sites without complex setup.
  • Protect logs off web paths and prevent tampering from compromised accounts.
  • Integrate with your tools so alerts reach you in Slack, email, or a webhook.
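As an added example, not part of the original article or any host's product, here is the alert logic from the table above run over a constructed audit log: repeated failed logins from one IP, a burst of file changes, and a promotion to administrator each produce an alert with severity, context and a next step. The event names, line format and thresholds are assumptions chosen for the demo.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Thresholds are assumptions for the demo; a host would make them tunable per site.
FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW = 5, timedelta(minutes=10)
FILE_BURST_LIMIT, FILE_BURST_WINDOW = 10, timedelta(minutes=5)


@dataclass(frozen=True)
class Alert:
    severity: str    # "Warning" or "Critical", as the table above distinguishes them
    kind: str
    context: str
    next_step: str


def parse_line(line: str):
    """Split '<ISO timestamp> <event> key=value ...' into (time, event, fields)."""
    ts, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), event, fields


def window_tripped(window: deque, ts: datetime, limit: int, span: timedelta) -> bool:
    """Sliding window counter: once `limit` events fall inside `span`, fire and reset."""
    window.append(ts)
    while ts - window[0] > span:
        window.popleft()
    if len(window) >= limit:
        window.clear()
        return True
    return False


def detect(lines) -> list:
    alerts, failed_by_ip, file_mods = [], defaultdict(deque), deque()
    for line in lines:
        ts, event, f = parse_line(line)
        if event == "login_failed":
            if window_tripped(failed_by_ip[f["ip"]], ts, FAILED_LOGIN_LIMIT, FAILED_LOGIN_WINDOW):
                alerts.append(Alert("Warning", "repeated_failed_logins",
                    f"{FAILED_LOGIN_LIMIT} failed logins from {f['ip']} within {FAILED_LOGIN_WINDOW}",
                    "Check that the host's login rate limit or IP deny rule covers this source"))
        elif event == "file_modified":
            if window_tripped(file_mods, ts, FILE_BURST_LIMIT, FILE_BURST_WINDOW):
                alerts.append(Alert("Critical", "file_change_burst",
                    f"{FILE_BURST_LIMIT} file changes within {FILE_BURST_WINDOW}, last: {f['path']}",
                    "Diff against the last clean snapshot and quarantine unexpected files"))
        elif event == "role_changed" and f.get("to") == "administrator":
            alerts.append(Alert("Critical", "privilege_escalation",
                f"{f['user']} promoted from {f['from']} to administrator by {f['by']}",
                "Confirm with the actor; if unauthorized, revert the role and rotate credentials"))
    return alerts


# Constructed sample audit log (not from a real host): one noisy IP, one quiet one,
# a self-promotion to administrator, then ten theme-file edits in twenty seconds.
SAMPLE_LOG = [
    f"2025-03-04T10:00:{s:02d}Z login_failed user=admin ip=203.0.113.7" for s in range(0, 50, 10)
] + [
    "2025-03-04T10:02:15Z login_failed user=root ip=198.51.100.9",
    "2025-03-04T10:04:00Z login_ok user=editor ip=192.0.2.44",
    "2025-03-04T10:05:00Z role_changed user=editor from=editor to=administrator by=editor",
] + [
    f"2025-03-04T10:06:{s:02d}Z file_modified path=wp-content/themes/site/part{s}.php user=editor"
    for s in range(0, 20, 2)
]
```

Feed detect() a host's exported log in the same shape (or adapt parse_line to its format) and route the returned Alert objects to whichever channel the integrations row above describes.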

Vulnerability management and malware response

Spotting known weaknesses quickly lets you prioritize fixes by real risk. Automated scans that know about CVEs reduce the time you spend chasing false leads. They also flag the plugins and themes that truly need urgent attention.

Automated vulnerability scans with CVE awareness

Continuous scanning should check your plugin and theme stack for known vulnerabilities and XSS or CSRF patterns. The scans must map findings to CVE entries and rank them so you can act fast.

Malware cleanup assistance and guided incident response

Your provider should offer built-in malware detection that finds injected code and gives one-click quarantine or cleanup options. Expect a guided incident process: preserve logs, restore a clean backup, rotate credentials, and re-scan.

  • Continuous CVE scanning: flags urgent patches for plugins and themes.
  • Prioritized remediation: guidance that sorts fixes by real risk and impact.
  • One-click quarantine/cleanup: fast removal tools to limit damage and recovery time.
  • Guided incident steps: preserve evidence, restore, rotate creds, and re-scan.
  • SLAs and timelines: clear commitments so recovery doesn’t drag on under attack.
  • Safe-mode or staging restores: validate fixes before returning to production.
  • Root-cause reporting: shows if an outdated plugin or weak access control allowed the breach.
  • Panel runbook: short checklists to coordinate your team during an incident.

“Automated CVE-aware scans plus guided cleanup cut mean recovery time and reduce repeat failures.”

Choosing a WordPress host that meets the security bar

A smart provider reduces your daily risk by bundling essential protections at the platform level.

Evaluate features: WAF/CDN, backups, isolation, updates, 24/7 support

Start by checking core protections that should be included by default. Use the list below to compare providers on essentials like a cloud WAF, CDN, daily offsite backups, strong account isolation, automated patching, and real 24/7 support.

Managed plans often include firewalls, malware scans, daily backups, auto updates, staging, and around-the-clock support. That reduces DIY work across your websites and lowers operational risk.

Managed plans vs. shared plans: what changes for security

Shared plans vary a lot. Some providers limit server controls and offer weak isolation, which can put multiple sites at risk. Always verify isolation, rate limits, and whether important protections are truly included.

  • Use the checklist to compare WAF/CDN, offsite backups, patching, and real 24/7 support.
  • Managed plans typically bundle protections that protect multiple websites and simplify maintenance for you.
  • For high-risk or regulated cases, pick VPS or dedicated plans for stronger isolation and guaranteed resources.
  • Ask about staging, safe updates, and one-click rollbacks so you can test changes without betting the site.
  • Validate support depth—can agents handle a real incident case and guide recovery?
  • Confirm transparency: security reports, uptime SLAs, and clear incident communications so you aren’t left guessing.

Balance cost against the real price of downtime and data exposure. A cheap provider can look cheap until you factor in recovery time and lost trust.

For setup and hardening tips, see WordPress security basics.

Conclusion

Close gaps now so attackers can’t test weak points on your live site. Use this short checklist to push your provider and team to act, not wait for an incident.

Prioritize defaults that matter: edge WAF/CDN, forced HTTPS, strict file permissions, and automatic updates for core, PHP, plugins, and themes. Keep plugin hygiene tight—remove unused items and never install nulled code.

Enforce two-factor authentication, strong passwords, rate limits on the login page, and disable XML-RPC unless you need it. Bake in resilience with frequent backups, tested restores, integrity checks, and clear logs for fast forensics.

Layered defenses plus good defaults reduce noise and cut recovery time. Let the platform carry routine work so you can focus on content and growth with fewer vulnerabilities to worry about.

FAQ

What default protections should your host provide for your site?

Your host should offer a network firewall and a web application firewall (WAF) that block DDoS, SQL injection, and cross-site scripting at the edge. It should also provide automatic OS, server, PHP, and CMS core patching, encrypted-by-default TLS with forced HTTPS, and account isolation on shared servers so other sites can’t affect yours.

How often should backups run and where should they store your data?

Backups should run daily and include both files and the database. They need to be stored offsite with versioned retention and one-click restores. Your provider should test restore times and publish retention windows so you know recovery point and time objectives.

Can a CDN and WAF reduce my exposure to attacks?

Yes. A CDN absorbs traffic spikes and helps mitigate DDoS by caching content globally. A cloud WAF blocks malicious requests and rate limits brute-force attempts and bad bots before they reach your origin server, reducing load and risk.

What login protections should be enforced by my host?

Hosts should support two-factor authentication for admin accounts, enforce strong password rules, limit login attempts, offer IP allow/deny controls, and integrate reCAPTCHA. Extras like custom login URLs and automatic session timeouts help reduce credential-stuffing and hijacking risks.

How do automatic updates and staging environments improve safety?

Automatic updates for core, plugins, themes, and PHP close vulnerabilities quickly. Staging allows you to test updates before pushing them live, preventing downtime from incompatible changes. Your host should also block or alert you about nulled or abandoned extensions.

What file system hardening should be in place?

The host should enforce least-privilege file permissions for admin and content folders, protect wp-config.php, disable dashboard file editing, and prevent PHP execution in upload directories. Proper .htaccess rules should block directory listings and sensitive file access.

How should database access be restricted?

Use a dedicated DB user with only required privileges, custom table prefixes, and host-level controls limiting remote DB access. Regular integrity checks and logging of schema or content changes help detect tampering early.

Why remove legacy protocols and unused services?

Old protocols and unused ports expand your attack surface. Your host should disable legacy TLS versions, replace FTP with SFTP, and turn off any unnecessary services at the server level to reduce vulnerabilities and simplify compliance.

What monitoring and alerting should your host provide?

Look for comprehensive audit logs showing logins, file changes, plugin installs, and version updates. Real-time alerts should be prioritized by severity and include clear guidance on next steps so you don’t have to babysit the site 24/7.

How do vulnerability scans and malware response work?

Hosts should run automated scans that map findings to CVEs and known exploits. If malware is found, they should offer cleanup assistance or guided incident response so you can restore integrity and close the exploited vector quickly.

What questions should you ask when evaluating a managed provider?

Ask about WAF and CDN integration, backup frequency and restore testing, tenant isolation, automatic updates with staging, audit logging depth, and 24/7 support. Also clarify SLAs for incident response and whether malware cleanup is included.

Is managed hosting always more secure than shared plans?

Managed plans typically include hardened defaults, proactive updates, and faster response times, which improve security. However, the actual protection depends on the provider’s features and operational practices, not just the plan name.

How will you know if a plugin or theme poses a risk?

Your host should flag abandoned or blocklisted plugins and themes. You should also review plugin reputation, last update date, and changelog. Prefer well-maintained extensions from reputable vendors and minimize the total number installed.

What immediate steps should you take after a suspicious login or file change?

Immediately change admin passwords, force 2FA re-enrollment, review recent backups and logs, and put the site in maintenance mode. Contact your host for incident support and consider rolling back to a clean backup while they investigate.

How do you balance performance and protection without breaking functionality?

Use a staging site to test rule changes, WAF rules, and update behavior. Tune rate limits and caching rules incrementally and monitor site activity. Good hosts offer granular controls so you can tailor defenses to your traffic and features.

Jordan Unegbu
Content Marketer
Competitors call it luck. My clients call it the fastest hosting they’ve ever seen. I call it Tuesday.