32 steps to WordPress website security ultimate checklist: Step 1 ~ 5

Website security is an important issue that many new WordPress users easily overlook, and keeping a WordPress site secure is a hard problem for people who have only just started using it. This tutorial series walks you through a set of steps to protect your WordPress website. We have divided them into 32 steps; this article covers Steps 1 ~ 5 of the WordPress website security ultimate checklist.

1. Keep using the latest version of WordPress

Many WordPress users disable automatic updates of the WordPress core because they are worried that “an upgrade may cause plugin incompatibility issues”.

This is a very wrong idea.

Compare the two cases: on one side, a site with a vulnerability that may be hacked; on the other, a site with a temporarily incompatible plugin. Which problem do you think is more serious?

Plugins are occasionally incompatible with the latest version of WordPress, but usually only for a very short period of time. A hacked site is the more serious problem. Each WordPress core update fixes many newly discovered vulnerabilities. If your WordPress core is not updated, your site may be exposed to these vulnerabilities.

By default, WordPress allows automatic updates of minor versions but does not allow automatic updates of major versions. For example, if you are installing WordPress 4.2.1 now, your site will be automatically updated to 4.2.1. If WordPress 4.3 is released in the future, your site will not be automatically updated to that version; you need to click the button in the admin dashboard to upgrade manually.

Of course, you can configure this yourself in wp-config.php. Put the following line of code in the proper location in the wp-config.php file:

define ('WP_AUTO_UPDATE_CORE', true );

This constant defines which WordPress core updates are applied automatically. There are three states:

  • true: allows automatic updates of major, minor, and development versions;
  • false: prohibits automatic updates of major, minor, and development versions;
  • minor: allows automatic updates of minor versions, but does not allow automatic updates of major and development versions.

The default parameter is minor, which you can also modify to true or false.

2. Do not modify the WordPress core code

Once you or your programmers have edited the WordPress core code, you can no longer use WordPress’s auto-upgrade feature to update to the latest version, because after an automatic update all the edits you made to the core code are lost.

In this case, if a new vulnerability is found in WordPress and your website cannot be upgraded in a timely manner, your website may be in danger. You’ll have to fix these bugs manually, which is time-consuming, and the website is at risk if you don’t.

So, what do you do when you want to change how WordPress behaves? The answer is simple: write a plugin dedicated to your own website (or get one from the WordPress plugin repository). Plugins allow you to achieve the functionality you want without having to change the WordPress core code.

The same logic applies to your plugins and themes. If you fine-tune plugins and themes by editing their code, you will also be unable to update them to the latest version. Without updating, the site is not safe.

For plugins and themes, there are corresponding solutions that let you add the required functionality without modifying the plugin and theme code. If your developer recommends that you directly modify the plugin and theme code, we recommend that you change developers immediately.

3. Make sure all plugins are updated to the latest version

Like the WordPress core, third-party WordPress plugins (and themes) may also be vulnerable. As we described in our article on the report on WordPress security trends for the first quarter of 2016, vulnerabilities in popular plugins are an important reason why many WordPress sites were hacked.

We have no intention of re-listing the names of these plugins in this article. Vulnerabilities are a problem that most software cannot avoid. However, how a company deals with software vulnerabilities once they are exposed shows the level of its maintenance personnel.

Many times, as soon as a problem is discovered, the developer of the plugin will immediately fix and release the updated version.

It is then your responsibility to immediately update the plugin to the latest version, otherwise, your website may be hacked.

Whether you are upgrading manually or automatically, remember to keep the plugin updated.

You can enable automatic updates for plugins from the WordPress plugin directory: just put the following code into your WordPress theme’s functions template, functions.php:

add_filter ('auto_update_plugin', '__return_true' );

However, this statement only works for plugins downloaded from the official plugin directory. Plugins downloaded from other commercial sites have their own update mechanisms, and you also need to keep them updated.

4. Remove all inactive plugins

The more plugins you install, the more likely it is that one of them is vulnerable.

Sometimes we install plugins to test their functionality and then forget to remove them. If these plugins turn out to have a vulnerability, your site could become a target (especially if you haven’t upgraded to the latest version).

Even if these plugins are not activated, your website may be attacked.

To minimize the risk, the safest way is to completely remove unused plugins. Finding out which plugins are unused is very simple: if a plugin is not enabled (activated), it is not in use.

Delete these plugins.

Similarly, plugins that have been activated but are not used should be removed. One more point: do not test plugins on your production site. Create a test copy of the site (locally, or on another server) and test the plugin on that copy.
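One way to see which plugins step 4 asks you to delete, as an added example that is not part of the original article: a small site-specific plugin that lists installed but inactive plugins in the dashboard. It assumes a single-site install; the plugin name and the function site_inactive_plugins are hypothetical.

```php
<?php
/**
 * Plugin Name: Inactive Plugin Reminder (added example)
 * Description: Shows administrators which installed plugins are not active.
 */
defined( 'ABSPATH' ) || exit; // Refuse to run outside WordPress.

/**
 * Return installed plugins that are not active, keyed by plugin file.
 * Hypothetical helper name; get_plugins() and is_plugin_active() are core functions.
 */
function site_inactive_plugins() {
	require_once ABSPATH . 'wp-admin/includes/plugin.php';

	$inactive = array();
	foreach ( get_plugins() as $file => $headers ) {
		if ( is_plugin_active( $file ) ) {
			continue; // In use on this site: not a removal candidate.
		}
		$inactive[ $file ] = $headers['Name'] . ' ' . $headers['Version'];
	}
	return $inactive;
}

// Show the list only to users who are allowed to delete plugins.
add_action( 'admin_notices', function () {
	if ( ! current_user_can( 'delete_plugins' ) ) {
		return;
	}
	$inactive = site_inactive_plugins();
	if ( empty( $inactive ) ) {
		return;
	}
	echo '<div class="notice notice-warning"><p>';
	echo esc_html( 'Installed but inactive plugins (delete if unused): ' . implode( ', ', $inactive ) );
	echo '</p></div>';
} );
```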

5. Make sure all themes are updated to the latest version

Timely upgrades to the latest version apply not only to the WordPress core and WordPress plugins but also to WordPress themes. To keep your WordPress site safe, you need to update all your themes to the latest version. Otherwise, any bug that has been fixed in the theme will still exist on your site.

You might think that you have made a lot of adjustments to personalize the theme, and that if you upgrade it, those changes will be lost. The correct solution to this problem is to make all theme tweaks in a child theme instead of directly modifying the original theme. This way, you can upgrade the WordPress theme directly to the latest version without worrying about affecting your website.

If you want to be thorough, you can also remove all the other unused themes.

Similarly, you can have themes upgraded automatically to the latest version. You just need to put the following code into the theme’s functions template file, functions.php:

add_filter ('auto_update_theme', '__return_true' );

Of course, this only works for themes downloaded from the official theme directory.

Other commercial themes have their own update mechanisms, and you also need to keep them updated.

If you are not comfortable editing the WordPress wp-config.php and functions.php files, you can also install the Advanced Automatic Updates plugin, which can configure all of the settings above.
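The two one-line filters from steps 3 and 5 can live in the site-specific plugin that step 2 recommends, so they keep working when the theme is switched or updated. This is an added example, not code from the original article; the plugin name, the function site_auto_update_plugin, the constant SITE_HOLD_BACK_PLUGINS and the slug example-shop-plugin are hypothetical.

```php
<?php
/**
 * Plugin Name: Site Auto-Update Policy (added example)
 * Description: Keeps the auto-update filters out of the theme's functions.php.
 */
defined( 'ABSPATH' ) || exit; // Refuse to run outside WordPress.

// Hypothetical hold-back list: plugin slugs that are tested on a staging copy
// first. Anything listed here must then be updated by hand without delay.
const SITE_HOLD_BACK_PLUGINS = array( 'example-shop-plugin' );

/**
 * Decide whether one plugin may update automatically.
 *
 * @param bool|null $update Decision made so far by WordPress or other filters.
 * @param object    $item   Update offer; plugins from the official directory carry a slug.
 * @return bool|null
 */
function site_auto_update_plugin( $update, $item ) {
	$slug = isset( $item->slug ) ? $item->slug : '';

	if ( '' === $slug ) {
		return $update; // Nothing to match on: leave the decision unchanged.
	}
	if ( in_array( $slug, SITE_HOLD_BACK_PLUGINS, true ) ) {
		return false; // Held back for manual testing and manual update.
	}
	return true; // Everything else updates as soon as a release is offered.
}
add_filter( 'auto_update_plugin', 'site_auto_update_plugin', 10, 2 );

// Themes: update all of them automatically, same effect as the one-line filter.
add_filter( 'auto_update_theme', '__return_true' );
```

As the article notes, these filters only affect plugins and themes from the official directories; commercial ones still rely on their own update mechanisms.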


(Unfinished, continue reading…)


About the Author: WPC Staff

WPCrons staff has long-term experience of WordPress & like to constantly spot problems and plotting how to solve them. We believe you don't need to be a nerd or a programmer or a network engineer to make a difference.
