You don’t have to be a developer to keep your WordPress site safe.
Most hacked sites aren’t targeted personally. Bots just scan the internet looking for easy targets:
- weak passwords
- outdated plugins
- no backups
- default settings
If you fix these basics, you’re already ahead of a huge chunk of WordPress sites.
Here’s a plain-English WordPress security checklist you can follow, even if you hate anything “technical”.
1. Fix Your Admin Login Details
✅ Use a strong, unique password
If your password is something like:
- 123456
- password
- yourname123
…you’re basically inviting bots in.
Use a password manager (or your browser’s built-in suggestion) and choose:
- At least 12+ characters
- Mix of letters, numbers, and symbols
- Completely different from any other account
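To show what those three rules look like when written down as an actual check, here is a small password policy function. It is an added example, not code from the article or from WordPress: the weak-password list is constructed (it holds the passwords called out above plus a few obvious variants; a real check would consult a far larger breached-password list), and the "does not contain the username" rule is an extra check of the kind a practitioner would add, since `yourname123` fails mostly because it is built from the account name.

```python
import string

# Constructed list of passwords bots try first; the article's own examples
# plus a few classics. A production check would use a large breached-password list.
KNOWN_WEAK = {"123456", "password", "admin", "letmein", "qwerty"}


def check_password(password: str, username: str = "") -> list[str]:
    """Return the policy rules this password fails (an empty list means it passes).

    Rules follow the article: 12+ characters, a mix of letters, digits and symbols,
    and nothing a bot would guess first (a known weak password, or a password
    that contains the account's own username).
    """
    problems = []
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    if not any(c.isalpha() for c in password):
        problems.append("no letters")
    if not any(c.isdigit() for c in password):
        problems.append("no digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbols")
    lowered = password.lower()
    if lowered in KNOWN_WEAK:
        problems.append("known weak password")
    if username and username.lower() in lowered:
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, checked against a constructed username.
    for pw in ["123456", "password", "yourname123", "Tq7!mWp2#vLx9rN"]:
        print(f"{pw!r}: {check_password(pw, username='yourname') or 'OK'}")
```

Note that the function reports every failing rule rather than stopping at the first one, so a user who is told "too short, no symbols, contains the username" can fix all three at once instead of being bounced repeatedly.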
✅ Don’t use “admin” as the username
If your username is admin, hackers already know 50% of your login.
- Go to Users → Add New
- Create a new Administrator account with a unique username
- Log in with the new account
- Delete the old admin user (reassign posts to the new user)
2. Turn On Two-Factor Authentication (2FA)
Even if someone gets your password, 2FA adds another lock.
2FA = when you log in, you need:
- Your password
- A one-time code from an app on your phone (like Google Authenticator / Authy)
You can:
- Use a lightweight security plugin that supports 2FA, or
- Use a dedicated 2FA plugin
Once set, logging in takes a few extra seconds—but it makes brute-force attacks almost useless.
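The apps named above (Google Authenticator, Authy) generate their codes with the TOTP algorithm from RFC 6238: a secret shared between your site and your phone, hashed together with the current 30-second time window. The block below is an added example, not code from the article or from any WordPress plugin, showing how a server verifies such a code and why the password alone no longer gets anyone in. The account, its password and the salt are constructed; the TOTP secret is the published RFC 6238 reference test key, so the expected codes are the RFC's own test vectors.

```python
import base64
import hashlib
import hmac
import struct

STEP_SECONDS = 30  # time step used by Google Authenticator and Authy
DIGITS = 6


def totp(secret_b32: str, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the time-step counter, dynamically truncated to 6 digits."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(at_time) // step
    digest = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = (struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF) % (10 ** DIGITS)
    return f"{code:0{DIGITS}d}"


def verify_totp(secret_b32: str, submitted: str, at_time: int, window: int = 1) -> bool:
    """Accept the code for the current step or one step either side, to tolerate clock drift."""
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, at_time + drift * STEP_SECONDS)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


SALT = b"constructed-demo-salt"  # constructed; real code uses a random per-user salt


def hash_password(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), SALT, 100_000)


# Constructed demo account. The TOTP secret is the RFC 6238 reference key
# ("12345678901234567890" in base32), so the codes match the RFC test vectors.
USERS = {
    "siteowner": {
        "pw_hash": hash_password("Tq7!mWp2#vLx9rN"),
        "totp_secret": "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ",
    }
}


def login(username: str, password: str, code: str, now: int) -> bool:
    """Both factors must pass: a correct password AND a correct one-time code."""
    user = USERS.get(username)
    if user is None:
        return False
    pw_ok = hmac.compare_digest(hash_password(password), user["pw_hash"])
    code_ok = verify_totp(user["totp_secret"], code, now)
    return pw_ok and code_ok


if __name__ == "__main__":
    print(totp(USERS["siteowner"]["totp_secret"], 59))  # RFC 6238 vector at T=59
```

The point a non-technical owner should take from this: a stolen or guessed password gives an attacker the `pw_ok` half only; the code changes every 30 seconds and is derived from a secret that never leaves your phone and the site, so a password list on its own cannot produce it.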
3. Keep WordPress, Themes, and Plugins Updated
Outdated software is one of the biggest reasons sites get hacked.
✅ What to update
- WordPress core
- Themes (especially the one you’re using)
- Plugins
✅ Simple routine
Once a week:
- Log in to your dashboard
- Go to Dashboard → Updates
- Update everything that shows as “Update available”
If you’re scared something might break:
- Update one thing at a time (first plugins, then themes, then WordPress)
- Check your homepage after each update
4. Delete What You Don’t Use
Every extra plugin or theme is an extra door into your site.
✅ Remove unused themes
- Go to Appearance → Themes
- Keep:
  - Your active theme
  - One default WordPress theme (like Twenty Twenty-Four)
- Delete the rest
✅ Remove unused plugins
- Go to Plugins → Installed Plugins
- Deactivate anything you don’t use
- Then click Delete
If you’re not using it and you don’t fully trust it, it shouldn’t live on your site.
5. Limit Login Attempts
Bots try thousands of passwords automatically. You can block them quickly.
Install a login-limiting plugin (like “Limit Login Attempts Reloaded” or similar):
- It blocks IPs that fail too many times
- This stops endless password-guessing attempts
Defaults are usually fine:
- 3–5 attempts before lockout
- Lockout for 20–60 minutes
You don’t need to touch code. Just install, activate, and check basic settings once.
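This is what such a plugin does behind the scenes. The block below is an added example, not the code of any named plugin or of WordPress: it keeps a per-IP list of recent failures, starts a lockout once the limit is reached (5 attempts and 20 minutes, the upper and lower ends of the defaults quoted above), and replays a constructed sequence of login events so you can see the lockout start, block further tries, and expire. The IP addresses are from the documentation ranges and are constructed.

```python
from collections import defaultdict, deque

MAX_ATTEMPTS = 5            # article: 3-5 attempts before lockout
LOCKOUT_SECONDS = 20 * 60   # article: 20-60 minute lockout
ATTEMPT_WINDOW = 20 * 60    # failures older than this no longer count toward the limit


class LoginLimiter:
    def __init__(self, max_attempts=MAX_ATTEMPTS, lockout=LOCKOUT_SECONDS, window=ATTEMPT_WINDOW):
        self.max_attempts = max_attempts
        self.lockout = lockout
        self.window = window
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failed logins
        self.locked_until = {}              # ip -> unix time at which the lockout ends

    def is_locked(self, ip: str, now: int) -> bool:
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # lockout expired: start with a clean slate
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, password_ok: bool, now: int) -> str:
        """Record one login attempt and say what happened to it."""
        if self.is_locked(ip, now):
            return "rejected: locked out"   # password is not even checked
        if password_ok:
            self.failures.pop(ip, None)     # a success clears the failure count
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures outside the window
        if len(recent) >= self.max_attempts:
            self.locked_until[ip] = now + self.lockout
            return "failed: lockout started"
        return "failed"


def replay(events):
    """Feed (time, ip, password_ok) events through a fresh limiter; return the decisions."""
    limiter = LoginLimiter()
    return [limiter.attempt(ip, ok, t) for t, ip, ok in events]


# Constructed events: a bot on 203.0.113.7 guessing passwords, and the real
# owner on 198.51.100.9 logging in normally in the middle of it.
EVENTS = [
    (0, "203.0.113.7", False),
    (10, "203.0.113.7", False),
    (20, "203.0.113.7", False),
    (25, "198.51.100.9", True),
    (30, "203.0.113.7", False),
    (40, "203.0.113.7", False),     # 5th failure: lockout until t=1240
    (50, "203.0.113.7", False),     # still locked
    (1239, "203.0.113.7", True),    # correct password, but one second too early
    (1240, "203.0.113.7", True),    # lockout expired, attempt is evaluated again
]

if __name__ == "__main__":
    for (t, ip, _), decision in zip(EVENTS, replay(EVENTS)):
        print(f"t={t:5d} {ip:15s} {decision}")
```

One caveat worth knowing even if you never touch the settings: the lockout is keyed on the visitor's IP address. If your site sits behind a CDN or reverse proxy, every visitor can appear to come from the proxy's address, and a bot's failures would lock out everyone, including you. Plugins of this kind usually have an option to read the real client address from the proxy; if you use a CDN, check that it is set.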
6. Install a Simple Security Plugin (Not a Monster Suite)
You don’t need a huge “all-in-one” security system with 50 screens.
Look for a simple, well-rated security plugin that can:
- Scan for basic issues
- Harden some default settings
- Add a firewall or basic protection
Set it up once, follow the recommended settings, and then leave it alone.
If the plugin constantly screams at you with red warnings and upsells, it’s probably overkill for a small site.
7. Make Automatic Backups (Non-Negotiable)
No matter how secure you are, things can still go wrong:
- You click something wrong
- A plugin update breaks the site
- Server issue wipes data
Backups are your safety net.
✅ What a good backup setup looks like
- Automatic (daily or weekly)
- Stored off-site (Google Drive, Dropbox, or remote storage—not only on your hosting)
- Easy “one-click restore” option
Many hosting providers include backups. If yours does:
- Log into your hosting panel
- Confirm:
  - How often backups are taken
  - How long they’re kept
  - How to restore if needed
If your host doesn’t handle it well, use a backup plugin with cloud storage.
8. Use HTTPS (SSL Certificate)
If your site still shows “Not Secure” in the browser, that’s bad for:
- Trust
- SEO
- Security
Most hosts now offer free SSL.
Checklist:
- Ask your host or check their panel for “Free SSL / Let’s Encrypt”
- Turn it on for your domain
- Use a plugin or your host’s tool to force HTTPS on all pages
Your site URL should start with https:// and show a padlock icon in the browser.
9. Secure Your Hosting Account Too
WordPress security doesn’t matter if your hosting login is weak.
- Use a strong, unique password for your hosting account
- Turn on 2FA if your host offers it
- Never share your main login with random freelancers; create separate accounts or temporary access if needed
Also, avoid super-cheap, garbage hosting. If your host is constantly infected or slow, that’s a risk no matter what you do in WordPress.
10. Clean Up User Accounts and Access
If multiple people log in to your site, you need to control who can do what.
✅ Check user roles
Go to Users → All Users and check:
- Only you (or people you fully trust) are Administrators
- Writers/editors are set to Author or Editor, not Admin
- Remove old accounts for people who no longer work with you
Never give “temporary admin access” and forget to remove it later. That’s how sites get messed up months later.
11. Create a Simple Monthly Security Routine
You don’t need to live inside your dashboard, but you also can’t ignore it for a year.
Here’s a basic monthly checklist:
- Update WordPress, plugins, and themes
- Check backups are still running
- Remove any plugin/theme you tried and abandoned
- Skim your security plugin dashboard for alerts
- Review user accounts (no unknown admins)
Set a recurring reminder on your phone or calendar. 10–15 minutes per month is enough for most small sites.
Quick Recap: WordPress Security Checklist for Non-Techy Owners
- Strong, unique admin password
- No admin username
- 2FA turned on for logins
- WordPress, themes, plugins updated regularly
- Unused plugins/themes deleted
- Login attempts limited
- Simple security plugin installed
- Automatic backups going off-site
- Site using HTTPS (SSL)
- Hosting account secured with strong password + 2FA
- Old/extra user accounts cleaned up
- Basic monthly security routine
You don’t have to be “good with computers” to do this. You just need to go through the list step by step and actually implement it, not just read it.