
WordPress Security Checklist for Small Business Sites

Small business sites get attacked because they are easy, not because they are valuable. Bots scan for weak logins, outdated plugins, and missing backups around the clock. This checklist closes those gaps in an afternoon — no security background required.

Most small business sites are not targeted by a person. They are targeted by automated scripts that crawl the web looking for any WordPress install with a guessable password, an unpatched plugin, or a missing firewall. Your site does not need to be famous to get hit — it needs to be reachable. That is the good news: because the attacks are automated, the defenses are largely a checklist, not an ongoing battle.

Work through the items below in order. The early ones block the most common attacks for the least effort. Set aside an afternoon for the first pass, then follow the monthly routine at the end to keep the site protected over time.

1. Lock Down the Login Page

Brute-force attacks against wp-login.php are the single most common attack on WordPress. A bot tries thousands of username and password combinations until one works. Three changes shut this down.

Stop using "admin" as a username

Half of all brute-force attempts assume the admin username is literally admin. If you have an account named admin, create a new administrator account with a different username, log in as the new account, then delete the old one (assign its content to the new user when prompted).

Use a long, unique password and a manager to hold it

A WordPress admin password should be at least 16 characters and used nowhere else. Do not try to memorize it. Use a password manager such as Bitwarden or 1Password to generate it, then store it. Reused passwords are how a breach on an unrelated site becomes a breach on yours.

Turn on two-factor authentication and limit login attempts

Two-factor authentication (2FA) means an attacker needs your phone, not just your password. Install a plugin such as Wordfence or the free Two-Factor plugin to require a code at login for every administrator. While you are there, enable login attempt limiting so an IP address gets locked out after a handful of failures. That one setting defeats single-source brute-force scripts outright; attempts spread across many addresses are why 2FA still matters.
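A login-limiting plugin does this counting for you, but it helps to see what the plugin is reacting to. The script below is an added example, not code from the article or from any plugin: it reads a web server access log in the common combined format and reports client IPs with repeated failed login attempts. The log lines are constructed, the addresses come from the documentation ranges, and the threshold of 5 is an arbitrary assumption. It treats a POST to wp-login.php that returns 200 as a failure (WordPress re-renders the form) and a 302 as the redirect after a successful login.

```sh
#!/bin/sh
# Added example (not from the article): find client IPs that repeatedly fail
# to log in, using the web server's access log.
# Assumptions: combined log format (client IP is field 1, the request line is
# quoted, the status code is field 9); POST /wp-login.php with status 200 is a
# failed attempt, status 302 is the redirect after a successful login.

# Constructed sample log lines; not real traffic.
SAMPLE_LOG='203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2410 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:02:00 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"'

write_sample_log() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

# Usage: wp_login_failures LOGFILE [THRESHOLD]
# Prints "ip count" for every IP with at least THRESHOLD (default 5) failed
# login POSTs. This counts across the whole file; a lockout plugin counts
# within a sliding time window and resets after a successful login.
wp_login_failures() {
    awk -v threshold="${2:-5}" '
        $6 == "\"POST" && ($7 == "/wp-login.php" || index($7, "/wp-login.php?") == 1) && $9 == "200" {
            fails[$1]++
        }
        END { for (ip in fails) if (fails[ip] >= threshold) print ip, fails[ip] }
    ' "$1" | sort
}

# Demo run against the constructed log: reports 203.0.113.5 with 6 failures,
# while 198.51.100.7 (one failure, then success) stays under the threshold.
demo_log=$(mktemp)
write_sample_log "$demo_log"
wp_login_failures "$demo_log" 5
rm -f "$demo_log"
```

Run it against a real log with `wp_login_failures /var/log/apache2/access.log` (path is an assumption; your host's log location may differ) to see which addresses a lockout plugin would have blocked.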

2. Keep Core, Themes, and Plugins Updated

Outdated software is the second-largest cause of compromised WordPress sites. When a plugin vulnerability is disclosed, the patch and the exploit go public at the same time — bots start scanning for unpatched sites within hours. Running the current version is your protection.

  • Enable automatic updates for minor core releases. WordPress does this by default. Leave it on. Minor releases are security and bug fixes that rarely break anything.
  • Turn on auto-updates for plugins you trust. In Plugins → Installed Plugins, enable auto-updates per plugin. For a small business site, the convenience usually outweighs the small risk of an update needing a quick fix.
  • Delete what you do not use. Every inactive plugin or theme is still code on your server that can carry a vulnerability. Deactivating is not enough — delete anything you are not actively using.
  • Only install from reputable sources. Stick to the WordPress.org repository or established commercial developers. Avoid "nulled" (pirated premium) plugins entirely; they are a common delivery method for malware.

If you want to confirm none of your current plugins have a known flaw, our guide on how to check if your WordPress plugins have security vulnerabilities walks through auditing them against the public databases.

3. Set Up Automatic Off-Site Backups

A backup is not a security control, but it is the thing that turns a disaster into an inconvenience. If a site is ever compromised, a clean recent backup lets you restore in minutes instead of rebuilding from nothing.

Two rules make a backup trustworthy:

  1. It runs automatically on a schedule. Manual backups get forgotten. Use a plugin such as UpdraftPlus to run daily for an active site, or weekly for a brochure site that rarely changes.
  2. It is stored off the server. A backup sitting on the same server as the site disappears with the site. Send copies to Google Drive, Dropbox, or Amazon S3 so they survive a server failure or a hack.

Once a backup is running, test a restore at least once. A backup you have never restored is a guess, not a guarantee.

4. Force HTTPS Across the Whole Site

HTTPS encrypts the connection between your visitors and your server, which protects passwords, form submissions, and checkout data in transit. It is also a Google ranking factor, so there is no reason to skip it. Nearly every host now issues a free Let's Encrypt certificate in one click.

After the certificate is active, confirm the whole site loads over https:// with no "mixed content" warning in the browser. If a padlock is missing on some pages, a few resources are still loading over plain HTTP. The Really Simple SSL plugin fixes most of these automatically by rewriting insecure URLs.
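The browser's padlock tells you that something is still loading over HTTP, not what. This added example (not from the article or from the Really Simple SSL plugin) lists the http:// resource URLs in a saved copy of a page, which is the list a rewriting plugin would fix. The HTML is constructed; it assumes each tag sits on one line, since grep works line by line, and it deliberately ignores plain `<a>` links because those do not trigger the mixed-content warning.

```sh
#!/bin/sh
# Added example (not from the article): list http:// resource URLs in a saved
# HTML page, i.e. the references that cause a browser's mixed-content warning.
# Assumption: each resource tag is on a single line (grep is line-based), so a
# tag split across lines would be missed.

# Constructed sample page; not a real site.
write_sample_page() {
    cat > "$1" <<'EOF'
<!doctype html>
<html><head>
<link rel="stylesheet" href="http://example.com/wp-content/themes/demo/style.css">
<script src="https://example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://example.com/wp-content/uploads/logo.png" alt="logo">
<a href="http://example.com/about/">About</a>
<iframe src="https://example.com/embed/"></iframe>
</body></html>
EOF
}

# Usage: mixed_content_urls FILE
# Prints each distinct http:// URL loaded as a resource (script, stylesheet,
# image, frame, media). Plain <a> links are skipped. Returns 1 if any found.
mixed_content_urls() {
    found=$(grep -oE '<(img|script|link|iframe|source|video|audio|embed)[^>]*(src|href)="http://[^"]*"' "$1" \
        | grep -oE 'http://[^"]*' | sort -u)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Demo: flags the stylesheet and the logo, not the https script or the link.
page=$(mktemp)
write_sample_page "$page"
mixed_content_urls "$page" || echo "mixed content found: fix these URLs or let a plugin rewrite them"
rm -f "$page"
```

Save a page with `curl -s https://your-site.example/ > page.html` (hostname is a placeholder) and run `mixed_content_urls page.html`; an empty result with exit status 0 means that page is clean.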

5. Add a Firewall and Malware Scanner

A web application firewall (WAF) filters malicious traffic before it reaches WordPress, blocking known attack patterns, bad bots, and traffic from flagged IP ranges. A malware scanner watches your files for unexpected changes that signal a compromise.

You can get both at the plugin level with Wordfence or Sucuri Security. For stronger protection, a cloud firewall such as Cloudflare's or Sucuri's filters traffic before it ever touches your server. At minimum, run a scanner that emails you the moment a core file changes unexpectedly. Early warning is the difference between cleaning one infected file today and rebuilding a fully compromised site next week.

6. Tighten User Roles and File Permissions

Not everyone who touches the site needs to be an administrator. The principle is simple: give each person the lowest role that lets them do their job. A content writer needs Author or Editor, never Administrator. Fewer admin accounts means fewer keys to the front door.

  • Review your user list. Remove old accounts from former staff or contractors. Each dormant account is a target.
  • Match roles to tasks. Reserve the Administrator role for the one or two people who genuinely manage the site.
  • Set sane file permissions. On most hosts the right baseline is 644 for files and 755 for directories, with wp-config.php locked down to 600. Your host's support can confirm or set these for you.
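If you have shell access to the host, the baseline above can be checked and applied with a few `find` commands. The script below is an added example, not code from the article or from any host: it audits a WordPress directory against 644 for files, 755 for directories and 600 for wp-config.php, then applies those modes. It builds a throwaway tree with deliberately wrong modes for the demo; whether this baseline fits your host is an assumption, since some hosts run PHP as a different user than the file owner and need different modes.

```sh
#!/bin/sh
# Added example (not from the article): audit a WordPress tree against the
# baseline (644 files, 755 directories, 600 wp-config.php) and fix it.
# Assumption: this baseline suits your host; confirm with support before
# running wp_perm_fix on a live site.

# Usage: wp_perm_audit DIR
# Prints "<expected-mode> <path>" for every path that is off the baseline.
# Returns 0 when everything matches, 1 otherwise.
wp_perm_audit() {
    mismatches=$( {
        find "$1" -type d ! -perm 755 | sed 's|^|755 |'
        find "$1" -type f ! -name wp-config.php ! -perm 644 | sed 's|^|644 |'
        find "$1" -type f -name wp-config.php ! -perm 600 | sed 's|^|600 |'
    } | sort -k2 )
    [ -z "$mismatches" ] && return 0
    printf '%s\n' "$mismatches"
    return 1
}

# Usage: wp_perm_fix DIR  (applies the baseline to every path under DIR)
wp_perm_fix() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
    find "$1" -type f -name wp-config.php -exec chmod 600 {} +
}

# Constructed throwaway tree with deliberately wrong modes, for the demo.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    : > "$root/index.php"
    : > "$root/wp-config.php"
    chmod 755 "$root" "$root/wp-content"
    chmod 777 "$root/wp-content/uploads"   # world-writable directory
    chmod 666 "$root/index.php"            # world-writable file
    chmod 644 "$root/wp-config.php"        # readable by other users; should be 600
    printf '%s\n' "$root"
}

site=$(make_sample_tree)
echo "before:"
wp_perm_audit "$site" || echo "(3 paths off the baseline)"
wp_perm_fix "$site"
echo "after:"
wp_perm_audit "$site" && echo "all paths match the baseline"
rm -rf "$site"
```

Run `wp_perm_audit /path/to/wordpress` first (path is a placeholder) and read the list before applying `wp_perm_fix`; a long list of 777 entries under wp-content/uploads usually means a plugin or the host set them on purpose, which is worth asking about rather than silently changing.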

7. Harden the Configuration

A few small settings remove easy footholds that attackers rely on.

  • Disable file editing in the dashboard. Add define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php. This stops anyone who breaches an admin account from injecting code through the built-in theme editor.
  • Hide version numbers and directory listings. A current security plugin handles both, removing the breadcrumbs that tell a bot exactly which exploit to try.
  • Protect wp-config.php and .htaccess. These hold your database credentials and server rules. Security plugins can block direct web access to them.
  • Choose a host that hardens the server for you. Much of WordPress security lives below the application — at the server, the network, and the firewall. Good managed hosting handles that layer so you do not have to.
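Adding the DISALLOW_FILE_EDIT line by hand is easy to get wrong once per site, so here is an added example (not code from the article or from WordPress) that checks a wp-config.php for `define( 'DISALLOW_FILE_EDIT', true );` and inserts it if missing. It assumes the file has WordPress's standard "That's all, stop editing" marker line, or failing that the `require_once ... wp-settings.php` line, and places the define just above whichever it finds first; the sample wp-config.php is constructed and abbreviated, with placeholder credentials.

```sh
#!/bin/sh
# Added example (not from the article): make sure wp-config.php carries
# define( 'DISALLOW_FILE_EDIT', true ); and add it if it does not.
# Assumption: the file has the standard "stop editing" marker line or the
# require_once line for wp-settings.php; the define goes just above the first
# of those so it is set before WordPress loads. Otherwise it is appended.

# Constructed, abbreviated wp-config.php; the credentials are placeholders.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'PLACEHOLDER-PASSWORD' );
define( 'DB_HOST', 'localhost' );

/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Usage: wp_config_has_true FILE NAME
# Returns 0 if a line define( 'NAME', true ); is present.
wp_config_has_true() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*'$2'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# Usage: wp_config_set_true FILE NAME
# Idempotent. Refuses to touch a constant already defined with another value,
# so a deliberate define( 'NAME', false ) is reported rather than overridden.
wp_config_set_true() {
    file=$1; name=$2
    if wp_config_has_true "$file" "$name"; then
        return 0
    fi
    if grep -Eq "define\([[:space:]]*'$name'" "$file"; then
        echo "$name is already defined with another value in $file; edit it by hand" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v line="define( '$name', true );" '
        !done && (index($0, "stop editing") || index($0, "wp-settings.php")) { print line; done = 1 }
        { print }
        END { if (!done) print line }
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write in place so the owner and mode (e.g. 600) are kept
    rm -f "$tmp"
}

# Demo: first call inserts the line above the marker, second call is a no-op.
cfg=$(mktemp)
write_sample_config "$cfg"
wp_config_set_true "$cfg" DISALLOW_FILE_EDIT
wp_config_set_true "$cfg" DISALLOW_FILE_EDIT
grep -nE 'DISALLOW_FILE_EDIT|stop editing' "$cfg"
rm -f "$cfg"
```

Take a backup of the real wp-config.php before running `wp_config_set_true /path/to/wp-config.php DISALLOW_FILE_EDIT` (path is a placeholder); the function keeps the file's permissions, which matters once it is set to 600.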

A Simple Monthly Security Routine

Security is not a one-time project. Set a recurring 20-minute reminder on the first of each month and run through this short list:

  1. Apply any pending core, theme, or plugin updates.
  2. Confirm the most recent automatic backup completed, then spot-check that the file exists in off-site storage.
  3. Review the user list and remove anyone who no longer needs access.
  4. Check the malware scanner log for flagged changes.
  5. Delete any plugin or theme you stopped using this month.

That routine, on top of the one-time setup above, keeps a small business site ahead of the automated attacks that take down most neglected WordPress installs.

Let Us Handle the Security Layer

If maintaining this checklist sounds like one more thing you do not have time for, that is exactly what managed hosting is for. Our managed WordPress hosting bakes in the server-level firewall, automatic off-site backups, free SSL, and proactive malware scanning, so the heavy lifting happens before anything reaches your dashboard.

Book a free call and we will review your current setup, then tell you exactly where your site stands.

Related reading:

  • How to Check Your Plugins for Vulnerabilities
  • The WordPress Vulnerability Tracker
  • Vortex Media Managed Hosting