WordPress Security Checklist: The Complete Pre-Launch Guide

modified time: February 27, 2026

On This Page

You’ve spent weeks (or months) designing your new WordPress site. The content is polished, the plugins are configured, and you are finally ready to hit “Publish” and share it with the world.

Stop.

The moment your website goes live and the DNS propagates, automated bots will begin scanning it within hours. If you haven’t locked down your configuration before launch, you are exposing a vulnerable asset to a highly hostile environment. Security cannot be an afterthought; it must be a prerequisite for launching.

This comprehensive pre-launch security checklist covers the exact steps professionals take to harden a WordPress site before it ever sees public traffic.

Phase 1: Server & Environment Setup

Security begins at the foundation. Before touching the WordPress dashboard, ensure your server is configured securely.

1. Verify PHP Version

Running an outdated version of PHP is a massive security vulnerability.

[ ] Confirm your server is running PHP 8.2 or 8.3.
[ ] Disable older PHP versions in your hosting control panel.

2. Install and Force SSL/TLS

An unencrypted site will be penalized by Google and flagged by browsers.

[ ] Install a valid SSL certificate (Let’s Encrypt is standard).
[ ] Force HTTPS redirection (301 redirect from HTTP to HTTPS).
[ ] Fix any “Mixed Content” errors (ensure all images and scripts load over HTTPS).

3. Change the Default Database Prefix

Automated SQL injection attacks often target the default wp_ table prefix.

[ ] Change your database prefix to something unique (e.g., fs92x_) before installing WordPress, or use a plugin to change it if already installed.

Phase 2: Core WordPress Hardening (`wp-config.php`)

Your wp-config.php file controls the core security behavior of your site. (See our deep dive on wp-config.php for exact code snippets).

[ ] Disable Debug Mode: Ensure WP_DEBUG and WP_DEBUG_DISPLAY are set to false to prevent leaking server paths.
[ ] Disable File Editing: Add define( 'DISALLOW_FILE_EDIT', true ); to prevent attackers from editing themes/plugins via the dashboard.
[ ] Generate Unique Auth Keys: Update your WordPress salts and security keys using the official WordPress API.
[ ] Move/Protect wp-config.php: Ensure your configuration file cannot be accessed publicly via .htaccess or Nginx rules.

Phase 3: Access Control & User Security

The most common way hackers break into WordPress is by walking right through the front door using compromised credentials.

1. Audit User Accounts

[ ] Delete the default admin username.
[ ] Ensure all Administrator accounts have unique, unpredictable usernames.
[ ] Remove any temporary developer or staging accounts that are no longer needed.
[ ] Set the “New User Default Role” to Subscriber (under Settings → General).

2. Enforce Strict Login Rules

[ ] Require Strong Passwords: Force all high-level users to use 20+ character passwords.
[ ] Enable Two-Factor Authentication (2FA): This is mandatory for Administrators and Editors.
[ ] Limit Login Attempts: Install a mechanism to lock out IPs after 3-5 failed login attempts.

Phase 4: Network & Application Protection

Now we build the walls around the application itself.

[ ] Install a Web Application Firewall (WAF): Set up a cloud firewall (like Cloudflare) or an endpoint firewall (like Wordfence) to block malicious traffic and SQL injections.
[ ] Disable XML-RPC: If you aren’t using the Jetpack plugin or WordPress mobile app, block xmlrpc.php to close a major brute-force backdoor.
[ ] Disable Directory Browsing: Ensure visitors cannot view a list of files inside your /wp-content/uploads/ or plugin directories.
[ ] Hide WordPress Version: Remove the meta generator tag that broadcasts your exact WordPress version to hackers.

Phase 5: Cleanup & Maintenance Prep

Leftover files from the development phase are a goldmine for attackers.

[ ] Delete Unused Themes: Keep your active theme and one default fallback theme (e.g., Twenty Twenty-Four). Delete the rest.
[ ] Delete Inactive Plugins: Do not just deactivate them; delete them completely from the server.
[ ] Remove Backup/Staging Files: Ensure there are no .zip, .sql, or .bak files sitting in your public directories. (Attackers scan for these constantly).
[ ] Set Up Automated Backups: Configure your backup solution to send daily encrypted backups to an off-site location (like Amazon S3 or Google Drive).

Phase 6: The Final Pre-Launch Audit

You’ve checked all the boxes. Now, you need to verify from the outside that your defenses are actually working. This is where FunSentry becomes your most valuable pre-launch tool.

Before you point your live domain to the site or remove your password protection, run your URL through a vulnerability scanner.

FunSentry’s Pre-Launch Checks will verify:

Sensitive File Exposure: Did you accidentally leave a debug.log or database dump accessible?
User Enumeration: Is the REST API leaking your new, secure admin usernames?
Security Headers: Are your HSTS and X-Frame-Options configured correctly for maximum browser protection?
Information Disclosure: Is your server exposing detailed software version tags?

Summary Checklist

Keep this quick-reference guide handy for every site you build:

Category	Task	Status
Server	PHP 8.2+, SSL forced, unique DB prefix	🔲
Config	Debug off, File editor disabled, Salts updated	🔲
Users	No ‘admin’, 2FA required, login attempts limited	🔲
Firewall	WAF active, XML-RPC blocked	🔲
Cleanup	Unused plugins/themes deleted, `.sql` files removed	🔲
Backups	Automated, off-site, tested	🔲

Are you truly ready to launch?

Don’t let a simple configuration error ruin your launch day. Run a comprehensive, free pre-launch security audit at FunSentry to verify your checklist and go live with total confidence.

Free Security Scan

Check your WordPress site's security posture — it only takes 30 seconds.

Scan My Site Now