A WordPress security checklist for agencies is a repeatable set of hardening and monitoring steps applied to every site you manage: keep core, plugins and themes updated; enforce 2FA and strong roles; lock down file permissions; force SSL; run a firewall and malware scanner; back up off-site; and monitor the whole fleet for downtime, failed updates and signs of compromise.
Most WordPress hacks are boring. They exploit an outdated plugin, a reused admin password, or a forgotten staging site, not some zero-day. For an agency running 20, 50 or 200+ client sites, the risk isn’t that any single site is weak; it’s that a weakness anywhere becomes your incident, your reputation, and your unbillable Saturday. The fix is consistency: the same baseline on every site, checked the same way, every week. This checklist is built to be copied into your runbook and applied across a fleet.
The fleet mindset: secure every site the same way
One-off hardening doesn’t scale. The site you forgot to patch is always the one that gets popped. Agencies need three things working together:
- A baseline, a defined security standard every client site must meet.
- A schedule, updates, scans and backup checks on a fixed cadence, not “when someone remembers”.
- Visibility, one place to see the security state of all sites at once, so drift and failures surface immediately.
That last point is where a multi-site dashboard earns its place. Siteward pulls update status, backup health and uptime from every connected site into a single screen, so you can apply this checklist as a routine instead of logging into each wp-admin one by one. The rest of this guide is the baseline itself.
The complete WordPress security checklist
Work top to bottom. Items are grouped by area; the table below is the copyable summary, and the sections after it explain the why and how.
| Area | Action | Cadence |
|---|---|---|
| Updates | Patch core, plugins, themes; remove unused ones | Weekly |
| Logins | Enforce 2FA on all admin accounts | Once + audit quarterly |
| Logins | Strong unique passwords; limit login attempts | Ongoing |
| Roles | Least privilege; remove stale/unknown users | Quarterly |
| Files | Correct permissions; disable file editing | Once + verify on changes |
| SSL | Force HTTPS site-wide; auto-renew certs | Once + monitor expiry |
| Firewall | WAF or host-level firewall enabled | Once + review rules |
| Malware | Scheduled malware/integrity scans | Daily/weekly |
| Backups | Off-site, tested, automated backups | Daily + test restore monthly |
| Monitoring | Uptime + compromise alerts across fleet | Continuous |
1. Updates, patch fast, prune ruthlessly
Outdated software is the number-one entry point. Apply core, plugin and theme updates weekly at minimum, and treat security releases as urgent (same-day). Just as important: delete what you don’t use. Every deactivated-but-installed plugin is still attackable code on disk. Remove abandoned plugins, default themes you’ll never use, and leftover demo content. Test updates on staging where stakes are high, but don’t let “we’ll test it later” become a six-month patching gap. See our resources for a fleet update workflow.
2. Logins and 2FA, assume passwords leak
Credentials get phished, reused and dumped. Enforce two-factor authentication on every administrator account, non-negotiable for agency staff and client admins alike. Layer on: strong unique passwords (a password manager, not a spreadsheet), limited login attempts to blunt brute-force bots, and a renamed or rate-limited login URL if your stack supports it. Never share one admin account across your team; individual accounts mean individual revocation when someone leaves.
3. User roles, least privilege, always
Most users don’t need to be administrators. Give editors the Editor role, contributors Contributor, and reserve Administrator for the few who genuinely manage the site. Audit the user list on every site quarterly and delete accounts you can’t account for, an unknown admin is a breach until proven otherwise. When offboarding a client or a staffer, remove access the same day.
4. File permissions and hardening
Set sane permissions: directories 755, files 644, and wp-config.php tightened to 640 or 600 where the host allows. Disable the built-in theme/plugin file editor by adding define('DISALLOW_FILE_EDIT', true); to wp-config.php, it removes a favourite attacker tool for injecting code through a compromised admin login. Block PHP execution in /wp-content/uploads/, and keep wp-config.php out of any public backup folder.
5. SSL/HTTPS everywhere
Force HTTPS site-wide and redirect all HTTP traffic. Free certificates via Let’s Encrypt make this a non-issue on cost, the only real risk is a cert silently expiring and breaking a client site. Enable auto-renewal and monitor expiry dates so a lapsed certificate never becomes a Monday-morning emergency.
6. Firewall / WAF
A web application firewall filters malicious requests, SQL injection attempts, known exploit patterns, bad bots, before they reach WordPress. Use a host-level or edge WAF (Cloudflare and many managed hosts include one) or a reputable plugin-based firewall. Whatever you choose, apply it as a fleet standard so no site is the soft target, and review the rule set periodically rather than installing and forgetting.
7. Malware scanning and integrity monitoring
Schedule regular malware and file-integrity scans so injected backdoors, spam pages and modified core files surface within hours, not when Google flags the domain. Pair scanning with a clear remediation playbook: isolate, identify the entry point, clean or restore from a known-good backup, then patch the hole. Scanning that nobody acts on is theatre, own the response, not just the alert.
8. Backups, off-site, automated, tested
Backups are your last line of defence against ransomware, a botched update or a hack you can’t clean. Three rules: automated (daily for active sites), off-site (not on the same server that gets compromised), and tested (a backup you’ve never restored is a guess). UpdraftPlus is the common agency choice. The trap at scale is silent failure, backups that quietly stopped running weeks ago. That’s exactly why backup health belongs on your monitoring dashboard, not just in each site’s settings.
9. Monitor the whole fleet for compromise
Hardening sets the baseline; monitoring tells you when it slips. Across a fleet you want continuous visibility into: sites that go down, updates that are pending or failed, backups that haven’t run, SSL about to expire, and the early signs of compromise, unexpected admin users, a sudden fatal error, a site abruptly offline. The agility win is catching the failed update or the cron that stopped before it becomes a defacement or a data-loss call from the client.
Doing this across 50+ sites without burning out
Every item above is achievable on one site in an afternoon. The agency problem is multiplication: the same checklist times fifty, every week, forever. That’s an operations problem, and it’s solved with a dashboard that surfaces the state of all sites at once instead of making you hunt site by site.
This is the gap Siteward is built for. It’s a lean, self-hosted WordPress management tool, two plugins, a dashboard and a child, that connects unlimited sites and shows pending updates, backup health, uptime and critical errors in one parallel view. Because it’s self-hosted, your clients’ data stays on your server, not a third party’s. Its critical-error detection names the culprit plugin instead of just flagging “site down”, which turns a 20-minute investigation into a one-line fix. Crucially there are no per-site fees, the dashboard manages unlimited sites free, and the Agency plan ($129/yr) and Lifetime ($399) add Pro features like UpdraftPlus backup-health checks, WP-Cron health and Zapier alerts. Flat pricing means securing your 200th site costs the same as your first. Explore the full feature set or read the docs to wire it into your routine.
Whatever tooling you use, the principle holds: a security checklist only protects clients if it runs on every site, on schedule, with someone watching the results.
FAQ
How often should an agency run through this WordPress security checklist?
Treat updates, malware scans and backup checks as weekly (security patches same-day), user-role and access audits as quarterly, and uptime plus compromise monitoring as continuous and automated. The point of a fleet dashboard is that the continuous items watch themselves and only ping you when something needs action.
Do I need a security plugin on every WordPress site?
You need the functions, a firewall, malware scanning, login hardening and 2FA, on every site, whether that comes from a plugin, your host, or an edge service like Cloudflare. Many managed hosts already provide WAF and scanning, so layering a heavy security plugin on top can be redundant. Standardise on one approach across the fleet rather than mixing tools site by site.
What’s the single most important item on the list?
Tested, off-site, automated backups. Good hardening reduces the odds of a compromise, but only a recent, restorable backup guarantees you can recover from one, whether the cause is a hack, ransomware or a bad update. Backups you’ve never test-restored don’t count.
How does monitoring help if a site is already hardened?
Hardening is a snapshot; sites drift. Plugins fall out of date, a cron job silently dies, a backup stops running, an unexpected admin appears. Monitoring catches that drift and the early signs of compromise so you fix the failed update before it becomes a defaced homepage and a client phone call.
Can I manage security across many sites without per-site costs?
Yes. Self-hosted tools like Siteward connect unlimited sites for free with no per-site fees, so the security state of your entire fleet lives on one dashboard you control. Paid tiers add backup-health and cron-health monitoring, but the core multi-site visibility is unlimited and flat-priced.