Wunderlandmedia

The Website Security Hardening Checklist (No Plugins, No BS)

The 22 things that actually keep a small-business website from getting hacked. Prioritized, with a free tool for each. No plugins to buy, no fear-selling.

Kemal Esensoy·Modified on June 15, 2026

Every website security article online is one of two things. Either it is enterprise jargon written for a company with a security team and a budget, or it is a thinly veiled pitch for a $99 a month scanner that promises to make the scary stuff go away if you just hand over your credit card.

Neither helps the person who actually needs help: the small business owner running their own site, or the freelancer who builds for those owners and wants a list they can hand over and say "do these."

So here is that list. Grouped, prioritized, with a free tool for every single item. No plugins you have to buy. No fear-selling. This website security checklist is the one I actually use, and there is a downloadable PDF so you can print it, share it, or tape it to your monitor.

Want the printable version? Download the complete checklist as a PDF — 9 pages, 22 items, no login required.

Why 2026 Is Different (And Why Your Old Checklist Won't Cut It)

In June 2026, automated traffic crossed a line nobody really announced: 57.5 percent of all HTML traffic is now machines, not people. That is the first time in the history of the web that bots are the majority. Roughly 40 percent of all traffic is bad bots, the kind probing your login page and scanning for outdated software.

(Image: automated bots swarming a website in 2026)

The barrier to attacking your site has basically collapsed. A teenager with a combo list, an OpenBullet config, and a cheap residential proxy can run a credential-stuffing campaign against your login before dinner. AI tools find bugs faster than humans patch them. And your build pipeline is an attack surface now too, which it never used to be. In 2026 alone we have had a self-replicating npm worm called Shai-Hulud, a compromised version of axios that triggered a CISA alert, and a campaign that poisoned 57 packages with 286 malicious versions in under two hours. I wrote about that whole mess in Your Website Is One Compromised npm Package Away From Disaster, and it has only gotten worse since.

The point is not to scare you. The point is that the baseline moved. A checklist from 2021 leaves gaps that today's automated attacks walk right through.

How to Read This List (Must-Do vs Nice-to-Have)

Every item below is tagged one of two ways.

Must-Do means if you skip it, you will eventually get hit. Not might. Will. These are the things automated attacks specifically look for.

Nice-to-Have means defense in depth. Smart, worth doing, but you will not get owned tomorrow for skipping one.

Here is my honest advice for working through this website security checklist: do every Must-Do this week. Block out two hours, work top to bottom. Then do the Nice-to-Haves over the next month whenever you have a slow afternoon. Do not try to do all of it in one sitting and burn out on item three.

Group 1: Transport and HTTPS (Must-Do)

If your site does not force HTTPS in 2026, that is the equivalent of leaving your front door not just unlocked but propped open. Get a valid TLS certificate (free via Let's Encrypt or your host), automate its renewal (Let's Encrypt certificates only last 90 days, so a forgotten renewal is a guaranteed outage), and force every HTTP request to redirect to HTTPS with a permanent 301. That is non-negotiable.

Then add an HSTS header with max-age=31536000 and includeSubDomains. HSTS tells a browser that has seen it once to never attempt a plain-HTTP connection to your site again, which closes the window an SSL-stripping attacker needs on that first insecure request. Preloading closes even the first request: add the preload directive and submit your domain at hstspreload.org. Do that only once every subdomain you own is served over HTTPS, because preload inclusion covers all subdomains and is effectively permanent, so a forgotten intranet host or HTTP-only staging site stops working for everyone. While you are at it, kill any mixed content, those stray http:// images or scripts on an otherwise secure page.

Free tools for this group: run your domain through SSL Labs at ssllabs.com/ssltest for a full certificate grade, and check your preload status at hstspreload.org. Platform note: if you are on a static site hosted on Cloudflare or Netlify, most of this is automatic and free. WordPress hosts vary wildly, so verify it yourself rather than assuming.

Group 2: Access and Logins (Must-Do)

This is where most small sites actually get breached. 80 percent of hacking incidents involve compromised credentials, not some clever zero-day. The average WordPress site sees over 30 million login attempts a month. Wordfence alone blocks around 65 million brute-force attempts a day across its network. Your login page is under siege whether you notice or not.

(Image: a login page defended by two-factor authentication against brute-force attempts)

Here is the Must-Do list. Stop using "admin" as your username, but treat that as a speed bump rather than a defense: WordPress leaks usernames through author archives and the REST API, so the password and the second factor are what actually hold. Use a password manager (Bitwarden is free and excellent) and give every admin account a unique 20-plus character password. Turn on two-factor authentication or passkeys on everything: your CMS, your hosting panel, and your domain registrar. Use an authenticator app or a hardware key, never SMS, because SIM-swapping is real and SMS codes get intercepted. Then rate-limit your login page, because WordPress does not do this by default and will happily let a bot guess passwords all day, and remember that xmlrpc.php is a second login endpoint that needs the same limit. The Nice-to-Have here is least-privilege user roles: not everyone who touches the site needs to be an administrator.

One honest aside on the "no plugins" framing. I am not against security plugins, I am against being told you need a paid suite to be safe. If you are on WordPress and want a plugin to handle login limiting and 2FA in one shot, that is reasonable, and I broke down the good ones in Best WordPress Security Plugins 2025. The point is you do not need to spend money to cover this group. The free options work.

Quick reality check: if you run a static site, this entire group mostly disappears. No login page means nothing to brute-force. What remains are the accounts that can change the site anyway: your hosting or Git provider and your registrar. Those get 2FA and a manager-generated password just the same.

Group 3: Updates and Dependencies (Must-Do)

Outdated plugins are the number one cause of WordPress hacks in 2026. Full stop. There are roughly 333 new vulnerabilities disclosed every week, and 52 percent of developers admit they do not patch known flaws. In one two-day stretch last October, Wordfence blocked 8.7 million attacks targeting sites running outdated plugins. The WordPress plugin ecosystem alone logged 7,966 CVEs in 2024.

(Image: outdated plugin and dependency updates, one hiding a vulnerability)

So the Must-Dos: keep your core, plugins, and themes updated, and enable automatic updates for security patches. Audit your plugins and themes, then delete every single one you are not actively using. An inactive plugin still on the server is still a vulnerability; deactivation is not deletion. If your site has any kind of build step, commit your lockfile, install from it on every deploy (npm ci, not a fresh npm install that resolves whatever is newest), run npm audit, and turn on Dependabot so you get pinged the moment a dependency goes bad. The whole reason supply-chain attacks work is that nobody is watching what their dependencies pull in.
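As an added example (this is my illustration, not code from the post), here is the shape of a pre-deploy gate for a site with an npm build step. It assumes a standard project with package.json and package-lock.json at the root of the directory passed in; the function names are mine. The lockfile check runs offline, the install and audit step needs npm and a network.

```shell
#!/bin/sh
# Added example, not from the original post. Pre-deploy gate for a site
# with an npm build step. Assumes package.json and package-lock.json live
# at the project root (the directory passed as $1).

# lockfile_tracked DIR
# Returns 0 if package-lock.json exists and is not ignored, 1 if it is
# missing, 2 if a .gitignore line keeps it out of the repository (a common
# mistake that silently turns every deploy into a fresh dependency resolve).
lockfile_tracked() {
  dir=$1
  [ -f "$dir/package-lock.json" ] || return 1
  if [ -f "$dir/.gitignore" ] \
     && grep -Eq '^/?package-lock\.json$' "$dir/.gitignore"; then
    return 2
  fi
  return 0
}

# install_and_audit DIR
# npm ci installs exactly what the lockfile says and fails if package.json
# disagrees with it. --ignore-scripts refuses to run install hooks, which is
# where self-replicating npm malware does its work. The audit then fails
# the deploy on any high or critical advisory.
install_and_audit() {
  ( cd "$1" \
      && npm ci --ignore-scripts \
      && npm audit --audit-level=high )
}

# deploy_gate [DIR]: the whole check, for the top of a build script.
deploy_gate() {
  dir=${1:-.}
  if lockfile_tracked "$dir"; then
    install_and_audit "$dir"
  else
    case $? in
      1) echo "no package-lock.json: run npm install once and commit it" >&2 ;;
      2) echo "package-lock.json is listed in .gitignore: remove that line" >&2 ;;
    esac
    return 1
  fi
}
```

If one dependency genuinely needs its install script (a native module, say), run npm rebuild for that single package after the install rather than switching scripts back on for everything.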

There is a quieter win here too: fewer moving parts means less to patch. A lot of the plugins people install do trivial things you can handle with a few lines of code, which I covered in 20 WordPress Plugins You Can Replace With a Few Lines of PHP. Every plugin you remove is one less thing that can betray you at 3 a.m.

Group 4: Backups and Recovery (Must-Do)

A backup you have never restored is not a backup. It is a wish. I learned this watching someone discover their "daily backups" had been silently failing for four months, right when they actually needed one.

Set up automated off-site backups. Off-site matters, because a backup sitting on the same server that got compromised is worthless. So is an off-site copy that the server's own credentials can delete: give the server write-only or append-only access to the backup store (or turn on object lock on the bucket) so that whoever owns the server cannot also wipe the backups. Follow the 3-2-1 rule: three copies, on two types of media, with one off-site. For WordPress, UpdraftPlus is free, reliable, and has over 3 million installs. For servers or static sites, restic and Duplicati both do encrypted, deduplicated backups to any S3-compatible storage with AES-256. The Nice-to-Have that almost nobody does: actually run a test restore, once now and again whenever the setup changes. Confirm the thing works before you are depending on it in a crisis.
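To make the "test restore" item concrete, here is an added example (mine, not from the post) that backs up a site directory and refuses to call the job a success until the archive has been restored to a scratch directory and compared file by file with the source. It uses plain tar so it runs anywhere; the function names are mine, and the same verify step applies to a directory you restored from a restic or Duplicati snapshot.

```shell
#!/bin/sh
# Added example, not from the original post. Makes a backup archive of a
# site directory and proves it restores. Plain tar so it runs anywhere.

# backup_dir SRC ARCHIVE: write SRC as a gzip tarball at ARCHIVE.
backup_dir() {
  tar -C "$1" -czf "$2" .
}

# verify_restore ARCHIVE SRC
# Extracts ARCHIVE into a scratch directory and compares it file by file
# with SRC. Returns 0 only if the restore is complete and identical. A
# truncated archive, which is what a silently failing backup job leaves
# behind, fails here on your schedule instead of during an incident.
# (diff -r compares contents, not ownership or modes.)
verify_restore() {
  archive=$1; src=$2
  scratch=$(mktemp -d) || return 1
  ok=1
  if tar -C "$scratch" -xzf "$archive" 2>/dev/null \
     && diff -r "$src" "$scratch" >/dev/null 2>&1; then
    ok=0
  fi
  rm -rf "$scratch"
  return $ok
}

# backup_and_verify SRC ARCHIVE: one step for a cron job. Ship the archive
# off-site (rclone, restic, aws s3 cp) only after this returns 0.
backup_and_verify() {
  backup_dir "$1" "$2" || { echo "backup failed: $2" >&2; return 1; }
  if verify_restore "$2" "$1"; then
    echo "backup verified: $2"
  else
    echo "RESTORE CHECK FAILED: $2" >&2
    return 1
  fi
}
```

Wire the failure branch to something that pages you (an uptime monitor heartbeat URL, an email, anything you actually read); a restore check that fails quietly into a log is the four-months-of-broken-backups story all over again.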

Group 5: Bots, Monitoring and WAF (Mix)

Remember that bots are now the majority of web traffic. Putting a web application firewall and CDN in front of your site is the single highest-leverage move for dealing with them, and Cloudflare's free tier gives you a WAF, bot challenges, rate limiting, and free HTTPS for exactly zero dollars. I would call this one a Must-Do in 2026. One catch: the WAF only filters what goes through it. If your origin server still answers on its own IP address, a bot that finds that address (old DNS records, a mail server on the same box) bypasses all of it, so restrict the origin to accept web traffic from Cloudflare's published IP ranges only.

(Image: a firewall filtering bot traffic, with off-site backups protecting a website)

Beyond the WAF, add server-level intrusion blocking with fail2ban (if Cloudflare is in front, make the web server restore the real client address from the CF-Connecting-IP header first, otherwise fail2ban will ban Cloudflare's own edge addresses and take your site down), set up basic uptime and file-change monitoring so you know the moment something changes, and throttle the AI crawlers that are quietly eating your bandwidth. AI crawlers now make up over 20 percent of verified bot traffic, and most of them ignore the spirit of robots.txt. That is a real cost, and I walked through how to deal with it in AI Bots Are Crawling Your Website to Death. Here's How to Stop Them. For a quick free health check, Sucuri SiteCheck will scan your site for known malware and blacklist status.
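The rate-limiting item in Group 2 and the fail2ban item here come down to the same thing: count failed logins per client and act on the ones that cross a line. As an added example (mine, not from the post or from fail2ban itself), here is that counting logic over access-log lines in combined format, the nginx default and Apache's "combined". The log lines in sample_log are constructed for the example and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. The counting logic a fail2ban
# jail for wp-login.php applies, run over access-log lines in combined
# format. The lines in sample_log are constructed for this example.

# failed_logins_over THRESHOLD  < access.log
# Prints "count ip" for every client that POSTed to wp-login.php or
# xmlrpc.php and got a 200 back more than THRESHOLD times, busiest first.
# A failed WordPress login re-renders the form with status 200; a
# successful one answers 302 to wp-admin. XML-RPC login failures also come
# back as 200 (an XML fault), which is why both paths are counted.
failed_logins_over() {
  awk -v t="$1" '
    # combined format fields: $1 ip, $6 "\"POST", $7 path, $9 status
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ && $9 == 200 { n[$1]++ }
    END { for (ip in n) if (n[ip] > t) print n[ip], ip }
  ' | sort -rn
}

# ban_candidates THRESHOLD < access.log: just the addresses, one per line,
# ready for a firewall rule or a Cloudflare IP access rule.
ban_candidates() {
  failed_logins_over "$1" | awk '{ print $2 }'
}

# Constructed sample: one scripted attacker, one real user who mistyped
# once and then logged in (the 302), one visitor just loading the form.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [15/Jun/2026:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:03:14:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "python-requests/2.31"
203.0.113.7 - - [15/Jun/2026:03:14:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 417 "-" "python-requests/2.31"
198.51.100.2 - - [15/Jun/2026:03:15:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3821 "https://example.com/wp-login.php" "Mozilla/5.0"
198.51.100.2 - - [15/Jun/2026:03:15:31 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.9 - - [15/Jun/2026:03:16:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3702 "-" "Mozilla/5.0"
EOF
}

# Example run:  sample_log | failed_logins_over 5   ->   7 203.0.113.7
```

This counts over whatever you pipe in, so feed it the last few minutes of the log (or let fail2ban apply its own findtime window). If Cloudflare sits in front, the first field is a Cloudflare edge address unless the web server restores the client address (nginx: set_real_ip_from for Cloudflare's ranges plus real_ip_header CF-Connecting-IP), and banning it would block Cloudflare rather than the attacker.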

Group 6: Hardening Headers (Mostly Nice-to-Have, Cheap Wins)

Here is a stat that should make you feel better about your odds: fewer than 25 percent of the top million sites have a proper Content Security Policy, and over 40 percent are missing HSTS entirely. Security headers are genuinely differentiating because almost nobody bothers, and they cost you nothing but a few minutes.

The headers worth setting: a Content Security Policy to shut down cross-site scripting (highest value of the bunch, and the only one that can break things, so start with Content-Security-Policy-Report-Only, read the reports, then enforce it; a WordPress theme full of inline scripts will need some tuning), X-Content-Type-Options: nosniff, a frame-ancestors directive in the CSP (with X-Frame-Options as the fallback for old browsers) to block clickjacking, a sensible Referrer-Policy, a Permissions-Policy, and the Secure and HttpOnly flags on your cookies. Run your site through securityheaders.com or Mozilla Observatory to see your current grade and exactly what is missing. On a static site or Cloudflare, this is a one-file change. On WordPress you will be editing .htaccess, nginx config, or dropping in a snippet.
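To check both the transport header from Group 1 and the hardening headers from this group in one go, here is an added example (mine, not the post's and not what securityheaders.com runs): a small audit over a captured response. Pipe the output of curl -sI for your site into audit_headers; the two sample responses at the bottom are constructed for the example, and the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Audits a captured HTTP
# response for HSTS (Group 1) and the hardening headers (Group 6).
# Live use:  curl -sI https://example.com/ | audit_headers

# header_value NAME RESPONSE: first value of header NAME, case-insensitive,
# CR and leading whitespace stripped. Empty if absent.
header_value() {
  printf '%s\n' "$2" | tr -d '\r' | grep -i "^$1:" | head -n 1 \
    | cut -d: -f2- | sed 's/^[[:space:]]*//'
}

# hsts_check RESPONSE: 0 if HSTS meets the preload bar (max-age >= one
# year, includeSubDomains, preload); 1 if present but weaker; 2 if absent.
hsts_check() {
  v=$(header_value Strict-Transport-Security "$1")
  [ -n "$v" ] || return 2
  age=$(printf '%s' "$v" | tr 'A-Z' 'a-z' | sed -n 's/.*max-age=\([0-9][0-9]*\).*/\1/p')
  [ -n "$age" ] && [ "$age" -ge 31536000 ] || return 1
  printf '%s' "$v" | grep -qi 'includesubdomains' || return 1
  printf '%s' "$v" | grep -qi 'preload' || return 1
}

# cookies_flagged RESPONSE: 0 if every Set-Cookie carries Secure and
# HttpOnly (trivially true for a static site that sets no cookies).
cookies_flagged() {
  all=$(printf '%s\n' "$1" | tr -d '\r' | grep -i '^set-cookie:' || true)
  total=$(printf '%s\n' "$all" | grep -ic '^set-cookie:' || true)
  good=$(printf '%s\n' "$all" \
         | grep -iE ';[[:space:]]*secure([[:space:]]*;|[[:space:]]*$)' \
         | grep -icE ';[[:space:]]*httponly([[:space:]]*;|[[:space:]]*$)' || true)
  [ "$total" -eq "$good" ]
}

# need LABEL HEADER REGEX: PASS if HEADER is present and matches REGEX.
# Reads $h and bumps $fails, both set by audit_headers.
need() {
  v=$(header_value "$2" "$h")
  if [ -n "$v" ] && printf '%s' "$v" | grep -qiE "$3"; then
    echo "PASS $1"
  else
    echo "FAIL $1 ($2 missing or wrong)"; fails=$((fails + 1))
  fi
}

# audit_headers < response: one PASS/FAIL line per check; non-zero exit
# if anything failed, so it can gate a deploy.
audit_headers() {
  h=$(cat); fails=0
  if hsts_check "$h"; then
    echo "PASS HSTS preload-ready"
  else
    case $? in
      2) echo "FAIL HSTS missing" ;;
      *) echo "FAIL HSTS present but weak (need max-age=31536000; includeSubDomains; preload)" ;;
    esac
    fails=$((fails + 1))
  fi
  need "Content-Security-Policy set" Content-Security-Policy '.'
  need "nosniff" X-Content-Type-Options '^nosniff$'
  csp=$(header_value Content-Security-Policy "$h")
  if printf '%s' "$csp" | grep -qi 'frame-ancestors' \
     || [ -n "$(header_value X-Frame-Options "$h")" ]; then
    echo "PASS clickjacking (frame-ancestors or X-Frame-Options)"
  else
    echo "FAIL clickjacking: no frame-ancestors and no X-Frame-Options"; fails=$((fails + 1))
  fi
  need "Referrer-Policy set" Referrer-Policy '.'
  need "Permissions-Policy set" Permissions-Policy '.'
  if cookies_flagged "$h"; then echo "PASS cookies Secure+HttpOnly"
  else echo "FAIL a Set-Cookie lacks Secure or HttpOnly"; fails=$((fails + 1)); fi
  [ "$fails" -eq 0 ]
}

# Constructed samples: a hardened response and a typical untouched one.
good_response() {
cat <<'EOF'
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=31536000; includeSubDomains; preload
content-security-policy: default-src 'self'; script-src 'self'; frame-ancestors 'none'
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
permissions-policy: camera=(), microphone=(), geolocation=()
set-cookie: session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax
EOF
}
weak_response() {
cat <<'EOF'
HTTP/2 200
content-type: text/html; charset=utf-8
strict-transport-security: max-age=300
x-frame-options: SAMEORIGIN
set-cookie: wordpress_logged_in_1=abc; Path=/; Secure
EOF
}
```

The weak sample fails six of the seven checks, which is roughly where an untouched WordPress install lands. Note that the audit only checks that a CSP exists; whether the policy is any good is the part you tune with Report-Only.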

Group 7: Server and File Hardening (WordPress-Heavy)

If you run WordPress, file permissions matter more than people think. Set files to 644 and directories to 755, and lock wp-config.php down to 440 or 400, not the default 644, because that file holds your database credentials. 400 works when PHP runs as the user that owns the file, which is the usual php-fpm pool or shared-host setup; use 440 when PHP runs as a different user in the owning group, and load the site afterwards to confirm it can still read the file. From there: disable file editing inside the dashboard (the DISALLOW_FILE_EDIT constant in wp-config.php) so a compromised login cannot rewrite your theme, disable XML-RPC if you are not using it (it is a favorite brute-force vector, but Jetpack and some remote-publishing tools still rely on it, so check first), and make sure your uploads directory cannot execute PHP.
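As an added example (mine, not from the post), here is the whole group as a script you can run against a WordPress document root: set and verify the modes, add DISALLOW_FILE_EDIT to wp-config.php, and drop an Apache rule that refuses to serve PHP out of uploads. It assumes PHP runs as the file owner (change 400 to 440 otherwise); the function names are mine.

```shell
#!/bin/sh
# Added example, not from the original post. Sets and checks WordPress
# file permissions, switches off the dashboard file editor, and blocks
# PHP execution in the uploads directory (Apache .htaccess variant).
# Assumes PHP runs as the user that owns the files; use 440 instead of
# 400 if it runs as a different user in the owning group.

# harden_perms WEBROOT: 755 on directories, 644 on files, 400 on
# wp-config.php. Run ensure_file_edit_disabled first: once wp-config.php
# is 400, an unprivileged owner can no longer write to it.
harden_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then chmod 400 "$1/wp-config.php"; fi
}

# perm_violations WEBROOT: prints every path not at the expected mode,
# plus a wp-config.php that is still world-readable. No output means
# clean, which makes this usable from cron or a deploy check.
perm_violations() {
  find "$1" -type d ! -perm 755
  find "$1" -type f ! -name wp-config.php ! -perm 644
  find "$1" -name wp-config.php -perm -004
}

# file_edit_disabled WPCONFIG: is the theme/plugin editor switched off?
file_edit_disabled() {
  grep -Eq "define[(][[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*[)]" "$1"
}

# ensure_file_edit_disabled WPCONFIG: insert the define just above the
# line that loads wp-settings.php, so WordPress sees it at bootstrap.
ensure_file_edit_disabled() {
  cfg=$1
  file_edit_disabled "$cfg" && return 0
  tmp=$(mktemp) || return 1
  awk '/require_once.*wp-settings\.php/ && !done {
         print "define(\047DISALLOW_FILE_EDIT\047, true);"; done = 1
       } { print }' "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
  rm -f "$tmp"
  file_edit_disabled "$cfg"
}

# block_php_in_uploads WEBROOT: Apache only. nginx ignores .htaccess; there
# the equivalent is a location block returning 403 for uploads/*.php.
block_php_in_uploads() {
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
# Uploaded files are data, never code.
<FilesMatch "\.(php|phtml|php[0-9])$">
  Require all denied
</FilesMatch>
EOF
}

# harden_site WEBROOT: the three steps in the order that works.
harden_site() {
  ensure_file_edit_disabled "$1/wp-config.php" || return 1
  block_php_in_uploads "$1"
  harden_perms "$1"
  [ -z "$(perm_violations "$1")" ]
}
```

Run perm_violations on a schedule rather than only once; a plugin update or an FTP client that "helpfully" resets modes will undo this quietly, and an empty output is the cheapest possible check that it has not.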

Notice the pattern. This entire group exists because WordPress runs code on a server with a database behind it. A static site skips almost all of it. Fewer moving parts, fewer things to harden.

The WordPress vs Static/Astro Reality

Let me be honest about something. Easily half of this checklist exists purely because of server-side platforms. No PHP interpreter, no database connection, no admin login page, no file-upload handler means no entire categories of attack. The WordPress plugin ecosystem logged nearly 8,000 CVEs in a single year. A static Astro site has a CVE surface close to zero at runtime because there is barely anything there to exploit. What it keeps is the build pipeline, which is exactly the npm surface from Group 3, so going static does not let you skip that group.

I am not telling everyone to rip out WordPress tomorrow. Plenty of sites genuinely need a CMS and a database, and WordPress is a perfectly defensible choice when you keep it updated and locked down. But I am saying this clearly: your platform choice is itself a security decision. If you are starting fresh and your site is mostly content, going static removes work from every single group above. That is not a small thing.

The Honest Conclusion (And Get the PDF)

I am not going to pretend any checklist makes you 100 percent safe. It does not. Someone determined and well-resourced can get into almost anything given enough time. That is not the goal.

The goal is to not be the easy target. Almost everything hitting your site is automated, looking for the unlocked door, the outdated plugin, the reused password. Do the Must-Dos in this list and you have quietly stepped out of the way of maybe 90 percent of it. The bots move on to someone who skipped Group 2.

So here is the full website security checklist as a downloadable. Print it, share it with a client, work through it on a slow afternoon. If you liked this format, the Ultimate website relaunch checklist is built the same way.

And if you would honestly rather not deal with any of this, that is fair. It is genuinely tedious work, and I do it for clients precisely because most of them have better things to do. If that sounds like you, let's talk. I cannot promise you will never get attacked. What I can promise is that you will not be the easy target anymore.

About the Author

Kemal Esensoy

Kemal Esensoy, founder of Wunderlandmedia, started his journey as a freelance web developer and designer. He conducted web design courses with over 3,000 students. Today, he leads an award-winning full-stack agency specializing in web development, SEO, and digital marketing.
