Checklist & Cheat Sheet

Use this as a quarterly audit and as a "before/after" checklist when you make security changes. The performance goal is simple: block bad traffic early and keep defenses out of WordPress PHP whenever possible.

Audit Checklist

Edge (Cloudflare)
  • Managed WAF rules enabled.
  • Login protection: rate limit or challenge on POSTs to wp-login.php.
  • /xmlrpc.php blocked if unused.
  • TLS mode set to Full (Strict).
  • Minimum TLS version set to 1.2+.
  • HSTS enabled only after you validate HTTPS on all subdomains.
Origin (OS + SSH)
  • Firewall allows only 80/443 and restricted SSH.
  • SSH keys only (password auth disabled).
  • Automatic security updates enabled (or a documented patch cadence).
  • Fail2Ban enabled for sshd.
Origin (Web server)
  • Real client IP logging enabled if proxied (so bans/rate limits target attackers).
  • Sensitive files blocked (wp-config.php, backups, .env, etc.).
  • PHP execution blocked in wp-content/uploads/.
  • Directory listing disabled.
  • ModSecurity + CRS only if you can validate wp-admin + REST behavior (optional).
WordPress
  • Core minor auto-updates enabled.
  • DISALLOW_FILE_EDIT set.
  • FORCE_SSL_ADMIN set (when appropriate).
  • WP_DEBUG off in production.
  • Unused plugins/themes deleted (not just disabled).
  • Admin accounts audited (2FA, least privilege).
Database + Backups
  • DB bound to localhost/private network only.
  • WordPress DB user has least privileges.
  • Automated backups run daily and stored off-site.
  • Restore is tested on staging (quarterly).
  • If you claim "HA", you have a database continuity plan (replication/managed DB).
Monitoring + Response
  • Uptime monitoring for public routes and (optionally) a health endpoint.
  • SSL expiry alerts configured.
  • Server resource monitoring (CPU/RAM/disk, error rates).
  • Weekly integrity checks (core checksums, unexpected PHP in uploads).
  • Cloudflare Security Events reviewed periodically.
  • Incident response runbook exists (who/what/where/how to contain).

Verification Commands

Origin-side verification cheat sheet
# WordPress core integrity
wp core verify-checksums

# Find unexpected PHP files in uploads (expect no output)
find /var/www/html/wp-content/uploads -type f -name "*.php"

# Fail2Ban status
sudo fail2ban-client status

# Firewall rules
sudo ufw status verbose

# Quick TLS/HTTPS sanity check
curl -sI https://example.com | grep -iE 'server|strict-transport-security'
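The checks above are one-liners you read by eye; the script below, added here as an example and not part of this guide's own tooling, turns three of the checklist items (DISALLOW_FILE_EDIT set, WP_DEBUG off, no PHP under wp-content/uploads) into pass/fail functions you can run from cron. It assumes a POSIX sh with grep -E, find and mktemp; the install it audits is a constructed fixture, so point audit_wp at your real document root (e.g. /var/www/html) to use it.

```shell
#!/bin/sh
# Offline audit of three checklist items. The fixture built by make_fixture is
# constructed for this demo and deliberately fails two of the three checks.

# wp_config_has FILE NAME VALUE -> 0 if FILE contains define('NAME', VALUE)
# Tolerates single/double quotes and arbitrary spacing; PHP true/false are case-insensitive.
wp_config_has() {
    grep -Eiq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*$3[[:space:]]*\)" "$1"
}

# uploads_php_count DIR -> prints how many PHP-executable files live under DIR
# Also catches *.phtml and *.php5-style names that some PHP handlers still execute.
uploads_php_count() {
    find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null | wc -l | tr -d ' '
}

# audit_wp ROOT -> prints PASS/FAIL per item and returns the number of failures
audit_wp() {
    _root=$1; _fails=0
    if wp_config_has "$_root/wp-config.php" DISALLOW_FILE_EDIT true; then echo "PASS DISALLOW_FILE_EDIT"
    else echo "FAIL DISALLOW_FILE_EDIT not set"; _fails=$((_fails+1)); fi
    if wp_config_has "$_root/wp-config.php" WP_DEBUG false; then echo "PASS WP_DEBUG off"
    else echo "FAIL WP_DEBUG not explicitly false"; _fails=$((_fails+1)); fi
    _n=$(uploads_php_count "$_root/wp-content/uploads")
    if [ "$_n" -eq 0 ]; then echo "PASS uploads clean"
    else echo "FAIL uploads: $_n PHP file(s) found"; _fails=$((_fails+1)); fi
    return "$_fails"
}

# make_fixture -> prints the path of a constructed install: file edit disabled,
# WP_DEBUG left on, and one stray PHP file dropped in uploads (the failure mode
# the weekly integrity check is meant to catch).
make_fixture() {
    _d=$(mktemp -d)
    mkdir -p "$_d/wp-content/uploads/2024"
    printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\ndefine( \"WP_DEBUG\", true );\n" > "$_d/wp-config.php"
    printf '<?php /* constructed stray file for the demo */\n' > "$_d/wp-content/uploads/2024/x.php"
    echo "$_d"
}

# Demo run against the fixture; replace with your install root in production.
audit_wp "$(make_fixture)"
```

On a real host the exit status of audit_wp is non-zero whenever any item fails, so it slots straight into a cron job or monitoring check.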

What's Next