Prescriptive, Auditable Hardening Controls for Enterprise WordPress Environments.
This is an audit checklist — it answers "what do I verify?"
Each control has a description, rationale, audit command, and remediation step. The target reader is a security engineer, auditor, or sysadmin running a compliance check against a live WordPress environment. Use this document to systematically verify that a site meets a defined security posture.
This document is not an operational how-to (use the Operations Runbook for step-by-step procedures), not an architectural guide (use the Hardening Guide for background and threat context), and not a writing reference (use the Style Guide).
The WordPress Security Benchmark provides prescriptive, actionable guidance for establishing a secure configuration posture for WordPress 6.x running on a modern Linux server stack. This guide covers the entire stack to address hardening at the OS, Web Server, PHP, and Database layers.
- Web Server Hardening (Nginx & Apache)
- PHP Runtime Security
- Database Isolation & Least Privilege (MySQL & MariaDB)
- WordPress Core Configuration
- Authentication & Access Control (2FA, session management, least privilege)
- File System Permissions
- Logging, Monitoring & Malware Detection
- Supply Chain & Extension Management (SBOM, plugin vetting)
- WAF, Backup & Recovery
- AI & Generative AI Security
- Server Access & Network (SSH, SFTP, firewall, process isolation)
- Multisite Security
This benchmark is optimized for the following environment:
| Component | Minimum Version | Recommended |
|---|---|---|
| WordPress | 6.x | Latest Stable |
| OS | Ubuntu 22.04+ / Debian 12+ | Latest LTS |
| PHP | 8.2+ | 8.3+ |
| Web Server | Nginx 1.24+ / Apache 2.4+ | Latest |
| Database | MySQL 8.0+ / MariaDB 10.6+ | Latest |
The benchmark categorizes recommendations into two levels of security posture:
- Foundational security settings that can be implemented on any WordPress deployment with minimal impact on functionality. Every site should meet this baseline.
- Strict security controls intended for high-risk environments handling sensitive data or regulated content. These may require additional operational overhead or custom tooling.
- WordPress-Security-Benchmark.md: The full technical guide containing detailed audits and remediation steps.
- WordPress-Security-Benchmark.docx: A Microsoft Word .docx intermediary generated from Markdown and used as the template source for final publication formats.
- WordPress-Security-Benchmark.epub: The EPUB version generated from the .docx intermediary.
- WordPress-Security-Benchmark.pdf: The PDF version generated from the .docx intermediary.
Build pipeline: WordPress-Security-Benchmark.md -> WordPress-Security-Benchmark.docx -> WordPress-Security-Benchmark.pdf and WordPress-Security-Benchmark.epub.
This guide is intended for:
- System Administrators & DevOps Engineers
- Security Engineers
- WordPress Developers
Each recommendation includes:
- Description: Clear explanation of the setting.
- Rationale: Why this setting is critical for security.
- Audit: Commands to verify compliance on your server.
- Remediation: Step-by-step instructions to apply the fix.
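To make the four-part structure concrete, here is one control written in that shape as an added illustration; it is not a control taken from the benchmark itself. It audits the permission bits on wp-config.php (one of the File System Permissions checks the benchmark covers) and applies the remediation when the audit fails. The path argument, the accepted modes (0600 or 0400) and the assumption that the web server user already owns the file are all choices made for this example, not values from the document.

```shell
#!/bin/sh
# Added example, not part of the WordPress Security Benchmark: a single audit
# control in the benchmark's Description / Rationale / Audit / Remediation shape.
#
# Description: wp-config.php must not be readable by group or others.
# Rationale:   the file holds database credentials and the authentication salts;
#              any local account or co-hosted process that can read it controls the site.
# Audit:       audit_wp_config_mode <path>      -> prints PASS/FAIL, returns 0 on pass
# Remediation: remediate_wp_config_mode <path>  -> chmod 0600, then re-run the audit
#              (assumption: the web server user already owns the file; fix ownership
#              separately if it does not)

# Print the permission bits of a file in octal (GNU stat on Linux, BSD stat fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Audit: pass only when the file is owner-readable at most (0600 or 0400).
audit_wp_config_mode() {
    path="$1"
    [ -f "$path" ] || { echo "FAIL: $path not found"; return 2; }
    mode=$(file_mode "$path")
    mode=${mode#0}   # normalise "0640" and "640" to the same string
    case "$mode" in
        600|400) echo "PASS: $path mode $mode"; return 0 ;;
        *)       echo "FAIL: $path mode $mode (expected 600 or 400)"; return 1 ;;
    esac
}

# Remediation: tighten the mode and confirm the audit now passes.
remediate_wp_config_mode() {
    chmod 0600 "$1" && audit_wp_config_mode "$1"
}

# Stand-alone demonstration against a constructed temporary file, not a real site.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    chmod 0644 "$tmp"                 # deliberately too permissive
    audit_wp_config_mode "$tmp" || remediate_wp_config_mode "$tmp"
    rm -f "$tmp"
fi
```

Run it as `sh audit-wp-config.sh --demo` to see a FAIL followed by the remediated PASS; point the two functions at a real wp-config.php path to use them in a compliance sweep. Keeping audit and remediation as separate functions mirrors the benchmark's layout: an auditor can run the check alone and record the result without changing anything on the host.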
This benchmark is one of four complementary documents covering WordPress security from different angles:
| Document | Purpose |
|---|---|
| WordPress Operations Runbook | Operational — "how to do it." Step-by-step procedures, code snippets, and incident response playbooks. |
| WordPress Security Hardening Guide | Advisory — "what to implement." Enterprise-focused security architecture and threat mitigation. |
| WordPress Security Style Guide | Editorial — "how to write about it." Terminology, voice, and formatting conventions for security communication. |
- Hardening WordPress — Official WordPress.org Advanced Administration Handbook, including the Hardening subsection.
- Securing WordPress — Information Security Guideline from the University of British Columbia's Office of the CIO.
- Dan Knauss — author, editor
- Claude (Anthropic) — review, revision, cross-document alignment
- Gemini (Google) — independent review and revision planning
- GPT-5 Codex (OpenAI) — independent review and revision planning
This document and the three related documents in this series are revised with the assistance of frontier LLMs. Multiple models independently review all four documents for factual errors, outdated guidance, and cross-document misalignments, with the WordPress Advanced Administration Handbook as the primary authority. A human editor reviews, approves, or rejects every recommended change before it is applied. For the full methodology, see AI-Assisted Documentation Processes. The machine-readable editorial agent skills and cross-document consistency rules are in the skills directory.
Contributions are welcome! If you find an error or have an improvement for the benchmark, please open an issue or submit a pull request.
This project is licensed under the Creative Commons Attribution-ShareAlike 4.0 International License (CC BY-SA 4.0).