Skip to content

WordPress Code Review Checklist


Sr No.checkDescription
1Change table prefix for all WordPress tablesChange table prefix from wp_ to something else. You can change this either setting up or in wp-config.php file.
2Is WP version and Plugin versions, updated?Always make sure that you are using the updated WP and plugin versions.
3Delete/Remove any themes or plugins that are not active.Remove the inactive themes or plugins that are not in use.
4Keep only one theme as backup and remove the rest unwanted themesKeep on of the default theme as fallback and remove the rest of the theme.
5Make sure 404 page is created.Make sure that the 404 error page is created.
6Do not use root/admin user accounts. Every user should has his own account.Prevent using root/admin user accounts. These will be dummy accounts and can easily be recognized.
7Create an editor role user account specifically for publishing the contentTo differentiate and keep the track of the contents update it will be ideal to have an editor account for publishing content. So that no other settings are changed.
8Update the admin email address.Update the admin email address to client’s email.
9Enable site to be crawledUncheck the discourage indexing checkbox for the live site.
10Change Security Key (Generator provided by the Security key/Salt key generated by WP.
11Delete wp-config-sample.phpRemove the config sample file.
<mark style={{display: ‘block’, padding: ‘inherit’, background: ‘#ffeb3b52’ }}>Security guidelines
12Change the login slugChange the login slug. To verify this, enter the domain name with /login ( the page should redirect to 404 page and If it opens the login page then your site not secure.
13Enable two factor authenticationEnable the two factor authentication to enhance the security for the users logging in.
14Use strong passwords for loginSet strongs passwords for the users created. This will prevent hackers from manipulating your password easily
15Hide login error messages”Error login messages may expose your website and give hackers an idea if they’ve gotten username correct/incorrect, vice versa. It is wise to hide it from unauthorized login. To hide login error messages, simply put the following code in functions.php.
php function wrong_login() { return 'Wrong username or password.'; } add_filter('login_errors', 'wrong_login')
16Limit login attemptsLimit login attempts in order to prevent your site from brute force attack.
17Block the Rest APIBlock REST API if it is not in use
18Manage 301 redirectAdd 301 redirection for the links requested by the clients.
19Test for Responsiveness:“Ensure that your website is responsive and mobile ready by running Google’s Mobile Friendly Test. URL:
20Limit meta titleMake sure all pages and posts have a unique title, fewer than 70 characters.
21Limit meta descriptionMake sure all pages and posts have unique meta descriptions, fewer than 156 characters.
22Create robot.txt fileAllow indexing for only the folder you want to get tracked in the SEO. Deny the indexing for the files with sensitive data.
23Protect your wp-config fileAs wp-config.php file contains all the confidential details of your site, so it’s pretty important that you protect it at all costs.
24Following files should not be accessible and should be redirected to 404 page
  1. /readme.html
  2. /license.txt
  3. /wp-admin/install.php
Prevent users from accessing the following files. Add the redirection rule to .htaccess.
25Disable Theme and plugin EditorDisable file edit via wp-config.php by adding the following code: define('DISALLOW_FILE_EDIT',true);
26Compress ImagesMake sure to reduce all the image sizes by compressing files using WP Smush plugin.
27Site speed optimizationMake sure the necessary steps are taken to optimize the site speed.
28Set correct permissions to file and foldersFor security all the folders should have 755 permission and files should have 644 permission.
29Setup Weekly Databsae backupMake sure to setup DB backupon weekly basis.
30Disable comments if it is not in used.Disable the commenting options if that is not used.
31Prevent Directory AccessPrevent your directory from gtting accessed. So accomplish this add the follwoing code in the .htaccess file. Prevent folder browsing Options All -Indexes
32Scan the website for viruses, malware, and security breachesScan for viruses, malware and security breaches if you find any resolve them.
<mark style={{display: ‘block’, padding: ‘inherit’, background: ‘#ffeb3b52’ }}>Additional Security pointers
33Remove the wlwmanifest LinkThe wlwmanifest tag is another meta tag that shows up on every WordPress website. The tag is used by Windows Live Writer, which is an almost obsolete app used to publish directly to WordPress. Removing this line of code will marginally improve the load time, reduce the DOM size and enhance Googlebot crawl process (one link less to follow).
remove_action('wp_head', 'wlwmanifest_link');
34Disable XML-RPCadd_filter( 'xmlrpc_enabled', '__return_false' );
35Disabled the RSD service”RSD is a discovery service that helps discover Pingbacks and XML-RPC on WordPress blogs. As we’ve disabled XML-RPC and Pingbacks, then we can safely disable RSD as well. To disable it, use this code into the theme’s functions.php file:
remove_action( 'wp_head', 'rsd_link' ) ;
36Limit post revisionsdefine ('WP_POST_REVISIONS', 3);
36Unload the code from blog functionalities (If the blogs are not in use on the site)
36Disable pingbacks and trackbacks (If blogs/default post not in use)Note: From the dashboard settings it will disable Pingbacks only on new posts, but the Pingbacks on older posts will remain enabled. To disable Pingbacks on older posts, follow these steps:
  1. Go to Posts > All Posts
  2. Bulk select all posts
  3. In the Bulk Actions drop-down, choose Edit and then Apply
  4. In the Pings dropdown, choose ‘Do not allow
  5. Click Update.
36Make sure site do not have any Unsafe Cross-Origin in Linksif there is any external link added to the site then make sure the anchor tag has the following attribute set rel="noopener noreferrer"

For Disable Embeds in WordPress (if not in use)

function disable_embeds_code_init() {
// Turn off oEmbed auto discovery.
add_filter( 'embed_oembed_discover', '__return_false' );
// Don't filter oEmbed results.
remove_filter( 'oembed_dataparse', 'wp_filter_oembed_result', 10 );
// Remove oEmbed discovery links.
remove_action( 'wp_head', 'wp_oembed_add_discovery_links' );
// Remove oEmbed-specific JavaScript from the front-end and back-end.
remove_action( 'wp_head', 'wp_oembed_add_host_js' );
add_filter( 'tiny_mce_plugins', 'disable_embeds_tiny_mce_plugin' );
// Remove all embeds rewrite rules.
add_filter( 'rewrite_rules_array', 'disable_embeds_rewrites' );
// Remove filter of the oEmbed result before any HTTP requests are made.
remove_filter( 'pre_oembed_result', 'wp_filter_pre_oembed_result', 10 );
add_action( 'init', 'disable_embeds_code_init', 9999 );
function disable_embeds_tiny_mce_plugin($plugins) {
return array_diff( $plugins, array('wpembed') );
function disable_embeds_rewrites ($rules) {
foreach($rules as $rule => $rewrite) {
if(false !== strpos($rewrite, 'embed=true')) {
return $rules;