WordPress security: 10-minute monthly checklist with wp-cli

A 10-minute monthly WordPress security checklist using WP-CLI to catch core updates, vulnerable plugins, and misconfigurations before they’re exploited

Sources: [devto]

Most WordPress security advice is vague. A 10-minute monthly check using WP-CLI catches real issues—like unpatched plugins and misconfigurations—before they lead to breaches. The author, devautomation, built this checklist from actual incidents seen across client sites [devto].

To verify that WordPress core is current, run:

    wp --allow-root core check-update

To list plugins that need updates, run:

    wp --allow-root plugin list --update=available --format=table

Plugins with known CVEs are often exploited within days of disclosure [devto]. Replace any plugin inactive for six months or more; abandoned code is a liability.

Check for a user named "admin":

    wp --allow-root user list --field=user_login | grep '^admin$'

If it exists, rename it; default usernames are low-hanging targets. Confirm that wp-config.php has restrictive permissions (600 or 640) and ensure WP_DEBUG_LOG is off in production. Debug logs exposed online have leaked secrets in real breaches.
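
The checks above, chained into one script whose exit status is the number of findings. This is an added example, not the original author's code: the function names, the SITE variable and the exit-code convention are choices made here, and it assumes wp-cli is on PATH. It asks wp-cli for the location of wp-config.php (wp config path) instead of assuming the file sits in the site root.

```shell
#!/bin/sh
# Added example, not the original author's code: the page's monthly checks in one script.
# WP defaults to the page's invocation; set WP=wp when not running as root.
WP=${WP:-wp --allow-root}

# Reads user logins on stdin; succeeds if one is exactly "admin".
has_admin_login() { grep -q '^admin$'; }

# Succeeds if the file mode is 600 or 640 (the page's rule). The read-only
# equivalents 400 and 440 also pass; that is an assumption added here.
config_mode_ok() {
  mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1" 2>/dev/null) || return 2
  case "$mode" in 600|640|400|440) return 0 ;; *) return 1 ;; esac
}

# Succeeds if an uncommented define() sets WP_DEBUG_LOG to true or to a log path.
debug_log_on() {
  grep -Ev '^[[:space:]]*(//|#|\*)' "$1" |
    grep -Eiq "define\([[:space:]]*['\"]WP_DEBUG_LOG['\"][[:space:]]*,[[:space:]]*(true|['\"])"
}

# Runs all checks against the WordPress root $1.
# Returns the number of findings (0 = clean), or 64 if $1 is not a directory.
monthly_check() {
  cd "$1" || return 64
  findings=0
  $WP core check-update                               # pending core releases
  $WP plugin list --update=available --format=table   # plugins awaiting a patch
  if $WP user list --field=user_login | has_admin_login; then
    echo "FINDING: a user named 'admin' exists; rename it"
    findings=$((findings + 1))
  fi
  cfg=$($WP config path)   # wp-config.php may sit one level above the root
  if ! config_mode_ok "$cfg"; then
    echo "FINDING: $cfg has mode ${mode:-unknown}; use 600 or 640"
    findings=$((findings + 1))
  fi
  if debug_log_on "$cfg"; then
    echo "FINDING: WP_DEBUG_LOG is enabled in $cfg"
    findings=$((findings + 1))
  fi
  return "$findings"
}

# Runs only when a site path is supplied: SITE=/var/www/html sh monthly-check.sh
if [ -n "${SITE:-}" ]; then monthly_check "$SITE"; fi
```

Run from a monthly cron entry, a non-zero exit status marks a site that needs attention.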

Why this works: it’s narrow, actionable, and based on observed attack patterns. Most compromises start with outdated plugins or config slips—this targets both. Automating these checks in a monthly routine cuts risk without overhead.

The checklist isn’t about theoretical hardening. It’s a triage: find the most common, dangerous flaws fast. That’s how you stop 90% of breaches before they start.
