Tick the items and watch live how well your WordPress site is set up. 17 concrete, practical measures grouped by login, updates, files and backups. Your progress stays local in your browser.
The WordPress core is well maintained. Most hacks don't come through the core but through weak passwords, missing updates and insecure plugins — exactly the items on this list that you control yourself.
A security plugin helps but doesn't replace the basics: up-to-date software, strong logins with 2FA and tested backups. Too many plugins even increase the attack surface.
Yes — only locally in your browser (localStorage). There's no account and no server; nothing is transmitted or tracked.
Up-to-date software, strong and unique logins with two-factor authentication, and tested off-site backups. That covers by far the most common attacks.
Then clean up first, harden second — this list is prevention. For emergencies we offer WordPress hack recovery.