WordPress Security Hardening

WordPress is secure when maintained properly, but it is also the most targeted CMS on the internet. Most compromises are not “Hollywood hacks”. They are outdated plugins, weak credentials, and exposed admin surfaces.

This article gives you a practical hardening baseline from beginner to advanced. Apply the quick wins first, then level up.

GOZEN HOST support shortcut

If you open a ticket about WordPress security, include: your domain, the exact symptoms, when it started, and whether you updated plugins/themes recently. That turns guesswork into an actionable incident.

Quick hardening checklist (do these first)

  • Keep WordPress core, plugins, and themes updated
  • Remove unused plugins and themes
  • Use strong passwords and enable 2FA for admin users
  • Disable file editing in wp-admin
  • Enforce HTTPS for login/admin
  • Lock down sensitive files (wp-config.php, .env, backups)
  • Limit login attempts and reduce brute-force exposure
  • Add a WAF or security layer (hosting or plugin)
  • Monitor changes (malware scans, file integrity, logs)
  • Have a tested restore plan (backups you can actually restore)

1) Patch fast and reduce attack surface

Update WordPress safely

  1. Take a backup you know you can restore (stored outside the web root).
  2. Update plugins and themes first.
  3. Update WordPress core next.
  4. Re-test: login, checkout forms, contact forms, caching, and critical pages.

Avoid zombie plugins

A plugin that has not been updated in a long time is a risk, even if it “still works”. Replace it with something maintained.

Remove what you don’t use

Delete, don’t just deactivate:

  • Unused plugins
  • Unused themes (keep only your active theme and one default theme as fallback)

A deactivated plugin is still on disk and its files can still be requested directly, so a flaw in it still counts. Deleting it removes that code path entirely.

2) Lock down authentication (the number one real-world win)

Use strong credentials

  • Use a password manager
  • Use unique passwords per site
  • Avoid “admin” style usernames

Enable 2FA for administrators

2FA blocks most credential-stuffing attacks. If you only do one security upgrade, do this one.

Recommended approach:

  • Enable 2FA for all admin users
  • Enable it for editors if they publish content frequently

Create least-privilege user roles

  • Admins: only people who truly need it
  • Editors: content editing
  • Authors: content writing
  • Contributors: limited publishing rights

Remove old users, contractors, and “temporary” accounts.

3) Secure wp-config.php and core settings

Disable file editing in wp-admin (must-have)

Add this to wp-config.php:

define('DISALLOW_FILE_EDIT', true);

Without this, anyone who obtains an admin session can turn it into PHP execution through the built-in theme/plugin editors. Note that it does not stop plugin or theme uploads; if you also want to block those, WordPress provides the separate DISALLOW_FILE_MODS constant, which additionally disables in-dashboard updates.

Force SSL for admin/login (if HTTPS is enabled)

define('FORCE_SSL_ADMIN', true);

Note

This assumes your site already has a valid SSL certificate and your WordPress Address and Site Address are HTTPS.

Refresh security keys and salts

If you suspect a compromise, rotate the keys and salts: every existing login cookie becomes invalid, so all users (including an attacker holding a stolen session) must sign in again. Rotating them does not change any password, so change those as well.

  • WordPress.org provides a salts generator at https://api.wordpress.org/secret-key/1.1/salt/
  • Replace the whole block of eight constants in wp-config.php (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and the four matching *_SALT values)
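The three wp-config.php changes in this section (disable file editing, force SSL for admin, rotate the eight keys/salts) done offline in one script, as an added example that is not GOZEN HOST tooling or part of WordPress. It assumes a POSIX shell with awk, grep, base64 and /dev/urandom, and works on a constructed sample config; the sample file, its contents and the helper names are the example's own.

```shell
#!/usr/bin/env bash
# Added example, not GOZEN HOST tooling: rotate all eight keys/salts in a
# wp-config.php offline and add DISALLOW_FILE_EDIT / FORCE_SSL_ADMIN if
# they are missing. Assumes POSIX sh, awk, grep, base64 and /dev/urandom.
set -eu

# The eight constants WordPress derives its cookie and nonce secrets from.
WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
# Matches a define() line for any of them (spaces after the paren allowed).
# Written without backslashes so the same string works for grep -E and awk -v.
KEY_RE="define[(] *'(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)'"

# 48 random bytes -> 64 base64 characters. base64 never emits ' or \, so the
# value is safe inside a PHP single-quoted string (openssl rand -base64 48 is equivalent).
random_secret() { head -c 48 /dev/urandom | base64 | tr -d '\n'; }

# Emit eight fresh define() lines.
gen_salts() {
  for k in $WP_KEYS; do
    printf "define('%s', '%s');\n" "$k" "$(random_secret)"
  done
}

# How many key/salt define() lines a config currently has (0 if none).
count_salts() { grep -cE "$KEY_RE" "$1" || true; }

# Rewrite a wp-config.php: old key/salt lines are replaced in place by eight
# new ones; missing hardening defines are inserted before the "stop editing"
# marker so they are set before wp-settings.php is loaded.
harden_wp_config() {
  cfg="$1"
  grep -q 'stop editing' "$cfg" || { echo "no 'stop editing' marker in $cfg" >&2; return 1; }
  work=$(mktemp -d)
  : > "$work/salts"; : > "$work/extra"
  # A config that has no salts at all gets them before the marker instead.
  if [ "$(count_salts "$cfg")" -gt 0 ]; then gen_salts > "$work/salts"; else gen_salts > "$work/extra"; fi
  for c in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
    grep -q "define[(] *'$c'" "$cfg" || printf "define('%s', true);\n" "$c" >> "$work/extra"
  done
  awk -v re="$KEY_RE" -v salts="$work/salts" -v extra="$work/extra" '
    $0 ~ re {                                   # an old key/salt line
      if (!done) { while ((getline l < salts) > 0) print l; done = 1 }
      next                                      # drop the stale value
    }
    /stop editing/ { while ((getline l < extra) > 0) print l }
    { print }
  ' "$cfg" > "$work/new"
  cat "$work/new" > "$cfg"   # overwrite contents; keeps the file's owner and mode
  rm -rf "$work"
}

# Constructed sample wp-config.php (shape of the stock wp-config-sample.php).
make_sample_config() {
  cat > "$1" <<'EOF'
<?php
/* Constructed sample for this example, not a real site. */
define( 'DB_NAME', 'wordpress' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Demo on a constructed copy. On a real site, back up wp-config.php somewhere
# outside the web root first, then point harden_wp_config at the live file.
demo=$(mktemp -d)
make_sample_config "$demo/wp-config.php"
harden_wp_config "$demo/wp-config.php"
cat "$demo/wp-config.php"
rm -rf "$demo"
```

Running it twice is safe: the salts are rotated again (which is the point after a compromise), and the two hardening defines are only added when absent.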

4) File permissions and ownership (beginner-safe defaults)

Correct permissions prevent “write anywhere” scenarios, where a bug in one component lets an attacker drop or modify files elsewhere in the site.

General guidance:

  • Directories: 755
  • Files: 644
  • wp-config.php: 600 when PHP runs as the file’s owner (the usual suPHP / PHP-FPM pool setup), or 640 with the web server’s group when PHP runs as a different user

On Linux (VPS/dedicated environments), you can apply:

find /path/to/wordpress -type d -exec chmod 755 {} \;
find /path/to/wordpress -type f -exec chmod 644 {} \;
chmod 600 /path/to/wordpress/wp-config.php

Shared hosting note

File ownership and permission models can differ (suPHP, LSAPI, CloudLinux). If a permission change breaks the site, revert and contact Support.

5) Reduce brute-force and abuse against wp-login

Option A (beginner): Limit login attempts (plugin or hosting protection)

Use one of:

  • A reputable security plugin that limits login attempts
  • Hosting-side protection if available (WAF or brute-force rules)

Option B (intermediate): Hide wp-login? Don’t rely on it

“Hide login URL” can reduce noise, but it is not a security control by itself. Use it only as an extra layer.

Option C (advanced): Restrict wp-admin by IP (only if you have static IPs)

This is strong, but can lock you out if your IP changes. Use it only when you know your access IPs. Exempt wp-admin/admin-ajax.php from the restriction: themes and plugins call it for anonymous visitors, so blocking it by IP breaks front-end features.

6) Disable or restrict XML-RPC (only if you do not need it)

xmlrpc.php is commonly abused for password guessing (its system.multicall method lets one HTTP request carry hundreds of login attempts, which sidesteps per-request rate limits on wp-login) and for pingback-based DDoS, where your site is made to send requests at a third party.

  • If you do not use Jetpack, the WordPress mobile app, or external publishing, you can disable it.
  • If you do need it, restrict it and focus on 2FA and WAF.

Apache: add this to your WordPress .htaccess (usually in the WordPress root; Apache 2.4 syntax):

<Files "xmlrpc.php">
  Require all denied
</Files>

nginx: add this inside the relevant server block. deny all on its own answers with a 403; return 444 closes the connection without sending anything. Because return is evaluated before access checks, it is the one that takes effect here, so keep both only if you want the 403 behaviour as a fallback should the return line be removed later.

location = /xmlrpc.php {
  deny all;
  return 444;
}

Note

If disabling XML-RPC breaks a feature you rely on, revert this change and use a WAF and 2FA instead.
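A log-side complement to the controls in sections 5 and 6 (and to the “access log review” in section 9): the brute-force pattern shows up as one client IP POSTing to wp-login.php or xmlrpc.php over and over. The script below is an added example, not GOZEN HOST tooling; it assumes a POSIX shell with awk, sort and sed, an Apache/nginx “combined” access log, and runs on a constructed sample log with documentation IP ranges. The threshold, the output format and the helper names are the example’s own.

```shell
#!/usr/bin/env bash
# Added example, not GOZEN HOST tooling: find brute-force candidates in a
# web server access log ("combined" format) by counting POSTs to
# wp-login.php and xmlrpc.php per client IP. Assumes POSIX sh, awk, sort, sed.
set -eu

# Constructed sample log (documentation IP ranges, not real traffic).
make_sample_log() {
  cat > "$1" <<'EOF'
198.51.100.23 - - [12/May/2024:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2024:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2024:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.31"
198.51.100.23 - - [12/May/2024:10:01:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.31"
203.0.113.9 - - [12/May/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [12/May/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.77 - - [12/May/2024:10:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 4020 "-" "Mozilla/5.0"
192.0.2.77 - - [12/May/2024:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.78 - - [12/May/2024:10:06:00 +0000] "GET / HTTP/1.1" 200 15211 "-" "Mozilla/5.0"
EOF
}

# Print "count ip path redirects=N" for every ip/path pair with at least
# $2 POSTs (default 20). Combined-log fields: $1 client IP, $6 method (with
# the opening quote), $7 path, $9 status. wp-login.php re-renders the form
# with 200 on a failed login and answers 302 on success, so redirects>0 on a
# flagged IP means a guessed password worked and that account needs action.
brute_force_candidates() {
  awk -v t="${2:-20}" '
    $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") {
      k = $1 " " $7; n[k]++
      if ($7 == "/wp-login.php" && $9 == 302) ok[k]++
    }
    END { for (k in n) if (n[k] >= t) printf "%d %s redirects=%d\n", n[k], k, ok[k] + 0 }
  ' "$1" | sort -rn
}

# Turn the candidates into nginx "deny <ip>;" lines for a temporary block
# (paste into the server block, or feed the IPs to your WAF instead).
nginx_deny_lines() {
  brute_force_candidates "$1" "${2:-20}" | awk '{ print $2 }' | sort -u | sed 's/^/deny /; s/$/;/'
}

# Demo on the constructed log with a low threshold; a real log wants the default or higher.
log=$(mktemp)
make_sample_log "$log"
brute_force_candidates "$log" 3
nginx_deny_lines "$log" 3
rm -f "$log"
```

On the sample, 198.51.100.23 is flagged with redirects=1: five failed POSTs followed by one 302, which is exactly the “guessed it on the sixth try” signature that a limit-login-attempts rule is meant to prevent. 192.0.2.77 (one GET, one successful POST) is a normal login and stays below the threshold.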

7) Protect sensitive files and block obvious leaks

Block access to wp-config.php and hidden files

Apache (.htaccess):

<Files wp-config.php>
  Require all denied
</Files>

<FilesMatch "^\.(?!well-known)">
  Require all denied
</FilesMatch>

nginx (inside the server block):

location = /wp-config.php { deny all; }
location ~ /\. { deny all; }

Note

wp-config.php is normally executed by PHP rather than served, so these rules are defence in depth for the moment PHP stops running (a broken upgrade, a misconfigured handler). They do not cover copies such as wp-config.php.bak or wp-config.php~, which editors and backup tools leave behind and which are served as plain text; delete those. The nginx dotfile rule also blocks /.well-known/, which Let’s Encrypt HTTP-01 validation uses; put an exception for that path in front of it if your certificates are renewed that way.

Do not store backups in public web directories

Common mistake:

  • Saving .zip or .sql backups inside public_html or www

Attackers scan for those files constantly.
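A read-only audit that checks a document root for the problems in sections 4 and 7 (backups and dumps under the web root, dotfiles that must be blocked, world-writable files and directories, a readable wp-config.php), as an added example that is not GOZEN HOST tooling. It assumes a POSIX shell with find and sed and runs against a constructed fake docroot built by the script itself. It goes one check beyond the article’s list: it also flags PHP files under wp-content/uploads, a common location for dropped web shells.

```shell
#!/usr/bin/env bash
# Added example, not GOZEN HOST tooling: read-only audit of a WordPress
# document root for the leak and permission problems in sections 4 and 7.
# It only reports; nothing is changed. Assumes POSIX sh, find, sed, wc.
set -eu

# Print one tagged line per finding under document root $1.
audit_docroot() {
  root="$1"
  # Section 7: archives and dumps inside the web root are downloadable by anyone who guesses the name.
  find "$root" -type f \( -name '*.zip' -o -name '*.sql' -o -name '*.sql.gz' \
       -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*.bak' \) -print | sed 's/^/BACKUP: /'
  # Section 7: dotfiles that must be denied at the web server (.env, .git, .htpasswd).
  find "$root" \( -name '.env' -o -name '.git' -o -name '.htpasswd' \) -print | sed 's/^/HIDDEN: /'
  # Section 4: anything writable by "other" is a write-anywhere foothold.
  find "$root" -perm -o=w -print | sed 's/^/WRITABLE: /'
  # Section 4: wp-config.php should be 600 (or 640), never world-readable.
  find "$root" -maxdepth 1 -name wp-config.php -perm -o=r -print | sed 's/^/CONFIG_READABLE: /'
  # Beyond the article's list: PHP under uploads is where dropped web shells usually live.
  find "$root/wp-content/uploads" -type f -name '*.php' -print 2>/dev/null | sed 's/^/PHP_IN_UPLOADS: /'
}

# Total number of findings (0 means clean).
count_findings() { audit_docroot "$1" | wc -l | tr -d ' '; }

# Constructed fake docroot with one of each problem (not a real site).
make_sample_docroot() {
  umask 022
  d="$1"
  mkdir -p "$d/wp-content/uploads/2024/05" "$d/wp-content/themes/twentytwentyfour" "$d/.git"
  : > "$d/index.php"
  : > "$d/wp-config.php";          chmod 644 "$d/wp-config.php"   # world-readable config
  : > "$d/backup-2024-05-01.sql"                                  # dump in the web root
  : > "$d/site.zip"                                               # archive in the web root
  : > "$d/.env"                                                   # secrets in a dotfile
  : > "$d/wp-content/uploads/2024/05/image.jpg"
  : > "$d/wp-content/uploads/2024/05/cache.php"                   # PHP under uploads
  chmod 666 "$d/wp-content/uploads/2024/05/cache.php"             # world-writable file
  chmod 777 "$d/wp-content/uploads"                               # world-writable directory
}

# Demo: audit the fake docroot, then apply the article's baseline and re-audit.
demo=$(mktemp -d)
make_sample_docroot "$demo"
echo "findings before: $(count_findings "$demo")"
audit_docroot "$demo"
find "$demo" -type d -exec chmod 755 {} \;
find "$demo" -type f -exec chmod 644 {} \;
chmod 600 "$demo/wp-config.php"
echo "findings after chmod baseline: $(count_findings "$demo")"
rm -rf "$demo"
```

Applying the chmod baseline from section 4 clears the permission findings but not the BACKUP, HIDDEN and PHP_IN_UPLOADS ones; those need the files moved out of the web root or deleted, and the server rules from this section.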

8) Add an application security layer (WAF and malware scanning)

A WAF (Web Application Firewall) helps block known exploit patterns and malicious bots.

Good options:

  • Hosting-side WAF (best if available)
  • A reputable WordPress security plugin with firewall features

What matters:

  • It updates frequently
  • It blocks brute force and common exploit payloads
  • It logs events so you can see what is happening

9) Monitoring that actually helps

Minimum monitoring setup:

  • Scheduled malware scans
  • File integrity checks (alert on changed core files)
  • Login alerts for admin accounts
  • Access/error log review when something looks off

If your site is revenue-critical, upgrade the posture:

  • Uptime monitoring (external)
  • Alerting to email and a secondary channel
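The “file integrity check” line above, reduced to its essentials: hash every file under the WordPress root into a baseline kept outside the web root, then diff the live tree against it after each deploy or on a schedule. This is an added example, not GOZEN HOST tooling; it assumes a POSIX shell with find, sha256sum and awk, does not handle paths containing spaces, and runs on a constructed sample tree whose files, names and “tampering” are the example’s own.

```shell
#!/usr/bin/env bash
# Added example, not GOZEN HOST tooling: minimal file-integrity baseline
# and check for a WordPress root. Assumes POSIX sh, find, sha256sum, awk;
# paths containing spaces are not handled (sha256sum output is split on whitespace).
set -eu

# Write "sha256  ./path" for every file under directory $1 into file $2.
# Keep $2 outside the web root; a baseline an attacker can edit is worthless.
make_baseline() {
  ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$2"
}

# Compare live tree $1 against baseline $2; print ADDED/MODIFIED/DELETED lines.
check_baseline() {
  cur=$(mktemp)
  make_baseline "$1" "$cur"
  awk 'FILENAME == ARGV[1] { base[$2] = $1; next }      # load the baseline hashes
       !($2 in base)       { print "ADDED: " $2; next }
       base[$2] != $1      { print "MODIFIED: " $2 }
                           { delete base[$2] }          # seen; whatever is left was deleted
       END { for (f in base) print "DELETED: " f }' "$2" "$cur"
  rm -f "$cur"
}

# Constructed sample site (a handful of files standing in for a real install).
make_sample_site() {
  mkdir -p "$1/wp-content/themes/site" "$1/wp-content/uploads" "$1/wp-includes"
  echo '<?php require __DIR__ . "/wp-blog-header.php";' > "$1/index.php"
  echo '<?php $wp_version = "6.5.3";' > "$1/wp-includes/version.php"
  echo '<?php // theme functions' > "$1/wp-content/themes/site/functions.php"
  echo 'Welcome to WordPress' > "$1/readme.html"
}

# Simulate what a compromise looks like on disk: a theme file gains appended
# code, a PHP file appears under uploads, and a file disappears.
tamper_sample_site() {
  echo '<?php /* appended by the simulated attacker */' >> "$1/wp-content/themes/site/functions.php"
  echo '<?php /* dropped file */' > "$1/wp-content/uploads/wp-cache.php"
  rm -f "$1/readme.html"
}

# Demo: baseline, tamper, check. In production, run make_baseline right after
# a clean deploy and check_baseline from cron, alerting on any output.
site=$(mktemp -d); base=$(mktemp)
make_sample_site "$site"
make_baseline "$site" "$base"
echo "clean tree: $(check_baseline "$site" "$base" | wc -l | tr -d ' ') findings"
tamper_sample_site "$site"
check_baseline "$site" "$base"
rm -rf "$site" "$base"
```

Legitimate updates change files too, so regenerate the baseline as part of the update procedure in section 1; a check that fires outside an update window is the signal you want.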

10) If you think you’ve been hacked (containment playbook)

Do this in order:

  1. Do not panic-edit random files. Preserve evidence.
  2. Change passwords:
     • WordPress admin users
     • Hosting control panel
     • Database user
  3. Disable or remove suspicious plugins/themes.
  4. Scan for malware and backdoors.
  5. Restore from a known-clean backup if available.
  6. Update everything again after cleanup.

What to send Support:

  • Domain and affected URLs
  • What you see (redirects, spam pages, admin lockout, unknown users)
  • When it started
  • Any recent changes (plugins, themes, deployments)

Don’t pay the ransom

If someone demands payment to “unlock” your site, treat it as a criminal incident. Focus on containment, cleanup, and recovery.

Summary

A secure WordPress setup is not one magic plugin. It is a baseline:

  • Patch quickly
  • 2FA and strong authentication
  • Lock wp-config and permissions
  • Reduce exposed surfaces (wp-login, XML-RPC, sensitive files)
  • WAF and monitoring
  • A restore plan you have tested