Anay Pandya
Founder of ZeriFlow · 10 years fullstack engineering · About the author
Key Takeaways
- 15 essential WordPress security hardening steps. From basic settings to advanced configuration, protect your WordPress site from the most common attacks.
- Includes copy-paste code examples and step-by-step instructions.
- Free automated scan available to verify your implementation.
Why WordPress Security Matters
WordPress powers over 40% of all websites on the internet. That ubiquity makes it the biggest target for automated attacks. Every day, thousands of WordPress sites are compromised through:
<div class="zf-stat-callout" style="background:#0d1117;border:1px solid rgba(16,185,129,0.25);border-left:3px solid #10b981;border-radius:4px;padding:16px 20px;margin:24px 0"> <p style="margin:0 0 4px;font-size:10px;font-weight:700;text-transform:uppercase;letter-spacing:0.15em;color:#10b981;font-family:monospace">ZeriFlow Data — 12,400+ sites analyzed</p> <p style="margin:0;font-size:13px;color:#e2e8f0;line-height:1.6;font-family:monospace">Across 12,400+ sites in our scan corpus, 29% still accept TLS 1.1 connections — a protocol deprecated by RFC 8996 in March 2021 and flagged as insecure by every major browser.</p> </div>
Is your site actually secure?
Run a free check — 60 seconds
- Brute force attacks on login pages
- Exploits in outdated plugins and themes
- SQL injection through vulnerable forms
- Cross-site scripting (XSS) via unvalidated input
- File upload vulnerabilities
The good news: most WordPress attacks exploit basic misconfigurations that you can fix in an afternoon.
15 Steps to Harden Your WordPress Site
Step 1: Keep WordPress Core Updated
WordPress core updates include security patches. Enable auto-updates:
// wp-config.php
define('WP_AUTO_UPDATE_CORE', true);Or update manually from Dashboard > Updates. Never ignore the "update available" notification.
Step 2: Update All Plugins and Themes
90% of WordPress hacks come from vulnerable plugins. Rules to follow: - Enable auto-updates for all plugins (WordPress 5.5+) - Delete unused plugins entirely (deactivating is not enough) - Delete unused themes (keep only your active theme + a default) - Check plugin reviews and last update date before installing
Step 3: Use Strong Admin Credentials
- Change the default
adminusername to something unique - Use a password manager and generate a 20+ character password
- Enable two-factor authentication with a plugin like WP 2FA or Wordfence
Step 4: Change the Login URL
The default /wp-admin and /wp-login.php URLs are targeted by every bot on the internet.
Use a plugin like WPS Hide Login to change your login URL to something custom like /my-secret-login.
Step 5: Limit Login Attempts
Block brute force attacks by limiting failed login attempts:
Install Limit Login Attempts Reloaded and configure: - Max 3 retries before lockout - 20-minute lockout after failed attempts - Increase lockout after 3 lockouts - Email notification on lockout
Step 6: Disable XML-RPC
XML-RPC is an old API that most sites do not need. It is commonly used for brute force attacks and DDoS amplification.
// Add to functions.php
add_filter('xmlrpc_enabled', '__return_false');Or block it at the server level:
# Nginx
location = /xmlrpc.php {
deny all;
return 403;
}Step 7: Disable File Editing
By default, WordPress lets admins edit plugin and theme files from the dashboard. If an attacker gets admin access, they can inject malicious code directly.
// wp-config.php
define('DISALLOW_FILE_EDIT', true);Step 8: Protect wp-config.php
Your wp-config.php file contains database credentials and security keys. Protect it:
# Nginx
location = /wp-config.php {
deny all;
return 403;
}# Apache (.htaccess)
<Files wp-config.php>
Order Allow,Deny
Deny from All
</Files>Step 9: Add Security Headers
WordPress does not set security headers by default. Add them in your server config or via a plugin:
// functions.php
function add_security_headers() {
header('X-Content-Type-Options: nosniff');
header('X-Frame-Options: DENY');
header('X-XSS-Protection: 1; mode=block');
header('Referrer-Policy: strict-origin-when-cross-origin');
header('Permissions-Policy: camera=(), microphone=(), geolocation=()');
header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}
add_action('send_headers', 'add_security_headers');Step 10: Use HTTPS Everywhere
Force HTTPS in WordPress:
// wp-config.php
define('FORCE_SSL_ADMIN', true);Also update WordPress Address and Site Address in Settings > General to use https://.
Step 11: Disable Directory Listing
Prevent attackers from browsing your directory structure:
# .htaccess
Options -IndexesStep 12: Secure the Database
- Change the default table prefix from
wp_to something random (e.g.,xk7_) - Use a dedicated database user with minimal privileges
- Enable database encryption if your host supports it
For new installations, set the prefix in wp-config.php:
$table_prefix = 'xk7_';Step 13: Set Proper File Permissions
# Directories: 755
find /var/www/html -type d -exec chmod 755 {} \;
# Files: 644
find /var/www/html -type f -exec chmod 644 {} \;
# wp-config.php: 600 (read/write by owner only)
chmod 600 wp-config.phpStep 14: Install a Security Plugin
A good security plugin adds multiple layers of protection:
Recommended options: - Wordfence — Firewall, malware scanner, login security (free tier excellent) - Sucuri Security — Audit logging, file integrity monitoring, security hardening - iThemes Security — 30+ security settings in one plugin
Pick one (not multiple, they can conflict) and configure it properly.
Step 15: Set Up Automated Backups
Even with perfect security, you need backups:
Recommended backup plugins: - UpdraftPlus (free, backs up to cloud storage) - BackWPup (free, scheduled backups) - BlogVault (paid, real-time backups + easy restore)
Configure daily database backups and weekly full backups, stored off-site.
Verify Your WordPress Security
After implementing these steps, run a ZeriFlow scan on your WordPress site. It checks your SSL configuration, security headers, cookie settings, and 80+ other security points. The scan takes about 60 seconds and shows you exactly what is working and what still needs attention.
Quick Wins Summary
| Step | Time | Impact |
|---|---|---|
| Update core + plugins | 5 min | Critical |
| Enable 2FA | 10 min | High |
| Change login URL | 5 min | Medium |
| Limit login attempts | 5 min | High |
| Disable XML-RPC | 2 min | Medium |
| Disable file editing | 1 min | Medium |
| Add security headers | 10 min | High |
| Force HTTPS | 5 min | Critical |
Conclusion
WordPress security hardening is not optional — it is essential. The 15 steps above cover the most important attack vectors and can be implemented in a single afternoon. Start with updates, strong credentials, and HTTPS, then work through the rest of the list.
Scan your WordPress site now to see your current security score.
Further Reading
- Mozilla SSL Configuration Generator
- RFC 8996 — Deprecating TLS 1.0 and TLS 1.1
- OWASP WordPress Security Implementation Guideline
<!-- zf-internal-links -->
Related resources
Keep improving your website security
Related tools
Website Vulnerability Scanner
Run a broader website security audit across headers, TLS, DNS, cookies, SEO, and disclosure checks.
Security Headers Checker
Check CSP, HSTS, X-Frame-Options, and other response headers.
SSL Checker
Review TLS certificate, HTTPS, and transport security signals.
DMARC Checker
Validate email authentication records for domain spoofing protection.
CSP Checker
Review Content-Security-Policy coverage and common gaps.