WordPress Powers 43% of the Web — And Hackers Know It
WordPress’s massive market share makes it the biggest target for automated attacks. Every single day, thousands of bots scan WordPress sites looking for vulnerabilities — outdated plugins, weak passwords, misconfigured files, and known exploits. The scary part? Most WordPress sites are running with critical security holes that their owners don’t even know about.
We’ve audited hundreds of WordPress sites, and the same issues come up over and over. This checklist covers 50 security hardening measures — from basics that take 5 minutes to advanced configurations that require server access. Work through them in order, and you’ll have a fortress-grade WordPress installation.
WordPress Core Configuration (Items 1-10)
- Keep WordPress core updated. Enable automatic minor updates by adding define('WP_AUTO_UPDATE_CORE', true); to wp-config.php. Major updates should be tested on staging first.
- Use a non-default database table prefix. Never use the default wp_ prefix. Change it during installation to something unique like x7k9_. If you’re already using the default, there are plugins that help you change it.
- Generate unique security keys. Visit https://api.wordpress.org/secret-key/1.1/salt/ and replace the default keys in wp-config.php. Do this immediately if you’re still using the defaults.
- Disable file editing in the admin. Add define('DISALLOW_FILE_EDIT', true); to wp-config.php to prevent anyone from editing theme and plugin files through the WordPress dashboard.
- Disable file modifications entirely. For production sites, add define('DISALLOW_FILE_MODS', true); to prevent plugin/theme installation and updates through the admin. Manage updates through WP-CLI or your management tool instead.
- Force SSL for the admin. Add define('FORCE_SSL_ADMIN', true); to wp-config.php. Your site should already be running HTTPS everywhere.
- Set proper file permissions. Directories: 755. Files: 644. wp-config.php: 440 or 400. Never use 777 on a production server.
- Move wp-config.php one directory up. WordPress automatically looks one directory above its install directory (the web root, in a standard install) for wp-config.php. Moving it there makes it inaccessible via the web server.
- Limit post revisions. Add define('WP_POST_REVISIONS', 5); to wp-config.php to prevent database bloat and reduce attack surface from stored XSS in revisions.
- Keep the database repair page disabled. Add define('WP_ALLOW_REPAIR', false); to wp-config.php (set it to true only when actively repairing, then immediately set it back to false).
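Added example, not from the original checklist: a shell script that audits a wp-config.php for the constants in items 1 to 6 and 10 and reports files outside the permission scheme in item 7. The function names and the throwaway sample site it builds are my own constructions; it assumes GNU find (for -printf), as found on any Linux host.

```shell
#!/bin/sh
# Added example (not part of the original checklist): audit a wp-config.php for
# the hardening constants in items 1, 4, 5, 6 and 10, flag the default wp_
# table prefix (item 2) and placeholder salts (item 3), and report files whose
# mode differs from the 755 / 644 / 400-440 scheme in item 7.

# Constant=value pairs the checklist recommends for a production site.
WANTED_DEFINES="WP_AUTO_UPDATE_CORE=true
DISALLOW_FILE_EDIT=true
DISALLOW_FILE_MODS=true
FORCE_SSL_ADMIN=true
WP_ALLOW_REPAIR=false"

# Print the value set by define('NAME', value); in FILE, or "missing".
wp_define_value() {  # $1 = wp-config.php, $2 = constant name
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*\([^)]*\))[[:space:]]*;.*/\1/p" "$1" \
        | sed 's/[[:space:]]*$//' | head -n 1 | grep . || echo missing
}

# Print one OK/FIX line per check and a final "findings: N" summary.
audit_wp_config() {  # $1 = wp-config.php
    bad=0
    for pair in $WANTED_DEFINES; do
        name=${pair%%=*}
        want=${pair#*=}
        got=$(wp_define_value "$1" "$name")
        if [ "$got" = "$want" ]; then
            echo "OK  $name"
        else
            echo "FIX $name (got $got, want $want)"
            bad=$((bad + 1))
        fi
    done
    # Item 2: the default prefix is the one automated SQL injection tooling assumes.
    if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$1"; then
        echo "FIX table_prefix (default wp_ in use)"
        bad=$((bad + 1))
    fi
    # Item 3: the salts shipped in wp-config-sample.php are placeholders.
    if grep -q 'put your unique phrase here' "$1"; then
        echo "FIX security keys (placeholder salts in use)"
        bad=$((bad + 1))
    fi
    echo "findings: $bad"
}

# Item 7: print "mode path" for anything outside 755 (dirs), 644 (files) and
# 400/440 (wp-config.php). Uses GNU find's -printf.
audit_permissions() {  # $1 = WordPress root
    find "$1" -type d ! -perm 755 -printf '%m %p\n'
    find "$1" -type f ! -name wp-config.php ! -perm 644 -printf '%m %p\n'
    find "$1" -type f -name wp-config.php ! -perm 400 ! -perm 440 -printf '%m %p\n'
}

# Constructed fixture (not a real site): a throwaway tree containing the
# mistakes the checklist warns about, so the audit has something to report.
make_sample_site() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    cat > "$root/wp-config.php" <<'EOF'
<?php
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
define('WP_AUTO_UPDATE_CORE', true);
define('DISALLOW_FILE_EDIT', true);
define('WP_ALLOW_REPAIR', true);
EOF
    echo '<?php // index' > "$root/index.php"
    chmod 755 "$root" "$root/wp-content"
    chmod 777 "$root/wp-content/uploads"   # world-writable: the classic item 7 mistake
    chmod 644 "$root/wp-config.php" "$root/index.php"
    echo "$root"
}

site=$(make_sample_site)
audit_wp_config "$site/wp-config.php"
audit_permissions "$site"
rm -rf "$site"
```

Against a real install, run audit_wp_config on the live wp-config.php (wherever you moved it) and audit_permissions on the document root; the FIX lines map one-to-one onto the checklist items above.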
Login Protection (Items 11-20)
- Change the default admin username. Never use “admin” as a username. If you have one, create a new admin user with a different name and delete the old one.
- Enforce strong passwords. Use a password manager. Every WordPress user account should have a unique, randomly generated password of 16+ characters.
- Enable two-factor authentication. Install Wordfence Login Security (free) or WP 2FA. Every admin account should have 2FA enabled — no exceptions.
- Limit login attempts. Install a rate-limiting plugin or configure this at the server level. After 3-5 failed attempts, block the IP for 15-30 minutes.
- Change the login URL. Move wp-login.php to a custom URL using a plugin like WPS Hide Login. This stops 90% of automated brute force attacks.
- Disable XML-RPC. Unless you specifically need it (for remote publishing or Jetpack), block xmlrpc.php entirely. It’s a common attack vector for brute force amplification.
- Disable REST API for unauthenticated users. The WordPress REST API exposes user data and site information to anyone. Restrict it with a plugin or custom code.
- Block user enumeration. Prevent attackers from discovering usernames through /?author=1 queries and REST API endpoints.
- Set up login notifications. Get email alerts when anyone logs into your WordPress admin. Some security plugins include this feature.
- Use application passwords carefully. If you must use application passwords for API access, scope them to specific capabilities and revoke them when no longer needed.
Plugin & Theme Security (Items 21-30)
- Audit installed plugins regularly. Delete any plugin you’re not actively using. Inactive plugins are still a security risk if they have vulnerabilities.
- Keep all plugins updated. Check for updates weekly at minimum. Use an automated update management tool for multi-site portfolios.
- Vet plugins before installing. Check the plugin’s update frequency, support forum activity, number of active installations, and reviews. Abandoned plugins are a major risk.
- Use only reputable plugin sources. Install plugins only from wordpress.org or well-known commercial vendors. Never download nulled plugins or themes.
- Limit the total number of plugins. Every plugin adds attack surface. Aim for 15 or fewer active plugins. Replace multiple single-purpose plugins with comprehensive alternatives.
- Monitor plugin vulnerability databases. Subscribe to WPScan or use a tool that alerts you when vulnerabilities are discovered in your installed plugins.
- Remove default themes. Delete Twenty Twenty-One, Twenty Twenty-Two, etc. Keep only one default theme as a fallback, and your active theme.
- Verify theme file integrity. Periodically compare theme files against the original source to detect unauthorized modifications.
- Disable plugin and theme installation. On production sites, use DISALLOW_FILE_MODS to prevent installation of new plugins through the admin.
- Test updates on staging first. Before updating plugins on production, test them on a staging environment. Automated tools like OpenClaw can handle this across multiple sites.
Server & Network Security (Items 31-40)
- Use a Web Application Firewall (WAF). Cloudflare provides a basic WAF on all plans. Wordfence and Sucuri also offer WordPress-specific WAFs.
- Block PHP execution in uploads. Add a .htaccess or Nginx rule to prevent PHP execution in the /wp-content/uploads/ directory. This is critical for preventing malicious file uploads from executing.
- Protect wp-config.php with server rules. Block direct web access to wp-config.php using .htaccess or Nginx configuration.
- Disable directory listing. Ensure your web server doesn’t show directory contents when no index file is present. Add Options -Indexes to .htaccess or configure it in Nginx.
- Restrict wp-admin access by IP. If you have a static IP, restrict wp-admin access to only that IP. For dynamic IPs, use a VPN with a static IP endpoint.
- Implement fail2ban rules. Configure fail2ban to monitor WordPress login attempts and automatically ban IPs that exceed the threshold.
- Use SSH keys, not passwords. For server access, disable password authentication and use SSH keys exclusively. Disable root login.
- Keep server software updated. Regularly update your OS, web server, PHP, and MySQL/MariaDB to patch security vulnerabilities.
- Configure proper security headers. Add headers for X-Frame-Options, X-Content-Type-Options, X-XSS-Protection, Content-Security-Policy, and Strict-Transport-Security.
- Enable rate limiting at the server level. Configure Nginx or Apache rate limiting to protect against DDoS and brute force attacks before they reach WordPress.
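Added example, not from the original checklist: before tuning the login limits in item 14, the XML-RPC block in item 16, the enumeration block in item 18, or the fail2ban and rate-limit thresholds in items 35 and 40, it helps to measure what your access log actually shows. The script below pulls those patterns out of a combined-format Apache/Nginx log. The log lines are constructed for the demo (documentation IP ranges, not real traffic) and the function names are my own.

```shell
#!/bin/sh
# Added example (not from the original checklist): find the brute-force and
# enumeration patterns behind items 14, 16, 18 and 35 in a combined-format
# access log, so rate limits and fail2ban jails can be tuned against real
# numbers. The log lines below are constructed, not from any real site.

# Combined log format, split on whitespace: $1 ip, $6 "METHOD, $7 path, $9 status.

# Print "ip count" for every IP with at least $1 failed logins.
# Heuristic: a 200 on POST /wp-login.php means WordPress re-rendered the form
# (the login failed); a successful login answers with a 302 redirect.
wp_login_failures() {  # stdin = access log, $1 = threshold
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }' | sort
}

# Print "ip count" for every IP hitting xmlrpc.php at least $1 times.
xmlrpc_abusers() {  # stdin = access log, $1 = threshold
    awk -v limit="$1" '
        $7 ~ /^\/xmlrpc\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= limit) print ip, hits[ip] }' | sort
}

# Print "ip path" for every username-enumeration probe: ?author=N lookups and
# the REST users endpoint, in both its pretty and ?rest_route= forms.
user_enum_probes() {  # stdin = access log
    awk '$7 ~ /[?&]author=[0-9]+/ || $7 ~ /wp\/v2\/users/ { print $1, $7 }'
}

# Constructed sample log: one IP failing six logins and enumerating authors,
# one legitimate user who mistypes once, one IP hammering xmlrpc.php.
SAMPLE_LOG=$(cat <<'EOF'
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:07 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2024:10:00:08 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:10:01:09 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 401 93 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.9 - - [10/Mar/2024:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.9 - - [10/Mar/2024:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
192.0.2.9 - - [10/Mar/2024:10:02:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
EOF
)

echo "== IPs with 5+ failed logins (candidates for a 15-30 minute block)"
printf '%s\n' "$SAMPLE_LOG" | wp_login_failures 5
echo "== IPs with 3+ xmlrpc.php requests"
printf '%s\n' "$SAMPLE_LOG" | xmlrpc_abusers 3
echo "== user enumeration probes"
printf '%s\n' "$SAMPLE_LOG" | user_enum_probes
```

On a real host, feed the functions the live log instead (wp_login_failures 5 < /var/log/nginx/access.log). The 200-versus-302 heuristic is what you would also encode in a fail2ban filter for item 35; if your login page is behind a plugin that changes the response codes, check them before trusting the counts.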
Monitoring & Response (Items 41-50)
- Set up file integrity monitoring. Monitor core WordPress files for unauthorized changes. Wordfence and Sucuri both offer this feature.
- Configure automated malware scanning. Schedule daily or weekly malware scans. Many security plugins offer scheduled scanning.
- Monitor uptime and response codes. Set up uptime monitoring that alerts you immediately when your site goes down or returns error codes. This can indicate a hack or defacement.
- Log all admin actions. Use an activity log plugin to track every action taken in the WordPress admin — who did what and when.
- Set up automated backups. Daily backups stored off-site (not on the same server). Test your backup restoration process quarterly.
- Create an incident response plan. Document what to do if your site is hacked: who to contact, how to restore from backup, and steps to identify and close the vulnerability.
- Monitor for blacklisting. Check if your site or IP has been blacklisted by Google Safe Browsing, Spamhaus, and other reputation services.
- Scan for SEO spam. Regularly check for hidden links, Japanese keyword hack, and pharmaceutical spam injections. These are often invisible to casual inspection.
- Audit user accounts regularly. Remove old user accounts, revoke access for team members who’ve left, and review user roles quarterly. Every unnecessary account is an attack vector.
- Use a security monitoring service. For multiple sites, use a centralized security monitoring tool. OpenClaw provides continuous security monitoring across your entire WordPress portfolio with automated alerts and response capabilities.
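Added example, not from the original checklist: the integrity checks in items 28 and 41 come down to "hash everything once, store the manifest somewhere the web server cannot write, and diff against it later". The script below does exactly that with sha256sum; the sample theme directory and the function names are my own constructions, and it assumes GNU coreutils.

```shell
#!/bin/sh
# Added example (not from the original checklist): a minimal baseline-and-diff
# integrity check for items 28 and 41, using sha256sum from GNU coreutils.
# Keep the baseline off the server: a manifest an intruder can rewrite proves nothing.

# Write "hash  ./path" for every file under $1 into manifest $2, sorted by path.
make_baseline() {  # $1 = directory, $2 = manifest path
    (cd "$1" && find . -type f -exec sha256sum {} + | sort -k2) > "$2"
}

# Compare $1 against baseline $2; print ADDED/CHANGED/DELETED lines, nothing if clean.
# Paths containing whitespace are not handled (sha256sum's two-column output).
check_integrity() {  # $1 = directory, $2 = baseline manifest
    current=$(mktemp)
    make_baseline "$1" "$current"
    awk 'FILENAME == ARGV[1] { base[$2] = $1; next }
         !($2 in base)      { print "ADDED   " $2; next }
         base[$2] != $1     { print "CHANGED " $2 }
                            { delete base[$2] }
         END { for (p in base) print "DELETED " p }' "$2" "$current" | sort
    rm -f "$current"
}

# Constructed fixture: a tiny theme directory, then the kinds of change a
# compromise leaves behind (edited functions.php, an extra file, a removed file).
make_sample_theme() {  # $1 = directory to populate
    printf '/* Theme Name: Sample */\n' > "$1/style.css"
    printf '<?php add_action("init", "sample_init");\n' > "$1/functions.php"
    printf '<!doctype html>\n' > "$1/header.php"
}
tamper_sample_theme() {  # $1 = directory populated by make_sample_theme
    printf '// appended line\n' >> "$1/functions.php"
    printf '<?php // unexpected file\n' > "$1/extra.php"
    rm -f "$1/header.php"
}

theme=$(mktemp -d)
manifest=$(mktemp)
make_sample_theme "$theme"
make_baseline "$theme" "$manifest"
echo "clean run (expect no output):"
check_integrity "$theme" "$manifest"
tamper_sample_theme "$theme"
echo "after tampering:"
check_integrity "$theme" "$manifest"
rm -rf "$theme" "$manifest"
```

Run make_baseline right after a verified install or update (the moment you know the files are what they should be), then schedule check_integrity from cron and alert on any output. For core files the same diff works against a manifest built from a fresh download of the same version, which is what the "compare against the original source" advice in item 28 amounts to.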
Security Headers Reference
Add these to your .htaccess or Nginx configuration:
# .htaccess security headers (requires mod_headers)
Header always set X-Frame-Options "SAMEORIGIN"
Header always set X-Content-Type-Options "nosniff"
Header always set X-XSS-Protection "1; mode=block"
Header always set Referrer-Policy "strict-origin-when-cross-origin"
Header always set Permissions-Policy "geolocation=(), microphone=(), camera=()"
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
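Added example, not from the original post: once the headers above are in place, verify that the server really sends them (a missing mod_headers, a CDN that strips headers, or a vhost that never loads the .htaccess are all common ways for the list above to be present on disk and absent on the wire). The script below checks a raw response for each header in the reference and reads back the HSTS max-age; feed it the output of curl -sI against your site. The sample response is constructed and the function names are my own. X-XSS-Protection is deliberately not on the required list, since current browsers ignore it.

```shell
#!/bin/sh
# Added example (not from the original checklist): report which of the
# reference headers a response lacks, and whether HSTS max-age matches the
# one-year value in the reference. Input is raw HTTP response headers on stdin.

REQUIRED_HEADERS="x-frame-options x-content-type-options referrer-policy permissions-policy content-security-policy strict-transport-security"

# Print the name of every required header absent from the response on stdin.
missing_security_headers() {  # stdin = raw response headers
    present=$(tr -d '\r' | awk -F: 'NF > 1 { print tolower($1) }')
    for h in $REQUIRED_HEADERS; do
        echo "$present" | grep -qx "$h" || echo "$h"
    done
}

# Print the HSTS max-age in seconds, or 0 when the header is absent.
hsts_max_age() {  # stdin = raw response headers
    tr -d '\r' | awk -F: '
        tolower($1) == "strict-transport-security" && match($0, /max-age=[0-9]+/) {
            print substr($0, RSTART + 8, RLENGTH - 8); found = 1 }
        END { if (!found) print 0 }'
}

# Constructed sample response: two headers missing and a too-short HSTS lifetime.
SAMPLE_HEADERS=$(cat <<'EOF'
HTTP/2 200
date: Sun, 10 Mar 2024 10:00:01 GMT
content-type: text/html; charset=UTF-8
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
referrer-policy: strict-origin-when-cross-origin
strict-transport-security: max-age=300
EOF
)

echo "missing headers:"
printf '%s\n' "$SAMPLE_HEADERS" | missing_security_headers
age=$(printf '%s\n' "$SAMPLE_HEADERS" | hsts_max_age)
[ "$age" -ge 31536000 ] || echo "HSTS max-age is $age; the reference above uses 31536000"
```

Against a live site: curl -sI https://your-site.example/ | missing_security_headers. Check the front page and a wp-admin URL separately, since some setups only apply headers to one of them.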
Block PHP Execution in Uploads
# Add to /wp-content/uploads/.htaccess
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied
<Files *.php>
Order Deny,Allow
Deny from all
</Files>
The 80/20 of WordPress Security
If you only do five things from this list, do these:
- Keep everything updated — WordPress core, plugins, themes, PHP version, server software
- Use strong, unique passwords + 2FA — for every admin account, no exceptions
- Install a WAF — Cloudflare’s free plan catches the majority of automated attacks
- Set up automated backups — daily, off-site, and tested regularly
- Delete unused plugins and themes — reduce your attack surface to the minimum
These five actions alone will put you ahead of 90% of WordPress sites on the internet. The remaining 45 items on this list will take you from “well-protected” to “fortress-grade.”
Security isn’t a destination — it’s a practice. Review this checklist quarterly, and you’ll stay ahead of the evolving threat landscape.
Managing security across dozens or hundreds of WordPress sites? OpenClaw provides centralized security monitoring, automated vulnerability scanning, and coordinated updates across your entire portfolio — so you can catch threats before they become breaches.
