How to harden your wordpress

Keep WordPress Updated

WordPress is an open source software which is regularly maintained and updated. By default, WordPress automatically installs minor updates. For major releases, you need to manually initiate the update.

If you’d rather not do it manually, you can configure automatic updates.

Hide WordPress version

There are three areas where your WordPress version number will be hidden:

You can hide them via putting the php code under functions.php

NOTE: Also, you need to delete the readme.html file located in the root of your WordPress install because this also contains the WordPress version.

Strong Passwords and User Permissions

  • Change the Default “admin” username – create a new admin username and delete the old one.
  • Limit Login Attempts
  • Automatically log out Idle Users in WordPress
  • Add Security Questions to WordPress Login Screen
  • Rename login page

File System Protection

To protect your website you want to make sure and use the correct file permissions. Each directory and file has different permissions which allow people to read, write and modify them. If your permissions are too loose this could open up a door for an intruder and if they are too restrictive this could break your WordPress install as plugins and WP core needs to be able to write to certain directories. To reset the default file permissions on your WordPress installation, you may use the following commands within a CLI.

WordPress comes with a built-in code editor which allows you to edit your theme and plugin files right from your WordPress admin area. In the wrong hands, this feature can be a security risk which is why we recommend turning it off.

Network Security

  • Always use secure connections – No matter where you are you should always trying to ensure the connections you are using are secure. You should use SFTP encryption if your web host provides it, or SSH. If you are using an FTP client the default port for SFTP is usually 22.
  • Block Bad Bots – There are always bad bots, scrapers, and crawlers hitting your WordPress sites and stealing your bandwidth. See a comprehensive list of bots at
  • Secure web – If you aren’t running over an HTTPS connection your username and password are sent in clear text over the internet. You can see an example in this article on how to actually sniff and capture WordPress logins over unsecured connections using these free tools. KeyCDN wrote a guide on how to migrate from HTTP to HTTPS. Once you are running on HTTPS it is recommended to force SSL usage by adding the following to your wp-config.php file.

With the SEO advantages of HTTPs and performance benefits of HTTP/2 there is no reason not to be using an SSL certificate. And with the Let’s Encrypt project moving forward, web hosts and CDN’s are already starting to offer free certs.

  • Disable XML-RPC on Nginx – A while back there were a number of brute force attacks exploiting XML-RPC in WordPress, as reported by Sucuri. 99% of people most likely don’t use this function anyway and can disable it. There is a great article from Jesse Nickles on how (and why) to disable WordPress XML-RPC. You can install the free WordPress plugin Disable XML-RPC from the WordPress repository. Basically, this plugin disables the XML-RPC API on a WordPress site running 3.5 or above. You can also block access to this file using Nginx config:

You can check your website header secure or not on this website

Data Protection

  • Install a WordPress Backup Solution – Automated daily backup
  • Change WordPress Database Prefix

Install a security plugin to harden your website’s weakest spots.

A security WordPress plugin monitors your website 24/7 and ensures that you have all the data to properly harden the website`s open doors. This should be the no 1 tool in your arsenal against threads. There are a handful of great plugins that can protect your websites, like:

  • WordFence
  • iThemes Security
  • Shield Wp Security
  • Wp Defender

You can use this list of plugins to scan your site and see if it has hidden malware.

Advanced Security

  • ClickJacking Protection on your site – X-Frame-Options in Header
  • Monitor incoming attacks – alert from threat detection
  • JavaScript/SQL injection
  • DDoS
  • Brute force attacks.
  • Blocks IP addresses identified as belonging to spammers or hackers.


How to harden your wordpress

log in

Use demo/demo public access

reset password

Back to
log in
Choose A Format
Personality quiz
Trivia quiz