Complete WordPress Hardening Guide: 15 Security Tweaks
Master WordPress hardening with 15 essential security configurations. Reduce your attack surface and protect your site from common vulnerabilities.
WordPress hardening is the process of configuring your site to minimize security vulnerabilities. By reducing your attack surface, you make it significantly harder for attackers to compromise your site.
What is WordPress Hardening?
Hardening involves:
- Disabling unnecessary features
- Removing information disclosure
- Restricting dangerous capabilities
- Adding protective headers
- Limiting access to sensitive areas
Essential Hardening Steps
1. Hide WordPress Version
WordPress prints its version in the generator meta tag in the page head, in RSS and Atom feeds, and as the ?ver= query string on core scripts and styles. Attackers match that number against known vulnerabilities for the release.
Action: Remove the version from the generator tag, feeds and asset URLs. This slows fingerprinting rather than preventing it (readme.html and hashes of core static files still identify the release), so treat it as a complement to keeping core updated, which is the real fix.
2. Disable XML-RPC
XML-RPC (xmlrpc.php) allows remote publishing, but its system.multicall method lets a single request carry hundreds of login attempts, and pingback.ping lets anyone point your server at a third party as a DDoS reflector.
Action: Disable it unless you need Jetpack or another client that still uses it. Note that the xmlrpc_enabled filter only refuses methods that require a login; pingback.ping does not, so deny xmlrpc.php at the web server as well.
3. Block Pingbacks and Trackbacks
Pingbacks and trackbacks (automatic cross-blog notifications) are a DDoS reflection vector and a spam channel, and an open pingback advertises itself through the X-Pingback header.
Action: Disable pingbacks and trackbacks for new and existing posts; the X-Pingback header disappears with them.
4. Protect REST API
The REST API (/wp-json/) lists every account that has published posts at /wp/v2/users, including login names, to anonymous callers.
Action: Hide the user endpoints from unauthenticated requests. Do not disable the REST API outright: the block editor and many plugins depend on it, and logged-in users still need it.
5. Disable File Editor
The built-in theme and plugin editor lets anyone with administrator access, including an attacker who stole a session cookie or phished an admin, write PHP straight into the site.
Action: Set DISALLOW_FILE_EDIT to true in wp-config.php. DISALLOW_FILE_MODS additionally blocks plugin and theme installs and updates from the dashboard, which is appropriate only if you deploy updates some other way.
6. Block User Enumeration
Login names are half of a credential, and WordPress hands them out through several channels: /?author=1 redirects to /author/username/, the REST user endpoint, the user sitemap (wp-sitemap-users-1.xml), oEmbed responses, and the login form's distinct "unknown username" error.
Action: Close each of these channels. Some leakage remains through post bylines and comment authors, so do not treat a username as a secret; rely on strong passwords, a login limit and 2FA.
7. Add Security Headers
- X-Frame-Options: SAMEORIGIN, to prevent clickjacking (Content-Security-Policy frame-ancestors is the modern equivalent)
- X-Content-Type-Options: nosniff, to stop browsers sniffing uploads into scripts or stylesheets
- X-XSS-Protection: the legacy browser XSS filter, since removed from current browsers and with bypasses of its own; send 0 or omit it, and rely on Content-Security-Policy instead
- Referrer-Policy: strict-origin-when-cross-origin or stricter, to keep paths and query strings (password reset links, for instance) out of referrers
8. Disable Application Passwords
Application passwords (WordPress 5.6 and later) are long-lived credentials sent as HTTP Basic authentication to the REST API and XML-RPC. They never pass through the interactive login form, so a 2FA plugin that only guards that form does not apply to them. Disable them with the wp_is_application_passwords_available filter if no integration needs them; otherwise review them per user on the profile page and revoke unused ones.
9. Remove Unnecessary Headers
Remove X-Powered-By (PHP's expose_php setting), X-Pingback, and the version string in the Server header (ServerTokens Prod in the Apache server config, server_tokens off in nginx); they tell an attacker which stack and version to target.
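Items 1 to 9 are each one or two core hooks. The following must-use plugin applies them together; it is an added example written for this guide, not WP Folder Shield's own code, and the hd_ function names are mine. It assumes WordPress 5.6 or later (for the application-password and sitemap hooks) and PHP 7.2 or later. Save it as wp-content/mu-plugins/hardening.php.

```php
<?php
/**
 * Plugin Name: Hardening tweaks 1-9 (added example)
 * Description: Save as wp-content/mu-plugins/hardening.php (create the directory
 * if it does not exist). Must-use plugins load before regular plugins and cannot
 * be switched off from the dashboard. Example code written for this guide, not
 * WP Folder Shield's; uses only core hooks present in WordPress 5.6 and later.
 */
defined('ABSPATH') || exit;

// 1. Version: generator tag (head and feeds) and the core ?ver= on enqueued assets.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
function hd_strip_core_ver($src) {
    // Strip only the core version; plugin and theme ?ver= values are cache busters.
    // $src can be false for alias handles such as "jquery", hence the type check.
    if (is_string($src) && strpos($src, 'ver=' . get_bloginfo('version')) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'hd_strip_core_ver');
add_filter('script_loader_src', 'hd_strip_core_ver');

// 2. XML-RPC. The xmlrpc_enabled filter refuses only methods that call login();
// pingback.ping does not, so remove it as well (and deny xmlrpc.php at the web server).
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', function (array $methods) {
    unset($methods['pingback.ping'], $methods['pingback.extensions.getPingbacks']);
    return $methods;
});

// 3. Pingbacks and trackbacks: closed for new posts, ignored on existing ones.
add_filter('pre_option_default_ping_status', function () { return 'closed'; });
add_filter('pre_option_default_pingback_flag', '__return_zero');
add_filter('pings_open', '__return_false');

// 4. REST API: hide the user collection from anonymous callers. The block editor
// keeps working because logged-in requests still see the routes.
add_filter('rest_endpoints', function (array $endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 5. Dashboard file editor. Normally set in wp-config.php; it also works here because
// mu-plugins load before the capability checks that read the constant.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// 6. Username enumeration. Author archives (and ?author=N, which is an author query
// too) return 404 for anonymous visitors whether or not the author exists, so the
// response no longer distinguishes valid IDs. set_404() clears is_author, which
// keeps redirect_canonical() from issuing the /author/<login>/ redirect afterwards.
add_action('template_redirect', function () {
    if (is_author() && !is_user_logged_in()) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
        nocache_headers();
    }
}, 1);
// The user sitemap, oEmbed author fields and the login form's error wording leak too.
add_filter('wp_sitemaps_add_provider', function ($provider, $name) {
    return $name === 'users' ? false : $provider;
}, 10, 2);
add_filter('oembed_response_data', function (array $data) {
    unset($data['author_name'], $data['author_url']);
    return $data;
});
add_filter('login_errors', function () { return 'Invalid username or password.'; });

// 7 and 9. Headers. WP::send_headers() runs only for front-end requests, so repeat
// these at the web server to cover wp-admin and wp-login.php.
add_action('send_headers', function () {
    header('X-Frame-Options: SAMEORIGIN');
    header('X-Content-Type-Options: nosniff');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    // Current browsers have removed the XSS auditor; "0" turns it off in old ones
    // instead of enabling a filter that had bypasses of its own. Use CSP instead.
    header('X-XSS-Protection: 0');
    header_remove('X-Powered-By'); // expose_php = Off in php.ini is the proper fix
    header_remove('X-Pingback');   // already absent once pings are closed
});

// 8. Application passwords: Basic-auth credentials for REST/XML-RPC that bypass any
// 2FA plugin guarding only the interactive login form.
add_filter('wp_is_application_passwords_available', '__return_false');
```

After dropping the file in, check the result from a logged-out browser or curl: the page head should carry no generator tag, /wp-json/wp/v2/users should answer 404, /?author=1 should answer 404 without a redirect, and a POST to xmlrpc.php calling pingback.ping should be refused. The login_errors line makes every failed login say the same thing, so if you also add a lockout message elsewhere, exempt it here.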
10. Protect wp-config.php
Block direct access to your configuration file. With a working PHP handler a request for wp-config.php returns an empty page, so the real exposure is a handler that fails or a stray copy such as wp-config.php.bak or wp-config.php~ left beside it, which the server delivers as plain text along with the database password. Deny those names at the web server, keep backups outside the document root, and consider the supported option of placing wp-config.php one directory above the WordPress root.
11. Disable Directory Browsing
Prevent visitors from listing directory contents (Options -Indexes in Apache, autoindex off in nginx); a listing of wp-content/plugins/ or wp-content/uploads/ hands an attacker plugin names, versions and forgotten backup files.
12. Block PHP in Uploads
Prevent PHP execution in wp-content/uploads, the one directory every contributor and upload form can write to. Cover .phtml, .phar and double extensions such as shell.php.jpg, not only .php, and remember that an .htaccess placed inside uploads/ can be overwritten by the same attacker who got a file there, so prefer a rule in the vhost or server configuration when you control it.
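Items 10 to 12, plus the web-server cut-off for xmlrpc.php from item 2 and the headers from items 7 and 9 for wp-admin and wp-login.php, belong in the web server rather than in WordPress. The Apache .htaccess fragment below is an added example for this guide, not WP Folder Shield's rules. It assumes Apache 2.4 with mod_rewrite, mod_headers and mod_ssl, AllowOverride All, and WordPress installed at the document root (adjust the wp-content/uploads path for a subdirectory install); on nginx the equivalents are location blocks with deny all or return 403, autoindex off, and add_header.

```apache
# Added example for this guide, not WP Folder Shield's rules. Site-root .htaccess,
# placed OUTSIDE the "# BEGIN WordPress" / "# END WordPress" markers (WordPress
# rewrites what is between them) and ABOVE them, because the uploads rule must run
# before core's catch-all rewrite.

# 11. No directory listings.
Options -Indexes

# 10. Configuration file and the copies editors and backups leave next to it
# (wp-config.php.bak, wp-config.php~, wp-config.php.orig), which PHP would serve as
# text. readme.html and license.txt reveal the WordPress release, so they go too.
<FilesMatch "^(wp-config\.php.*|\.htaccess|\.user\.ini|readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>
<FilesMatch "\.(bak|orig|sql|log|swp)$|~$">
    Require all denied
</FilesMatch>

# 2. XML-RPC at the edge. pingback.ping needs no login, so the PHP-side filter alone
# does not cover it; this does.
<Files "xmlrpc.php">
    Require all denied
</Files>

# 12. No PHP under uploads. The (\.|$) tail also catches shell.php.jpg, which a
# handler mapped with AddHandler on ".php" would otherwise still execute. Per-dir
# rewrite rules are replaced by any uploads/.htaccess that says RewriteEngine On,
# so a <Directory> block in the vhost config is the stronger home for this rule.
RewriteEngine On
RewriteRule ^wp-content/uploads/.*\.(php\d?|phtml|phar)(\.|$) - [NC,F,L]

# 7 and 9 on every response, wp-admin and wp-login.php included.
<IfModule mod_headers.c>
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-Frame-Options "SAMEORIGIN"
    Header always set Referrer-Policy "strict-origin-when-cross-origin"
    Header always set X-XSS-Protection "0"
    # 15. HSTS, sent only on TLS responses (mod_ssl sets HTTPS=on). Add it only once
    # every subdomain is served over HTTPS; browsers remember it for max-age seconds.
    Header always set Strict-Transport-Security "max-age=31536000" env=HTTPS
    Header unset X-Powered-By
</IfModule>
```

Verify each rule with curl -I against the names it is meant to block (wp-config.php.bak, xmlrpc.php, wp-content/uploads/x.php.jpg after placing a harmless file there) and expect 403 for all of them. ServerTokens Prod cannot be set from .htaccess; it goes in the main server configuration.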
13. Secure Database Prefix
Use a custom database prefix instead of the default wp_. This is a weak measure: it only defeats canned SQL injection payloads that hardcode wp_users, since any real injection reads table names from information_schema. Set $table_prefix in wp-config.php before installing; renaming tables on a live site also requires renaming the prefixed keys in wp_options (wp_user_roles) and wp_usermeta (wp_capabilities, wp_user_level), or every user loses their role.
14. Limit Login Attempts
Block brute force attacks by limiting failed logins per source address and per account, and apply the limit to xmlrpc.php and REST authentication as well, since they share the same authentication path as the login form. WordPress core ships no such limit. Attackers spread attempts across many addresses, so a limit buys time rather than immunity; pair it with strong passwords and 2FA, and where you can, enforce it at the edge (fail2ban on the web server log, nginx limit_req) so the attempts never reach PHP.
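As an added example for this guide (not WP Folder Shield's implementation), a minimal must-use plugin that locks a source address out for 15 minutes after five failures using only core's authenticate filter and wp_login_failed action; the limits, the transient storage and the hd_ names are my choices. Because it hooks wp_authenticate(), it applies to wp-login.php, xmlrpc.php and application-password logins alike.

```php
<?php
/**
 * Plugin Name: Login throttle (added example)
 * Description: Per-source-address lockout after repeated failures, covering
 * wp-login.php, xmlrpc.php and REST/application-password logins, which all pass
 * through wp_authenticate(). Example code for this guide, not WP Folder Shield's.
 * Save as wp-content/mu-plugins/login-throttle.php.
 */
defined('ABSPATH') || exit;

define('HD_LOGIN_MAX_FAILS', 5);
define('HD_LOGIN_WINDOW', 15 * MINUTE_IN_SECONDS);

// Bucket key per client address. Assumes WordPress sees the real client address.
// Behind a reverse proxy use the proxy-set header instead, and only after checking
// that REMOTE_ADDR is the proxy; otherwise every client shares one bucket, or an
// attacker spoofs the header to get a fresh one.
function hd_login_key() {
    return 'hd_fails_' . hash('sha256', $_SERVER['REMOTE_ADDR'] ?? '');
}

// Count failures. Transients live in wp_options (or the object cache if present)
// and expire on their own, so a lone failure leaves no lasting state.
add_action('wp_login_failed', function () {
    $key   = hd_login_key();
    $fails = (int) get_transient($key) + 1;
    set_transient($key, $fails, HD_LOGIN_WINDOW);
});

// Priority 30 runs after core's password, email and application-password checks at
// priority 20; an error returned here stands even when the password was correct,
// which is the point of the lockout. Core fires wp_login_failed for this error as
// well, so attempts made during a lockout extend it.
add_filter('authenticate', function ($user) {
    if ((int) get_transient(hd_login_key()) >= HD_LOGIN_MAX_FAILS) {
        return new WP_Error('hd_locked_out', 'Too many failed logins. Try again later.');
    }
    return $user;
}, 30);

// A successful login clears the counter for that address.
add_action('wp_login', function () {
    delete_transient(hd_login_key());
});
```

Test it by failing five logins from one address and then trying the correct password: the sixth attempt must be refused, and the lockout must clear after 15 minutes. If you also neutralise login error wording (item 6), exempt the hd_locked_out code there or legitimate users will not learn why they are locked out.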
15. Enable HTTPS
Use TLS for all connections (SSL is the marketing name; only TLS 1.2 and 1.3 should be enabled). Set both the WordPress Address and Site Address to https://, add FORCE_SSL_ADMIN in wp-config.php so the dashboard and login never fall back to http, redirect http:// to https:// at the web server, and once every subdomain is on HTTPS, send a Strict-Transport-Security header. Behind a reverse proxy or CDN that terminates TLS, WordPress sees plain HTTP; honour X-Forwarded-Proto from that proxy only, or FORCE_SSL_ADMIN produces a redirect loop.
WP Folder Shield Hardening
WP Folder Shield implements all these hardening measures with one-click activation:
- Navigate to WP Folder Shield > Settings
- Go to "Hardening" tab
- Enable desired options
- Save changes
No code editing required. Changes are reversible if issues occur.
Get WP Folder Shield for comprehensive WordPress hardening without technical complexity.
Written by Sarah Chen
WP Folder Shield Team