WordPress Security Hardening: 15 Must-Do Steps

dev.prakah2011 February 20, 2025 2 min read

WordPress powers 43% of the web — which makes it the most targeted CMS on the planet. Most successful attacks exploit default configurations and neglected updates, not sophisticated zero-days. Here are 15 concrete steps to harden any WordPress installation.

1. Keep Everything Updated

Enable automatic background updates for minor WordPress releases. Review plugins weekly — outdated plugins account for 52% of WordPress hacks.

// wp-config.php
define('WP_AUTO_UPDATE_CORE', 'minor');
define('AUTOMATIC_UPDATER_DISABLED', false);

2. Change the Default Admin Username

The username admin is targeted in every brute-force script. Create a new administrator with a unique username, then delete the original admin account.

3. Use Strong Application Passwords & 2FA

Enable WordPress Application Passwords for REST API authentication. Install a 2FA plugin (Wordfence, WP 2FA) for all administrator accounts.

4. Move wp-config.php Above the Web Root

# Move one level up from public_html/ (the web root)
mv /var/www/html/wp-config.php /var/www/wp-config.php
# WordPress finds it automatically: when wp-config.php is absent from the
# install directory it checks the directory one level above

5. Set Correct File Permissions

# Directories
find /var/www/html -type d -exec chmod 755 {} \;

# Files
find /var/www/html -type f -exec chmod 644 {} \;

# wp-config.php — restrictive: only the file owner can read it, so the
# owner must be the user the PHP/web-server process runs as
chmod 400 /var/www/wp-config.php

6. Disable XML-RPC

# Nginx
location ~* ^/xmlrpc\.php$ {
    deny all;
}

# Or via functions.php
add_filter('xmlrpc_enabled', '__return_false');

7. Limit Login Attempts

Install Limit Login Attempts Reloaded or configure Nginx rate limiting to block brute-force attacks at the server level.

# Nginx rate limiting
# In the http {} block: one request per minute per client IP
limit_req_zone $binary_remote_addr zone=login:10m rate=1r/m;

# In the server {} block. Keep the same fastcgi_pass/include directives
# your regular PHP location uses in here as well; a bare location that
# only rate-limits would serve wp-login.php as a static file instead of
# executing it.
location ~* ^/wp-login\.php$ {
    limit_req zone=login burst=3 nodelay;
}

8. Hide the WordPress Version

// functions.php
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

9. Disable File Editing in Admin

// wp-config.php
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true); // also blocks plugin/theme install

10. Force HTTPS Everywhere

// wp-config.php
define('FORCE_SSL_ADMIN', true);

# Nginx redirect
server {
    listen 80;
    return 301 https://$host$request_uri;
}

11–15. Additional Hardening

  • 11. WAF: Enable Cloudflare WAF or install Wordfence for application-layer filtering
  • 12. Database prefix: Change wp_ table prefix during installation (hard to change later)
  • 13. Disable directory browsing: Add Options -Indexes to .htaccess
  • 14. Regular backups: Use UpdraftPlus with remote storage (S3, Google Drive) — test restores quarterly
  • 15. Security headers: Add X-Frame-Options, X-Content-Type-Options, and Content-Security-Policy headers via Nginx or a plugin
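To check steps 1, 9, 10 and 12 without reading wp-config.php by eye, here is an added audit script (my own code, not part of the original post or of WordPress). It parses the active define() calls and the $table_prefix assignment and lists which of the constants named above are missing or set to the wrong value; SAMPLE_WEAK is a constructed config used only for illustration, and the script checks nothing beyond the constants this post names.

```python
import re

# Hardening constants from steps 1, 9 and 10, with the value each should hold.
EXPECTED_DEFINES = {
    "WP_AUTO_UPDATE_CORE": "minor",
    "AUTOMATIC_UPDATER_DISABLED": False,
    "DISALLOW_FILE_EDIT": True,
    "FORCE_SSL_ADMIN": True,
}
DEFINE_RE = re.compile(
    r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|'[^']*'|"[^"]*")\s*\)""", re.I)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")

def _strip_comments(text):
    """Drop /* */ blocks and // or # line comments, so a commented-out
    define() is not mistaken for an active setting."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return "\n".join(ln for ln in text.splitlines()
                     if not ln.lstrip().startswith(("//", "#")))

def parse_defines(config_text):
    """Return {NAME: value} for every active define() in wp-config.php."""
    result = {}
    for name, raw in DEFINE_RE.findall(_strip_comments(config_text)):
        low = raw.lower()
        result[name] = True if low == "true" else (False if low == "false" else raw[1:-1])
    return result

def audit_wp_config(config_text):
    """Return a list of findings; an empty list means every check passed."""
    findings, defines = [], parse_defines(config_text)
    for name, expected in EXPECTED_DEFINES.items():
        if name not in defines:
            findings.append(f"{name} is not defined (expected {expected!r})")
        elif defines[name] != expected:
            findings.append(f"{name} is {defines[name]!r}, expected {expected!r}")
    m = PREFIX_RE.search(_strip_comments(config_text))
    if m is None or m.group(1) == "wp_":
        findings.append("table prefix missing or still the default 'wp_' (step 12)")
    return findings

# Constructed sample wp-config.php with most of the hardening missing.
SAMPLE_WEAK = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
// define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', false);
"""
```

Run audit_wp_config() on the contents of a real wp-config.php; on SAMPLE_WEAK it reports five findings, including the commented-out DISALLOW_FILE_EDIT, which the comment stripping correctly treats as absent.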

Security is a process, not a checklist. Implement these steps, then subscribe to the WordPress Security Team blog and the WPScan vulnerability database to stay ahead of emerging threats.

dev.prakah2011

Developer & author at DevForge Agency.