WordPress Website Security Hardening

What you can do to stop your WordPress site from getting hacked.

Wordfence

  • Install the Wordfence plugin
  • Set login attempt limit — 5 for personal sites, 10 for client sites
  • Enable 2FA in Wordfence settings
  • Set up critical issue monitoring alerts

Passwords

  • Use long, random, unique passwords for all accounts
  • Use a password manager (e.g. 1Password)
  • Reset all wp-admin passwords after a hack

Plugin and theme hygiene

  • Remove unused plugins and themes
  • Keep plugins, themes and WordPress core up to date
  • Run Wordfence scans to identify abandoned or vulnerable plugins

WordPress settings

  • Disable “Anyone can register” in Settings → General
  • Remove users that no longer need access
  • Reduce admin permissions for users that don’t need them

Server

  • Run the latest supported PHP version
  • Remove backup files from the server (SQL dumps, zip files)
  • Check for non-WordPress files — Wordfence scans for these but manual checks are good practice
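The two server checks above (leftover backup archives, files that do not belong to WordPress) can be scripted. The following is an added example, not part of the original post: it walks a web root, reports database dumps and archives anywhere in the tree, and reports PHP files under wp-content/uploads, which is the most common place for foreign files to turn up. The suffix lists and the sample tree it builds in a temporary directory are constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Constructed list of suffixes that usually mean a leftover backup in a public web root.
BACKUP_SUFFIXES = (".sql", ".sql.gz", ".zip", ".tar", ".tar.gz", ".tgz", ".bak", ".old")

# Executable extensions that should never be present under wp-content/uploads.
UPLOAD_EXEC_SUFFIXES = (".php", ".phtml", ".php5", ".phar")


def find_suspicious_files(webroot):
    """Walk a WordPress web root and return sorted (category, relative path) pairs
    for backup archives anywhere and executable files inside the uploads directory."""
    root = Path(webroot)
    uploads = root / "wp-content" / "uploads"
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            rel = path.relative_to(root).as_posix()
            lower = name.lower()
            if lower.endswith(BACKUP_SUFFIXES):
                findings.append(("backup-archive", rel))
            # Prefix comparison on path parts keeps this portable to Python < 3.9
            inside_uploads = path.parts[: len(uploads.parts)] == uploads.parts
            if inside_uploads and lower.endswith(UPLOAD_EXEC_SUFFIXES):
                findings.append(("php-in-uploads", rel))
    return sorted(findings)


def build_sample_webroot():
    """Create a constructed WordPress-like tree in a temp directory for the demo."""
    base = Path(tempfile.mkdtemp(prefix="wp-demo-"))
    files = {
        "index.php": "<?php // normal core file",
        "wp-config.php": "<?php // configuration",
        "backup-2024.sql": "-- constructed dump left behind after a migration",
        "site.zip": "",
        "wp-content/uploads/2024/01/photo.jpg": "",
        "wp-content/uploads/2024/01/stray.php": "<?php // executable file in uploads",
        "wp-content/plugins/akismet/akismet.php": "<?php // legitimate plugin code",
    }
    for rel, content in files.items():
        target = base / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_text(content)
    return base


if __name__ == "__main__":
    demo_root = build_sample_webroot()
    for category, rel in find_suspicious_files(demo_root):
        print(f"{category:16} {rel}")
```

Point `find_suspicious_files()` at the real document root (for example `/var/www/html`) instead of the demo tree; anything it reports should be reviewed and removed or moved outside the web root, and a PHP file under uploads is also a sign the .htaccess rule for that directory is missing.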

wp-config.php

chmod 440 wp-config.php   # owner and group can read, nobody can write, everyone else gets nothing

Add to wp-config.php:

// Hard-coding both URLs means a tampered siteurl/home row in the database no longer takes effect
define('WP_HOME', 'https://yoursite.com');
define('WP_SITEURL', 'https://yoursite.com');

.htaccess hardening

Block direct access to wp-config.php:

# In the site-root .htaccess (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead)
<files wp-config.php>
  order allow,deny
  deny from all
</files>

Block PHP execution in uploads directory:

# Place this in wp-content/uploads/.htaccess so an uploaded .php file is never executed
# (Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead)
<Files *.php>
  deny from all
</Files>

Disable directory listing:

Options -Indexes

Disable default registration form

If you use a custom registration plugin, redirect the default form:

// In the active theme's functions.php or a must-use plugin; sends anyone opening the
// default registration form back to the home page
add_action('login_form_register', function () {
    wp_redirect(home_url());
    exit;
});

Management plugins (ManageWP etc.)

  • Enable 2FA on any site management tools
  • Reset passwords for management tool accounts
  • Remove access for accounts no longer in use

Backups

  • Use UpdraftPlus to send automated backups to Google Drive
  • Prefer server-level backups over plugin backups where available

Site recovery checklist

  1. Put site into maintenance mode
  2. Restore the latest clean backup
  3. Download server logs
  4. Update all plugins and themes
  5. Check server logs for unrecognised IP logins
  6. Run Wordfence scan
  7. Block malicious IPs
  8. Check wp-admin users for any accounts that shouldn’t be there
  9. Remove any malicious plugins
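Steps 5 and 7 of the checklist (check the logs for unrecognised IP logins, then block the addresses) are easier with a small parser. This is an added example, not part of the original post. It reads Apache/nginx "combined" access-log lines, keeps POSTs to wp-login.php, and counts them per address. The classification relies on WordPress behaviour: a failed login re-renders the login form with HTTP 200, a successful one answers with a 302 redirect into wp-admin, so a 302 is treated as a success. The log lines, the addresses (RFC 5737 documentation ranges), and the allowlist of known admin addresses are all constructed for the demo.

```python
import re
from collections import defaultdict

# "combined" format: ip ident user [time] "METHOD path HTTP/x" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample: 203.0.113.7 fails three times and then gets in; 198.51.100.23 is the
# site owner logging in normally; 192.0.2.44 keeps failing from a scripted client.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:03:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:03:14:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:20:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3980 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:03:20:15 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:03:21:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:03:21:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:03:21:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:03:21:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:03:21:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:03:21:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4122 "-" "python-requests/2.31"
"""


def summarise_logins(log_text):
    """Return {ip: {"failed": n, "success": n}} for POST requests to wp-login.php.
    A 302 response is counted as a successful login, anything else as a failure."""
    stats = defaultdict(lambda: {"failed": 0, "success": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or not m["path"].startswith("/wp-login.php"):
            continue
        key = "success" if m["status"] == "302" else "failed"
        stats[m["ip"]][key] += 1
    return dict(stats)


def flag_ips(stats, known_admin_ips, max_failures=5):
    """Return {ip: [reasons]} for addresses worth acting on: a successful login from an
    address not on the allowlist, or more failures than the limit (5, matching the
    personal-site login attempt limit given for Wordfence above)."""
    flagged = {}
    for ip, counts in stats.items():
        reasons = []
        if counts["success"] and ip not in known_admin_ips:
            reasons.append("successful login from unrecognised address")
        if counts["failed"] > max_failures:
            reasons.append(f"{counts['failed']} failed logins")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    # Constructed allowlist: the addresses the site owner normally logs in from
    summary = summarise_logins(SAMPLE_LOG)
    for ip, reasons in flag_ips(summary, known_admin_ips={"198.51.100.23"}).items():
        print(ip, "->", "; ".join(reasons))
```

Run it over the downloaded log with `summarise_logins(open("access.log").read())` and your own allowlist. An unrecognised address that logged in successfully is the one to act on first: that account's password needs resetting (the Passwords section above) before the address is blocked, since blocking alone does nothing about credentials that are already known.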

Server-level firewall (self-hosted VPS only)

Install UFW — see WordPress on VPS.

This post is licensed under CC BY 4.0 by the author.