Hardening Wordpress

1. Update WordPress
2. Update themes and plugins
3. Use unique and strong passwords
4. Securing wp-admin & wp-includes
5. Securing wp-config.php
6. Disable file editing in WordPress admin
7. Use a web application firewall (WAF)
8. Security through obscurity
9. Data backup
10. Block user-enumeration
11. Rest API disabled via functions.php
12. Disable XML-RPC in WordPress using .htaccess file

1. Update WordPress

The latest version of WordPress is always available from the main WordPress website at


Since version 3.7, WordPress has featured automatic updates. Use this functionality to ease the

process of keeping up to date.

2. Update themes and plugins

While updating the WordPress core, don’t forget to update your themes and plugins too. Hackers

are particularly fond of old themes and plugins with known security holes.

Update plugins

Update theme

When we select plugins, normally we should check;

                    • Plugin reviews
                    • How many users used that plugin
                    • Previous vulnerabilities

We can recommend the contact form plugin, WAF, backup plugin, and security plugin for use.

                    ❖ WAF – wordfence plugin
                    ❖ Contact form plugin – wp forms
                    ❖ Backup plugin – updraft
These recommendations can change with time.

When we use a plugin, we should go to https://wpvulndb.com/ and search for checking their

3. Use unique & strong passwords

Many potential vulnerabilities can be avoided with good security habits. A strong password is 
an important aspect of this.
Things to avoid when choosing a password:

       ▪ Any permutation of your own real name, username, company name, or name of your
       ▪ A word from a dictionary, in any language.
       ▪ A short password.
       ▪ Any numeric-only or alphabetic-only password (a mixture of both is best).

How to change a password in a WordPress account.

4. Securing wp-admin and wp-includes

Adding server-side password protection to /wp-admin/ adds a second layer of protection around
your blog’s admin area, the login screen, and your files. This forces an attacker or bot to attack
this second layer of protection instead of your actual admin files.

The second layer of protection can be added where scripts are generally not intended to be
accessed by any user.

One way to do that is to block those scripts using mod_rewrite in the .htaccess file.

This should place above the line # BEGIN WordPress

5. Securing wp-config.php

If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to
anyone surfing for it:

6. Disable file editing in WordPress admin

The WordPress dashboard by default allows administrators to edit php files, such as plugin and
theme files.

Plugins ->Plugin Editor

Appearance->Theme Editor

This is often the first tool an attacker will use if able to login, since it allows code execution.
How to disable file editing in WordPress

After entering that line of code

This will not prevent an attacker from uploading malicious files to your site, but might stop some

7. Use a web application firewall (WAF)

There are many plugins and services that can act as a firewall for your website.
We recommend wordfence plugin for this because others can have some security issues.

Wordfence plugin installation

When we select the WAF plugin, we should check:

                • Features they provide
                • Updates frequency Special for something like this
                ▪ Blacklist (IP range allowed).
                ▪ Whitelist (IP range allowed).
                • Dynamic blacklist.
                • Events recording which can be viewed by admins from the back end.
                • Alert of strict mode.
                • File integrity checker
                • Malware scanner

8. Security through obscurity

Rename the administrative account

When creating an administrative account, avoid easily guessed terms such as admin or webmaster as
usernames because they are typically subject to attacks first.

9. Data backups

No matter the size of your WordPress website, finding a way to keep it safe from issues such as updates
gone wrong, hacking, user error, and crashes should be of the utmost importance.
How to backup a WordPress site with an easy-to-use, free backup plugin. we recommend UpdraftPlus
plugin for taking backups.
Step 1

10.Block user-enumeration

• Via functions.php
Add the following code to your theme’s functions file:

// block WP enum scans

// https://m0n.co/enum

if (!is_admin()) {

        // default URL format

        if (preg_match('/author=([0-9]*)/i', $_SERVER['QUERY_STRING'])) die();

        add_filter('redirect_canonical', 'shapeSpace_check_enum', 10, 2);


function shapeSpace_check_enum($redirect, $request) {

        // permalink URL format

        if (preg_match('/\?author=([0-9]*)(\/*)/i', $request)) die();

        else return $redirect;


• Via .htaccess

Add the following code to the site’s root .htaccess file.

# Block User ID Phishing Requests

<IfModule mod_rewrite.c>

        RewriteCond %{QUERY_STRING} ^author=([0-9]*)

        RewriteRule .* http://example.com/? [L,R=302]


11.Rest API disabled via functions.php

Add the following code to your theme’s functions file (Wp-content/ themes/ functions.php ):

12.Disable XML-RPC in WordPress using .htaccess file

Add the following code to the site’s root .htaccess file.