20+ Battle-tested Ways to Harden WordPress

WordPress security often involves finding weak spots in most websites. Hackers often target smaller websites to reach bigger targets like banks or government sites.

The main point is this: WordPress websites get hacked because they lack basic security.

In this article, we will discuss how to harden your WordPress site. You will learn to protect your website and your visitors from danger.

TL;DR: The easiest way to harden your site is by using a WordPress security plugin, like MalCare. Installing MalCare on your site automatically enables many of the hardening measures we’ve listed; without any coding needed on your part. 

Understanding WordPress hardening

WordPress hardening is about boosting website security. It involves adding layers of protection to keep hackers out. 

Hackers are interested in gaining access to sites for various reasons. It could be to harness a site into a botnet, or to redirect visitors to a spam site. 

Either way, hackers are dangerous to the site, its resources, its users, and everything else associated with it. This includes your information and your visitors’ information.

Hardening is about safeguarding the site to protect these aspects. Hardening builds a stronger shield around your website.

1. Use a firewall

A WordPress firewall will block attacks even before they reach your website. It is the number one way to harden your website. 

Firewalls work by filtering incoming traffic requests. They test each of the requests against a set of rules, and only allow the legitimate requests to pass through to the site. Anything else is blocked. 

Good firewalls also learn automatically. If the IP has carried out malicious activities before, a firewall will mark them as malicious and block that IP.

How to find the right firewall for your site

When shopping for a good firewall, look for a WordPress-specific firewall. These firewalls are build to fortify WordPress sites, by shielding the vulnerable areas of a site from attacks. 

A good firewall should not need constant rule updates—although they are necessary on occasion. Ideally, your site should be be protected from attacks regardless of whether there are vulnerabilities on it or not. While this is not possible 100% of the time, it should be possible 99% of time, and that’s where a great firewall comes in.

🔥 This is what MalCare offers with Atomic Security. A custom-built WordPress firewall that armour-plates your site proactively.

2. Set up malware defences

Besides using a firewall to block attacks, you need to handle malware infections when they occur. 

Daily malware scanning

The reality is that malware can sneak in even with strong security. To fight it, a WordPress malware scanner is key. Scans help find any harmful software on your site. 

A good malware scanner is critical for security. But choosing the right one is tough. There are many options, and each works differently.

So, what is a malware scanner? 

The short answer is that it finds malware on your WordPress site. It is not just a vulnerability scanner. Nor is it just a file change monitor or a blacklist scanner. It incorporates all these aspects and more into a robust scanner that can detect any and all types of malware—wherever it is on the site.  

Swift malware removal 

Scanner found malware on your WordPress site? Quick removal is super important. 

Delays can harm your site and put visitors at risk. Use a malware removal plugin to clean up your site. Malware gets worse over time, so quick removal matters. It’s a race against the damage it can cause. 

MalCare is your best best for malware removal. Apart from unlimited manual removal support from WordPress experts, it has a terrific one-click removal tool built into the dashboard. 

You do not have to wait and worry about the damage malware is wreaking on your site. One click, and you zap it away, leaving your site pristine.

Post-cleanup processes: change salts

WordPress stores your credentials so you don’t have to enter your credentials every time you want to login. But what’s important here is that it’s stored in an encrypted form. 

If the data is stored in plain text, when a hacker gets a hold of the data, they can just read it. If the data is encrypted, it will look like random text that they cannot use.

To encrypt the data, WordPress has to use something known as security keys and salts. In simple terms, keys are random variables that encode your admin username and password, and salts basically help improve the encryption one step further.

If hackers are able to get their hands on your security keys and salts, they can decipher the encrypted data and hack into your account. This is why it is important to change them after a hack.

3. Set up vulnerability scanning

Vulnerabilities are lapses in code that hackers might exploit. These include SQL injection, XSS, RCE, and CSRF vulnerabilities. These are not weak passwords or perceived weaknesses like not renaming the wp-login page. 

A WordPress vulnerability scanner finds these known issues in the WordPress core, plugins, and themes. It relies on a database of plugins, themes, and their versions with security issues. 

A scanner does not find flaws in custom site code. That’s a task for penetration testing, a different process. 

So, a vulnerability scanner is only one part of your site’s security. It’s not sufficient on its own to keep your site safe.

4. Use trusted plugins and themes

Always choose trusted plugins and themes for your WordPress site. 

Never use nulled plugins or themes. These are pirated versions of premium software and often hide malware. They pose a serious risk to your site’s security.

A good rule of thumb is to look for plugins and themes that are actively maintained. Active maintenance means developers regularly update their software. Frequent updates show that developers care about security and the software’s long-term health. This keeps your website safe from new threats.

As an aside, this is a core reason to purchase plugins. A paid plugin is often actively maintained and has a support channel for issues you may face. At MalCare, we use our experience with hacked websites to improve our WordPress security plugin every day. 

5. Keep everything updated

Apart from WordPress itself, it is important to keep themes and plugins updated. Vulnerabilities are discovered every day, and developers of plugins release patches to address those vulnerabilities. 

If you aren’t using any plugins or themes, get rid of them. You can always reinstall them later, if you need them again. Unused plugins are rarely updated regularly. 

🔥 Use auto-updates wisely to secure your site. Smaller updates can be run automatically, leaving you to have to deal with the larger ones only. 

6. Implement password security

Password security is perhaps the lowest hanging of all low-hanging fruit. That’s probably why they’re just as often ignored. And that’s why they’re at the top of a how to harden your WordPress site list.

Set strong passwords

Passwords are hard to remember, and yes some of the best practices are tiresome: no duplicate passwords; not easy passwords; a mix of letters, numbers and symbols; the list is truly daunting, especially when you stop to count how many services you use. 

We sympathise, and so we suggest using a password manager. Use an automatically-generated string of numbers, letters and symbols to keep your account safe. Even though the odds are small, brute force attacks now use dictionary attacks to guess at passwords. 

Don’t reuse passwords

So you’ve set up strong passwords, but now you have to set up strong passwords on all the services that you use. 

It’s a LOT. 

But there is good reason why you are not meant to reuse passwords, even if they are very strong. 

If one system is breached—say a social media account—the breach should be limited to that account. The email-password combination is compromised, and therefore if the same combination exists on another system, you can rest assured that it is only a matter of time before the second system is breached. 

Using unique passwords is like preventing forest fires. You may not be able to stop a few trees from burning, but you can definitely prevent the entire forest going up in flames. 

Require the use of strong passwords

Continuing with our theme of strong passwords, this needs to be the next item on your to-do list. 

When you have multiple users handling your website, you need to ensure every user maintains a strong password and also changes it regularly. Now, this may be easier on a small scale, but when it comes to a bigger team, it would be better to have a software that will automate this for you.

WordPress by default will alert you if you choose a weak password:

However, you can choose to override it by checking ‘confirm use of weak password’. By doing so, you are leaving your website vulnerable to attacks. 

To force the users to update their passwords, there used to be plugins like Expire passwords. It would allow you to set a maximum number of days before the password expires. However, most of these plugins have not been updated for a long time, so we wouldn’t recommend using them. 

7. Fortify login security

WordPress login security is takes password security up a notch. While password security takes take of the human element, protecting the login page makes sure that the system is fortified better against brute force attacks. 

Brute force attacks bombard a login page with username and password combinations, so as to gain unauthorised access. How do you stop that? Glad you asked! 

Two-factor authentication

Protect your login by adding a two-factor verification for every user. It is super simple to set up with many plugin options, including MalCare. 

Two-step verification requires a user provide their login details first, and then enter a password that is generated in real-time. It makes your account harder for hackers to crack, by adding a second factor in addition to passwords.

Limit login attempts

 By default, WordPress allows an unlimited number of login attempts. Enabling limited login attempts on your website increases its security and ensures hackers can’t try thousands of combinations to get in. 

That’s why websites, especially banks, usually give users only three attempts to get their username and password right. After that, you’re given the option of ‘Forgot password’ or even get locked out of your accounts.

If you install MalCare, you will automatically have limited login protection. It implements captcha-based protection that will prevent bad bots from accessing your site.

8. Set up user security

User security goes beyond just strong passwords. 

Implement least privilege permissions

Everyone doesn’t need to be an admin. 

There, we said it. 

There are 6 pre-defined roles you can have on a WordPress website: Super Admin, Administrator, Editor, Author, Contributor and Subscriber. Each role has a set of permissions, and can therefore perform some tasks. These tasks are called capabilities. Roles and capabilities exist for a reason.

Use user roles to restrict access to what individuals need. This limits potential damage if an account is compromised.

The rule of thumb here is to have as few administrators as possible. The reasoning is straightforward: you are reducing the risk of hackers gaining admin access. 

Note: For a single website the administrator role is the most powerful, whereas for a multisite it is the super admin role. 

Auto logout inactive users

Also, set up auto logout for inactive users. This reduces the risk of unauthorized access if someone forgets to log out.

This feature is seen primarily with bank websites and apps that log you out after a period of inactivity. This is to protect your account from any unauthorized access.

In fact, remove dormant users regularly. Inactive accounts can become security risks over time.

User registration only if necessary

Consider disabling user registration if it’s not essential for your site. Fewer users mean fewer potential entry points for attackers.

9. Monitor your site

Harking back to malware scanners again here. Daily scans are a great way to keep an eye on things going wrong on your site. 

MalCare, in particular, uses multiple signals to detect malware. Of these signals, two are especially interesting: 

• Blacklist monitoring: checks to see if your site appears on Google’s blacklist of sites that are considered compromised with malware.
• File change monitors: sort of an activity log for site files, file change monitors can pinpoint suspicious activity quickly. However a word of caution here: malware can sometimes circumvent system timestamps, so it is not 100% on its own.

Keep an activity log

An activity log may not be a WordPress hardening measure per se, but it is an absolute must-have security measure. 

Activity logs track everything that happens on your website. This way, you will know exactly what your users are doing and when. You can then monitor what’s happening on your website and hold users accountable for their actions.

Try out the activity log on MalCare, and see how much clarity you have for your site. 

Logs keep track of everything: logins, logouts, changes made, creations, modifications, deletions, additions, updates, etc. If you are hacked, you can see early warning signals in the activity log. Look for any suspicious activity or changes made.

10. Use secure services

When transferring or access data, always pick the secure options. Secure options use encryption. While it may be slightly more painful to set up and use, it is always better than the alternative. 

Use SSL

SSL is a way to transmit data securely from user to server, and back again, over an encrypted connection. 

Quite apart from the fact that it is a good security practice, Google requires that websites have SSL. It penalises websites by showing “Not secure” in the browser. 

It was complicated to install an SSL certificate, but not any more. You also need to make sure that all your pages are HTTPS as well. 

Securing wp-admin

To take SSL security to the next level—which you totally should—you can force logins to be transmitted over SSL. Make sure you’ve installed SSL and addressed any mixed content issues. 

Then navigate to the wp-config.php file, and add this code: 

define(‘FORCE_SSL_ADMIN’, true);

Use SFTP

If you use FTP to transfer files to your server, consider switching to SFTP instead. It works in much the same way for transferring files, except that it does so using SSH. The data that is transferred is encrypted and cannot be read while in transit. Also, SFTP uses authentication for both the user and server.

SFTP is becoming the new standard, and replacing FTP as a result. The configuration is practically the same, so there is no good reason to continue with the legacy protocols. 

11. Set adequate file permissions

File permissions on WordPress control who can read, write, and execute files and directories. Proper permissions help prevent unauthorized access.

If all users can change or read files and directories, it creates a security risk. This is a concern for systems with many users, like servers. Therefore, setting the right permissions is a key security measure.

Here are the recommended file permissions for your WordPress site:

• Root directory: 755
• wp-admin: 755
• wp-includes: 755
• wp-content: 755
• wp-content/themes: 755
• wp-content/plugins: 755
• wp-content/uploads: 755
• .htaccess: 644
• index.php: 644
• wp-config.php: 640

Generally, set WordPress directory and folder permissions to 755. Most file permissions should be set to 644. These permissions align with WordPress recommendations. They also ensure that automatic updates function properly. Stricter permissions may cause updates to fail. By setting adequate file permissions, you protect your site from unauthorized changes.

12. Set up the right security headers

Security headers are key for WordPress security. They work quietly in the background to protect your site. These simple lines of code help stop threats. They prevent information theft and block break-in attempts. 

Security headers depend a lot on your site, and should be set up accordingly. 

13. Disable file editing

If a hacker gets access to a WordPress Administrator account, they can take full control of your website. 

From the dashboard, they can edit the coding of your theme and plugins through the option of “Editor”. They can also upload their own scripts to display their content, deface your site, spam your users, etc.

You can disable file editing in critical files through MalCare’s hardening options, or manually via cPanel, FTP or by using a file manager plugin. 

Note: Remember to uninstall the file manager plugin after use, if you do use it. It is not necessary for daily use, and can be a threat. 

Secure your wp-config.php file

One of the more critical files in your WordPress installations, wp-config.php is a prime target for hackers. Apart from containing the database access credentials to your website, wp-config is responsible for making a WordPress website function. 

You can do two things here, in addition to disabling file editing: change security keys and disallowing plugin installation. 

Hide wp-config.php

The first is to move the wp-config.php file one level up. This is not a safety move as such, but more to make it harder for malware to find the file. Moving the file doesn’t make it impenetrable though, so set expectations accordingly. 

Note: There is no consensus amongst developers about whether or not moving the file is a good idea. In some instances, such as the Contact Form 7 vulnerability, this measure may be altogether ineffective. However, we like to err on the side of let’s-make-it-as-hard-to-be-hacked-as-possible.

Deny access to wp-config.php

Denying access is a much more concrete measure, and if you do this, you won’t have to move the file at all. Go to your .htaccess file and add the following code, right at the top: 

<files wp-config.php>
order allow,deny
deny from all
</files>

There are a few things you can do to protect your wp-config.php file.

14. Disallow plugin installations

There are occasions when a user or a client might install a plugin without checking its compatibility or credibility, as thoroughly as you may do. This can lead to a number of problems on your website, so it is best to remove the ability for them to do so altogether. 

The easiest way to enable and disable this function is by using a plugin. If you’re using MalCare, you simply need to click a button to enable it and thereafter disable it.

This is an extreme measure but a necessary one in cases where you have many users handling your site; or in the event you would like to limit your client from installing plugins unnecessarily.

15. Disable directory listing

Directory browsing lets users see the contents of folders on a WordPress site. This means a list of files and subfolders. Usually, WordPress shows an index file. This file displays the site’s content instead of the folder’s files. Without an index file, WordPress shows the folder’s contents. 
For security, directory browsing should be disabled. This way, when someone tries to open a folder, they get a 403 Forbidden error. They won’t see the list of files.

16. Block XML-RPC

The wp-login or wp-admin page isn’t the only way hackers try to maliciously log into your site. WordPress has a feature called XML-RPC, which lets other systems talk directly to your site. In a sense, it is an alternative way to log into your site. 

Disabling XML-RPC is important, as it poses a security risk to your site.

17. Block PHP execution in the uploads folder

WordPress uses PHP to give websites dynamic capabilities. However, only certain files and folders need to execute PHP functions. 

A hacker, aiming to control your site, can insert their PHP functions to give themselves remote access.

To prevent these class of attacks, you can disable the PHP executions in places where it doesn’t need to happen.

Either you can choose to do this manually, by modifying WordPress core files, or alternatively using MalCare to flick a switch and stop PHP execution in certain folders. 

18. Backups 

The decidedly unexciting entry on this list: backups. We know; we develop the best-in-class backup plugin for WordPress.

The importance of a good backup is best illustrated by a bad scenario. Imagine you have spent months and years on building your website. It has customers, engaging content, generates revenue with ads, and has a reputation. And poof, one day that vanished. 

It could be a malware infection or a server failure with your web host; any one of a million reasons. Imagine. What would you give to have a backup under those circumstances? 

Backups are vital. You don’t want to need one, but to have a fallback in case the site is wiped out. 

However, don’t have too many unsecured backups strewn across different locations. While redundancy is key to backup security, the backups themselves must be encrypted and stored in securely. 

It is best to choose a provider with enterprise-grade encrytion for backups, like BlogVault. 

19. Regular site audits

Conducting regular site audits keeps your WordPress site secure. During these audits, check for unused users. Accounts not in use can be security risks, and removing them helps protect your site.

Also, look for fake plugins. Sometimes, malware can create these fake plugins. They can harm your site and steal data. Identifying and removing them is crucial.

Regular audits help you spot issues early, maintaining a safe and secure website.

20. Separate out databases and cPanel installations

Susceptibility to transference of malware between sites on shared hosting security is not, as most people believe, because of web hosts, but because of shared management systems like cPanels or databases.

If you run more than one website with separate installations of WordPress, it is wise to keep the databases distinct from each other, and stored in different locations. Therefore if hackers gain access to one website, your other websites will remain unharmed—at least theoretically, because much depends on the security of the other websites themselves. 

Although this is best accomplished during installation, it can be done later and it is worth the effort. However, this does require some familiarity with MySQL and its configurations.

21. Web host security

Although many people believe hosts are responsible for security, lots of malware attacks actually come from vulnerabilities on sites. The hosts are responsible for infrastructure, so that’s what you look at to choose a secure host.

Most security articles (like this one) will focus heavily on what you, as a website administrator, can do to keep your website secure. Granted, there is a lot you can do, and most vulnerabilities are brought in by installed applications. However, that doesn’t mean that the server is invulnerable. 

It is important to choose the right web host. Look for markers of a good company: reviews, responsive support, etc. 

Are the servers in a physically secure location, for instance? Could a hacker gain access to the room and steal data that way? These are important considerations, but again a website administrator has limited control in this regard. 

A good web host is transparent about their practices, and will include concrete measures they undertake to protect their servers from attack. This is not the place to cut costs, because an inexpensive web host could prove to be a very costly decision in the long run. 

22. Keep your computer clean of malware

It is sometimes the obvious things that trip us up. Whichever computer you use—or indeed WiFi—has an impact on your WordPress security. There is no point in hardening your site, if there is a keylogger on your computer. You’ve basically handed over your login credentials to a hacker. 

Security through obscurity aka hardening myths

Some security measures focus on hiding parts of WordPress, but they might not be as effective as believed.

For real security, focus on strong defenses like firewalls and regular updates, not just hiding elements.

Using a WordPress security plugin

To do much of what we have suggested above easily and quickly, install a security plugin. 

Good WordPress security plugins combine the website hardening measures you need to implement on your website, along with a web application firewall, bot protection and scanner. So now, you don’t have to worry about spending a lot of time figuring out the technical aspects of it.

However, not all plugins offer the same convenience and benefits. There are quite a few plugins out there, but we recommend MalCare simply because it gets the job done quickly and easily in just a few clicks.

Once you install the plugin, your website is already secured. Here’s how:

• Scans your website regularly and checks for any suspicious activity
• Proactive firewall that blocks malicious traffic from visiting your site
• Real-time notifications for any malware present on your website
• One-click malware removal 

MalCare also has different levels of WordPress hardening. These measures are optional because not all website owners will want to execute these security measures on their website. You can choose what to do according to your needs.

The three levels of website hardening you can implement are:

Essentials

This enables you to block PHP execution in untrusted folders. You can also disable file editing. As we discussed earlier, this is a step you absolutely should take.

Under normal circumstances, you wouldn’t actually meddle with the files and folders of WordPress. You would only operate your website from the wp-admin dashboard. You also don’t need to edit anything in the files editor of themes and plugins. Disabling them closes some of the doors hackers can use to attack your site.

Advanced

You can block plugin and theme installations which means no one can install new ones on your website. This measure is a bit extreme and should be taken only if you suspect a hack or you have too many people working on the website. If you want to install a new plugin/theme, you will need to disable this from the MalCare dashboard.

Paranoid

Here, you can change security keys and reset the passwords for all users. Often WordPress websites are operated by a team of people, with each person having their own login. This increases the opportunities for hackers to guess credentials and access your site.

These are the options to use after a hack cleanup.

Conclusion

We cannot stress the importance of installing a WordPress security plugin enough. 

Removing malware is a painstaking and difficult process, subject to missteps and costly errors. Only experts should undertake the process at all, and that can be an expensive proposition. Plus, you will already have lost data, traffic, reputation and much more by that point. 

Your future self will thank you for your foresight.

FAQs

What is WordPress hardening? 

WordPress hardening refers to settings and configurations that increase the security of your website. These techniques cover the gamut of website assets and strengthen known weak entry points, in order to reduce the risk of malware. 

Why should I harden WordPress? 

If you care about your website’s security, and by extension the safety of your visitors’ data, then that’s why you should harden WordPress. These are simple measures to take in order to address vulnerabilities and reduce the risk of malware infection. 

Is it difficult to harden WordPress? 

There are measures you can take to harden WordPress that are simple and done via your dashboard. Those aren’t hard. There are others that are a little more complex, but installing a WordPress security plugin will go a long way to mitigating that complexity. And let’s face it: installing a plugin is not difficult at all. 

Do I need to harden WordPress if I have a security plugin?

Yes, because even though a good WordPress security plugin will include quite a few of the critical WordPress hardening measures, they will not be able to perform all of them. Choosing a strong password, for example, is outside the scope of a security plugin. 

How do I harden my WordPress? 

WordPress hardening methods vary from simple to slightly complex, based on the amount of coding experience required to execute them. The easiest way to harden WordPress is to install a WordPress security plugin.