
How to Harden WordPress: The Complete Checklist
Most WordPress "hardening" articles online are either too shallow ("use a strong password!") or too deep (300-line .htaccess snippets that break your site). This is the middle path: a complete, ordered checklist of what actually reduces your risk, grouped by who is responsible for what. The goal isn't to make your site invincible — it's to make it not worth attacking.
What "hardening" actually means
Hardening is the practice of removing unnecessary attack surface from a system. For WordPress, that means three things in order of impact: closing known vulnerabilities, removing information that helps attackers plan, and limiting what an attacker can do if they get in.
It's a different mindset from "installing security software." A security plugin is a tool. Hardening is a posture. You can have the best security plugin in the world and still be trivially hacked because you left the front door open. Likewise, a well-hardened site without any security plugin is harder to attack than a poorly-configured site running three of them.
The reason hardening works against most real-world attacks is that real-world attacks are not creative. They're automated scans run at scale. The bots are looking for any site with a known vulnerability or obvious misconfiguration. A hardened site fails the bot's checklist and gets skipped — the bot moves on to easier targets. You don't need to be uncrackable. You need to be inconvenient.
The 11 misconfigurations a scan will catch
These are the items an external security scan can detect from outside your site. They're the public-facing surface — what an attacker (or their bot) sees when they probe your domain. Closing these is the foundation; everything else builds on top.
Server and version disclosure: hide your PHP version, your web server software/version, and the WordPress generator tag. None of these are dangerous on their own, but together they hand an attacker a precise list of which CVEs to try.
Sensitive file exposure: block public access to readme.html, license.txt, and any backup or config files left in the document root. These often reveal version numbers or, worse, credentials.
XML-RPC and user enumeration: disable XML-RPC if you don't use the WordPress mobile app or Jetpack — it's the most-abused brute-force endpoint. Block REST API user enumeration so the list of valid usernames isn't publicly retrievable.
Login page exposure: rate-limit /wp-login.php or hide it behind a non-default path. This single change blocks the bulk of credential-stuffing attacks.
Directory listing, security headers, HTTPS redirect, and secure cookies: all server-config issues that flip from "vulnerable" to "safe" in a single .htaccess or Nginx block. The fix is usually three lines of config; the protection is permanent.
Plugin vulnerabilities: scan your installed plugins against the public CVE database (WPVulnerability, WPScan, etc.). Outdated plugins with known vulnerabilities are the single most common WordPress entry point — by a wide margin.
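The WordPress-level items in this list (generator tag, XML-RPC, REST user enumeration, login rate limiting) can be closed without touching the web server config. The must-use plugin below is an added example, not GuardingWP's or WordPress's own code; the `harden_` names and the 5-failure / 15-minute limits are assumptions to tune for your site.

```php
<?php
/**
 * Plugin Name: Hardening example (added here; not GuardingWP's code)
 * Place in wp-content/mu-plugins/ so WordPress loads it on every request.
 */
// 1. Version disclosure: drop the generator meta tag/feed element and PHP's X-Powered-By header.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
header_remove('X-Powered-By');

// 2. XML-RPC: refuse every method. Only do this if nothing (mobile app, Jetpack) needs it.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', '__return_empty_array');

// 3. REST user enumeration: remove the /wp/v2/users routes for anonymous requests.
add_filter('rest_endpoints', function (array $endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 4. Login rate limit (assumed limits): 5 failures from one address locks logins for 15 minutes.
// Counters live in transients, so no extra table is needed; they expire on their own.
define('HARDEN_MAX_FAILS', 5);
define('HARDEN_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

function harden_fail_key(): string {
    // Keyed on REMOTE_ADDR; behind a proxy or CDN, resolve the real client address first.
    return 'harden_fails_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

add_action('wp_login_failed', function () {
    $key = harden_fail_key();
    set_transient($key, (int) get_transient($key) + 1, HARDEN_LOCKOUT_SECONDS);
});

// Runs after WordPress's own password check (priority 20), so a locked-out address
// is refused even with the right password; the error message is generic on purpose.
add_filter('authenticate', function ($user) {
    if ((int) get_transient(harden_fail_key()) >= HARDEN_MAX_FAILS) {
        return new WP_Error('harden_locked', 'Too many failed logins. Try again later.');
    }
    return $user;
}, 30);
// A successful login clears the counter so a legitimate user is not penalised later.
add_action('wp_login', function () {
    delete_transient(harden_fail_key());
});
```

After installing it, re-run the external scan: the generator tag, the xmlrpc.php endpoint and the anonymous /wp-json/wp/v2/users listing should no longer be reported.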
The hardening steps a scan can't catch
Some of the most important hardening steps happen inside your WordPress admin or in places an external scanner can't see. These are the items that get skipped most often, because no tool reminds you to do them.
Use a strong, unique password for every admin user. "Strong" means at least 16 random characters from a password manager. "Unique" means it's not used anywhere else. Reused passwords get pulled from breached databases and tried against WordPress logins automatically — this is called credential stuffing and it works on more sites than you'd think.
Enable two-factor authentication on every administrator account. WordPress doesn't have this built in, but plugins like Two Factor (free, official) or Wordfence Login Security add it in five minutes. 2FA defeats credential stuffing entirely; even a leaked password is useless without the second factor.
Audit your users. Open Users → All Users in your admin and look for accounts you don't recognise, especially with Administrator role. Delete dormant accounts. The fewer admins, the smaller the attack surface.
Disable file editing in the admin. Add `define('DISALLOW_FILE_EDIT', true);` to your wp-config.php. This means an attacker who gets into the admin can't immediately drop malicious code into your theme files from the dashboard — they have to find another way in, which buys you time.
Update everything, weekly. Open Dashboard → Updates and run pending updates. Most successful WordPress hacks exploit vulnerabilities that were already patched — the patch just wasn't applied. If you can't manage this manually, enable auto-updates for plugins (Plugins → Plugins → Enable auto-updates per plugin).
Delete what you don't use. Inactive plugins and themes still have files on your server, and those files can still be exploited. If you're not using it, don't deactivate it — delete it.
Server-side hardening: what your host can (and can't) do
Your hosting provider controls the layer below WordPress — the operating system, PHP version, web server, and database. Some hardening only happens at that layer, and you either need a host that handles it or you need server access yourself.
Run a current PHP version. PHP 8.2 or newer in 2026. Older versions stop receiving security patches; running PHP 7.4 today means you're on software that hasn't had a security update in years. Most managed hosts let you switch PHP versions in the control panel — do it.
Use a host that does daily backups. "Backups" is the single most under-appreciated security control. When something goes wrong — and eventually something will — the difference between "restore yesterday's backup" and "start over" is everything. If your host doesn't include automated backups, switch hosts or install UpdraftPlus / BlogVault.
Ask your host about server-level malware scanning. Most cPanel-based hosts include this in the control panel (look for ImunifyAV or similar). Run a manual scan now and set up alerts if the host supports them. Server-level scans see things WordPress-level tools can't.
Use HTTPS everywhere. Free Let's Encrypt certificates have made this trivial — every host should provide them automatically. Force redirect all HTTP traffic to HTTPS, set the HSTS header, and never serve mixed content.
If you have shell or DNS access, consider Cloudflare in front of your site. The free tier gives you DDoS protection, basic WAF rules, and bot-fight mode that filters a lot of automated attack traffic before it ever hits your server.
The 60-minute hardening sprint
If you're starting from zero and want to do this in one sitting, here's the order that gives you the most protection per minute spent.
Minutes 0–5: run a free external scan on the GuardingWP home page. You'll get a snapshot of your current attack surface and a fix guide for each finding. Don't fix anything yet — just read the report.
Minutes 5–20: rotate your admin password to something long and unique from a password manager. Install a 2FA plugin and enable it on every admin account. Review the user list and delete anyone you don't recognise.
Minutes 20–35: open your hosting control panel. Confirm you're on PHP 8.2 or newer. Confirm daily backups are enabled. Run the host's malware scanner. Force HTTPS at the host level if not already on.
Minutes 35–50: work through the scan findings in order of severity. The .htaccess-based fixes (header suppression, file blocking, directory listing) are usually copy-paste from the guide pages. Run the scan again after each fix to confirm.
Minutes 50–60: enable auto-updates for plugins, add `define('DISALLOW_FILE_EDIT', true);` to wp-config.php, delete any inactive plugins or themes. Set a monthly calendar reminder to log in, check for updates manually, and re-run a scan.
That's it. You'll have done more for your site's security in one hour than 90% of WordPress site owners ever do — and most of the protection is permanent.