Is your WordPress site secure?

Your server doesn't broadcast which PHP version it runs via HTTP headers.

Easy — one line in .htaccess

Your web server doesn't reveal its software type and version number.

Easy — server config or .htaccess

The generator meta tag is removed from your page source.

Easy — one line in functions.php

Default WordPress files (readme.html, license.txt) are blocked from public access.

Easy — a few lines in .htaccess

The XML-RPC endpoint is blocked and cannot be used for brute-force attacks.

Easy — plugin or .htaccess

The login page has rate limiting or 2FA in place to block automated attempts.

Medium — install a plugin

The REST API doesn't expose WordPress usernames to unauthenticated visitors.

Easy — one snippet in functions.php

Visitors can't browse your uploads folder and see your files.

Easy — one line in .htaccess

Your server sends HSTS, CSP, X-Frame-Options and related headers so browsers apply the right protections.

Easy — one block in .htaccess or nginx config

Visitors who type the plain HTTP address are forced onto the encrypted version of your site.

Easy — a rewrite rule in .htaccess

Session cookies carry Secure, HttpOnly and SameSite flags so they can't be stolen or misused.

Medium — php.ini and wp-config.php

All installed plugins are updated to their latest versions with no known CVEs.

Easy — update in WordPress admin