WordPress Security Hardening: 10 Steps to Protect Your Site

WordPress powers over 40% of all websites on the internet, which makes it the most targeted CMS for automated attacks. The good news is that the vast majority of successful WordPress hacks exploit preventable vulnerabilities — weak passwords, outdated software, and misconfigured defaults. This guide covers the most effective security hardening steps you can take on a self-hosted WordPress site.

---

1. Keep WordPress Core, Themes, and Plugins Updated

Outdated software is the leading cause of WordPress compromises. When a vulnerability is discovered and patched, attackers immediately begin scanning for sites still running the vulnerable version.

• Enable automatic background updates for minor WordPress core releases (enabled by default in modern WordPress installations).
• Update plugins and themes promptly when new versions are released. If you’re not checking regularly, consider enabling automatic updates for plugins you trust.
• Remove plugins and themes you’re not actively using. Inactive code still presents attack surface.

// Enable automatic updates for major core releases (add to wp-config.php)
define( 'WP_AUTO_UPDATE_CORE', true );

---

2. Use Strong, Unique Passwords and Limit Login Attempts

WordPress’s login page (/wp-login.php) is hit by automated brute-force attacks thousands of times per day across the internet. Two mitigations work together here:

Strong passwords: WordPress includes a built-in strong password generator. Use it — or better, use a password manager (1Password, Bitwarden, etc.) to generate and store credentials.

Limit login attempts: By default, WordPress allows unlimited login attempts. Install a plugin like Limit Login Attempts Reloaded or Login LockDown to block IPs after a defined number of failed attempts.

Alternatively, use two-factor authentication (2FA). Plugins like WP 2FA add TOTP-based second factors to login without changing your workflow significantly.

---

3. Change the Default Admin Username

Creating a user named admin is a WordPress installation default that many people never change. Automated attacks almost always try admin as the username first.

If your admin account is named admin:

1. Create a new administrator user with a different username
2. Log out and log in as the new user
3. Delete the original admin account (reassigning its content to the new user)

---

4. Move or Protect the Login URL

Renaming /wp-login.php to a custom URL is a lightweight way to eliminate the vast majority of automated login attacks, since bots targeting the default URL won’t find it.

WPS Hide Login is a popular plugin that changes the login URL without modifying core files. Set it to something non-obvious like /site-access rather than /login or /admin, which are also commonly scanned.

Note: If you use this approach, record the custom URL in your password manager. Losing it doesn’t lock you out permanently (you can reset it via the database or FTP), but it’s an extra step to remember.

---

5. Harden wp-config.php

wp-config.php contains your database credentials and secret keys. A few protections are worth adding:

Move it above the web root (if your host allows): WordPress will find wp-config.php if it’s one directory above the WordPress installation, but the web server won’t serve it directly.

Add a deny rule in .htaccess (Apache servers):

<files wp-config.php>
order allow,deny
deny from all
</files>

Use unique, complex authentication keys and salts. If your site was set up with default or simple keys, regenerate them using the WordPress secret key generator. Replace the existing keys in wp-config.php. This immediately invalidates all existing sessions.

Disable file editing from the admin panel:

define( 'DISALLOW_FILE_EDIT', true );

This prevents a compromised admin account from editing plugin or theme code directly through the WordPress dashboard.

---

6. Disable XML-RPC If You Don’t Need It

XML-RPC is a WordPress feature that enables remote publishing and third-party app connections. It’s also frequently abused for brute-force attacks and DDoS amplification, because it allows multiple authentication attempts in a single request.

If you don’t use Jetpack, the WordPress mobile app, or any service that requires XML-RPC, disable it. Add to .htaccess:

<Files xmlrpc.php>
  order deny,allow
  deny from all
</Files>

Or use a plugin like Disable XML-RPC for a one-click solution.

---

7. Set Correct File Permissions

Incorrect file permissions are a common way attackers escalate access once they’ve gained a foothold. The recommended permissions for a WordPress installation are:

Path	Permission
Directories	755
Files	644
wp-config.php	440 or 400

Permissions of 777 (world-writable) on any file or directory are a serious security risk and should never be used in production. If your host requires 777 permissions to make WordPress function, that’s a red flag about the hosting environment.

---

8. Use HTTPS with a Valid SSL Certificate

All WordPress sites should be served over HTTPS. Beyond encryption, HTTPS is a trust signal to visitors and a confirmed Google ranking signal.

Most hosts provide free SSL certificates via Let’s Encrypt. Once your certificate is active, make sure WordPress is configured to use it:

// In wp-config.php
define( 'WP_HOME', 'https://yourdomain.com' );
define( 'WP_SITEURL', 'https://yourdomain.com' );

Also add an HTTPS redirect in .htaccess to prevent any HTTP access:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

---

9. Install a Security Plugin

A dedicated WordPress security plugin handles monitoring and detection tasks that would otherwise require manual attention. Reputable options include:

• Wordfence Security — Includes a Web Application Firewall (WAF), malware scanner, and login security features. The free version covers core protections.
• Sucuri Security — Provides auditing, file integrity monitoring, and blacklist monitoring. Sucuri also offers a paid WAF/CDN service.
• iThemes Security — Covers a broad range of hardening tasks through a single dashboard.

These plugins won’t replace good hosting or the fundamental hardening steps above, but they add detection and firewall capabilities that catch attacks other measures miss.

---

10. Choose Hosting That Prioritizes Security

Security hardening at the WordPress application level only goes so far. The hosting environment determines whether your server is isolated from other customers, whether malware can spread across accounts, and how quickly security incidents are detected and contained.

Key things to look for in a security-conscious WordPress host:

• Account isolation — On shared hosting, a compromised site on the same server can sometimes access files from neighboring accounts. Managed hosts use containerization or VMs to prevent this.
• Automatic malware scanning — The host proactively monitors for malicious code rather than waiting for you to notice something is wrong.
• Automatic backups — Regular automated backups give you a clean restore point if something goes wrong. Look for daily or more frequent backups with off-server storage.
• Web Application Firewall — A WAF at the server or CDN level blocks common attack patterns before they reach WordPress.
• DDoS protection — Volumetric attacks can take down a site regardless of WordPress configuration. CDN-backed hosting mitigates this at the network edge.

Rocket.net is a managed WordPress host that addresses security at the infrastructure level. It runs on Cloudflare’s enterprise network, which provides WAF, DDoS mitigation, and bot management out of the box — not as optional add-ons. Combined with isolated containers per site and automated daily backups, it significantly reduces the attack surface compared to typical shared or unmanaged hosting.

---

Summary

Most WordPress security incidents are preventable. The fundamentals:

1. Keep everything updated — core, plugins, and themes
2. Use strong passwords and limit login attempts
3. Remove default usernames and protect the login URL
4. Harden wp-config.php and disable unnecessary features like file editing and XML-RPC
5. Set correct file permissions and enforce HTTPS
6. Add a security plugin for monitoring and WAF
7. Choose hosting that provides security at the infrastructure level

Start with updates and authentication hardening — they address the most common vectors. Then work through the remaining steps systematically. Each one narrows the window for attackers.

If your current host doesn’t offer account isolation, automated backups, and a built-in WAF, moving to a managed WordPress host like Rocket.net may be the single most impactful security improvement you can make.