WordPress Hardening: 18 Ways to Harden Security of Your Website


There are systems that are hard to break into, but more often than not, websites get hacked because they are insecure, and they don’t have basic protection in place.

In this article, we’ll go over how to make your WordPress site more secure.

TL;DR: Protect your WordPress site with MalCare, an all-in-one security suite. You can also harden WordPress protection in a single click with MalCare.

Before you start, make sure you have everything you need.

Starting at the top and working your way down the list, we’ve organised the list by ease of implementation. We suggest that you begin by installing MalCare and enabling the Site Hardening function. That’s a big step in the right direction, and you can come back here later for more details.

Pro tip: Before making any changes, including security ones, we always recommend backing up your website. Better safe than sorry!

5 EASY ways to harden your WordPress site

Let’s start with some low-hanging fruit on this list. Let’s get these simple settings out of the way so we can all feel confident about progressing with WordPress hardening.

Set strong passwords

Passwords are possibly the cheapest of all low-hanging fruit. That’s also why they’re always overlooked. That’s why they’re at the top of any list of how to make your WordPress site more safe.

Passwords are difficult to remember, and some of the best practises can be exhausting: no duplicate passwords; complex passwords; a combination of letters, numbers, and symbols; the list can be overwhelming, particularly when you consider how many services you use.

We understand, which is why we recommend using a password manager like LastPass. To keep your account secure, use an automatically created string of numbers, letters, and symbols. Brute force attacks now use dictionary attacks to guess passwords, despite the limited chances.

Require the use of strong passwords

This should be the next thing on your to-do list, keeping with our theme of secure passwords.

When you have several users managing your website, you must make sure that each one has a secure password that they update on a regular basis. Now, this could be simpler on a small scale, but when it comes to a bigger team, it will be safer to have a programme that can automate this for you.

You can, however, choose to override it by checking the box that says, “Confirm use of weak password.” You are making your website vulnerable to attacks by doing so. Plugins like Expire passwords were once used to compel users to change their passwords. You’d be able to set a maximum number of days for the password to expire. We wouldn’t suggest using any of these plugins because they haven’t been modified in a long time.

Implement permissions with the least amount of privilege

On a WordPress website, you can have six pre-defined roles: Super Admin, Administrator, Editor, Author, Contributor, and Subscriber. Each function has a set of permissions that enable it to perform certain tasks. Capabilities are the terms used to describe these functions. The complete list of roles and capabilities can be found here.

Note that the administrator role is the most powerful for a single website, whereas the super admin role is the most powerful for a multisite.

You will need a small number of administrators if you only have one website. In reality, the general rule is that you should have as few administrators as possible. The logic is simple: you’re lowering the chances of hackers stealing admin credentials.

Install SSL

SSL is a method of safely transmitting data from a user to a server and back over an encrypted link.

Apart from the fact that it is a good security practise, Google mandates the use of SSL on websites. Instead of the fun green lock that means a website runs on HTTPS rather than HTTP, it appears to penalise websites by displaying “Not secure” in the browser.

Installing an SSL certificate used to be very difficult, but that is no longer the case. We have a full guide to installing SSL, as well as a guide to ensuring that all of your pages are HTTPS.

Set up a WordPress security plugin

Up until this point, all of the other items on our list have been manual additions to your website. Rest assured, they’re the simple ones that don’t necessitate a lot of setup or plugin installation.

The remainder of this list is a little more complicated. MalCare’s Site Hardening function includes many of the steps.

Installing the plugin and configuring the steps through our dashboard will save you a lot of time.

6 MEDIUM measures to harden WordPress

Each of the WordPress hardening steps we have included in this section include the installation of a plugin. We do not recommend installing plugins lightly because they frequently contain vulnerabilities and serve as infection entry points. Please use discretion when selecting a plugin to carry out the following security steps.

2-factor authentication

The login page is one of the most popular ways for hackers to gain access to a website. They use a tactic known as brute force attacks, in which they use bots to guess a website’s login credentials. Another way hackers can gain access to your information is if it has been leaked from another website. Hackers are well aware that many users use the same username and password for different accounts across the internet, making the guessing game much simpler!

You can add two-factor authentication for any user, whether they are a Super Admin, Administrator, Editor, Author, Contributor, or Subscriber, to protect yourself.

Many websites, such as Gmail, offer users the option of using two-factor authentication to log in to their accounts. This requires a user to provide their login details first, and then enter a password that is created in real-time (usually a one-time password sent to the registered phone number) (usually a one-time password sent to the registered phone number). It makes it more difficult for hackers to break into your account or gain access to your WordPress dashboard.

Limit login attempts

There’s a reason why websites, especially banks, only give users three chances to enter the correct username and password. Following that, you’ll be given the option of resetting your password or being locked out of your accounts.

The goal is to eliminate brute force attacks and make it more difficult for hackers and fraudsters to succeed.

WordPress makes an infinite number of login attempts by default. Enabling restricted login attempts on your website improves its protection and guarantees hackers can’t try thousands of combinations to get in. Limiting login attempts on your website can be done in three ways.

  • You can add a plugin like Limit Login Attempts Reloaded.
  • If you have the MalCare security plugin installed on your website, you have restricted login protection against failed attempts by default. The plugin uses captcha-based security to prevent bad bots from gaining access to your site.
  • Adding code to the functions.php file by hand. You must have a WordPress action and hook filter, as well as a callback feature. This approach is both technological and dangerous. It’s best not to try this if you don’t know how to code.

In our article about restricting login attempts, you’ll find the code for the third alternative as well as a more comprehensive description.

Keep an audit log

This isn’t strictly a WordPress hardening measure, but it’s a must-have security measure.

Simply instal a plugin like WP Security Audit Log which will monitor anything that happens on your website. And in this way, you will know exactly what your users are doing and when. You can then keep an eye on what’s going on with your site and hold users responsible for their behaviour.

Logins, logouts, changes made, creations, revisions, deletions, additions, updates, and so on can all be tracked by the plugin. If you are compromised, you should refer to the activity log to detect any unusual activity or changes made.

If your website has undergone any significant changes, you will be notified immediately. With a single click, you can also log off or block any user.

Auto logout inactive users

This feature is often seen on bank websites and applications that log you out after a certain amount of inactivity. This is to prevent unauthorised access to your account.

To set this up, you can use a plugin that has an idle session logout option.

Set up alerts for suspicious WordPress logins

Hackers are actively devising new ways to circumvent security features, so we must remain vigilant. It’s a good idea to set up alerts on your website so that you can be notified as soon as any suspicious activity occurs.

To do this you need to use a protection plugin like MalCare. It continuously checks your website and notifies you if it detects any malware or suspicious activity.

Set up a web application firewall

A web application firewall can prevent hackers from accessing your website even before they arrive. They do this by monitoring IP addresses, which are numerical identifiers assigned to any internet-connected computer.

If the IP has carried out malicious activities previously, they’ll be labelled and barred from coming to your site.

Set up a firewall using a security plugin, and you can rest easy knowing your website is protected to the fullest extent possible.

7 COMPLEX WordPress hardening methods

Now we’ll get down to the nitty gritty of hardening WordPress. The following steps necessitate some coding or development knowledge; otherwise, errors may result in site crashes and breakdowns.

Proceed with care when using these hardening tools, and if you haven’t already, make a backup of your website.

Block PHP execution in untrusted folders

This is a little technical, but we’ll do our best to make it as simple as possible.

To begin, you should be aware that PHP is a scripting language used in web development. A PHP function is a section of code in a programme that can be performed to accomplish a specific task. The files and directories that make up your WordPress website are the next step. Just a few files and directories, however, use php functions. Once a hacker has gained access to your website, they can build their own files or insert their PHP functions into the ones you already have.

You can avoid such a hack by preventing PHP functions from being executed from any unknown folder. You can also turn off PHP executions in areas where they aren’t needed.

Take these steps to do so:

Caution: tampering with WordPress’s backend files and database tables is dangerous and can destroy your site. It necessitates technological expertise. It’s best to seek professional assistance if you have no idea what you’re doing.

1. Access your website’s files via cPanel > File Manager. If you don’t have access to cPanel, you can use FileZilla, an FTP client. To access your files, you’ll need your FTP credentials.

2. You’ll find three folders named wp-includes, wp-admin, and wp-content in public html.

3. Next, search for the .htaccess address. If it doesn’t exist, build one using a text editor such as Notepad and save it as.htaccess.

4. Copy and paste the code below into your.htaccess file.

<Files *.php>

deny from all


5. If you’re making a new file, you need to upload it to two folders: wp-includes and wp-content/uploads

This will change the file permissions and make it impossible for any PHP files to run in these folders. If all of this is too technical for you, protection plugins like MalCare will take care of it for you.

Disable file editor

A hacker who gains access to a WordPress Administrator account has complete control over your website. They can edit the coding of your theme and plugins through the “Editor” option in the dashboard. They can also upload scripts to view their own content, deface your site, spam your users, and so on. The most popular hacks that occur through these editors include SQL injections , SEO Spam hacks and Japanese SEO Spam.

To find the editor, go to Appearance > Editor. Plugins > Plugin Editor, for example:

You’ll need to go through your wp-config file to disable the editor. The same methods that we used to access the website’s files via File Manager or FTP can be used here.

The next step necessitates technical coding expertise and, if not completed correctly, will result in your site being broken. Even if it appears to be easy, it’s best not to attempt it if you don’t know what you’re doing. MalCare’s ‘Disable file editor’ function is recommended.

If you want to use the manual process, we’ve outlined the steps you’ll need to take.

1. Locate your wp-config file in your File Manager and right-click to get the Edit function.

2. Here, you will see more information about it and you can select Disable Encoding Check. Then proceed to Edit.

3. Now, it opens up your wp-config file and leaves you wondering what to do next! Don’t stress. Scroll down and find the line:

/* That’s all, stop editing! Happy publishing. */

4. Above this, paste the following code

define( ‘DISALLOW_FILE_EDIT’, true );

5. Save changes and close the editor.

6. Return to your dashboard and you’ll see that you no longer get the editor option.

If you don’t have access to cPanel, you can use FTP to get your wp-config file. Attach the line of code to it in any text editor. Return it to the website in the same manner that you downloaded it. The old file can be overwritten.

Change security keys

WordPress remembers your login credentials so you don’t have to type them in any time you want to log in. But the fact that it’s kept in an encrypted format is crucial.

If the data is stored in plain text, a hacker may simply read it if they get their hands on it. If the data is encrypted, it will appear as random text, which they will be unable to use.

WordPress must use something called security keys and salts to encrypt the data. To put it another way, keys are random variables that encode your admin username and password, and salts help to boost the encryption even more.

If hackers obtain your encryption keys and salts, they can decrypt the encrypted data and gain access to your account.

Now using the same method above, access your files and copy-paste the values that are generated into your wp-config file.

We also advise WordPress website owners not to attempt it if they are not tech-savvy because it involves modifying the code. It’s safer to use a protection plugin that can do this for you.

Disallow plugin installations

There are times when a user or a client can instal a plugin without carefully examining its reliability or legitimacy, as you would. This can cause a slew of issues on your platform, so it’s best to take away their ability to do so entirely.

There are two ways to uninstall plugin and theme updates and installations:

You can do this by adding a line of code to your wp config.php file.

Apply the same procedure as in the previous section, but this time add the following line:

define(‘DISALLOW FILE MODS’,true);

Please keep in mind that updating themes and plugins, as well as installing new ones, would necessitate deleting this line of code.

Using a security plugin

Using a plugin is the simplest way to allow and disable this function. If you’re using MalCare, all you have to do is activate it and then disable it by clicking a button.

This is a drastic move, but it’s important if you have a lot of users managing your site or if you want to prevent your client from downloading plugins they don’t need.

Secure your wp-config.php file

Wp-config.php, one of the most important files in your WordPress installation, is a popular target for hackers. Wp-config is responsible for making a WordPress website work, in addition to containing the database access keys for your website.

In addition to disabling file editing, you can also adjust the security keys and prevent plugin installation.

Hide wp-config.php

The first step is to raise the wp-config.php file. This isn’t so much a security measure as it is a way to make it more difficult for malware to locate the file. However, moving the file does not make it impenetrable, so plan accordingly.

Note: There is no agreement among developers on whether moving the file is a good idea. In certain cases, such as the Contact Form 7 weakness, this measure may be entirely ineffective. However, we prefer to err on the side of making it as difficult as possible to be hacked.

Deny access to wp-config.php

Denying access is a much more concrete measure, because if you do this, you won’t have to pass the file at all. Add the following code to your.htaccess file, right at the top:

<files wp-config.php>

order allow,deny

deny from all\s</files>

There are a few things you can do to secure your wp-config.php file. This article includes a checklist for each of them that you can complete in a single sitting.

Separating out databases

If you have several websites with separate WordPress installations, it’s a good idea to keep the databases separate and located in different locations. As a result, if hackers gain access to one of the websites, your other websites will be unaffected—at least in theory, because a lot depends on the protection of the other websites.

This is best achieved during installation, but it can be done later and is well worth the effort. This does, however, necessitate any knowledge of MySQL and its configurations.

Securing wp-admin

You can compel logins to be transmitted over SSL if you want to take login protection to the next stage, which you should. Ascertain that SSL has been installed and that any problems with mixed content have been resolved.

Then, in the wp-config.php file that you are familiar with, add the following code:

define(‘FORCE SSL ADMIN’, true);

We know this is a super simple move, but there is a reason why it is included here in the complex section. Plugins don’t always get along with SSL, and SSL can be configured in strange ways at times. Check out this article for a detailed overview of how this works and what to look out for.

Using a WordPress protection plugin

Install MalCare to do a lot of what we’ve suggested above quickly and easily.

Good WordPress security plugins include a web application firewall, bot protection, and scanner, as well as the website hardening steps you need to put in place. But you don’t have to think about wasting time sorting out the technological aspects of it any longer.

Not all plugins, however, have the same level of convenience and benefits. There are several plugins available, but we prefer MalCare because it does the job quickly and easily with just a few clicks.

Your website is already safe once you instal the plugin. Here’s how to do it:

  • Regularly scans the website for any suspicious activity.
  • A proactive firewall that prevents unwanted visitors from accessing your website.
  • Notifications in real time if your website is infected with malware
  • Malware removal in a single click

Quite apart from all of these features, there are various levels of website hardening you can enforce on your website. Since not all website owners would choose to implement these security measures on their site, these measures are optional. You can choose what to do according to your needs.

The three levels of website hardening you can implement are:


This allows you to prevent PHP from running in untrusted files. You can also turn off editing of files. As we discussed earlier, this is a move you absolutely should take.

Under normal circumstances, you wouldn’t actually meddle with the files and folders of WordPress. Only the wp-admin dashboard will be used to manage your website. In the files editor with themes and plugins, you also don’t need to make any changes. Disabling them closes some of the doors hackers can use to attack your site.


You can block plugin and theme instals which means no one can instal new ones on your website. This measure is a little drastic and should be taken only if you suspect a hack or you have too many people working on the website. If you want to add a new plugin/theme, you will need to uninstall this from the MalCare dashboard.


You can update security keys and reset passwords for all users from this page. WordPress websites are often managed by a group of individuals, each with their own username. This makes it easier for hackers to guess passwords and gain access to your site.

Both security keys and passwords should be changed on a regular basis. If you have a big team, this will help automate and speed up the process.

If you’ve been hacked before, this is an important step to take to ensure you don’t get hacked again.

Apart from this, you profit from the following WordPress security features on your website:

  • Limited login attempts
  • CAPTCHA-based login
  • Alerts for unauthorised access
  • An activity log that shows file modifications/updates on your site
  • It also analyses every IP request to protect you from hacks like brute force attacks
  • It also prevents common WordPress security threats like SQL injections attacks, SEO spam, and your website being used in DDOS attacks

A full-featured WordPress security plugin is more than the sum of its parts. Even though each of these safeguards is successful against threats on its own, when combined, they form a formidable shield against malicious activity. Install MalCare now, and rest easy in the knowledge that you have done the utmost to protect your website.

For extra credit

Although the following advice does not fall under the category of WordPress hardening, it is still recommended for security-conscious website administrators. Once you’ve completed the list above, we strongly advise you to take these measures.

Backup your website

Backups are the most uninteresting item on this list. We know; we develop the best-in-class backup plugin for WordPress.

A bad scenario best illustrates the importance of having a good backup. Assume you’ve spent months or years developing your website. It has clients, interesting content, ad sales, and a good reputation. And then, all of a sudden, it was gone. It may be a malware infection or a server failure on your web host’s end, or any number of other possibilities. Consider this scenario. In those circumstances, what would you give to have a backup?

It is critical to have backups. It’s only common sense.

Keep your computer clean of malware

Sometimes it’s the obvious things that get us. Your website protection is affected by the device you use, as well as WiFi. If you have a keylogger on your device, there’s no point in hardening WordPress since you’ve already given a hacker your login credentials.

Always keep everything updated

Aside from WordPress, it’s important to keep themes and plugins up to date. Every day, new bugs are found, and plugin developers release patches to fix them.

Remove any plugins or themes that you aren’t using. If you need them again, you can always reinstall them.

As a side note, this is a big incentive to buy plugins. A paid plugin is frequently updated and has a support channel for any problems you may encounter. Every day, we use our experience with hacked websites at MalCare to enhance our security plugin. A plugin that is actively managed is an investment in security.


Consider switching to SFTP instead of FTP for file transfers to your server. It operates in a similar way for moving data, but it uses SSH instead of FTP. The information being sent is encrypted and cannot be read when in transit. Additionally, both the user and the server must be authenticated while using SFTP.

As a result, SFTP is becoming the new norm, and FTP is being phased out. Because the configuration is nearly identical, there’s no reason to stick with the legacy protocols.

Use a trusted web host

The majority of security articles (including this one) will concentrate on what you, as a website administrator, can do to keep your website safe. Granted, there’s a lot you can do, and the majority of bugs are introduced by installed software. That does not, however, imply that the server is impenetrable.

There’s not much you can do if your web host isn’t doing their part to keep their servers secure. Servers are also vulnerable to attack, and not only of the digital variety. Are the servers, for example, in a physically safe location? Will a hacker gain access to the room and steal data that way? These are crucial factors to consider, but a website administrator has little influence over them.

So, what are your options? Choose a reputable web host. A good web host is transparent about their practises, and will include concrete measures they undertake to protect their servers from attack. This is not the place to cut corners, as a cheap web host could end up costing you a lot of money in the long run.


The value of installing a WordPress security plugin cannot be overstated.

Removing malware is a painstaking and difficult process, subject to missteps and costly errors. Only experts should carry out the procedure, which can be costly. Plus, by that time, you’ll have already lost data, traffic, credibility, and a lot more.

So yeah, take a preemptive approach to security, and install a good WordPress security plugin. Return to this article to enforce hardening steps, and then test the website to look for the WordPress hardening errors.

You’ll be grateful for your foresight in the future.