WordPress hardening is the process of reducing your site’s attack surface — removing or locking down everything that does not need to be accessible, and configuring the things that do need to be accessible as securely as possible. It is not glamorous. It is the kind of work that prevents problems rather than fixing them.

What WordPress hardening involves

  • Disable file editing in the dashboard — WordPress allows theme and plugin files to be edited directly from the admin panel. This is a significant risk if an attacker gains access. Disabling it removes the capability
  • Protect the wp-config.php file — This file contains database credentials and security keys. Restricting access to it at the server level is a standard hardening step
  • Disable XML-RPC if not needed — XML-RPC is a remote access feature that is frequently targeted in brute-force attacks. Most sites do not need it
  • Hide the WordPress version — Publicly exposing which version of WordPress you run tells attackers which known vulnerabilities to target
  • Restrict access to sensitive directories — Directories like /wp-includes/ and /wp-admin/ should not be directly browsable
  • Set correct file permissions — Overly permissive file and folder permissions make it easier for attackers to write or modify files on the server
  • Use a modern, supported PHP version — Outdated PHP versions have known vulnerabilities and receive no security patches
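The file-editing, wp-config.php, XML-RPC, version and permissions items above, applied and then verified by a small POSIX shell script. This is an added example, not code from the original article or from WordPress itself. The constant and hooks it uses (DISALLOW_FILE_EDIT, the xmlrpc_enabled filter, the wp_generator action on wp_head) are real WordPress core names; the mu-plugin file name hardening.php, the 600 mode for wp-config.php and the throwaway sample site it builds under a temporary directory are assumptions made here so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the original article): apply and verify several
# WordPress hardening steps. Assumed: the mu-plugin file name, the 600 mode,
# and the constructed sample site; the WordPress names used are real.
set -eu

# Print a file's octal mode (GNU stat first, BSD stat as fallback).
file_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Constructed sample: a minimal WordPress-like tree with weak settings so the
# script can run offline. On a real server the docroot is passed instead.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-admin" "$root/wp-includes" "$root/wp-content/uploads"
  printf '%s\n' '<?php' \
    "define('DB_PASSWORD', 'example-only');" \
    "require_once ABSPATH . 'wp-settings.php';" > "$root/wp-config.php"
  chmod 666 "$root/wp-config.php"        # deliberately too permissive
  chmod 777 "$root/wp-content/uploads"   # deliberately too permissive
  printf '%s' "$root"
}

# 1. Disable the dashboard theme/plugin editor. The define() has to run before
#    wp-settings.php is loaded, so insert it above that line (append otherwise).
disable_file_edit() {
  cfg="$1/wp-config.php"
  grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0
  line="define('DISALLOW_FILE_EDIT', true);"
  if grep -q 'wp-settings.php' "$cfg"; then
    awk -v ins="$line" '/wp-settings\.php/ && !done { print ins; done=1 } { print }' \
      "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
  else
    printf '%s\n' "$line" >> "$cfg"
  fi
}

# 2. A must-use plugin: loaded on every request and not switchable from the
#    dashboard. Disables authenticated XML-RPC methods and drops the version tag.
install_mu_plugin() {
  dir="$1/wp-content/mu-plugins"
  mkdir -p "$dir"
  cat > "$dir/hardening.php" <<'EOF'
<?php
// xmlrpc_enabled only turns off methods that need authentication; xmlrpc.php
// itself still answers, so also deny it at the web server if it is unused.
add_filter('xmlrpc_enabled', '__return_false');
// Drops <meta name="generator" content="WordPress x.y"> from <head>.
// readme.html and ?ver= query strings on scripts can still reveal the version.
remove_action('wp_head', 'wp_generator');
EOF
}

# 3. Sensible permissions: directories 755, files 644, wp-config.php readable by
#    its owner only. Assumes PHP runs as the file owner; if the web server runs
#    as a different user, use 640 with that user's group instead.
set_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  chmod 600 "$1/wp-config.php"
}

harden() {
  disable_file_edit "$1"
  install_mu_plugin "$1"
  set_permissions "$1"
}

# Verify the state; returns 0 only when every check passes. Because hardening
# has to stay in place, this is the part worth re-running on a schedule.
audit() {
  root="$1"; failed=0
  grep -q 'DISALLOW_FILE_EDIT' "$root/wp-config.php" \
    || { echo "FAIL: dashboard file editing still allowed"; failed=1; }
  [ "$(file_mode "$root/wp-config.php")" = 600 ] \
    || { echo "FAIL: wp-config.php mode is $(file_mode "$root/wp-config.php")"; failed=1; }
  [ -z "$(find "$root" -type d -perm -002)" ] \
    || { echo "FAIL: world-writable directory present"; failed=1; }
  grep -qs 'xmlrpc_enabled' "$root/wp-content/mu-plugins/hardening.php" \
    || { echo "FAIL: XML-RPC not disabled"; failed=1; }
  return $failed
}

# Demo on the constructed sample site: fails before, passes after.
site=$(make_sample_site)
audit "$site" || echo "before: not hardened"
harden "$site"
audit "$site" && echo "after: all checks pass"
rm -rf "$site"
```

The remaining two items in the list, restricting direct browsing of /wp-includes/ and /wp-admin/ and running a supported PHP version, are web server and hosting settings rather than files inside the install, so the script does not touch them; its audit function is the part to keep as a recurring check.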

When should this be done?

Ideally before a site launches. In practice, it should be done as soon as possible on any existing site that has not been through a proper security review. Hardening is a one-time setup with ongoing checks — most of these measures stay in place without requiring regular attention.

WordPress hardening is part of what we review and implement during a website checkup and as part of ongoing maintenance. More in our security knowledge base.


Dealing with a hacked or infected site? Learn about our malware removal service →