Introduction

WordPress is the most targeted CMS. Follow these 25 steps to harden your WordPress installation on Hostxpeed VPS.

1. Keep Everything Updated

Enable automatic updates for core, plugins, and themes.

2. Disable File Editor

Add define('DISALLOW_FILE_EDIT', true); to wp-config.php. This removes the theme and plugin file editors from the dashboard, so a compromised admin account cannot drop PHP into the site from the browser.

3. Set Proper Permissions

Directories: 755, files: 644. wp-config.php: 600.
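Applying and verifying the 755/644/600 scheme by hand across a large tree is error-prone, so here is an added example (not from the original guide) that does both. It assumes the argument is the directory containing wp-config.php (for example public_html); ownership is not touched and is left to your hosting layout. The sample tree it builds is constructed for demonstration.

```sh
# Added example, not part of the original guide: enforce and audit the
# 755/644/600 scheme from step 3. WP_ROOT is assumed to be the directory
# that holds wp-config.php; file ownership is left as it is.

harden_wp_perms() {
    wp_root="$1"
    [ -d "$wp_root" ] || { echo "no such directory: $wp_root" >&2; return 1; }
    # Directories: owner rwx, group/other rx
    find "$wp_root" -type d -exec chmod 755 {} +
    # Files: owner rw, group/other r
    find "$wp_root" -type f -exec chmod 644 {} +
    # wp-config.php carries DB credentials and salts: owner only
    [ -f "$wp_root/wp-config.php" ] && chmod 600 "$wp_root/wp-config.php"
    return 0
}

# Report deviations (one line each on stderr) and echo the number of findings;
# 0 means the tree matches the scheme.
check_wp_perms() {
    wp_root="$1"
    find "$wp_root" -type d ! -perm 755 | sed 's/^/directory not 755: /' >&2
    bad=$(( $(find "$wp_root" -type d ! -perm 755 | wc -l) ))
    find "$wp_root" -type f ! -name wp-config.php ! -perm 644 | sed 's/^/file not 644: /' >&2
    bad=$(( bad + $(find "$wp_root" -type f ! -name wp-config.php ! -perm 644 | wc -l) ))
    cfg="$wp_root/wp-config.php"
    if [ -f "$cfg" ] && [ -z "$(find "$cfg" -perm 600)" ]; then
        echo "wp-config.php not 600: $cfg" >&2
        bad=$((bad + 1))
    fi
    echo "$bad"
}

# Constructed sample tree with deliberately loose modes, for trying the functions.
make_sample_wp_tree() {
    root="$1"
    mkdir -p "$root/wp-content/uploads" "$root/wp-admin"
    printf '<?php\n' > "$root/index.php"
    printf '<?php\n' > "$root/wp-config.php"
    printf 'x' > "$root/wp-content/uploads/photo.jpg"
    chmod 777 "$root/wp-content/uploads" "$root/index.php" "$root/wp-config.php"
}

# usage: make_sample_wp_tree /tmp/wp-demo; check_wp_perms /tmp/wp-demo
#        harden_wp_perms /tmp/wp-demo; check_wp_perms /tmp/wp-demo   # prints 0
```

Run check_wp_perms from cron or a deploy hook: a non-zero count after a plugin update or a manual FTP upload is an early sign that something wrote world-writable files into the tree.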

4. Move wp-config.php Above Webroot

Place it one directory above public_html.

5. Disable PHP Execution in Uploads

Add an Nginx rule: location ~* /wp-content/uploads/.*\.php$ { deny all; } (the dot must be escaped so that .php is matched literally). Place this regex location before the general ~ \.php$ block that hands requests to PHP-FPM, because Nginx uses the first regex location that matches.

6. Change Login URL

Use a plugin like WPS Hide Login to move /wp-admin to a custom slug.

7. Two-Factor Authentication

Install Wordfence or Google Authenticator plugin for 2FA.

8. Strong Passwords

Enforce strong passwords and use a password manager.

9. Install a Security Plugin

Wordfence or Sucuri provides WAF, scanning, and login protection.

10. Disable XML-RPC

Block xmlrpc.php in .htaccess with a <Files xmlrpc.php> block containing deny from all (Apache 2.2) or Require all denied (Apache 2.4); a bare deny from all at the top level of .htaccess would block the whole site. Note that Jetpack and the WordPress mobile apps rely on XML-RPC.

11. Change Database Prefix

Change the default $table_prefix = 'wp_'; in wp-config.php to a random prefix. On an existing site the database tables, and the prefixed option and usermeta keys, must be renamed to match, so do this at install time or with a plugin that handles the migration.

12. Regular Backups

Use UpdraftPlus or Hostxpeed snapshots; store offsite.

13. Disable Directory Listing

Options -Indexes in .htaccess or autoindex off in Nginx.

14. Remove Unused Plugins/Themes

Delete them, not just deactivate.

15. Force HTTPS

Use define('FORCE_SSL_ADMIN', true); and HSTS (see SSL guide).

16. Limit wp-admin by IP

Allow only your office IP to /wp-admin if possible.

17. Disable REST API for Non-Logged-in Users

Add a filter on rest_authentication_errors that returns a WP_Error when is_user_logged_in() is false. Front-end plugins that call the REST API anonymously (contact forms, for example) will stop working, so test the site after enabling it.

18. Monitor User Activity

Plugins like WP Security Audit Log track changes.

19. Hide WordPress Version

Remove the generator meta tag (the wp_generator action hooked to wp_head). Also delete readme.html and license.txt from the webroot, since both reveal the installed version.

20. Salt Keys

Generate new salts at api.wordpress.org/secret-key and add them to wp-config.php. Changing the salts invalidates every existing login cookie, so all users are signed out.
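Steps 2, 11, 15 and 20 all live in wp-config.php, and the usual way they fail is that the change was pasted into a comment or never made at all. The following added example (not from the original guide) audits a wp-config.php for those four settings; the file path is an assumption, commented-out defines are deliberately not accepted, and the sample config it writes is constructed to look like a stock install.

```sh
# Added example, not part of the original guide: audit a wp-config.php for
# step 2 (DISALLOW_FILE_EDIT), step 11 (table prefix), step 15
# (FORCE_SSL_ADMIN) and step 20 (salts). Findings go to stderr, the count
# to stdout. The path is an assumption; pass your own file.

# has_define FILE NAME VALUE: true if an active (not commented-out) define
# sets NAME to VALUE. Anchoring at line start skips "// define(...)" lines.
has_define() {
    grep -Eq "^[[:space:]]*define\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*$3[[:space:]]*\)" "$1"
}

audit_wp_config() {
    cfg="$1"
    findings=0
    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; echo 1; return 0; }

    if ! has_define "$cfg" DISALLOW_FILE_EDIT true; then
        echo "step 2: DISALLOW_FILE_EDIT is not defined as true" >&2
        findings=$((findings + 1))
    fi
    # Default prefix still in use (the regex escapes the literal $)
    prefix_re="^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]"
    if grep -Eq "$prefix_re" "$cfg"; then
        echo "step 11: table prefix is still the default wp_" >&2
        findings=$((findings + 1))
    fi
    if ! has_define "$cfg" FORCE_SSL_ADMIN true; then
        echo "step 15: FORCE_SSL_ADMIN is not defined as true" >&2
        findings=$((findings + 1))
    fi
    # Each of the eight keys must exist and must not hold the stock placeholder
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(grep -E "^[[:space:]]*define\([[:space:]]*['\"]$k['\"]" "$cfg" | head -n 1)
        if [ -z "$line" ]; then
            echo "step 20: $k is not defined" >&2
            findings=$((findings + 1))
        elif printf '%s\n' "$line" | grep -q 'put your unique phrase here'; then
            echo "step 20: $k still holds the placeholder value" >&2
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}

# Constructed sample resembling a stock wp-config.php with nothing hardened.
write_sample_wp_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
$table_prefix = 'wp_';
// define('DISALLOW_FILE_EDIT', true);   // commented out: must not count
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
EOF
}

# usage: write_sample_wp_config /tmp/wp-config.php; audit_wp_config /tmp/wp-config.php   # prints 11
```

The stock sample scores 11 (three missing settings plus eight placeholder salts); a config that passes prints 0. Because the check reads the file rather than loading WordPress, it can run from a cron job on the VPS without touching the site.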

21. Use a Web Application Firewall

Hostxpeed’s DDoS protection plus ModSecurity (optional).

22. Disable Pingbacks

Uncheck “Allow link notifications” in Discussion settings.

23. Regular Scans with WPScan

Run wpscan --url example.com to find vulnerabilities.

24. Security Headers

Implement CSP, X-Frame-Options, etc. (see Security Headers article).

25. Enable Logging and Monitoring

Watch /var/log/nginx/access.log for suspicious patterns.
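"Suspicious patterns" in practice usually means one source address hammering the login or XML-RPC endpoints. The following added example (not from the original guide) counts those per IP in an Nginx combined-format access log and prints the offenders. It uses the fact that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302. The log path and threshold are assumptions, and the sample log it writes is constructed with documentation addresses.

```sh
# Added example, not part of the original guide: flag source IPs that hammer
# wp-login.php or xmlrpc.php in an Nginx combined-format access log (step 25).
# Only 200 responses to POST /wp-login.php count (failed logins); any POST to
# xmlrpc.php counts. The log path and threshold are assumptions.

# flag_login_abuse LOG [THRESHOLD]: prints "ip count" for each IP at or over THRESHOLD
flag_login_abuse() {
    log="$1"
    threshold="${2:-10}"
    awk -v t="$threshold" '
        # combined format fields: $1 ip, $6 "METHOD, $7 path, $9 status
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { hits[$1]++ }
        $6 == "\"POST" && $7 ~ /^\/xmlrpc\.php/               { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= t) printf "%s %d\n", ip, hits[ip] }
    ' "$log" | sort
}

# emit N LINE: print LINE N times (helper for the constructed sample)
emit() {
    n="$1"; shift
    while [ "$n" -gt 0 ]; do printf '%s\n' "$*"; n=$((n - 1)); done
}

# Constructed sample log: 203.0.113.5 fails 8 logins and posts to xmlrpc 4 times,
# 198.51.100.7 fails 3 logins, 192.0.2.9 logs in once (302) and opens wp-admin.
write_sample_access_log() {
    out="$1"
    : > "$out"
    emit 8 '203.0.113.5 - - [01/Jan/2024:10:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"' >> "$out"
    emit 4 '203.0.113.5 - - [01/Jan/2024:10:00:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"' >> "$out"
    emit 3 '198.51.100.7 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4120 "-" "Mozilla/5.0"' >> "$out"
    emit 1 '192.0.2.9 - - [01/Jan/2024:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"' >> "$out"
    emit 1 '192.0.2.9 - - [01/Jan/2024:10:02:01 +0000] "GET /wp-admin/ HTTP/1.1" 200 9870 "-" "Mozilla/5.0"' >> "$out"
}

# usage: write_sample_access_log /tmp/access.log
#        flag_login_abuse /tmp/access.log 10      # prints "203.0.113.5 12"
#        flag_login_abuse /var/log/nginx/access.log 20
```

On the sample, the threshold of 10 flags only 203.0.113.5 (8 failed logins plus 4 XML-RPC posts); the legitimate user at 192.0.2.9 never appears because a 302 is not counted. Pipe the output into your firewall tooling or Wordfence's blocklist, and lower the threshold once step 10 has disabled XML-RPC, since any POST to xmlrpc.php is then unexpected.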

Conclusion

Apply these steps progressively. Start with updates and login security, then add a WAF.