A Beginner’s Guide to Hardening WordPress Security

There are multiple reasons why website owners and managers love WordPress. But there is one big reason why even hackers love it: its popularity.  Hackers are constantly looking for ways to break into WordPress websites. Thankfully, there are some steps you can take to protect your website from such threats. WordPress hardening is a proven way to make it harder for hackers to attack your website.

So, what is WordPress hardening? How can you harden WordPress sites? How hard is it to do?

This complete WordPress hardening guide will help you understand all this and more.

13 Ways to Harden a WordPress Site

Before we dive in, what is WordPress hardening? Simply put, it is a set of steps that fortify a WordPress website to protect it from malware and attacks.

How to harden your WordPress site

In this article are 13 proven ways to harden your WordPress website.

Sounds overwhelming?

Let’s start with six easy ways of site hardening that do not need deep technical or WordPress know-how.

1. Install an SSL certificate

SSL is short for Secure Sockets Layer. Installing an SSL certificate moves your site from plain HTTP to the more secure HTTPS (shown with the padlock in the browser). This ensures that all the data between your user’s browser and your website is encrypted, and therefore, safe. Even Google recommends that every website has an SSL certificate for the security of its users.



How can you move your site to HTTPS?

All you need to do is install an SSL plugin like Let’s Encrypt on your WordPress site, and you are all set.

2. Use strong passwords

This is probably the easiest and most effective way of hardening WordPress websites. Ensure that all your users, including your WordPress administrators, configure login passwords that are at least eight characters long and combine upper- and lower-case letters, numbers, and special characters.


You can also install a password management tool like LastPass to automatically generate and store strong passwords. Additionally, make sure to regularly change all user passwords, say every three months.

3. Use Two Factor Authentication (2FA)

WP hardening is not complete without protecting your login page from brute force attacks. Two-Factor Authentication is a proven method for securing any WordPress login page. With 2FA, users signing into their account have to go through a 2-step verification process of:

  1. First, entering the correct username and password
  2. Entering a unique verification code that is sent to their mobile device.

How do you enable 2FA? For WordPress sites, install a 2FA plugin like Google Authenticator. 

4. Limit login attempts

By default, WordPress allows an unlimited number of login attempts, which is what brute force attacks take advantage of. You can harden WordPress login pages by limiting the number of failed attempts.


To enable this, you can either use the Limit Login Attempts Reloaded WordPress plugin or use security plugins like MalCare that have in-built login page protection. 

You can even limit attacks by hiding your WordPress login page.
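To see what unlimited attempts look like from the defender's side, the following added example (not part of the original article) counts failed wp-login.php POSTs per source IP in a web server access log in Combined Log Format. The function names, thresholds and sample lines are constructed for illustration, and it assumes WordPress answers a failed login with HTTP 200 and a successful one with a 302 redirect.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined Log Format: ip - - [time] "METHOD path proto" status size ...
LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def failed_logins(lines):
    """Yield (ip, time) for each POST to wp-login.php answered with HTTP 200.

    Assumption: the site shows the login form again (200) on a bad password
    and redirects (302) on success, which is WordPress's default behaviour.
    """
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        path = m["path"].split("?", 1)[0]
        if m["method"] == "POST" and path.endswith("/wp-login.php") and m["status"] == "200":
            yield m["ip"], datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")

def brute_force_sources(lines, max_failures=5, window=timedelta(minutes=10)):
    """Return IPs with more than max_failures failed logins inside one window.

    Lines are expected in chronological order, as a web server writes them.
    """
    recent = defaultdict(deque)  # ip -> times of failures still inside the window
    flagged = set()
    for ip, when in failed_logins(lines):
        times = recent[ip]
        times.append(when)
        while when - times[0] > window:
            times.popleft()
        if len(times) > max_failures:
            flagged.add(ip)
    return flagged

# Constructed sample log using documentation-range IPs (not real traffic).
SAMPLE_LOG = [
    f'203.0.113.7 - - [01/Jan/2024:10:00:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "-"'
    for s in range(0, 40, 5)  # eight failures in 35 seconds
] + [
    '198.51.100.4 - - [01/Jan/2024:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4523 "-" "-"',
    '198.51.100.4 - - [01/Jan/2024:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
]

if __name__ == "__main__":
    print(sorted(brute_force_sources(SAMPLE_LOG)))
```

A user who mistypes a password once and then logs in, like the second address in the sample, stays under the threshold and is not flagged.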

5. Set up a WP firewall

WordPress firewalls block any hacker before they can gain forced entry into your website. A firewall can track malicious IP addresses or those used by hackers across the globe and block any IP request sent from these addresses.

Want to know how to harden WordPress sites with firewalls? Popular WordPress security plugins, like MalCare, have an in-built web application firewall that can easily be enabled for your site.

6. Use a WP security plugin

Security plugins are the best way to detect and fix current issues as well as prevent future attacks on your WordPress site. Since they are developed exclusively for WordPress, they detect security issues that are advanced, lesser-known, or easy for you to miss. 

WordPress hardening plugins like MalCare or Sucuri combine multiple security practices so  you can harden your website in just a few clicks. For instance, MalCare, in addition to malware scanning and automated malware removal, also has an in-built 2FA feature, firewall protection, and an easy way to update your WordPress plugins, themes, and core across multiple websites.  

Installing a security plugin is the best way to take charge of your website security without having to depend on technical experts.


This completes our list of the six easy ways to run WordPress hardening.

Now, let’s take a look at seven slightly advanced ways to harden WordPress security that will bolster your website security.

7. Block PHP execution in untrusted folders

While this is slightly technical, it is fairly simple. Hackers, after gaining control of your website, often insert their malicious PHP functions to damage your backend files. What you need to do is block the execution of any PHP files from any unknown folders of your WordPress installation. 

How can you do this? Locate the .htaccess file in your WordPress installation and paste the following code with the help of a text editor tool:

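# For a folder that must never run PHP, e.g. wp-content/uploads (in the site root it would also block index.php)
<Files *.php>
deny from all
</Files>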


8. Disable the file editor

Apart from inserting their PHP functions, hackers can easily modify backend files and plugins/themes once they gain control of your website. Then, they launch attacks like SQL injections and spam hacks by inserting their malicious code or scripts using your File Editor tool. These attacks lower your website’s credibility, drive your users away, and even damage your SEO rankings.

The best guard against such attacks is to disable your file editor tool. To perform this step, open the wp-config.php file in your WordPress installation and insert the following code:

define( 'DISALLOW_FILE_EDIT', true );

9. Change security keys

WordPress sites often store user credentials so that registered users don’t have to keep entering their username and password each time they access their login accounts. To secure these credentials, WordPress stores them in encrypted form instead of plain text. 

Security keys are random variables that are used to encrypt these credentials. Hackers try to gain control of these security keys to decrypt the user credentials and gain illegal access to accounts.

As an effective WordPress hardening measure, it is a good practice to change these security keys regularly. To do this, you can use the Secret Key link to generate your security keys and then insert them into the secret-key section of your wp-config.php file.

10. Secure WP-Admin

Hackers often use bots to target attacks on the WordPress Admin page (/wp-admin). This is why your admin panel has to have an extra layer of security.  

The best way of securing your wp-admin panel is to install the SSL certificate first and then add the following code to the wp-config.php file of your WordPress installation:

define('FORCE_SSL_ADMIN', true);

While this step may look simple, it can lead to plugin-related complications later; we recommend that you do this with the support of a WordPress technical expert.

11. Secure wp-config.php file

As we have seen in some of the previous steps, hackers often try to control websites through the crucial wp-config.php file. To harden WordPress, you must protect the wp-config.php file at all costs.


Here are some ways by which you can secure the wp-config.php file in your WordPress installation:

  • Hide the file by moving it from its current installation folder to one level up so that hackers cannot locate it at the default location. 
  • Deny access to the wp-config.php file by adding the following code to the .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>
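Because steps 8, 9 and 10 all end up as lines in wp-config.php, one check can confirm they are actually in place. The following Python script is an added example, not code from the original article: it reads the text of a wp-config.php and reports a missing DISALLOW_FILE_EDIT or FORCE_SSL_ADMIN and security keys that are absent, repeated, or still set to the placeholder from wp-config-sample.php. The function name and the sample configuration are constructed for illustration.

```python
import re

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # value in wp-config-sample.php

# define( 'NAME', <quoted string or bare word> )
DEFINE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*"""
                    r"""('(?:[^'\\]|\\.)*'|"(?:[^"\\]|\\.)*"|\w+)\s*\)""")

def audit_wp_config(php):
    """Return sorted findings for the wp-config.php settings from steps 8-10."""
    # Ignore whole-line comments so a commented-out define does not count.
    live = "\n".join(line for line in php.splitlines()
                     if not line.lstrip().startswith(("//", "#")))
    defs = dict(DEFINE.findall(live))
    findings = []
    for flag in ("DISALLOW_FILE_EDIT", "FORCE_SSL_ADMIN"):
        if defs.get(flag, "").lower() != "true":
            findings.append(f"{flag} is not set to true")
    seen = set()
    for name in KEY_NAMES:
        value = defs.get(name, "")[1:-1]  # drop the surrounding quotes
        if not value:
            findings.append(f"{name} is missing or empty")
        elif value == PLACEHOLDER:
            findings.append(f"{name} still has the sample placeholder")
        elif value in seen:
            findings.append(f"{name} repeats another key's value")
        seen.add(value)
    return sorted(findings)

# Constructed sample configuration, not taken from a real site.
SAMPLE_CONFIG = """<?php
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'constructed-sample-1' );
define( 'LOGGED_IN_KEY',    'constructed-sample-2' );
define( 'NONCE_KEY',        'constructed-sample-3' );
define( 'AUTH_SALT',        'constructed-sample-4' );
define( 'SECURE_AUTH_SALT', 'constructed-sample-4' );
define( 'LOGGED_IN_SALT',   'constructed-sample-5' );
// define( 'DISALLOW_FILE_EDIT', true );
define('FORCE_SSL_ADMIN', true);
"""

if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_CONFIG):
        print(finding)
```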



12. Assign user roles and permissions carefully 

Typically, hackers try to break into accounts of WordPress administrators as they have the highest levels of permissions. Once they gain control of an admin account, hackers can inflict maximum damage compared to breaking into user accounts with lesser privileges.

Apart from Super Admin and Administrator roles, WordPress supports four other user roles — including Editor, Author, Contributor, and Subscriber — that have lower privileges.

To implement least privilege permissions, limit the number of administrators, and assign lower roles to other users. By limiting the number of admin users, you can minimize the damage caused by hackers even if they manage a successful hack.

13. Change the default username from ‘admin’

Most WordPress websites continue to use the default username, such as ‘admin’ or ‘webmaster’, for administrators. This makes it easier for hackers to guess the administrator credentials and launch attacks on the admin accounts.

You can harden WordPress admin accounts by changing the default administrator account name to one that is harder to guess. You can perform this task:

  • Through the phpMyAdmin SQL tool.
  • Or by running the following command on any MySQL client:

UPDATE wp_users SET user_login = 'newuser' WHERE user_login = 'admin';

Over to you

It’s important to remember that website security is an ongoing process as hackers are always thinking up new ways to attack and damage sites. If you’re looking for a simple way to handle WordPress security, security plugins like MalCare do a great job of combining most of the WordPress hardening steps from this article with ways to detect even lesser-known malware or types of attacks. 

We hope this WordPress hardening guide makes implementing  WordPress security easier and simpler for you. Let us know your feedback in the comments below.  

Feature image by Andras Vas on Unsplash


Pasquale Mellone

Pasquale is Founder at Increasily.com, a H2H marketing agency based in Dublin, Ireland, and owner at print-on-demand ecommerce Mintycase.com. Pasquale has worked in Digital Marketing and Account Management since 2004. He currently lives in Dublin with his wife, stepdaughter and cat.

Comments (2)

  1. Dawn
    12 September 2022

    Very readable, useable tutorial. As a volunteer for a small, budget-less group I am very appreciative. Keep up the awesome work!

    • Pasquale Mellone
      14 September 2022

      thank you!
