WordPress Security Hardening: The Checklist We Actually Use

A practical, no-fluff checklist for hardening WordPress sites — covering file permissions, login protection, headers, and server-level controls.

By Atul Pathria · March 6, 2026 · 3 min read

Most WordPress security guides tell you to install a plugin and call it a day. That's not hardening — that's wishful thinking.

This is the actual checklist used when auditing and hardening WordPress sites. No fluff, no plugin marketing.


1. File & Directory Permissions

Wrong permissions are one of the most common entry points.

  • wp-config.php → 600 (owner read/write only)
  • /wp-content/uploads/ → 755 (no PHP execution)
  • WordPress core files → 644
  • Directories → 755

Block PHP execution in uploads entirely at the Nginx level:

location ~* /wp-content/uploads/.*\.php$ {
    deny all;
}
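As an added example (not code from the original post), a small Python audit that walks a WordPress root and reports every file or directory whose mode deviates from the targets above, plus any PHP file sitting under wp-content/uploads. The sample tree it builds is constructed for the demo; the target modes are the checklist's defaults, so adjust them if your host requires something else.

```python
import tempfile
from pathlib import Path
from stat import S_IMODE

WP_CONFIG_MODE, FILE_MODE, DIR_MODE = 0o600, 0o644, 0o755  # checklist targets

def audit_permissions(root):
    """Return (relative_path, problem) pairs for every deviation from the checklist."""
    root = Path(root)
    uploads = root / "wp-content" / "uploads"
    findings = []
    for path in sorted(p for p in root.rglob("*") if not p.is_symlink()):
        mode = S_IMODE(path.stat().st_mode)
        rel = path.relative_to(root).as_posix()
        if path.is_dir():
            if mode != DIR_MODE:
                findings.append((rel, f"directory mode {mode:o}, expected 755"))
        elif path.name == "wp-config.php" and path.parent == root:
            if mode != WP_CONFIG_MODE:
                findings.append((rel, f"wp-config.php mode {mode:o}, expected 600"))
        elif mode != FILE_MODE:
            findings.append((rel, f"file mode {mode:o}, expected 644"))
        # PHP under uploads is suspect even when Nginx refuses to execute it
        if path.is_file() and path.suffix.lower() == ".php" and uploads in path.parents:
            findings.append((rel, "PHP file inside wp-content/uploads"))
    return findings

def build_sample_site(root):
    """Constructed demo tree (not a real install) with deliberate mistakes."""
    layout = {  # trailing '/' marks a directory; dict order is creation order
        "wp-config.php": 0o644,                      # should be 600
        "wp-content/": 0o755,
        "wp-content/plugins/": 0o755,
        "wp-content/plugins/hello.php": 0o755,       # stray execute bit
        "wp-content/uploads/": 0o777,                # world-writable directory
        "wp-content/uploads/unexpected.php": 0o644,  # PHP dropped in uploads
    }
    for rel in layout:
        target = Path(root) / rel
        target.mkdir() if rel.endswith("/") else target.write_text("demo\n")
    for rel, mode in layout.items():  # chmod only after all children exist
        (Path(root) / rel).chmod(mode)

def run_demo():
    site = tempfile.mkdtemp()  # fresh scratch directory for the sample tree
    build_sample_site(site)
    return audit_permissions(site)

if __name__ == "__main__":
    for rel, problem in run_demo():
        print(f"{rel}: {problem}")
```

Point audit_permissions() at a real document root to use it outside the demo; symlinks are skipped so the walk never leaves the tree.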

2. wp-config.php Hardening

  • Rotate all secret keys and salts (use the official WordPress secret-key generator)
  • Change the DB table prefix from wp_ to something random
  • Set define('DISALLOW_FILE_EDIT', true); to block theme/plugin editor
  • Set define('WP_DEBUG', false); in production

3. Login Protection

Brute force is still the #1 attack vector for WordPress.

  • Change the login URL from /wp-admin to something non-standard
  • Rate limit login attempts at the Nginx level — not just via a plugin
  • Disable XML-RPC if you don't use it (most sites don't need it)
  • Block REST API user enumeration

# Block XML-RPC
location = /xmlrpc.php {
    deny all;
}

# Rate limit login: limit_req_zone belongs in the http {} context,
# the location block in the site's server {} block
limit_req_zone $binary_remote_addr zone=wp_login:10m rate=5r/m;
location = /wp-login.php {
    limit_req zone=wp_login burst=3 nodelay;
    # An exact-match location must still hand the request to PHP-FPM,
    # otherwise Nginx serves wp-login.php as a static file
    include fastcgi_params;
    fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    fastcgi_pass unix:/run/php/php-fpm.sock;  # adjust to your PHP-FPM socket
}

⚠️ Warning

Don't rely on a security plugin alone for login rate limiting. If PHP is already executing, the plugin runs too late. Do it at the Nginx/server level.

4. HTTP Security Headers

These headers stop a wide range of client-side attacks:

# Inside the site's server {} block; "always" also sends the header on error responses
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-XSS-Protection "1; mode=block" always;  # legacy header, ignored by current browsers
add_header Referrer-Policy "strict-origin-when-cross-origin" always;
add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;  # HTTPS only

5. Admin User Hygiene

  • Delete the default admin username
  • Audit all users with administrator role — remove any you don't recognise
  • Enforce strong passwords for all admin accounts
  • Enable two-factor authentication for admins

6. Plugin & Theme Risk

Plugins are the biggest attack surface on any WordPress site.

  • Remove inactive plugins and themes (disabled ≠ safe)
  • Check every plugin against known vulnerability databases
  • Audit file modification dates — unexpected recent changes are a red flag
  • Prefer plugins with active maintenance and recent updates

💡 Tip

Run wp plugin list --status=inactive --format=table via WP-CLI to quickly audit inactive plugins.

7. Post-Hardening Verification

After applying everything above, verify:

  • Re-run a full malware scan
  • Check file integrity against known WordPress core hashes
  • Test login rate limiting is working
  • Confirm XML-RPC is blocked (test with curl -d "" https://yourdomain.com/xmlrpc.php)
  • Run a security header check

This checklist covers the foundations. A real hardening engagement goes deeper — server-level isolation, WAF rules, monitoring, and a documented incident response plan.

If your site has been hacked or you want a full audit done properly, book a security call.
