WordPress hardening is the proactive work that prevents compromise — applying security best practices BEFORE you get hit, not after. Hardening covers every layer: server, PHP, WordPress core configuration, file permissions, user accounts, login protection, WAF. Each layer alone catches some attacks; the combination catches nearly all of them.
This guide covers the WordPress hardening techniques I implement on every audit + hardening project in 2026. wp-config.php hardening, .htaccess rules, file permissions, login protection, WAF configuration, 2FA, and the monitoring patterns that detect new issues. Concrete implementation, not abstract principles.
Quick verdict: the seven highest-leverage WordPress hardening wins are (1) wp-config.php hardening + correct file permissions, (2) WAF at edge (Cloudflare), (3) 2FA enforced, (4) brute force login protection, (5) strong unique passwords, (6) regular updates, (7) ongoing monitoring. Each is straightforward to implement; together they eliminate 95%+ of attack surface.
WordPress hardening: quick reference
If you are evaluating WordPress hardening for your next project, you are weighing real trade-offs between cost, complexity, ownership, and time-to-launch. The right WordPress hardening decision depends on a handful of variables — team capacity, scope clarity, and how much ongoing maintenance you can absorb. The summary below is the 60-second version; the rest of this guide unpacks the nuance.
- WordPress hardening pricing typically ranges based on scope clarity, integration count, and ongoing support requirements.
- WordPress hardening timelines vary from days (small scope) to months (enterprise scope) depending on complexity.
- The biggest variable in WordPress hardening is requirements clarity at the brief stage — vague briefs produce vague quotes.
- Vendor selection for WordPress hardening matters more than tool selection — the right team beats the right stack.
- WordPress hardening ROI is positive when scope is bounded, deliverables are specified, and success criteria are measurable.
For complementary perspectives on WordPress hardening, the WordPress hardening guide and OWASP Top Ten security risks resources cover adjacent angles worth reviewing alongside this guide. They focus on the underlying technology and standards — this post focuses on the WordPress hardening decision specifically.
When you revisit your WordPress hardening approach in 12 to 24 months, three signals usually indicate a refresh is justified. First, the original brief no longer matches business reality — product, audience, or operational scope has shifted. Second, the underlying technology has moved forward enough that the WordPress hardening decision made under previous constraints would be different today. Third, ongoing maintenance overhead has crept up beyond what was forecast at launch. None of these are emergencies on their own; together they signal it is time to revisit fundamentals rather than patch around them.
wp-config.php hardening
wp-config.php is the most security-sensitive file. Hardening checklist:
define('DISALLOW_FILE_EDIT', true)— disable theme/plugin file editor in admindefine('DISALLOW_FILE_MODS', true)— disable plugin/theme installation via admin (use deploys instead)define('WP_AUTO_UPDATE_CORE', 'minor')— auto-apply security patchesdefine('FORCE_SSL_ADMIN', true)— require HTTPS for admindefine('WP_DEBUG', false)— never debug in production$table_prefix = 'wp_random_xyz_';— change default prefix- Fresh salts from api.wordpress.org/secret-key/1.1/salt
- File permissions 600 — owner read/write only
- Move above web root when host allows — wp-config.php at
/var/www/wp-config.phpinstead of/var/www/html/wp-config.php
.htaccess hardening rules
For Apache hosts, .htaccess rules block common attack patterns:
- Block xmlrpc.php —
<Files xmlrpc.php>Order Deny,Allow Deny from all</Files> - Protect wp-config.php —
<Files wp-config.php>Order Deny,Allow Deny from all</Files> - Disable directory browsing —
Options -Indexes - Block PHP execution in /uploads/ — prevent uploaded malware from running
- Block author scans — redirect
?author=Nqueries - Add security headers — X-Frame-Options, X-Content-Type-Options, Strict-Transport-Security
File permissions + ownership
Correct file permissions limit attack surface:
| Item | Permissions |
|---|---|
| Directories | 755 |
| Files | 644 |
| wp-config.php | 600 |
| .htaccess | 644 |
| /uploads/ directory | 755 |
| Owner | web server user (www-data, apache) |
| NOT 777 | never world-writable |
2FA enforcement
Two-factor authentication prevents 99%+ of credential-stuffing attacks:
- Plugins — WP 2FA (free), Two Factor Authentication, Wordfence Login Security
- Methods — TOTP via authenticator apps (Google Authenticator, Authy)
- Backup methods — backup codes for account recovery
- Hardware keys — YubiKey for high-security accounts
- Enforcement — make 2FA mandatory for admin + editor roles
- Grace period — 7-30 days for existing users to set up 2FA
2FA + strong passwords + unique passwords: These three together eliminate the vast majority of WordPress login attacks. 2FA alone catches credential stuffing. Strong unique passwords prevent reuse attacks. Together they’re the foundation. Skip 2FA and you’re betting your site on password strength alone.
Login protection
Beyond 2FA, layered login protection:
- Limit Login Attempts — block IPs after N failed attempts
- WPS Hide Login — change /wp-admin/ URL to custom slug
- CAPTCHA on login — for sites with sustained attack traffic
- IP allowlist for admin — when team has known IP ranges
- Disable XML-RPC — prevents brute force amplification
- Login attempt logging — alerting on suspicious patterns
WAF configuration
Web Application Firewall blocks attacks before they hit WordPress:
Cloudflare WAF
Free tier — basic WAF rules, DDoS mitigation. Pro $20/mo — managed WordPress ruleset, advanced rate limiting, bot mitigation. Enterprise — custom rules, advanced threat intelligence. For most sites, Pro tier is the sweet spot.
Wordfence
Free — basic WAF, malware scanning. Premium $99/yr — premium ruleset, real-time threat intelligence, country blocking, scheduled scans. Application-level WAF runs on your server (different layer than Cloudflare).
Server + PHP hardening
Server-level hardening (when you control the server):
- PHP version 8.2+ — older versions are EOL
- disable_functions in php.ini — disable exec, system, shell_exec, passthru, popen, proc_open
- open_basedir restriction — limit PHP to specific directories
- SSH key auth only — disable password SSH auth
- Fail2ban — auto-ban IPs after suspicious patterns
- Firewall (ufw / iptables) — only allow needed ports (80, 443, 22)
- Automatic security updates — unattended-upgrades on Ubuntu
Update discipline
Keeping WordPress up to date is the single most important hardening:
- WordPress core — auto-update minor versions; manual + tested for major
- Plugins — security updates within 7 days; feature updates within 30 days
- Themes — security updates within 7 days
- Test on staging — for sites where updates have caused breakage history
- Backup before updates — automated daily backup catches problematic updates
Monitoring + alerting
Hardening is not done once — ongoing monitoring catches new issues:
- File integrity monitoring — Wordfence, MalCare, custom WP-CLI scripts
- Login attempt logging — alerting on suspicious patterns
- Plugin/theme update monitoring — alert when security updates available
- Uptime monitoring — alert on site outages
- SSL certificate expiry — alert before expiry
- Malware scans on schedule — daily or weekly automated scans
- Server resource monitoring — unusual CPU / memory may indicate cryptomining backdoors
Common WordPress hardening mistakes
Patterns that cause problems:
- Hardening once, never updating — security tools need configuration updates
- Plugin proliferation — installing 5 security plugins; they conflict and slow site
- 2FA optional — must be enforced, not optional
- Weak admin passwords — even with 2FA, easy passwords get cracked given enough time
- Neglecting backups — hardening is preventive; backups are recovery; both needed
- Skipping server hardening — focusing on WordPress while leaving server defaults
Implementation — FAQs
How long does WordPress hardening take?
For a thorough hardening pass: 6-16 hours of work depending on site complexity. WAF setup + tuning, 2FA enforcement, file permission audit, wp-config hardening, server-level changes, monitoring setup. Most sites benefit from a one-time 1-2 day hardening project followed by ongoing monitoring.
Will hardening break my WordPress site?
When done carefully — no. Each hardening change is tested individually. Risk areas: aggressive WAF rules can block legitimate traffic, 2FA enforcement without grace period locks users out, file permission errors can cause WordPress to crash. Stage changes, monitor for breakage, have rollback ready. Done thoughtfully, hardening should be invisible to users.
Do I need to harden every WordPress site?
Yes — every public WordPress site is constantly probed. The level of hardening varies. Brochure sites: basic hardening (2FA, WAF, updates). Ecommerce / member sites: comprehensive hardening (everything in this guide). High-revenue / regulated industry: enterprise hardening + ongoing monitoring + incident response retainer. The cost of NOT hardening is one compromise away from existential damage.
Tooling — FAQs
Wordfence vs Sucuri vs MalCare — which security plugin?
Wordfence (free or Premium $99/yr) — best comprehensive WordPress security plugin in 2026. WAF + malware scanning + login security + monitoring all in one. Sucuri ($199.99+/yr) — strong but expensive; pairs with their CDN/WAF service. MalCare ($99/yr) — focused on malware scanning + cleanup. For most sites, Wordfence Premium is the right default. Layer with Cloudflare WAF for edge protection.
How many security plugins should I have active?
One. Maybe two. Multiple security plugins conflict, double-process traffic, slow the site, and can confuse the WordPress security model. The pattern: one comprehensive plugin (Wordfence) + edge WAF (Cloudflare). For specific needs, single-purpose plugins (WP 2FA for two-factor) are fine. Avoid stacking 5 different “security” plugins.
Should I use a security plugin if I have a managed WordPress host?
Managed hosts (Kinsta, WP Engine, Pressable) ship with built-in security — automatic core updates, server hardening, WAF rules. You still benefit from a security plugin for application-level protection, file integrity monitoring, and 2FA. The combo: managed host’s server security + plugin’s application security = layered defense.
Want professional WordPress hardening done right?
Hardening means more than installing a security plugin — it means file permissions tightened, wp-config secrets moved out of webroot, admin paths obscured, 2FA enforced, login rate-limited, REST API locked down, and CSP headers configured. I harden WordPress sites against the actual attack patterns that hit production every day, not the imaginary ones.
See my WordPress security audit & hardening service
