WordPress Hardening: A Complete Guide

Updated on: February 17, 2022

WordPress Hardening: A Complete Guide

WordPress powers more than 350 million websites today. With a market share of over 38%, it has especially been a boon to newbies who can create a blog or any other website in just a matter of a few clicks.

With its ready-to-use features and simple interface, WordPress has surely revolutionized the way we create and manage websites. No wonder, this has also thrown it before the lurking eyes of malicious actors. In this blog, we explain how you can ensure your WordPress website’s security through WordPress hardening.

Related Guide – WordPress Hack Removal

The dire need for WordPress security is further proved by the fact that over 90% of all website attacks target WordPress websites. This is way too high compared to its successor, Magento, which suffers only 4% of these attacks and stands at second in the list.

One reason behind this disproportional targeting is of course! the vast usage and data that WordPress websites hold. Another is the fact that more than 70% of all WordPress websites are ill-manged and super vulnerable; thus a gold mine for hackers. This is because the average WordPress user is either a blogger or a hobbyist website owner who is either unaware of security know-how or is not so hands-on with the technicalities of website security and conveniently avoids indulging in that. This needs to change and we explain how in this blog. Read on to find out.

What is website security?

Website security does not mean a completely secure system, which is practically impossible to create or maintain. It is more risk reduction than risk elimination. It includes using all resources at your disposal to improve your position to reduce the chances of getting hacked and make your online assets secure.

There are no quick fixes to achieve complete website security. However, you can take basic precautions and safety measures to keep your website safe from attackers. Most of the cyber-attacks exploit basic security lapses within websites which could be avoidable. This guide will help you understand the basics of WordPress security and steps to WordPress hardening. Read on to find out how you can better protect your website.

Get the ultimate WordPress security checklist with 300+ test parameters

Steps to WordPress hardening

1. Get a good host

Choosing a  secure hosting provider will ensure that their servers are properly secured and so your hosted website/s. While, opting for a cheaper or a shared hosting provider might only offer your website a basic security protocol and also you will be sharing the server with the multiple sites hosted. In such a case, any vulnerability in the server can impact all websites hosted on it, leaving a single-point-of-failure for your site.

It is always advised to invest in a dedicated hosting provider for your website for better security options so that will also help in providing WordPress hardening for your site. A good dedicated hosting provider takes care of the physical security of your data, cabling, power, and cooling of infrastructure, routers for the network, server applications, and virtual machines.

Related Guide – WordPress Malware Removal

The primary goal of a hosting provider is generally to provide hosting to their customers but not taking blame of any security incidents happening on the hosted website. Basically, it takes care of everything below that layer. You will still need to maintain security protocols and steps for your WordPress hardening. This complete guide will help you to do that.

2. Be up-to-date: For your website’s security

More than 54% of WordPress vulnerabilities are due to outdated plugins and older versions (source?). Whenever vulnerabilities are discovered in core WordPress code, the WordPress team provides patches and updates to fix those issues. If you are using older versions, then it is at risk of getting hacked through known or discovered security gaps. Updating your WordPress versions will protect against such known security threats and attacks.

Plugins can become vulnerable if they are not updated regularly. Most of the premium plugins provide regular security updates and patches which ensure that they do not become security liabilities for your WordPress website. It is advised to avoid using plugins that are not updated periodically, as they will not have proper support and security features. Majority of the time they are potential entry points for attackers.

Keeping everything up-to-date is an important step in WordPress hardening. You will find the latest version on the official website of WordPress here. After version 3.7, WordPress updates automatically. You can also use the dashboard to get the status of updates for plugins and extensions. Additionally, to configure automatic updates, insert this code into the “wp-config.php” file:

define( 'WP_AUTO_UPDATE_CORE', true );

For plugins and themes:

add_filter( 'auto_update_plugin', '_return_true' );
add_filter( 'auto_update_theme', '_return_true' );

3. Strong Passwords: A basic in WordPress hardening

It can’t be stressed enough how important a strong password is for WordPress hardening. Always change the default passwords from all accounts, since they can be easily guessed and compromise your account. A good practice is to have a strong phrase with alphanumeric characters. Passwords are generally cracked using brute-force techniques. Attackers use programs that can churn out numerous combinations and check if they are correct. Longer the password, more time will it take to guess, as it increases complexity and number of combinations exponentially.

Try using different passwords for different accounts and change your passwords periodically. Two-factor authentication has become the new security standard, as it provides additional levels of security. Enforce it for all accounts, i.e., for website users too.

4. Running your website on HTTPS 

HTTPS has become an important step for WordPress hardening. It is being used extensively by today’s websites for keeping encrypted communication between websites and its visitors, especially for financial transactions. HTTPS encrypts all data between browser and web server to prevent man-in-middle attacks, snooping and capturing important information.

To enable HTTPS on your WordPress website, you will need to get an SSL certificate from a reputable provider such as these. Follow the below steps after HTTPS is enabled on your website:

  • Sign into WordPress account and go to WordPress general settings
  • Update your WordPress address, to begin with, “HTTPS” instead of “HTTP”
  • Update your website address to start with “HTTPS instead of “HTTP”
  • Save the changes

Then edit your “.htaccess” file and add these lines at the top:

RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$$1[R,L]

Also, add the below line to the “wp-config.php” file and save it:

define('FORCE_SSL_ADMIN', true);

After this, your website will load with HTTPS.

5. Using SFTP and SSH

To transfer files and administer websites, FTP (File Transfer Protocol) is used. It has been replaced by the more secure SFTP. Compared to FTP which send files across the network without any encryption, SFTP encrypts all files and credentials when sending it over the network. You will find SSH installed on most servers so it is easy to use SFTP for WordPress hardening.

Using FTP will make your files and credentials vulnerable, especially while you’re using public networks, and can be captured by attackers. Once the hackers get your credentials, they can get access to your entire website. So always use SFTP to protect your credentials and for any type of file transfers or while using commands.

6. File Permissions

Not everyone needs to access all files on your WordPress website. If your site visitors have access to the core files then the attackers can use this vulnerability to take control. You can protect these files by using suitable file permissions and ensure a better WordPress hardening.

Wordpress File/Folder Permissions
WordPress file permission; Source: Astra Security

Below are a few main categories of files and folder:

  • Root WordPress directory: Files should be writable by you
  • WordPress administration area (/wp-admin/): All files writable by only you
  • Application logic of WordPress (wp-includes/): All files should be writable by only you
  • Content supplied by the user (/wp-content/): Files should be writable by you and the webserver
  • Theme files (wp-content/themes/): Files writable by either you or web server
  • Plugin files (wp-content/plugins/): All files writable by the only user

Recommended file permissions:

  • Wp-admin: 755
  • Wp-content: 755
  • Wp-content/themes: 755
  • Wp-content/plugins: 755
  • Wp-content/uploads: 755
  • Wp-config.php: 644
  • .htaccess: 644
  • Other files: 644

7. Backing up your website

Having a clean backup of your WordPress website will serve its purpose if your website gets hacked or defaced. You can use these backups to quickly replace your infected website with a clean copy. Most hosting providers provide automatic backup options, which store a copy of your website periodically.

However, while creating a backup, you need to be careful of data integrity. You can do this by ensuring to encrypt your backup, store an independent record of hashes for each backup, and storing your backups in read-only storage devices. Having a periodic plan to backup your entire website including core files and databases) will ensure that you have an uncompromised version of your website.

8. Protecting your WordPress site with a Firewall

The above steps will help in WordPress hardening, however, to have complete protection against attacks you need a strong firewall. A firewall should have the following features:

  • Malware scanner: Your firewall should be able to detect and remove malware from your website
  • Login protection from brute force attacks
  • Protection against attacker reconnaissance techniques. For example, protect your usernames from attackers
  • A fully-featured Web Application Firewall with regular updates
  • Password auditing and two Factor Authentication
  • Advanced blocking techniques to counter the latest threats and new methods of attacks

Apart from these, there are several other parameters a strong firewall should have. There are numerous such services on the internet, Astra Security is one of them. With their wide variety of security tools in their arsenal, Astra Security offers complete protection to your website. If you want to monitor how your security service is performing, our dashboard will show you all necessary data such as the number of attacks blocked. Numerous testimonials from satisfied users are proof of Astra Security’s excellent work.

Astra Web App Pentest


Security of a website is an ongoing process. There is no definite solution for a completely secure website. WordPress hardening is a combination of basic security protocols and a strong firewall. An attack can bring down your website and cause you losses on multiple fronts. And we understand how much effort goes into creating and maintaining a website.

We at Astra Security are here to help you protect your website and ensure that you spend your time working on your website rather than worrying about it.

Was this post helpful?

Aakanchha Keshri

Aakanchha is a technical writer and a cybersecurity enthusiast. She is an avid reader, researcher, and an active contributor to our blog and the cybersecurity genre in general. To date, she has written over 200 blogs for more than 60 domains on topics ranging from technical to promotional. When she is not writing or researching she revels in a game or two of CS: GO.
Notify of

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Inline Feedbacks
View all comments

Psst! Hi there. We’re Astra.

We make security simple and hassle-free for thousands
of websites and businesses worldwide.

Our suite of security products include a vulnerability scanner, firewall, malware scanner and pentests to protect your site from the evil forces on the internet, even when you sleep.

earth spiders cards bugs spiders

Made with ❤️ in USA France India Germany