A hardened WordPress site is one where every attack surface is minimized, every configuration is intentional, and no default settings are left exposed. This checklist covers the most important hardening steps, ordered from easiest to most technical.
WordPress hardening 15 step checklist: 1. Keep Everything Updated
WordPress core, plugins, and themes must be updated as soon as security patches are released. Enable automatic updates for minor core releases and use a security plugin that alerts you to outdated components.
WordPress hardening 15 step checklist: 2. Use Strong Passwords and 2FA
Weak passwords are the number one cause of WordPress site compromises. Enforce strong passwords for all users and enable Two-Factor Authentication Two-Factor Authentication guide (2FA) for administrator accounts. Trusti Security provides 2FA with multiple methods including authenticator apps and email codes.
3. Change the Admin Username
If your admin username is still “admin” or similar, change it. Attackers target known usernames because they eliminate half the login equation. Trusti Security can detect users with common usernames and help you create a new admin account.
4. Disable File Editing
Add this to wp-config.php to prevent administrators from editing plugin and theme files through the WordPress admin dashboard. This stops an attacker who gains admin access from injecting malicious code through the file editor.
define(DISALLOW_FILE_EDIT, true);5. Limit Login Attempts
Brute-force attacks are automated and relentless. Limit the number of failed login attempts before blocking the IP address. Trusti Security’s Brute Force Protection module handles this automatically with configurable thresholds and temporary or permanent bans.
6. Change the Login URL
Moving wp-admin to a custom URL eliminates automated attacks against the default login page. Trusti Security’s Custom Admin URL feature renames the login page and blocks access to the original wp-admin and wp-login.php.
7. Enable a Web Application Firewall
A WAF blocks malicious requests before they reach WordPress. Trusti Security’s Firewall detects SQL injection, XSS, RFI, and other common attack patterns at the application level.
8. Verify WordPress Core Files
Use Core Integrity Scanner (built into Trusti Security) to compare your WordPress files against official checksums. Any modified file is flagged for investigation.
9. Set Correct File Permissions
Directories should be 755, files should be 644, and wp-config.php should be 600 or 640. Read our WordPress File Permissions guide for detailed instructions.
10. Disable XML-RPC (or Restrict It)
XML-RPC is a legacy protocol that is heavily targeted by brute-force attacks. Trusti Security can disable XML-RPC entirely or restrict it to specific IP addresses. The CrawlerX botnet specifically targeted XML-RPC endpoints for distributed brute-force attacks.
11. Protect wp-config.php
Move wp-config.php above the web root if possible. If not, secure it with .htaccess rules. See our wp-config.php security guide for detailed instructions.
12. Secure .htaccess
Block direct access to sensitive files, disable directory browsing, and block malicious user agents. Read our .htaccess security guide for the complete rule set.
13. Enable Activity Logging
Know what is happening on your site. Trusti Security’s Activity Logging tracks user logins, post changes, plugin activations, and settings modifications. If something goes wrong, the log tells you what happened and when.
14. Regular Backups
Automated daily backups with off-site storage. Test your restore process at least once per quarter.
15. Use a Staging Environment
Test updates and changes on a staging site before deploying to production. Read our staging site guide for setup instructions.