Securing WordPress. A checklist for administrators
WordPress hardening from the ground up: updates, 2FA, security headers, file permissions, wp-login, XML-RPC, REST API and monitoring. Concrete commands and configurations.

WordPress powers more than 40% of websites. That makes it the most frequent target of attacks — not because it is unsafe, but because it is popular. Most break-ins are down to administrator negligence, not flaws in WordPress itself.
Below you will find concrete steps for securing a WordPress installation that I apply with every client.
1. Updates — the first and most important step
More than 50% of WordPress break-ins stem from outdated plugins. As soon as a plugin author patches a vulnerability and ships an update, information about the flaw becomes public. Bots start scanning the internet for unpatched installations within hours.
```bash
# Check for available updates
wp core check-update
wp plugin list --update=available
wp theme list --update=available

# Update everything
wp core update
wp plugin update --all
wp theme update --all
```

Recommendation: enable automatic updates for smaller plugins. Update major plugins (WooCommerce, Elementor) manually after testing on staging.
2. Strong login credentials
- Administrator login: change admin to something unique
- Password: at least 16 characters, generated randomly (e.g. by a password manager)
- Do not reuse the same password for wp-admin, FTP, the database and the hosting panel
```bash
# Change a password via WP-CLI
wp user update admin --user_pass="$(openssl rand -base64 24)"
```

3. Two-factor authentication (2FA)
2FA eliminates 99% of brute-force attacks. Even if someone learns the password, they will not get in without the code from your phone.
Recommended plugins:
- Two-Factor (official, minimalist)
- WP 2FA (more options, can be enforced on users)
Supported methods: TOTP (Google Authenticator, Authy), hardware keys (YubiKey), backup codes.
4. Restrict access to wp-login.php
Limit login attempts
```bash
# Install the Limit Login Attempts Reloaded plugin
wp plugin install limit-login-attempts-reloaded --activate
```

Change the login URL (optional)

```bash
# WPS Hide Login changes /wp-login.php to a custom address
wp plugin install wps-hide-login --activate
```

Restrict by IP (if you have a static IP)
In .htaccess (this is the Apache 2.2 mod_access_compat syntax; on Apache 2.4 use the equivalent Require directives):

```apache
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from 123.45.67.89
</Files>
```

5. Disable XML-RPC
XML-RPC is the old WordPress API and the most common vector for brute-force and DDoS attacks. If you do not use the WordPress mobile app or Jetpack, switch it off:
In .htaccess:

```apache
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
```

Or in functions.php:

```php
add_filter('xmlrpc_enabled', '__return_false');
```

6. File and directory permissions
```bash
# Directories: 755
find /var/www/wordpress -type d -exec chmod 755 {} \;
# Files: 644
find /var/www/wordpress -type f -exec chmod 644 {} \;
# wp-config.php: 600 (owner only)
chmod 600 wp-config.php
# .htaccess: 644
chmod 644 .htaccess
```

With 600 permissions wp-config.php is readable only by its owner, so the file must be owned by the user PHP runs as (otherwise the site cannot start). Nobody else on the server can then read your database passwords.
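Before running the blanket chmod commands above it is worth seeing what actually deviates from the 755/644/600 scheme, and in particular what is world-writable. The audit script below is an added example, not part of the original article; it assumes POSIX sh and a find(1) that accepts octal and symbolic -perm forms (GNU and BSD both do), and the directory it is pointed at is whatever WordPress root you pass in.

```shell
#!/bin/sh
# Added example (not from the original article): report paths in a WordPress
# tree whose mode differs from the 755/644/600 scheme, instead of chmod-ing
# everything blind. Assumes GNU or BSD find.

# Print one line per deviating path: "<kind> <path> (expected <mode>)".
wp_perm_findings() {
  root="$1"
  # wp-config.php holds the database credentials: owner-only (600)
  find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600 \
    -exec sh -c 'printf "config %s (expected 600)\n" "$1"' _ {} \;
  # Directories should be 755: traversable, writable only by the owner
  find "$root" -type d ! -perm 755 \
    -exec sh -c 'printf "dir %s (expected 755)\n" "$1"' _ {} \;
  # Regular files should be 644; wp-config.php has its own rule above
  find "$root" -type f ! -name wp-config.php ! -perm 644 \
    -exec sh -c 'printf "file %s (expected 644)\n" "$1"' _ {} \;
}

# The urgent subset: world-writable paths. On shared hosting any other
# local account could plant PHP there, so fix these first.
wp_world_writable() {
  find "$1" \( -type f -o -type d \) -perm -o+w
}

# Number of findings; 0 means the tree matches the scheme.
wp_perm_count() {
  wp_perm_findings "$1" | wc -l | tr -d ' '
}

# Usage (WordPress root as the argument):
#   wp_perm_findings /var/www/wordpress
#   wp_world_writable /var/www/wordpress
```

Run it once before and once after the chmod commands; the second run should report zero findings, and anything it still lists has been touched by something other than your deployment.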
7. Security headers
Add to .htaccess (requires mod_headers) or your server configuration:

```apache
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"
```

8. Disable the in-dashboard file editor
WordPress ships with a built-in editor for theme and plugin files. If someone takes over an admin account they can edit PHP straight from the browser. Disable it:
```php
// wp-config.php
define('DISALLOW_FILE_EDIT', true);
```

9. Hide the WordPress version
Exposing the WordPress version in meta tags and RSS headers makes it easier for attackers to pick the right exploit:
```php
// functions.php
remove_action('wp_head', 'wp_generator');
```

10. Monitoring and scanning
Scan the site regularly for malicious code and unauthorised changes. Tools:
- Wordfence: firewall and malware scanner (the free version is enough)
- WP-CLI checksum: verifies the integrity of core and plugin files against the official checksums:

```bash
wp core verify-checksums
wp plugin verify-checksums --all
```

If the output contains Warning: File was modified, someone has changed WordPress files. Investigate or restore from backup.
Summary checklist
- WordPress, plugins and themes are up to date
- Strong, unique password and 2FA on the admin account
- Login attempt limiting is active
- XML-RPC is disabled
- File permissions: 644/755, wp-config.php: 600
- In-dashboard file editor is disabled
- Security headers are configured
- Unused plugins and themes are removed (deleted, not just deactivated)
- Regular malware scanning
- Automated, off-site, tested backups