WordPress Hardening: 12 Ways to Harden Security of Your Website

Oct 16, 2019

WordPress Hardening: 12 Ways to Harden Security of Your Website

Oct 16, 2019

When we create a website, many don’t pay heed to security because there is a notion that hackers only target large and popular sites. But in reality, hackers target sites that are simply easy to hack. So big or small, popular or not, WordPress security hardening is something you should implement right from the start.

Most hackers target WordPress sites that are easy to hack, regardless of whether they are big or small, old or new, popular or not. Once inside, they use the website to carry out a number of malicious acts that are harmful to you and your users.

Unfortunately, it’s only when we face a hack do we realize the importance of having a site security plan. Here, we’ll discuss the ways in which we can tighten up the security of our websites so that it becomes really hard for hackers to get in.

Note: Usually, hackers look for websites with minimal or no security at all such as a personal WordPress blog or an NGO website. If you have security measures in place, they’ll move on to an easier target. As a result your website will be safe.

Every website, big or small, needs to implement a robust security plan. There are many measures you can take to make your website rock solid. If you want to harden your site immediately, install MalCare, and it will take care of everything for you. No worries, no hassle!

However, the security of your website should be a top priority. It is important to come back and learn more about WordPress Hardening, because the consequences of not having them in place are severe.

What is WordPress Website Hardening?

Website hardening in simple terms means putting rock-solid security measures in place. While we do need a WordPress security plugin to scan and clean our website, we also need to take hardening measures beyond that to make it robust.

To metaphorize this, think of your website as a house you built. You want to keep the house on display for visitors, but safe from burglars who can come in unauthorized and steal things or destroy your house. An open window or unlatched door might lead to such a disaster.

thief stealing


Therefore, to protect it from the enemy, you will need to seal all these entry points, put grills on windows, install a security alarm system, and even restrict access only to authorized family members.

We need to apply the same principles to our websites. Here, we give you 12 important steps to take to fortify your website.

Benefits of hardening your WordPress Website

1. Seal known vulnerable areas

Hardening measures enable you to lock vulnerable entry points that you don’t use anyway. And in this way, hackers are unable to access your site from these known areas and you can stay protected.

2. Optimize performance

Hackers use your website to run malicious activities. They need to use your website’s resources to carry them out. This will overload your server and bring down the performance of your site.

Once you harden your site, you will be protected from hackers and you can focus on ensuring your website runs at its best performance level.

3. Avoid Google Blacklisting

If your website gets hacked, chances are Google will blacklist your website. This is because Google puts the user’s experience and satisfaction above all.

Hacked WordPress sites put users at potential risk of having their information stolen or downloading malicious content/software.

To remove Google Blacklist, it is a long procedure and it’s best to avoid it altogether.

4. Avoid web host suspension

Similar to Google, WordPress hosts such as Hostgator, Siteground, or Bluehost will also suspend your site if they find out you’re hacked.

Web hosts regularly scan the websites they have on their web servers. In case of shared hosting, if malware is found, your account will be suspended to protect other websites they have on the same server.

Another reason they suspend your account is your hacked WordPress website would exceed the server resource limit allowed.

If you choose not to harden your website, not only could you face the consequences mentioned above, you also stand to lose traffic and potential customers. You could face suspension by your ad partner. And lastly, it goes without saying, you’ll experience a drop in revenue.

12 ways for hardening your WordPress website

There are different levels of security you can implement on your website. The list of measures is a long one. Here, we’ve covered the most important steps you need to start taking immediately to keep hackers away.

Tip: Before you make any changes, take a backup of your website. It’s best to have WordPress backups in case anything goes wrong.

1. Implement 2-Factor Authentication

One of the most common ways hackers break into websites is through the login page. They use a technique called brute force attacks wherein they use bots to guess the login credentials of a website. Another way hackers can get in is if your data was leaked from another website. Hackers are aware that many people use the same username and password for multiple accounts across the internet, and hence, it becomes easier to play the guessing game!

To protect yourself, you can add a two-factor verification for every user – whether they are Super Admin, Administrator, Editor, Author, Contributor, or a Subscriber.

Many websites, Gmail for example, give users the option of 2-step verification to log in to their accounts. This will require a user to provide their login details first, and then enter a password that is generated in real-time (usually a one-time password sent to the registered phone number). It makes your account harder for hackers to crack or gain access to your WordPress dashboard.


two factor authentication

2-Factor Authentication makes it harder for hackers


You can implement the same technology on your website to make it more secure. A popular app for the same is Google authenticator that generates a password every 30 seconds. You can also use a secret code that only the user knows or is sent to their email or phone number.

2. Limit Login Attempts

There’s a reason why websites, especially banks, give users only three attempts to get their username and password right. After that, they are given the option of ‘Forgot password’ or they can even get locked out of their accounts. The image below is an example of a warning that is generated and displayed on the login screen when the user has attempted to login with wrong credentials.


failed attempts


This is essentially to eliminate bruteforce attacks and reduce the success of hackers and fraudsters.

By default, WordPress allows an unlimited number of login attempts. Enabling limited login attempts on your website increases its security and ensures hackers can’t try thousands of combinations to get in. There are three ways in which you can limit login attempts on your website.

  • By manually inserting code in the functions.php file. You need to add a WordPress action and hook filter with a corresponding callback function. This method is technical and risky. If you aren’t savvy with coding, it’s best not to attempt this.
  • You can add a plugin like Limit Login Attempts Reloaded.
  • If you aleady have the MalCare security plugin active on your website, you automatically have limited login protection against failed attempts. The plugin implements captcha-based protection that will prevent bad bots from accessing your site.

3. Block PHP Execution in Untrusted Folders

This is a bit technical but let’s try to simplify it as much as possible. First, you need to know PHP is a scripting language that is used in web development. A PHP function is a block of code written in a program that can be executed to perform a certain task.

Next, your WP website is made up of files and folders. However, only certain files and folders use php functions.

Once a hacker gains access to your website, they can create their own folders, or they can insert their PHP functions into your existing ones.

To prevent such a hack, you can block the execution of PHP functions from any unknown folder. And you can also disable the PHP executions in places where it doesn’t need to happen.

For this, simply follow the steps below:

Caution: Meddling with the backend files and database tables of WordPress is risky business and can cause your site to break. It requires technical knowledge. If you don’t know what you’re doing, it’s best to get professional help.

How to Block PHP Execution

1. Access your website’s files via cPanel > File Manager. If you don’t have access to cPanel, you can use an FTP client like FileZilla. You’ll need your FTP credentials to access your files.

2. Go to public_html and you’ll see three folders called wp-includes, wp-admin, and wp-content, like so:


wp includes, content and admin


3. Next, look for the .htaccess file. If it doesn’t exist, you can create one by opening a text editor like Notepad and saving it as .htaccess.

4. You need to paste the following code in your .htaccess file.

<Files *.php>
deny from all

5. If you’re creating a new file, you need to upload it to two folders:


This will alter the file permissions and prevent any PHP file from running in these directories. If this is all too technical, security plugins like MalCare automate this for you. To block PHP executions and implement other hardening measures using Malcare, we’ve detailed the steps in the next section.


4. Disable File Editor

If a hacker gets access to an WordPress Administrator account, they can take full control of your website. From the dashboard, they can edit the coding of your theme and plugins through the option of “Editor”. They can also upload their own scripts to display their content, deface your site, spam your users, etc. The most common hacks that occur through these editors include SQL injections and SEO Spam hacks.

To find the editor, go to Appearance > Editor. And Plugins > Plugin Editor like so:


disabling file editor


To disable the editor, you need to access your wp-config file. The same way we accessed the website’s files using File Manager or FTP can be used here as well.

The next part requires technical coding knowledge and comes with potential risk of breaking your site if not done correctly. If you don’t know what you’re doing, it’s best not to attempt it even though it seems so easy. We recommend using the ‘Disable file editor’ feature in MalCare. 

If you wish to carry on with the manual method, we’ve detailed the steps you need to carry out.

1. In your File Manager, find your wp-config file and right-click to get the ‘Edit’ option.


editing wp-config file


2. Here, you will see more information about it and you can select ‘disable encoding check’. Then proceed to ‘Edit’.


disable encoding check


3. Now, it opens up your wp-config file and leaves you wondering what to do next! Don’t stress. Scroll down and find the line:

/* That’s all, stop editing! Happy publishing. */

Above this, paste the following code

define( ‘DISALLOW_FILE_EDIT’, true );

Save changes and close the editor.


inserting code in wp-config file


4. Return to your dashboard and you’ll see that you no longer get the editor option.


check for edit option


Note: If you do not have access to cPanel, you can download your wp-config file via FTP. Open it in any text editor and add the line of code. Upload it back to the website the same way you downloaded it. You can overwrite the old file.

5. Change Security Keys

To log in easily, WordPress stores your credentials so you don’t have to enter your credentials every time you want to login. But what’s important here is that it’s stored in an encrypted form.

If the data is stored in plain text, when a hacker gets ahold of the data, they can just read it. If the data is encrypted, it will look like random text that they cannot use.

To encrypt the data, WordPress has to use something known as security keys and salts. In simple terms, keys are random variables that encode your admin username and password, and salts basically help improve the encryption one step further.

If hackers are able to get their hands on your security keys and salts, they can decipher the encrypted data and hack into your account.

It’s recommended to replace your old keys and salts from time to time. To get a fresh set of keys and salts you can use this link: Secret Key. You will get a page that looks like this:


secret key generator


Now using the same method above, access your files and copy-paste the values that are generated into your wp-config file, here:


pasting code into wp-config file


Here too, since it requires altering the coding, we caution WordPress website owners to not attempt it if they are not tech-savvy. It’s best to use a security plugin that will handle this for you. This ensures you don’t risk breaking your site. We’ve detailed how to change security keys and salts using MalCare a bit later.

6. Make it mandatory to use strong passwords

It goes without saying, an easy password is easy to guess. When you have multiple users handling your website, you need to ensure every user maintains a strong password and also changes it regularly.

Now, this may be easier on a small scale, but when it comes to a bigger team, it would be better to have a software that will automate this for you.

WordPress by default will alert you if you choose a weak password:


creating a weak password


You can choose to override it by checking ‘confirm use of weak password’. By doing so, you are leaving your website vulnerable to attacks. It’s recommended to use a phrase in combination with numbers and symbols to make your password strong as ever.


creating a strong password


To force the users to update their passwords, there used to be plugins like Expire passwords. It would allow you to set a maximum number of days before the password expires. However, most of these plugins have not been updated for a long time, so we wouldn’t recommend using them. Instead, you can use an all-round security solution like MalCare. We’ll delve into the details later.

7. Disallow Plugin Installations

Many times, a user or a client might mindlessly install a plugin without checking its compatibility or credibility. This can lead to a number of problems on your site. You can disable plugin and theme updates and installations in two ways:

By adding a line of code to your wp_config php file

Follow the same method as detailed under the Disable File Editor section. You need to add the following line:


To roll out updates to themes and plugins, and to install new ones, you will need to go back and delete this line of code.

Using a security plugin

The easiest way to enable and disable this function is by using a plugin. If you’re using MalCare, you simply need to click a button to enable it and repeat the same to disable it.

This is an extreme measure but a necessary one in cases where you have to many users handling your site, or in case you would like to limit your client from installing plugins unnecessarily.

8. Keep an Audit Log

This may not be a hardening measure per se, but it is an absolute must-have security measure. Simply install a plugin like WP Security Audit Log which will track everything that happens on your website. And in this way, you will know exactly what your users are doing and when.

This enables you to monitor what’s happening on your website and also gives users accountability for their actions.

The plugin will keep track of everything – logins, logouts, changes made, creations, modifications, deletions, additions, updates, etc. If you are hacked, you can refer to the activity log to identify any suspicious activity or changes made.

You can get instant notifications if there have been any critical changes made to your website. You can also log off or block any user with just a click.

9. Auto logout inactive users

This feature is seen primarily with bank websites and apps that log you out after a period of inactivity. This is to protect your account from any unauthorized access.

Logging out inactive users automatically if they have logged in and not carried out any tasks on the website.

To set this up, you can use a plugin like BulletProof Security. It offers a host of features, one of which is the idle session logout.

10. Set up alerts for suspicious WordPress logins

Hackers are lurking all over the web trying to find security vulnerabilities in websites. As much as you tighten up website security, there’s no telling what new hacking technique may come out next. Hackers are constantly finding ways to bypass security features. We need to be vigilant.

It’s advisable to set up alerts on your website to be notified of any suspicious activity as and when it happens.

To do this you need to use a security plugin like MalCare. It constantly scans your site and alerts you if it detects any malware or anything suspicious.

11. Set up a Web Application Firewall

A firewall will block hackers even before they visit your website. They do this by tracking IP addresses – a numerical identifier assigned to every device that’s connected to the internet.

If the IP has carried out malicious activities before, they’ll be marked and blocked from coming to your site.

You can set up a firewall using a security plugin, which we will talk about in the next section.

12. SSL Certificate

When you or a visitor accesses your website, data is transferred to the server and back. This is known as server-client communication which can sometimes bear sensitive data like IDs, passwords or credit card information.

If transferred in plain text, hackers might be able to get their hands on the data and use it. To avoid this, we need SSL.

SSL stands for Secure Sockets Layer which encrypts this data before it’s transferred. It’s then deciphered and provided to the end-user.

Once you enable the SSL, you will need to migrate your website from HTTP to HTTPS. Your website will also get a padlock icon in the address bar.

Getting an SSL certificate for your website was expensive and difficult once upon a time. But now you can get it for free and quite easily using Let’s Encrypt.

Once you implement these measures, you’ll have a hardened WordPress site. But taking on all these measures seems like be quite a task. You may need multiple plugins to apply these security protocols. Many people, especially if they aren’t tech-savvy, are deterred because it’s too much work and it seems complicated.

But these are measures that you just can’t ignore when it comes to the security of your WordPress site. Luckily, there’s an easier way.


Apply Website Hardening Using a Plugin

To make things quick and simple, there are security plugins that combine the website hardening measures you need to implement on your website. So now, you don’t have to worry about spending a lot of time figuring out the technical aspects of it.

However, not all plugins offer the same convenience and benefits. There are quite a few plugins out there, but we recommend MalCare simply because it gets the job done quick and easy in just a few clicks.




Once you install the plugin, your website is already secured. Here’s how:

    • It will scan your website regularly and check for any suspicious activity.
    • It puts up a proactive firewall that blocks malicious traffic from visiting your site.
    • In case it finds any malware present on your website, the plugin will notify you.
    • You can instantly clean malware or hack if your website is under attack.


site checking results


Now coming to hardening measures, there are different levels of website hardening you can implement on your website. These measures are optional because not all website owners will want to execute these security measures on their site. You can choose what to do according to your needs.

The three levels of website hardening you can implement are:

1. Essentials


Blocking Php execution


This enables you to block PHP execution in untrusted folders. You can also disable file editing. As we discussed earlier, this is a step you absolutely should take.

Under normal circumstances, you wouldn’t actually meddle with the files and folders of WordPress. You would only operate your website from the wp-admin dashboard. You also don’t need to edit anything in the files editor of themes and plugins. Disabling them closes some of the doors hackers can use to attack your site.

2. Advanced


blocking plugin or theme installation


You can block plugin and theme installations which means no one can install new ones on your website. This measure is a bit extreme and should be taken only if you suspect a hack or you have too many people working on the website. If you want to install a new plugin/theme, you will need to disable this from the MalCare dashboard.

3. Paranoid


change security keys


Here, you can change security keys and reset the passwords for all users. Many times, WordPress websites are operated by a team of people, with each person having their own login. This gives more room for hackers to guess credentials and access your site.

It’s important to change all security keys and passwords at regular intervals. If you have a large team, this helps automate the process and make it faster.

In case you’re recovering from a hack, this is an essential step to take to ensure you don’t get hacked again.

Apart from this, you benefit from the following WordPress security features on your website:

    • Limited login attempts.
    • CAPTCHA-based login.
    • Alerts for unauthorized access.
    • An activity log that shows file modifications/updates on your site.
    • It also analyses every IP request to protect you from hacks like brute force attacks.
    • It also prevents common WordPress security threats like SQL injections attacks, SEO spam, and your website being used in DDOS attacks.
WordPress site owners simply can’t afford to ignore website hardening measures. I found an easy way to do it. Click To Tweet


Remember: Always use the latest version of WordPress to ensure your website has all latest security updates and all known vulnerabilities in the WordPress core are sealed. You need to keep your themes and plugins updated as well for the same reasons. To learn more about WordPress updates, we recommend this guide – Updating WordPress.

Conclusion: Build an impenetrable WordPress website

No matter the size of your site, ensure you don’t just build a great website but you also make it secure! The virtual world in which it resides is plagued with bad elements from our real world. Hackers and bad bots are constantly on the prowl for vulnerable prey.

By applying these WordPress website hardening measures, you can be sure hackers will have a very tough time trying to crack your site. When they’ve tried a few times, they’ll move on knowing your website is solid. As a result your website will be safe.


Make your site a hard target

Make your site a hard target


If you’re worried that applying website hardening the manual way will break your site, consider using the MalCare plugin. It takes out the complications and makes it easy for anyone to use. To sum up, we need to implement these measures one way or the other to stay protected against hackers.

hardening wordpress website


Share via
Copy link