How to Harden WordPress Security After Installation

Most WordPress sites get hacked not because they were specifically targeted, but because they were easy. Default installations leave several settings in place that make the job simpler for automated bots and brute-force tools scanning millions of sites every day. The good news is that tightening those weak points takes less than an hour.

Security hardening is the process of adjusting your WordPress setup to reduce the surface area for attack. Whether you’ve just installed WordPress or are working through the step-by-step process of building a WordPress website from scratch, running through this checklist before going live is one of the most important things you can do. A hardened site doesn’t become impenetrable — no site is — but it gets passed over in favour of softer targets, and that’s the practical goal.

I run through these steps on every site I build before handing it to a client. They cover the settings that matter most and that beginners most commonly miss.

Quick Answer

To harden WordPress security after installation: update core, themes, and plugins; change the default admin username; use a strong password; limit login attempts; enable two-factor authentication; set correct file permissions; disable XML-RPC; install a firewall plugin; and protect wp-config.php. Each step closes a known attack path.

Why This Matters

A fresh WordPress installation is functional but not particularly hardened. The default configuration is built for broad compatibility, not maximum security. Bots scan for sites running outdated software, weak login credentials, and exposed configuration files continuously — and they find them.

Common attack paths on unhardened sites include brute-force login attacks, exploitation of vulnerabilities in outdated plugins, and direct access to sensitive files like wp-config.php. These steps close those gaps methodically.

How to Harden WordPress Security After Installation

Keep Everything Updated

The single most effective security measure is keeping WordPress core, themes, and plugins updated. Most successful WordPress compromises exploit known vulnerabilities for which a patch already exists, and those vulnerabilities are far more often in plugins and themes than in core.

WordPress applies minor core releases (security and maintenance updates) automatically by default; leave that on, and consider the option under Dashboard → Updates to auto-update major versions as well. Since WordPress 5.5 you can also switch on automatic updates per plugin on the Plugins screen and per theme under Appearance → Themes. Whatever you don't auto-update, review and apply at least weekly. Remove anything you're not actively using: an inactive plugin's code still sits on disk and can still be reachable by direct request, so a vulnerability in it is still a vulnerability in your site.

Use a Strong Admin Username and Password

If you used "admin" as your username during installation (the historical default), change it immediately. WordPress doesn't let you rename a user from the dashboard, so go to Users → Add New, create a new administrator account with a distinct username, log in with the new account, then delete the original admin user and choose to reassign its content to the new account when prompted.

Use a password manager to generate a random password of at least 20 characters, and don't reuse it anywhere else. Weak or reused passwords remain the most common entry point on hacked sites.
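The same account replacement done from the command line, as an added example rather than code from the article. It assumes WP-CLI (the wp command) is installed and is run from the site root; the user names and e-mail address are placeholders you substitute.

```shell
#!/bin/sh
# Added example, not from the original article: replace the default "admin"
# account with WP-CLI instead of clicking through Users → Add New. Assumes
# WP-CLI is installed and this runs from the WordPress root. "admin",
# "ops-admin" and the e-mail address are placeholders.
# Usage: replace_admin_user admin ops-admin ops@example.com

replace_admin_user() {
    old="$1"; new="$2"; email="$3"
    [ "$old" != "$new" ] || { echo "new login must differ from old" >&2; return 2; }

    old_id=$(wp user get "$old" --field=ID 2>/dev/null) \
        || { echo "user '$old' not found, nothing to do" >&2; return 1; }
    if wp user get "$new" --field=ID >/dev/null 2>&1; then
        echo "user '$new' already exists" >&2
        return 1
    fi

    # 24 random alphanumerics from the kernel CSPRNG; put this in a password manager.
    new_pw=$(LC_ALL=C tr -dc 'A-Za-z0-9' </dev/urandom | head -c 24)

    # Themes print the display name, not the login, on posts and author pages;
    # "Site Editor" is a placeholder chosen so the login itself is never shown.
    new_id=$(wp user create "$new" "$email" --role=administrator \
                --user_pass="$new_pw" --display_name="Site Editor" \
                --nickname="Site Editor" --porcelain) || return 1

    # Remove the old account and hand its posts and pages to the new one.
    wp user delete "$old" --reassign="$new_id" --yes || return 1

    echo "replaced user $old (ID $old_id) with $new (ID $new_id)"
    echo "password for $new: $new_pw"
    return 0
}

if [ "$#" -eq 3 ]; then
    replace_admin_user "$@"
fi
```

The password is printed exactly once; store it in the password manager before closing the terminal. Setting a display name and nickname that differ from the login matters because the login is what a brute-force tool needs, and the display name is what the theme publishes.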

Limit Login Attempts

WordPress allows unlimited login attempts by default, making automated password guessing straightforward. A login-limiting plugin changes this — after a set number of failed attempts from an IP address, further attempts are blocked for a defined period.

Limit Login Attempts Reloaded handles this with minimal configuration beyond installation. Set the threshold to three or five failed attempts before triggering a lockout. Bear in mind that an IP-based lockout is a speed bump, not a wall: a botnet spreads its guesses across many addresses, and a lockout can just as easily catch a colleague behind the same office NAT. That is why the next step matters more.

Enable Two-Factor Authentication

Two-factor authentication adds a second layer to your login — even if someone has your password, they can’t get in without the second factor. Use a plugin such as WP 2FA or Wordfence Login Security to set up authenticator app-based 2FA for all administrator accounts.

This is one of the most effective single changes you can make. A compromised password on its own is useless to an attacker without the second factor. Prefer a time-based code from an authenticator app (or a hardware key) over codes sent by e-mail, since an e-mail code is only as strong as the mailbox it lands in.

Set Correct File Permissions

WordPress file permissions control which processes can read or write to your files. Incorrect permissions — particularly files set to 777 — can allow unauthorised modification of your site’s content and code.

The correct settings are:

  • Directories: 755
  • Files: 644
  • wp-config.php: 600 or 640

You can check and adjust these via cPanel's File Manager, over SFTP/FTP, or with chmod over SSH. Most managed WordPress hosts set these correctly by default; shared hosting environments sometimes do not. One caveat: these modes assume PHP runs as the user that owns the files, which is the norm on shared and managed hosts. If the web server runs as a different user, uploads and in-dashboard updates will fail under 755/644; the fix is to change the owner of wp-content to the user PHP runs as, never to loosen permissions to 777.
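A script that applies the modes above to a whole tree and then audits it, as an added example and not part of the original article. It assumes the single-owner layout described above, where nothing needs group or world write; the path in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not code from the original article): reset a WordPress tree to
# the recommended modes and then audit it. Assumes the files are owned by the
# user PHP runs as, so no directory or file needs group or world write.
# Usage: harden_wp_perms /var/www/example.com/public_html
#        audit_wp_perms  /var/www/example.com/public_html

harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # Directories first so the file pass can descend into everything.
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php carries the database credentials: owner read/write, group read.
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
    return 0
}

# List anything world-writable (777, 666, ...) or off the recommended modes.
# Returns 0 when the tree is clean, 1 when there is something to fix.
audit_wp_perms() {
    root="$1"
    bad=$(
        find "$root" -perm -002 -print
        find "$root" -type d ! -perm 755 -print
        find "$root" -type f ! -name wp-config.php ! -perm 644 -print
        if [ -f "$root/wp-config.php" ]; then
            find "$root/wp-config.php" ! -perm 640 ! -perm 600 -print
        fi
        :
    )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad" | sort -u
        return 1
    fi
    return 0
}
```

Run the audit on its own first; its output is the list of paths a previous installer, plugin, or panicked "chmod 777" left behind, and that list is worth a look before you blanket-reset everything. Run the audit again after hardening and from time to time afterwards, since some plugins re-loosen their own directories on update.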

Disable XML-RPC

XML-RPC is a remote access protocol built into WordPress and served from xmlrpc.php. Its system.multicall method lets a single HTTP request carry hundreds of login attempts, which is what makes it attractive for brute-force attacks, and its pingback method has been abused to reflect traffic at third-party sites. Most sites don't need it; it's required only if you use the WordPress mobile app, Jetpack, or a remote publishing tool that talks to your site over XML-RPC.

The simplest method is a dedicated plugin like Disable XML-RPC. Most security firewall plugins also include this as a toggle, so check your security plugin settings before installing a second plugin for this purpose. Note that plugin-level disabling works through WordPress's xmlrpc_enabled filter, which only refuses methods that require a login; xmlrpc.php itself still executes, and pingback.ping does not require a login. If you have server access, denying requests to xmlrpc.php in the web server configuration (the same way as for wp-config.php below) shuts the door completely.

Install a Firewall Plugin

A WordPress firewall plugin filters malicious requests before they reach your site. Plugins like Wordfence or Solid Security provide a web application firewall, malware scanning, and login security in one package.

After installation, run the setup wizard and enable the firewall in learning mode for a day or two before switching to enforcement mode. This avoids accidentally blocking legitimate traffic from your own admin activity.

Protect wp-config.php

The wp-config.php file contains your database credentials and security keys. In normal operation a request for it simply executes the file and returns an empty page, but if PHP handling ever breaks or is misconfigured, the web server would hand out the raw source, credentials included. On Apache, add the following rule to your .htaccess file so the server refuses the request outright:

<Files wp-config.php>
    Require all denied
</Files>

Require all denied is the Apache 2.4 form; on Apache 2.2, or on 2.4 with mod_access_compat loaded, the older pair Order allow,deny / Deny from all does the same job. nginx ignores .htaccess entirely, so there you need a location block in the server configuration that returns 403 for the file. Either way, this rule is independent of file permissions: permissions control what local processes can read, this controls what the web server will serve.
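Once XML-RPC is disabled and the wp-config.php rule is in place, it is worth confirming both from the outside. The probes below are an added example, not code from the article; they assume curl is installed and the site URL is a placeholder. The XML-RPC probe calls wp.getUsersBlogs with bogus credentials because the reply distinguishes the three states you care about: WordPress answers a live endpoint with the fault "Incorrect username or password.", an endpoint switched off through the xmlrpc_enabled filter with "XML-RPC services are disabled on this site.", and a server-level deny never reaches PHP at all.

```shell
#!/bin/sh
# Added example, not from the original article: probe a site after hardening
# to confirm xmlrpc.php is unusable and wp-config.php is not served.
# Assumes curl is installed; https://example.com is a placeholder.
# Usage: probe_xmlrpc https://example.com ; probe_wp_config https://example.com

# Classify the HTTP status and body of a wp.getUsersBlogs call made with
# bogus credentials. Returns 0 for an acceptable state, 1 for one to fix.
classify_xmlrpc() {
    code="$1"; body="$2"
    case "$code" in
        200) ;;
        403|404|405|410) echo "blocked-at-server"; return 0 ;;
        *) echo "unexpected-http-$code"; return 1 ;;
    esac
    case "$body" in
        *"disabled on this site"*) echo "disabled-in-wordpress"; return 0 ;;
        *"Incorrect username or password"*) echo "OPEN"; return 1 ;;
        *) echo "unexpected-body"; return 1 ;;
    esac
}

probe_xmlrpc() {
    site="${1%/}"
    req='<?xml version="1.0"?><methodCall><methodName>wp.getUsersBlogs</methodName><params><param><value><string>probe</string></value></param><param><value><string>probe</string></value></param></params></methodCall>'
    tmp=$(mktemp)
    code=$(curl -s -o "$tmp" -w '%{http_code}' -H 'Content-Type: text/xml' \
                --data "$req" "$site/xmlrpc.php")
    body=$(cat "$tmp"); rm -f "$tmp"
    classify_xmlrpc "$code" "$body"
}

# A GET for wp-config.php should be refused. A 200 with an empty body means
# PHP executed the file as usual and the deny rule is not in effect (nginx,
# for instance, ignores .htaccess). A 200 containing DB_PASSWORD means the raw
# source is being served and the database credentials are already public.
classify_wp_config() {
    code="$1"; body="$2"
    case "$code" in
        403|404) echo "blocked"; return 0 ;;
        200) case "$body" in
                 *DB_PASSWORD*) echo "SOURCE-EXPOSED"; return 1 ;;
                 *) echo "executed-not-blocked"; return 1 ;;
             esac ;;
        *) echo "unexpected-http-$code"; return 1 ;;
    esac
}

probe_wp_config() {
    site="${1%/}"
    tmp=$(mktemp)
    code=$(curl -s -o "$tmp" -w '%{http_code}' "$site/wp-config.php")
    body=$(cat "$tmp"); rm -f "$tmp"
    classify_wp_config "$code" "$body"
}
```

For XML-RPC, "blocked-at-server" is the state to aim for; "disabled-in-wordpress" is acceptable for the brute-force problem but means the file still runs and pingback.ping may still answer. For wp-config.php, anything other than "blocked" needs attention, and "SOURCE-EXPOSED" means rotating the database password and the security keys before anything else.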

Change the Default Login URL

The WordPress login page lives at /wp-login.php and /wp-admin/ by default. Automated tools know this and continuously hammer these addresses with login attempts. A plugin like WPS Hide Login moves the login page to a custom URL of your choice, which significantly reduces bot traffic hitting your login form. Treat this as noise reduction rather than a security control: anyone who learns the new URL faces the same login form, so the attempt limits and 2FA above still do the real work. Write the new URL down somewhere safe, because locking yourself out is the most common side effect.

Practical Tips

Run through this checklist before a site goes live, not after. Retrofitting security onto an active site with existing content and users is more disruptive, and it is easier to miss a step.

Document the changes you make — particularly the custom login URL and any database prefix changes — somewhere secure. You’ll need them for future maintenance and troubleshooting.

In most sites I build, a combination of login hardening, a good firewall plugin, and keeping everything updated handles the vast majority of real-world threats. The WordPress hardening documentation covers additional server-level steps worth reading if you have hosting control panel access.

Common Mistakes

Skipping updates because they feel risky. Updates do occasionally break things — which is exactly why you take a backup before applying them. Avoiding updates entirely is far more dangerous long-term.

Installing a security plugin and assuming the job is done. A firewall plugin reduces risk; it doesn’t eliminate it. The manually managed steps — strong passwords, correct file permissions, removing unused plugins — still matter and no plugin handles them for you.

Leaving unused themes installed. Every installed theme is code on disk that still needs patching whether or not it is active, and the bundled default themes are no exception. Delete any theme you're not using. If you keep one current default theme as a fallback for when your active theme breaks, keep it updated like everything else.

Hardening vs Ongoing Security Monitoring

Security hardening is preventive — it reduces the number of ways an attacker can get in. It’s distinct from ongoing monitoring, which involves watching for signs that a breach has already occurred.

For most small sites, hardening plus a security plugin that includes malware scanning covers both adequately. Larger sites or those handling sensitive data benefit from dedicated monitoring services or a managed WordPress host with built-in security scanning. Hardening is always the right starting point, regardless of site size.

Conclusion

Work through these steps right after installing WordPress and before you start building. Updating everything, changing the default admin username, setting a strong password, limiting login attempts, and installing a firewall plugin takes under an hour — and that hour makes your site significantly harder to compromise than most sites on shared hosting.