WordPress Security Hardening: Complete Guide to Securing Your WP Site | SoniNow Blog

Tags: wordpress, security, hardening, firewall, malware

Published: 2026-06-23
Read time: 5 mins

WordPress powers over 43% of the web, which makes it the single largest target for automated attacks. Brute force login attempts, vulnerable plugins, compromised admin accounts, and file inclusion exploits account for the vast majority of WordPress security incidents. The good news is that a focused set of hardening measures can eliminate 95% of common attack vectors without requiring expensive security services.

Securing User Accounts and Permissions

User account compromise is the most common entry point for WordPress attacks. Start by auditing every user account on your site using the Users screen and WP-CLI. Remove inactive accounts, change weak passwords, and enforce role-based access:

wp user list --field=ID | xargs -I {} wp user meta update {} use_ssl 1   # force SSL in the admin area for every user
wp role create content_editor 'Content Editor'                            # wp role create takes a role key and a display name
wp cap add content_editor edit_posts upload_files moderate_comments       # capabilities are granted separately with wp cap

Enforce strong password policies using a plugin like WPassword or through your hosting control panel. Disable the default admin username if it still exists — create a new administrator account with a unique name and delete the old one. Enable Two-Factor Authentication (2FA) for all administrator and editor accounts using a plugin like Two-Factor or Wordfence.

File Permissions and Ownership

Improper file permissions give attackers write access to critical WordPress files. The correct WordPress file permissions model is:

  • All files: 644 (owner write, group/other read)
  • All directories: 755 (owner write/execute, group/other read/execute)
  • wp-config.php: 600 or 440 (restrict access to owner and web server user only)
  • uploads directory: 755 (directories) / 644 (files)

Run this command to reset permissions correctly:

find /var/www/html -type f -exec chmod 644 {} \;
find /var/www/html -type d -exec chmod 755 {} \;
chmod 600 /var/www/html/wp-config.php
chown -R www-data:www-data /var/www/html/

Never set file permissions to 777. If a plugin or theme requests writable files, investigate why — legitimate requirements are rare.

Database Security Hardening

The WordPress database stores all sensitive data including hashed passwords, user emails, and session tokens. Protect it by changing the default wp_ table prefix during installation or using a plugin to rename it after the fact:

// wp-config.php -- the prefix must be a fixed string (letters, numbers and underscores only),
// generated once at install time, e.g. with: php -r 'echo bin2hex(random_bytes(4));'
$table_prefix = 'snw_3f9a1c7e_';   // constructed example value; never compute it at runtime or the site breaks

Use parameterized database queries for any custom $wpdb operations and ensure your WordPress installation uses the mysqli database driver (not the deprecated mysql driver). Enable SSL for database connections if your hosting environment supports it:

define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL);
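To show what "parameterized $wpdb queries" means in practice, here is an added example that is not from the original post: the same custom lookup written with string concatenation and then with $wpdb->prepare(). The audit_log table, its columns and the snw_ function names are assumptions.

```php
<?php
// Added example, not code from the post. Assumes a custom table
// {$wpdb->prefix}audit_log with columns user_id, action, created_at.

// UNSAFE: $action arrives from the request and is concatenated straight
// into the SQL string, so a crafted value changes the query's meaning.
function snw_audit_entries_unsafe(string $action): array {
    global $wpdb;
    $table = $wpdb->prefix . 'audit_log';
    return $wpdb->get_results(
        "SELECT user_id, created_at FROM {$table} WHERE action = '{$action}'",
        ARRAY_A
    ) ?: [];
}

// SAFE: values are bound through $wpdb->prepare() placeholders (%s, %d).
// The table name is built from $wpdb->prefix, which is not user-controlled,
// so interpolating it is acceptable; user input never is.
function snw_audit_entries(string $action, int $limit = 50): array {
    global $wpdb;
    $table = $wpdb->prefix . 'audit_log';
    $sql = $wpdb->prepare(
        "SELECT user_id, created_at FROM {$table}
         WHERE action = %s ORDER BY created_at DESC LIMIT %d",
        $action,
        max(1, min($limit, 500))   // clamp the limit as well
    );
    return $wpdb->get_results($sql, ARRAY_A) ?: [];
}

// Typical caller: read the parameter, sanitize it for type, pass it as a
// bound value. Sanitizing does not replace prepare(); both are used.
function snw_audit_entries_from_request(): array {
    $action = isset($_GET['action']) ? sanitize_key(wp_unslash($_GET['action'])) : '';
    return $action === '' ? [] : snw_audit_entries($action);
}
```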

Login Protection and Brute Force Prevention

Brute force attacks try thousands of username/password combinations per minute. Mitigate these at multiple levels:

  1. Limit login attempts — Use Login LockDown or Limit Login Attempts Reloaded to block IPs after 3–5 failed attempts
  2. Change the login URL — Use WPS Hide Login or a custom rewrite rule to move wp-login.php to a custom URL
  3. Disable XML-RPC — XML-RPC is a common vector for brute force amplification attacks. Disable it by adding this to your .htaccess or using a plugin:

     # Block XML-RPC
     <Files xmlrpc.php>
       Require all denied
     </Files>

  4. Disable application passwords if you do not need them — add define('WP_APPLICATION_PASSWORDS', false); to wp-config.php
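The login-limiting plugins named above all implement the same mechanism: count failures per client and refuse authentication once a threshold is hit. As an added example (not code from the post or from any of those plugins), here is a minimal must-use plugin that does this with WordPress transients keyed by client IP and also switches XML-RPC off at the application layer; the thresholds and the snw_ prefix are assumed values.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Locks an IP out after repeated failed logins, using transients.
 * Place in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 */

const SNW_MAX_ATTEMPTS = 5;     // assumed: failures allowed before lockout
const SNW_LOCKOUT_SECS = 900;   // assumed: lockout window, 15 minutes

// Transient key derived from the client IP. REMOTE_ADDR is the only address
// the client cannot set in a header; behind a proxy or CDN, have the web
// server rewrite REMOTE_ADDR from the proxy's trusted real-IP header first.
function snw_attempt_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'snw_login_fail_' . md5($ip);
}

// Count a failed login (fires for an unknown user or a wrong password).
add_action('wp_login_failed', function ($username) {
    $key   = snw_attempt_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, SNW_LOCKOUT_SECS);   // window restarts on each failure
    if ($count >= SNW_MAX_ATTEMPTS) {
        // Log the lockout so it shows up in the PHP/web server error log for alerting.
        error_log(sprintf('WP login lockout: ip=%s user=%s attempts=%d',
            $_SERVER['REMOTE_ADDR'] ?? '?', sanitize_user($username), $count));
    }
});

// Refuse authentication while locked out. Priority 30 runs after WordPress's
// own username/email password checks (priority 20), so a correct password
// is still rejected during the lockout window.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(snw_attempt_key()) >= SNW_MAX_ATTEMPTS) {
        return new WP_Error('snw_locked_out',
            __('Too many failed login attempts. Please try again later.'));
    }
    return $user;
}, 30, 3);

// Reset the counter once a login succeeds.
add_action('wp_login', function () {
    delete_transient(snw_attempt_key());
});

// Disable XML-RPC in WordPress itself; this works regardless of the web server,
// whereas the .htaccess rule above applies only to Apache.
add_filter('xmlrpc_enabled', '__return_false');
```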

Web Application Firewall and .htaccess Hardening

A Web Application Firewall (WAF) filters malicious traffic before it reaches your WordPress installation. Cloudflare's WAF offers a free rule set that blocks SQL injection, XSS, and file inclusion attempts. For server-level protection, add these rules to your .htaccess:

# Block direct access to PHP files in wp-includes (requires mod_rewrite)
RewriteEngine On
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

# Block PHP execution in uploads. <Directory> is only valid in the main server
# configuration, not in .htaccess, so put this block in a separate .htaccess
# file inside wp-content/uploads/ instead. It works with any PHP handler,
# whereas php_flag only applies when PHP runs as an Apache module.
<FilesMatch "\.(php|phtml|php[0-9])$">
  Require all denied
</FilesMatch>

# Protect wp-config.php
<Files wp-config.php>
  Require all denied
</Files>

Plugin and Theme Security

Vulnerable plugins account for over 50% of WordPress security breaches. Keep core, plugins and themes updated. At a minimum, enable automatic updates for minor core releases (the constant below only covers core; plugin and theme auto-updates are enabled per item on the Plugins and Themes screens):

define('WP_AUTO_UPDATE_CORE', 'minor');

Delete unused plugins and themes entirely (not just deactivate). A deactivated plugin can still be exploited. Subscribe to Patchstack or WPScan for vulnerability notifications, and set up a staging environment to test plugin updates before deploying to production.

Malware Scanning and Incident Response

Even with hardening, monitor your site for signs of compromise. Schedule automated scans with plugins like Wordfence or Sucuri Security that check core file integrity, suspicious database content, and known malware signatures. Set up file integrity monitoring for critical files by recording a baseline hash once and comparing against it on a schedule:

sha256sum /var/www/html/wp-includes/version.php /var/www/html/wp-config.php > /var/lib/wp-integrity.baseline   # run once to record the baseline
sha256sum --quiet -c /var/lib/wp-integrity.baseline || logger -t wp-integrity "monitored WordPress file changed"   # run from cron; non-zero exit means a change

Create a documented incident response plan: (1) Take the site offline with a maintenance page, (2) Rotate all passwords and API keys, (3) Restore from a clean backup, (4) Identify and patch the vulnerability, (5) Scan for backdoors before re-enabling the site.

Backup Strategy

Every hardening measure is useless if you cannot restore. Implement the 3-2-1 backup rule: three copies of your data, on two different media types, with one copy offsite. Automate daily database backups with WP-CLI and weekly full backups with a plugin or server-level cron job:

0 3 * * * wp db export /backups/wp-$(date +\%Y\%m\%d).sql --path=/var/www/html

Security is not a one-time configuration. SoniNow's WordPress security team provides ongoing hardening, monitoring, and incident response for WordPress sites of all sizes. Contact us for a security audit.