WordPress hardening checklist

WordPress runs roughly 40% of the web, which makes it the favorite target of opportunistic attackers. Most WordPress compromises are entirely preventable with a 30-minute hardening pass. This checklist covers the high-leverage steps in order of impact, applicable to any WordPress site running on your ipxcore cPanel hosting account.

The non-negotiable five

  1. Update everything, weekly. Outdated WordPress core, plugins, and themes are the #1 cause of compromises. Enable automatic updates: in wp-admin → Updates, you can enable auto-updates per-plugin. For your most-trusted plugins, turn auto-updates on.
  2. Delete plugins and themes you don't use. Deactivated isn't enough — the code is still on disk and can still be exploited. Remove anything not actively used.
  3. Use a strong password on every admin account. 16+ characters, generated by a password manager. Never use "admin" as a username.
  4. Enable 2FA on wp-admin. Plugins like Wordfence Login Security, Solid Security, or WP 2FA add this in 5 minutes.
  5. Install a security plugin. Wordfence (free) or Solid Security (paid) handle login limits, file change detection, and known-malware scanning automatically.

If you do only these five things, you've eliminated 90% of common attack vectors.

Hardening wp-config.php

Add the following to wp-config.php (above the /* That's all, stop editing! */ line):

Disable file editing in wp-admin

define('DISALLOW_FILE_EDIT', true);

Prevents an attacker who compromises a low-privilege account from editing theme/plugin code via wp-admin. Forces them to access the filesystem directly — a much higher bar.

Disable plugin/theme installation via wp-admin

define('DISALLOW_FILE_MODS', true);

Most attacks try to install a malicious plugin. This setting prevents it. You'll have to install legitimate plugins via SFTP, but that's a small price.

Force SSL for admin

define('FORCE_SSL_ADMIN', true);

Ensures wp-admin is only accessible over HTTPS, even if the front of the site supports HTTP.

Increase memory limit (per the PHP settings article)

define('WP_MEMORY_LIMIT', '512M');
define('WP_MAX_MEMORY_LIMIT', '512M');

Move wp-config.php out of the web root

WordPress checks the parent directory if it can't find wp-config.php in the web root. Move it from public_html/wp-config.php to /home/yourusername/wp-config.php. Now even if someone accesses your filesystem read-only, they can't pull database credentials.

Locking down wp-admin

Restrict by IP (if you have a static one)

In .htaccess in the wp-admin directory:

<FilesMatch ".*">
    Order Deny,Allow
    Deny from all
    Allow from 192.0.2.42
</FilesMatch>

# Keep this block after the FilesMatch: Apache applies later sections over earlier ones,
# so the admin-ajax.php exception must come last to take effect.
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
</Files>

Replace 192.0.2.42 with your IP. The admin-ajax.php exception is necessary because frontend code (Contact Form 7, etc.) hits it via AJAX from visitor IPs.

Hide /wp-admin behind a different path

Plugins like WPS Hide Login rename your login URL from /wp-admin to whatever you want (e.g., /control-panel). Bots scanning for /wp-admin won't find your login at all. Effective security through obscurity.

Database hardening

  • Change the table prefix. Default is wp_. Plugins like Brozzme DB Prefix change all table names to a custom prefix (e.g., xq_) in one click. Stops generic SQL injection attacks that assume wp_.
  • Use a database user with minimal privileges. WordPress only needs SELECT, INSERT, UPDATE, DELETE, CREATE, ALTER, DROP, INDEX. Strip the rest.

File permissions

Correct permissions for a WordPress install:

  • Directories: 755
  • Files: 644
  • wp-config.php: 600

From SSH:

$ find /home/USER/public_html -type d -exec chmod 755 {} \;
$ find /home/USER/public_html -type f -exec chmod 644 {} \;
$ chmod 600 /home/USER/public_html/wp-config.php
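The chmod pass above silently resets everything; it never tells you what had drifted. The script below is an added example (not from the ipxcore article) that audits a WordPress tree against the same 755/644/600 baseline and reports each path that deviates, so a cron job can alert on unexpected permission changes instead of masking them. It assumes GNU stat (as on cPanel/Linux hosts); the sample tree built by demo_tree is constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the ipxcore article: audit a WordPress tree
# against the 755 / 644 / 600 baseline and report every path that deviates,
# without changing anything. Assumes GNU stat (stat -c %a).

# Print one line per deviating path: "<expected> <actual> <path>".
# Usage: audit_wp_perms /home/USER/public_html
audit_wp_perms() {
    root=$1
    # Directories that are not exactly 755
    find "$root" -type d ! -perm 755 -exec sh -c '
        for p; do printf "755 %s %s\n" "$(stat -c %a "$p")" "$p"; done' sh {} +
    # Regular files that are not exactly 644 (wp-config.php is checked below)
    find "$root" -type f ! -name wp-config.php ! -perm 644 -exec sh -c '
        for p; do printf "644 %s %s\n" "$(stat -c %a "$p")" "$p"; done' sh {} +
    # wp-config.php, if it still lives in the web root, must be 600
    if [ -f "$root/wp-config.php" ]; then
        mode=$(stat -c %a "$root/wp-config.php")
        if [ "$mode" != 600 ]; then
            printf '600 %s %s\n' "$mode" "$root/wp-config.php"
        fi
    fi
}

# Number of deviations: the value a cron job would alert on when non-zero.
count_wp_perm_deviations() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Constructed sample tree with three deliberate mistakes; prints its path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/plugins/example-plugin"
    printf '<?php\n' > "$d/index.php"
    printf '<?php\n' > "$d/wp-config.php"
    printf '<?php\n' > "$d/wp-content/plugins/example-plugin/example-plugin.php"
    printf 'jpegdata\n' > "$d/wp-content/uploads/photo.jpg"
    chmod 755 "$d" "$d/wp-content" "$d/wp-content/plugins" "$d/wp-content/plugins/example-plugin"
    chmod 644 "$d/index.php" "$d/wp-content/plugins/example-plugin/example-plugin.php"
    chmod 777 "$d/wp-content/uploads"            # world-writable directory (wrong)
    chmod 664 "$d/wp-content/uploads/photo.jpg"  # group-writable file (wrong)
    chmod 644 "$d/wp-config.php"                 # readable by other users (wrong, must be 600)
    printf '%s\n' "$d"
}

# Stand-alone run: build the sample tree, audit it, clean up.
if [ "${1:-}" = "--demo" ]; then
    root=$(demo_tree)
    audit_wp_perms "$root"
    rm -rf "$root"
fi
```

Run it as `sh audit.sh --demo` to see the three findings from the sample tree, or point audit_wp_perms at /home/USER/public_html from cron and mail yourself the output whenever count_wp_perm_deviations is non-zero. A world-writable uploads directory or a wp-config.php readable by other accounts on a shared server is exactly the kind of drift that a blanket chmod hides.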

What to monitor

  • File changes. Wordfence and Solid Security alert when WordPress core, plugin, or theme files are modified outside of an update.
  • Failed login attempts. Wordfence shows top failed-login IPs. If you're seeing 1000+ attempts per day on a small site, you're being scanned aggressively — rate-limit logins.
  • Outbound connections. Hacked WordPress sites often phone home to attacker servers. Wordfence's "Network Activity" view catches this.
  • Site uptime. If your site goes down repeatedly, it may be getting attacked. Tools like UptimeRobot (free) ping every 5 minutes and email on failure.
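Wordfence shows the failed-login counts in its dashboard, but the same signal is already in the raw access log cPanel keeps for every domain. The script below is an added example (not from the ipxcore article or from Wordfence) that counts failed wp-login.php attempts per client IP in Apache combined log format and flags addresses over a threshold, which is the number a login rate limit should be keyed on. The SAMPLE_LOG lines are constructed for the demonstration and use documentation IP ranges.

```shell
#!/bin/sh
# Added example, not part of the ipxcore article: count failed wp-login.php
# attempts per client IP in an Apache combined access log and flag IPs above
# a threshold. SAMPLE_LOG is constructed; its addresses are documentation
# ranges, not real clients.

# Field layout of a combined log line:
#   $1 client IP, $6 "METHOD, $7 path, $9 HTTP status.
# A POST to /wp-login.php that WordPress answers with 200 is a failed attempt
# (the login form is re-rendered with an error); a successful login is a 302
# redirect to wp-admin, so it is not counted.
failed_logins_per_ip() {
    awk '$6 == "\"POST" && $7 == "/wp-login.php" && $9 == 200 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Print the IPs whose failed-attempt count reaches the threshold.
# Usage: flag_ips THRESHOLD < access_log
flag_ips() {
    failed_logins_per_ip | awk -v t="$1" '$1 >= t { print $2 }'
}

# Constructed sample: one address hammering the form, one real user who
# mistypes once and then logs in, one unrelated admin-ajax.php request.
SAMPLE_LOG='192.0.2.10 - - [10/Jun/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4318 "-" "python-requests/2.31"
192.0.2.10 - - [10/Jun/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4318 "-" "python-requests/2.31"
192.0.2.10 - - [10/Jun/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4318 "-" "python-requests/2.31"
192.0.2.10 - - [10/Jun/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4318 "-" "python-requests/2.31"
192.0.2.10 - - [10/Jun/2024:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4318 "-" "python-requests/2.31"
192.0.2.10 - - [10/Jun/2024:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4318 "-" "python-requests/2.31"
198.51.100.7 - - [10/Jun/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4102 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4318 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jun/2024:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jun/2024:10:07:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"'

# Stand-alone run over the constructed sample with a threshold of 5.
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LOG" | flag_ips 5
fi
```

Against a real log, run `flag_ips 50 < ~/access-logs/example.com` (the cPanel log path is an assumption; adjust for your account) from a daily cron job. Addresses that appear in the output are candidates for the firewall deny list discussed in the CSF articles, and the per-IP counts tell you whether a "1000+ attempts per day" figure is one scanner or a distributed run that a simple IP block will not stop.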

Recovery if compromised

If despite hardening you discover a compromise, see our full recovering from a hacked website article. Short version: don't panic, don't delete logs, change every credential, restore from clean backup, harden harder.

The honest truth

You can't make WordPress unhackable. You can make it expensive enough to attack that opportunistic bots move on to easier targets. The above checklist accomplishes that — it doesn't stop a determined nation-state attacker, but it stops the bots responsible for 99% of WordPress compromises.
