WordPress Security Hardening Checklist
Complete security guide: file permissions, XML-RPC blocking, security plugins, and Cloudflare WAF configuration.
A multi-layer approach to hardening a WordPress installation — from file permissions to Cloudflare WAF rules.
1. Restrict File & Directory Permissions
Set ownership and permissions. Run the blanket 644/755 pass first and lock down wp-config.php afterwards; if the find commands run last they reset wp-config.php to 644 again:
```bash
# Standard permissions: files 644, directories 755
find . -type f -exec chmod 644 {} \;
find . -type d -exec chmod 755 {} \;
# Protect wp-config.php (after the blanket pass above, or it is reset to 644)
chmod 600 wp-config.php
# After setup, tighten ownership
chown -R your_user:www-data /var/www/html
# Note: with mode 600 and owner your_user, PHP can only read wp-config.php if it
# runs as your_user; if PHP-FPM runs as www-data, use 640 so the group can read it.
```
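A check for the baseline above, added here as an example and not part of the checklist: it walks a WordPress tree, reports anything that deviates from 644/755/600 (flagging world-writable entries separately, since those matter most), and applies the baseline in the order that leaves wp-config.php at 600. The tree it runs on is constructed in a temporary directory with deliberately wrong modes; point `audit_permissions` at `/var/www/html` for a real check. Ownership is left alone because chown needs root and the correct owner depends on which user PHP runs as.

```python
"""Permission audit for a WordPress tree (added example, not from the checklist)."""
import os
import stat
import tempfile

FILE_MODE = 0o644
DIR_MODE = 0o755
CONFIG_MODE = 0o600          # change to 0o640 if PHP runs as the www-data group
CONFIG_NAME = "wp-config.php"


def audit_permissions(root):
    """Return a list of (relative_path, problem) tuples; [] means the tree is clean.

    Symlinks are skipped: their own mode bits are meaningless on Linux.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable directory"))
            elif mode != DIR_MODE:
                findings.append((rel, f"directory mode {mode:o}, expected {DIR_MODE:o}"))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            rel = os.path.relpath(path, root)
            # only the top-level wp-config.php gets the stricter mode
            expected = CONFIG_MODE if rel == CONFIG_NAME else FILE_MODE
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable file"))
            elif mode != expected:
                findings.append((rel, f"file mode {mode:o}, expected {expected:o}"))
    return findings


def apply_baseline(root):
    """Apply 755 to directories and 644 to files, then 600 to wp-config.php last.

    The order matters: a blanket 644 pass after the 600 would undo it.
    """
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, DIR_MODE)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                os.chmod(path, FILE_MODE)
    config_path = os.path.join(root, CONFIG_NAME)
    if os.path.isfile(config_path):
        os.chmod(config_path, CONFIG_MODE)


def build_demo_tree():
    """Create a small constructed WordPress-like tree with deliberately bad modes."""
    root = tempfile.mkdtemp(prefix="wp-demo-")
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    os.makedirs(os.path.join(root, "wp-content", "plugins"))
    for rel, mode in [
        ("index.php", 0o666),                 # world-writable file
        ("wp-config.php", 0o644),             # readable by every local account
        ("wp-content/plugins/a.php", 0o644),  # already correct
    ]:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "plugins"), 0o755)
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)  # world-writable directory
    return root


if __name__ == "__main__":
    demo = build_demo_tree()
    for rel, problem in audit_permissions(demo):
        print(f"{problem}: {rel}")
    apply_baseline(demo)
    print("after baseline:", audit_permissions(demo) or "clean")
```

The constants at the top are the only thing to adjust for a different layout: if PHP-FPM runs as www-data while the files belong to your_user, 600 on wp-config.php locks PHP out and `CONFIG_MODE = 0o640` with group www-data is the usual alternative.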
2. Block XML-RPC
XML-RPC is a common attack vector; unless something you run depends on it, block it in .htaccess:
```apache
<Files xmlrpc.php>
# Apache 2.2 syntax (works on 2.4 only while mod_access_compat is loaded)
order deny,allow
deny from all
# Apache 2.4 equivalent: replace the two lines above with
#   Require all denied
</Files>
```
3. Essential Security Plugins
Install and configure:
- WPS Hide Login — Change the login URL
- Disable Comments — Remove attack surface if comments aren't needed
- Limit Login Attempts Reloaded — Brute-force protection
- Sucuri Security — File integrity monitoring and hardening
- Stop User Enumeration — Block ?author=N attacks
- UpdraftPlus — Automated backups
- Wordfence — Firewall + malware scanner
- Disable XML-RPC-API — Belt-and-suspenders XML-RPC blocking
4. Cloudflare WAF Configuration
Country Blocking
Block traffic from countries that don't match your audience using WAF custom rules.
Browser Integrity Check
Enable in Security > Settings to challenge requests without valid user agents.
Hotlink Protection
Enable in Scrape Shield to prevent bandwidth theft.
Backend Protection
Create a WAF rule to restrict admin access. Exclude /wp-admin/admin-ajax.php, which themes and plugins call for logged-out visitors; challenging it breaks those front-end features:
```text
Expression: (http.request.uri.path contains "/wp-admin" or http.request.uri.path contains "/wp-login.php") and not http.request.uri.path contains "/wp-admin/admin-ajax.php"
Action: Challenge (or Block, with "and not ip.src in {203.0.113.0/24}" appended to the expression, replacing the example range with your own addresses, so only non-allow-listed IPs are blocked)
```
Security Level
Set to Medium or High in Security > Settings.
5. WPScan Auditing
Run periodic vulnerability scans:
```bash
docker run --network host wpscanteam/wpscan \
  --url https://yoursite.com/ \
  --api-token=YOUR_TOKEN \
  --enumerate vp,vt,u
```
This enumerates vulnerable plugins (vp), vulnerable themes (vt) and user IDs (u, which confirms whether the user-enumeration blocking from step 3 works). WPScan treats vp/ap/p as one mutually exclusive group and vt/at/t as another, so a value such as `p,t,vp` is rejected; use `ap,at` for a complete but slower enumeration of everything installed. The API token supplies the vulnerability data; without it the scan still runs but reports no vulnerability details.
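To turn the scan into something a cron job can act on, here is an added example (not from the checklist or the WPScan project) that triages a WPScan JSON report (`--format json --output report.json`) into an update list and a pass/fail status. It assumes the layout WPScan uses for plugins and themes: a map keyed by slug, each entry with `version.number` and a `vulnerabilities` list whose items carry `title`, `fixed_in` and `references`, plus `interesting_findings` entries with a `type` field (`xmlrpc` when XML-RPC is reachable, which ties back to step 2). The report below is constructed for the example, the plugin and theme names are fictional, and the CVE id is a placeholder; check the field names against a real report before relying on them.

```python
"""Triage a WPScan JSON report (added example; report layout is an assumption)."""
import json

# Constructed sample in the assumed WPScan JSON layout. Not real scan output;
# component names are fictional and the CVE id is a placeholder.
SAMPLE_REPORT = json.dumps({
    "plugins": {
        "contact-form-example": {
            "slug": "contact-form-example",
            "version": {"number": "2.3.0"},
            "vulnerabilities": [
                {"title": "Contact Form Example < 2.3.1 - Missing Capability Check",
                 "fixed_in": "2.3.1",
                 "references": {"cve": ["CVE-XXXX-XXXXX"]}},
            ],
        },
        "clean-plugin": {
            "slug": "clean-plugin",
            "version": {"number": "1.0.0"},
            "vulnerabilities": [],
        },
    },
    "themes": {
        "legacy-theme": {
            "slug": "legacy-theme",
            "version": {"number": "1.4"},
            "vulnerabilities": [
                {"title": "Legacy Theme <= 1.4 - Stored Cross-Site Scripting",
                 "fixed_in": None,          # no fixed release published
                 "references": {}},
            ],
        },
    },
    "interesting_findings": [
        {"type": "xmlrpc",
         "url": "https://example.com/xmlrpc.php",
         "to_s": "XML-RPC seems to be enabled: https://example.com/xmlrpc.php"},
    ],
})


def version_key(text):
    """Turn '2.10.1' into (2, 10, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in str(text).split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def triage(report_text):
    """Return one action record per vulnerable plugin or theme."""
    report = json.loads(report_text)
    actions = []
    for kind in ("plugins", "themes"):
        for slug, entry in report.get(kind, {}).items():
            vulns = entry.get("vulnerabilities") or []
            if not vulns:
                continue
            installed = (entry.get("version") or {}).get("number")
            # the highest fixed_in across all findings is the version to reach
            fixes = [v["fixed_in"] for v in vulns if v.get("fixed_in")]
            target = max(fixes, key=version_key) if fixes else None
            actions.append({
                "component": f"{kind[:-1]}:{slug}",
                "installed": installed,
                "vulnerabilities": len(vulns),
                "fixed_in": target,
                "action": (f"update to {target}" if target
                           else "no fixed version published; remove or replace"),
            })
    return actions


def xmlrpc_exposed(report_text):
    """True when the scanner reports XML-RPC as reachable (step 2 not effective)."""
    report = json.loads(report_text)
    return any(f.get("type") == "xmlrpc" for f in report.get("interesting_findings", []))


def exit_status(report_text):
    """0 when nothing needs action, 1 otherwise; usable as a cron/CI gate."""
    return 1 if triage(report_text) or xmlrpc_exposed(report_text) else 0


if __name__ == "__main__":
    for action in triage(SAMPLE_REPORT):
        print(f"{action['component']} {action['installed']}: {action['action']}")
    if xmlrpc_exposed(SAMPLE_REPORT):
        print("xmlrpc.php is reachable: the .htaccess block from step 2 is not in effect")
    raise SystemExit(exit_status(SAMPLE_REPORT))
```

Read a real report with `triage(open("report.json").read())`; the non-zero exit status from `exit_status` is what makes a scheduled scan fail loudly instead of silently logging the same findings week after week.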