Tips for Hardening WordPress

NOTE: This article is offered to help customers who are attempting to fix a common problem. We have found this solution to be helpful, but it is not a guaranteed fix, and it is not our area of expertise. If this does not fix your problem or breaks your website please consult a web developer professional for further assistance. We do not guarantee anything provided here, or on any referred websites. We only offer this as a suggestion to help our customers gain a better understanding of their websites security.


It is commonly suggested that your .htaccess & wp-config.php file has the following file permissions: 444


You will want to place this .htaccess file in your root web directory, commonly this is the public_html folder. This file should have 444 file permissions. Then you will want to add the following section above the “# BEGIN WORDPRESS” line in your .htaccess file.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
Then you will want to add this to the end of your .htaccess file after the “# END WORDPRESS” line.
# Custom WordPress Security
<Files ".user.ini">
<IfModule mod_authz_core.c>
        Require all denied
<IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
<Files wp-config.php>
    order allow,deny
    deny from all
Options -Indexes
# END Custom WordPress Security
This last part of the .htaccess file is optional, and is only recommended if you wish to only be able to login to your wordpress website from a specific IP or specific range of IP addresses. If you do not know what your IP address is, you can go to or to learn your Public IP. You would place this section of code right after the “# Custom WordPress Security” line.
Note: Make sure to replace ( with your public IP address
<Files "wp-login.php">
    Order deny,allow
    Deny from all
    # Your Public IP Nickname
    Allow from (


Please note that doing this step will prevent you from using the EDITOR feature in the wordpress dashboard to edit system files directly. You will still be able to edit pages and settings and the likes, but you cannot use the advanced editor when viewing plugins directly or themes directly. If you find that you lose access to something you used to be able to do in wordpress after enabling this, please go back and remove this code. To better protect against further exploits in your wordpress website, you can add the following code to your wp-config.php file. Do not put this at the end, but instead above the “/* That’s it! You stop editing here */” line which is close to the end but not quite.
/* Disable Editing in Dashboard */
define('DISALLOW_FILE_EDIT', true);


There is a known vulnerability in wordpress where someone can discreetly brute force your logins and get into your wordpress website without setting of alarms. More information on this can be found here. You can add the following code to this very end of this file wp-includes/functions.php :
 * CloudFlare XML-RPC Anti-DDOS
 * This disables the multicall of the XML-RPC via a single HTTP stream so usernames and passwords can't be bruteforced steathily
function mmx_remove_xmlrpc_methods( $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
add_filter( 'xmlrpc_methods', 'mmx_remove_xmlrpc_methods');


If you would like more details about the security steps taken above, more in-depth guides, or more information in general you can find more details here. It is also recommended that you install security oriented plugins in WordPress that protect against Brute Force attempts, offer firewall protection, and protect against bot attacks. Some examples would be: Loginizer, Sucuri Monitoring or Wordfence, Google reCAPTCHA.