Most WordPress security guides end at ‘install Wordfence’. That’s useful but incomplete. A security plugin adds a detection layer – it’s not a hardening layer. The hardening happens before the plugin even runs, at the server and application level, and it’s what separates a site that blocks an attack from one that needs cleaning up after one.

1. Disable XML-RPC if you don’t use it. It’s a legacy API that attackers use for brute-force amplification – one request can try hundreds of password combinations. Add add_filter('xmlrpc_enabled', '__return_false'); to functions.php or block it entirely at the server level.

2. Enforce strong passwords and 2FA for all administrators. Brute force is the most common attack vector against WordPress. miniOrange, WP 2FA or Wordfence’s built-in 2FA work well. Require it for editor roles and above.

3. Limit login attempts. Three failed logins should trigger a temporary IP block. Fail2Ban at the server level is more effective than a plugin – it blocks the IP before WordPress even loads.

4. Move wp-config.php above the webroot. WordPress looks for it one directory up automatically. An attacker who exploits a path traversal vulnerability can’t reach it.

5. Set correct file permissions. Directories at 755, files at 644, wp-config.php at 600. Never 777 on anything – that grants world-write access and is a malware foothold waiting to happen.

6. Use a Web Application Firewall (WAF). Cloudflare’s free plan blocks the most common exploit patterns before they hit your server. Combined with a plugin-level firewall, you have two layers. One attacker, two walls.

7. Keep PHP current. PHP 7.4 and below are end-of-life and no longer receive security patches. Running PHP 8.2+ improves both security and performance. Test in staging first – some older plugins don’t support PHP 8 yet.

8. Disable the file editor in wp-admin. Add define('DISALLOW_FILE_EDIT', true); to wp-config.php. If an attacker gains admin access, this stops them from inserting malicious code directly through the dashboard.

9. Monitor for file changes. A hash-based file integrity monitor alerts you when core WordPress files change unexpectedly – a reliable indicator of compromise. Wordfence and iThemes Security both offer this. Configure alerts to go to an email you actually check.
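What a hash-based file integrity monitor actually does, as an added example that is not part of the original post or of any plugin named in it: take a SHA-256 snapshot of every file under the install, store it as a baseline, and on each run report files that were added, removed or modified. The sample site and the tampering are constructed; skipping `wp-content/uploads` from the baseline is an assumption of this example (uploads change legitimately and are better covered by a separate policy).

```python
import hashlib
import json
import os
import tempfile

# Assumption for this example: uploads change during normal use, so they are
# excluded from the baseline rather than generating an alert on every upload.
SKIP_DIRS = ("wp-content/uploads",)


def sha256_of(path):
    """Stream a file through SHA-256 so large files do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, skip_dirs=SKIP_DIRS):
    """Return {relative path: sha256} for every regular file under root."""
    result = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root)
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            rel = os.path.normpath(os.path.join(rel_dir, name))
            if any(rel == s or rel.startswith(s + os.sep) for s in skip_dirs):
                continue
            result[rel] = sha256_of(full)
    return result


def compare(baseline, current):
    """Diff two snapshots; modified files are the indicator of compromise the post describes."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p]),
    }


def check(root, baseline_path):
    """Create the baseline on first run; on later runs return the diff against it."""
    current = snapshot(root)
    if not os.path.exists(baseline_path):
        with open(baseline_path, "w") as f:
            json.dump(current, f, indent=1, sort_keys=True)
        return None
    with open(baseline_path) as f:
        return compare(json.load(f), current)


def build_sample_site():
    """Construct a tiny fake install (example data only)."""
    root = tempfile.mkdtemp(prefix="wp-fim-")
    files = {
        "index.php": "<?php require 'wp-blog-header.php';\n",
        "wp-includes/version.php": "<?php $wp_version = 'x.y.z';\n",
        "wp-content/plugins/index.php": "<?php // Silence is golden.\n",
        "wp-content/uploads/pic.jpg": "not really a jpeg\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as f:
            f.write(body)
    return root


def simulate_changes(root):
    """Constructed changes: one core file edited, one unexpected plugin file, one upload replaced."""
    with open(os.path.join(root, "wp-includes/version.php"), "a") as f:
        f.write("// appended line\n")
    with open(os.path.join(root, "wp-content/plugins/unexpected.php"), "w") as f:
        f.write("<?php // file absent from the baseline\n")
    with open(os.path.join(root, "wp-content/uploads/pic.jpg"), "w") as f:
        f.write("replaced upload, deliberately not monitored\n")


if __name__ == "__main__":
    site = build_sample_site()
    baseline = os.path.join(tempfile.mkdtemp(prefix="wp-fim-state-"), "baseline.json")
    check(site, baseline)           # first run: writes the baseline
    simulate_changes(site)
    print(json.dumps(check(site, baseline), indent=1))
```

Two operational points follow from the code. The baseline file must live outside the webroot and be writable only by the account that runs the check, since a baseline the web server user can rewrite tells you nothing. And a modified core file is only meaningful when you did not just update WordPress, so refresh the baseline as the final step of every deliberate update and treat any diff between updates as the alert the post describes.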

10. Run regular malware scans – not just on demand. Daily automated scans with alerts beat manual quarterly checks. Malware often sits dormant for weeks before activating. The sooner you catch it, the simpler the cleanup.