Why quick hardening matters
Most attacks target outdated sites and weak logins. One hour of hardening blocks the common paths. Start with these basics and you will already be safer than most sites.
Step-by-step
Update core, themes, and plugins
Run updates, remove unused themes/plugins, and enable auto-updates for security releases.
Strengthen logins
Use strong passwords, limit admin accounts, change the login URL, and enable MFA via a security plugin or an authenticator app such as Aegis Authenticator.
Install a firewall/security plugin
Use Wordfence, All-In-One Security, or your host’s WAF. Turn on basic firewall rules, rate limiting, and bot protection.
Harden basic settings
Disable file editing in wp-admin, restrict XML-RPC (or block it), and set correct file permissions via your host.
Backups and alerts
Enable daily backups with offsite storage, and turn on email alerts for failed logins, file changes, and malware scans.
Spam and brute-force protection
Enable reCAPTCHA/hCaptcha on forms and comments. Add login throttling and lockouts for repeated failures.
Checklist
- Site fully updated; unused themes/plugins removed
- Strong passwords and MFA enabled
- Firewall plugin active with rate limits
- File editing disabled; XML-RPC restricted
- Backups running with offsite storage
- Spam and brute-force protection on forms
FAQ
Do I need a paid security plugin?
Free tiers cover basics. Paid tiers add malware cleanup and better WAF, but start with free if budget is tight.
Should I disable XML-RPC?
If you do not use Jetpack or remote publishing, disable or restrict it. It is a common brute-force target.
Is changing the login URL necessary?
It reduces noise from bots. Combine with MFA and rate limits for better protection.
Final thoughts
Security is a habit. Start with these one-hour basics: updates, MFA, firewall, backups, and spam/brute-force protection. Revisit monthly and you will stay ahead of most threats.
