Hardening WordPress

According to current statistics, WordPress is the most used CMS worldwide, with a market share of about 63% (June 2020). For this reason, most attacks are concentrated on WordPress sites. Because WordPress somewhat neglects the topic of security, it is very hard to notice some of these attacks. Even with successful attacks, it often takes days until a site administrator discovers them.

But this general security problem can be counteracted with a simple plugin: All In One WP Security & Firewall


The installation of the plugin is done as usual via the menu “Plugins – Install”.

After installation, the item “WP Security” appears in the menu.


The first element in “WP Security” is the “Dashboard”. Here you get a first overview of the most important security topics and an assessment of the settings made.

WP Security Dashboard

Security Configuration

Because the plugin All In One WP Security & Firewall offers a lot of different configuration options, I present a short summary of the settings that are, in my opinion, the most useful, divided into the individual menu items.

Before you use the tool, I recommend backing up the files “.htaccess” and “wp-config.php”. Both can be done under “WP Security – Settings”.

User Accounts

Under “User Accounts” you can check whether the user “admin”, which is created by default during installation, is still in use, and whether the display name (e.g. for posts) is the same as the login name.
If something applies here, renaming the user is recommended.

User Login

Under “User Login” you will find everything that is related to the backend login:

  • Maximum number of login attempts until the IP address is blocked.
  • Duration of the lockout.
  • Mail notification when IP addresses are blocked.
  • Log out logged in users automatically after a defined time.

Additionally, it logs which IP addresses have been blocked recently, which accounts have successfully logged in and which accounts are currently logged in.
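The lockout settings listed above can be read as a small state machine per IP address. The following sketch is an added example, not the plugin's own code: it replays constructed login events against an assumed policy (the names `MAX_ATTEMPTS`, `RETRY_WINDOW`, `LOCKOUT_SECONDS` and their values are hypothetical) and returns the decision for each attempt plus the lockouts that would trigger a mail notification.

```python
from collections import defaultdict, deque

# Assumed policy values (hypothetical names); the plugin sets these under "User Login".
MAX_ATTEMPTS = 3            # failed logins allowed before the IP is blocked
RETRY_WINDOW = 5 * 60       # seconds within which the failures must occur (assumption)
LOCKOUT_SECONDS = 60 * 60   # duration of the lockout

# Constructed sample events: (unix time, source IP, login name, password correct?)
EVENTS = [
    (1000, "203.0.113.7", "admin", False),
    (1010, "203.0.113.7", "admin", False),
    (1015, "198.51.100.4", "editor", False),
    (1020, "203.0.113.7", "admin", False),   # third failure: lockout starts
    (1030, "203.0.113.7", "admin", True),    # correct password, but IP is blocked
    (1400, "198.51.100.4", "editor", True),
    (4700, "203.0.113.7", "admin", False),   # lockout ended at 1020 + 3600 = 4620
]

def apply_lockout_policy(events):
    """Replay login events and return (decisions, notifications).

    decisions: "allowed", "failed", "locked_out" or "rejected", one per event.
    notifications: (time, ip, unlock_time) for every new lockout, i.e. the
    point at which an administrator mail would be sent.
    """
    failures = defaultdict(deque)   # ip -> timestamps of recent failed logins
    blocked_until = {}              # ip -> unix time at which the lockout ends
    decisions, notifications = [], []
    for ts, ip, _user, ok in sorted(events):
        if blocked_until.get(ip, 0) > ts:
            decisions.append("rejected")     # blocked IPs never reach the password check
            continue
        if ok:
            failures[ip].clear()             # a successful login resets the counter
            decisions.append("allowed")
            continue
        recent = failures[ip]
        recent.append(ts)
        while recent and recent[0] <= ts - RETRY_WINDOW:
            recent.popleft()                 # forget failures outside the window
        if len(recent) >= MAX_ATTEMPTS:
            blocked_until[ip] = ts + LOCKOUT_SECONDS
            notifications.append((ts, ip, blocked_until[ip]))
            recent.clear()
            decisions.append("locked_out")
        else:
            decisions.append("failed")
    return decisions, notifications
```

Note the fifth event: once an address is blocked, even a correct password is rejected until the lockout expires, which is why a very long lockout duration can also lock out legitimate users behind a shared IP address.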

User Registration

If other people are allowed to register on the homepage, it can be defined that all new users first have to be confirmed manually by an administrator. A “Captcha” can also be activated to prevent bots from performing automatic registrations.

Database Security

Under “Database Security” the WordPress databases in use can be renamed, so that they no longer use the WordPress standard.

Under DB Backup it is also possible to define scheduled database backups.

Before changing anything in the database, a backup should first be created via “Database Security – DB Backup”.

Blacklist Manager

If the same IP address repeatedly tries to log into the backend, it can be added to the Blacklist Manager. Afterwards the respective IP address no longer has access to the homepage.

Brute Force

Under “Brute Force” the registration can be secured much better. The most important point here is the activation of a captcha during the registration process, in order to stop bots here as well.

Login with Captcha

In addition, the login URL can also be changed. By default, the login runs via “https://domain.at/wp-admin”. When the function is activated, the URL can be changed to “https://domain.at/backend”, for example.

SPAM prevention

If you have activated the comment function under Posts, you can activate the “SPAM Prevention”. Bots can also be stopped by using Captcha. Additionally, a maximum number of comments from the same IP address can be defined.

Maintenance & Miscellaneous

Apart from the security topics, the All In One WP Security & Firewall plugin can also activate a maintenance mode to inform the visitor that the homepage is currently under construction.

If you want to protect your posts, you can also activate the copy protection. Afterwards no text can be copied by using “Ctrl+C”.
