The iThemes Security Plugin includes 10 ways to harden WordPress. After installing and activating iThemes Security, visit the Settings tab to activate these features, which are designed to harden your WordPress site.
10 Ways to Harden WordPress with iThemes Security
- Strong Passwords
With iThemes Security, you can force users to use strong passwords as rated by the WordPress password meter. WordPress password security is the simplest way to harden WordPress.
- Hide The WordPress Login URL
iThemes Security allows you to change the WordPress login page URL (wp-login.php, wp-admin, admin and login), making it harder for automated attacks to find. Changing the default WordPress admin URL also makes it easier for users unfamiliar with the WordPress platform.
- 404 Detection
404 detection in iThemes Security looks at a user who is hitting a large number of non-existent pages and getting a large number of 404 errors. 404 detection assumes that a user who hits a lot of 404 errors in a short period of time is scanning for something (presumably a vulnerability) and locks them out accordingly. This also gives the added benefit of helping you find hidden problems causing 404 errors on unseen parts of your site.
- Away Mode
As most sites are only updated at certain times of the day, it is not always necessary to provide access to the WordPress dashboard 24 hours a day, 7 days a week. The Away Mode options allow you to disable access to the WordPress Dashboard for the specified period. In addition to limiting exposure to attackers, Away Mode is also useful to disable site access based on a schedule for classroom or other reasons.
- Ban Users
The Banned Users feature in iThemes Security allows you to completely ban hosts and user agents from your site without having to manage any configuration of your server. Any IP addresses or user agents found in a customizable list will not be allowed any access to your site.
- Brute Force Protection
If one had unlimited time and wanted to try an unlimited number of password combinations to get into your site they eventually would, right? This method of attack, known as a brute force attack, is something that WordPress is susceptible to by default, as the system doesn’t care how many attempts a user makes to log in. Using WordPress brute force protection to limit logins will ban the host user from attempting to log in again after the specified bad login threshold has been reached.
- File Change Detection
Even the best security solutions can fail. How do you know if someone gets into your site? You will know because they will change something. The File Change Detection feature in iThemes Security will tell you what files have changed in your WordPress installation, alerting you to changes not made by yourself. Unlike other solutions, the iThemes Security plugin will look only at your installation and compare files to the last check instead of comparing them with a remote installation, thereby taking into account whether or not you modify the files yourself.
- Malware Scanning
iThemes Security provides a WordPress malware scan powered by Sucuri SiteCheck. The scan checks for known malware, blacklisting status, website errors, and out-of-date software.
- Secure Sockets Layer (SSL)
iThemes Security gives you the option of turning on SSL (if your server or host supports it) for all or part of your site. By enabling the options in the plugin, you can automatically use SSL for major parts of your site such as the login page, the admin dashboard or the site as a whole. You can also turn on SSL for any post or page by editing the content and selecting “Enable SSL” in the publishing options of the content in question.
- Disable XML-RPC
WordPress’s XML-RPC feature allows external services to access and modify content on the site. Common examples of services that make use of XML-RPC are the Jetpack plugin, the WordPress mobile app, and pingbacks. If your WordPress site does not use a service that requires XML-RPC, we recommend using the “Disable XML-RPC” setting to prevent attackers from using the XML-RPC feature to brute force attack the site.
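The 404 detection idea described in the list above (many 404 errors from one host in a short period leads to a lockout), as an added example that is not iThemes Security's own code. The threshold, the time window and the access-log lines are constructed assumptions; the page does not state the plugin's values.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed values for illustration only, not the plugin's defaults.
MAX_404S = 4
WINDOW = timedelta(minutes=5)

# Combined-log-format fields needed here: client IP, timestamp, status code.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "[^"]*" (\d{3}) ')

# Constructed sample access log (documentation IP ranges, neutral paths).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /no-such-page-1 HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /no-such-page-2 HTTP/1.1" 404 153
198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /no-such-page-3 HTTP/1.1" 404 153
198.51.100.20 - - [10/Mar/2024:10:00:09 +0000] "GET /favicon.ico HTTP/1.1" 404 153
203.0.113.7 - - [10/Mar/2024:10:00:11 +0000] "GET /no-such-page-4 HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:10:01:00 +0000] "GET /img/a.png HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:10:09:00 +0000] "GET /img/b.png HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:10:17:00 +0000] "GET /img/c.png HTTP/1.1" 404 153
192.0.2.44 - - [10/Mar/2024:10:25:00 +0000] "GET /img/d.png HTTP/1.1" 404 153
"""

def find_lockouts(log_text, max_404s=MAX_404S, window=WINDOW):
    """Return {ip: time the threshold was reached} for hosts with max_404s 404s inside window."""
    recent = defaultdict(deque)   # per-host timestamps of 404s still inside the window
    lockouts = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(3) != "404":
            continue              # unparseable line or not a 404
        ip = m.group(1)
        if ip in lockouts:
            continue              # host is already locked out
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")
        hits = recent[ip]
        hits.append(ts)
        while ts - hits[0] > window:
            hits.popleft()        # slide the window: forget 404s that are too old
        if len(hits) >= max_404s:
            lockouts[ip] = ts
    return lockouts

if __name__ == "__main__":
    for ip, when in find_lockouts(SAMPLE_LOG).items():
        print(f"lock out {ip}: {MAX_404S} 404s within {WINDOW} (reached at {when})")
```

The host at 192.0.2.44 produces the same number of 404s as the fast one but spread over 24 minutes, so a sliding window leaves it alone; this kind of slow, repeated 404 is also what points to a broken link on the site.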
Get iThemes Security Pro with 10 Ways to Harden WordPress
Get the #1 WordPress Security plugin with 30+ ways to protect your WordPress site, including scheduled malware scanning, two-factor authentication, ticketed support and more.