Title: WP Hardening (discontinued)
Author: WebProtect.ai
Published: October 27, 2019
Last modified: September 13, 2024

---


This plugin **hasn’t been tested with the latest 3 major releases of WordPress**.
It may no longer be maintained or supported and may have compatibility issues when
used with more recent versions of WordPress.


# WP Hardening (discontinued)

 By [WebProtect.ai](https://profiles.wordpress.org/astrasecuritysuite/)


## Description

WP Hardening is a tool which performs a real-time security audit of your website
to find missing security best practices. Using our ‘Security Fixer’ you can also
fix these with a single click from your WordPress backend.

### Discontinuation Notice

**IMPORTANT: This plugin is discontinued**

This is to inform you that this plugin is no longer being maintained or updated.
We have placed a discontinuation request with the WordPress team, and the plugin
will soon be ‘closed’ for new installations.

This plugin was launched as a side project and has sadly reached the end of its 
journey. Thank you for your understanding and for using our plugin. We apologize
for any inconvenience this may cause.

**What This Means for You**

 1. **No Further Updates:** There will be no more updates, bug fixes, or new features.
 2. **No Support:** Support for this plugin is no longer available.

We recommend that you deactivate and delete this plugin from your WordPress site
as soon as possible. Please seek alternative plugins to replace the functionality
provided by this plugin.

### Features

### Hardening Audit

 1. **WordPress Version Check** It checks whether your website is on the latest version
    of WordPress.
 2. **Checking Outdated Plugins** It checks whether your website is running up-to-date
    plugins.
 3. **Checking PHP Version** WP Hardening also checks whether your website is running
    on a secure version of PHP.
 4. **Checking File & Folder Permissions** WP Hardening also checks the permissions
    set on your website's files and folders.
 5. **Database Password Strength** We check the strength of the passwords used on your
    database. A weak password makes the database an easy target for brute-force attacks.
 6. **Checking Firewall Protection** We check whether your website is protected by
    a firewall. Firewalls provide monitoring and filtering for your website.

### Security Fixers

**Admin & API Security**

 1. **Stop User Enumeration** Hackers and bad bots can easily find usernames in WordPress
    by visiting URLs like _yourwebsite.com/?author=1_. This can significantly help
    them in performing larger attacks like brute force and SQL injection.
 2. **Change Login URL** Prevent admin password brute-forcing by changing the URL for
    the wp-admin login area. You can change the URL only when this fixer is disabled.
 3. **Disable XMLRPC** XMLRPC is often targeted by bots to perform brute-force and DDoS
    attacks (via pingback), causing considerable stress on your server. However, some
    services rely on XMLRPC. Be sure you definitely do not need XMLRPC before disabling
    it.
 4. **Disable WP API JSON** Since version 4.4, WordPress has included a JSON REST API,
    which largely benefits developers. However, it is often targeted for brute-force
    attacks, just like XMLRPC. If you are not using it, it is best to disable it.
 5. **Disable File Editor** If a hacker gains access to your WordPress admin, an enabled
    file editor makes it quite easy for them to add malicious code to your theme or
    plugins. If you are not using it, it is best to keep the file editor disabled.
 6. **Disable WordPress Application Passwords** WordPress application passwords have
    the full permissions of the user that generated them, making it possible for an attacker
    to gain control of a website by tricking the site administrator into granting permission
    to their malicious application.

**Disable Information Disclosure & Remove Meta information**

 1. **Hide WordPress version number** Disclosing your WordPress version number makes
    a hacker's life simple, as they can look for exploits targeting that version.
    It is best to keep it hidden; enabling this button does that.
 2. **Remove WordPress Meta Generator Tag** The WordPress meta tag contains your WordPress
    version number, which is best kept hidden.
 3. **Remove WPML (WordPress Multilingual Plugin) Meta Generator Tag** This discloses
    the WordPress version number, which is best kept hidden.
 4. **Remove Slider Revolution Meta Generator Tag** Slider Revolution stays on the
    radar of hackers due to its popularity. An overnight hack in the version you are
    using could leave your website vulnerable too. Make it difficult for hackers to
    exploit the vulnerabilities by disabling version number disclosure here.
 5. **Remove WPBakery Page Builder Meta Generator Tag** Common page builders are often
    found to have vulnerabilities that put your website's security at risk. With
    this toggle enabled, the version of these page builders is hidden, making it
    difficult for hackers to find out whether you are using a vulnerable version.
 6. **Remove Version from Stylesheet** Many CSS files have the WordPress version number
    appended to their source for caching purposes. Knowing the version number allows
    hackers to exploit known vulnerabilities.
 7. **Remove Version from Script** Many JS files have the WordPress version number
    appended to their source for caching purposes. Knowing the version number allows
    hackers to exploit known vulnerabilities.

**Basic Server Hardening**

 1. **Hide Directory Listing of WP includes** The wp-includes directory gives away a lot
    of information about your WordPress installation to hackers. Disable its listing
    by toggling this option to make reconnaissance difficult for hackers.

**Security Headers**

 1. **Clickjacking Protection** Protect your WordPress website from clickjacking with
    the X-Frame-Options response header. Clickjacking is an attack that tricks a user
    into clicking a webpage element which is invisible or disguised as another element.
 2. **XSS Protection** Add the HTTP X-XSS-Protection response header so that browsers
    such as Chrome, Safari and Microsoft Edge stop pages from loading when they detect
    reflected cross-site scripting (XSS) attacks.
 3. **Content Sniffing protection** Add the X-Content-Type-Options response header
    to protect against MIME sniffing vulnerabilities. Such vulnerabilities can occur
    when a website allows users to upload content and a user disguises a particular
    file type as something else. This can give them the opportunity to perform
    cross-site scripting and compromise the website.
 4. **HTTP only & Secure flag** Enable the HttpOnly and Secure flags to make the cookies
    more secure. This tells the browser to make the cookie available only to the server,
    which adds a layer of protection against XSS attacks.
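
A way to verify the four Security Headers fixers from outside the site, as an added example (not the plugin's own code): it audits a captured response header block for each header and cookie flag named above. The two sample responses, the cookie name `wp_sample_session` and the function names are constructed for illustration.

```python
# Constructed sample responses (not captured from a real site).
WEAK = """HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
X-Frame-Options: ALLOWALL
Set-Cookie: wp_sample_session=abc123; path=/; HttpOnly
"""
HARDENED = """HTTP/1.1 200 OK
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
X-Content-Type-Options: nosniff
Set-Cookie: wp_sample_session=abc123; path=/; Secure; HttpOnly
"""

def parse_headers(raw):
    """Return (lowercased name, value) pairs from a raw header block."""
    pairs = []
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            pairs.append((name.strip().lower(), value.strip()))
    return pairs

def audit(raw):
    """Return a list of findings; an empty list means all four checks pass."""
    pairs = parse_headers(raw)
    first = {}
    for name, value in pairs:
        first.setdefault(name, value.lower())
    findings = []
    if first.get("x-frame-options") not in ("deny", "sameorigin"):
        findings.append("clickjacking: X-Frame-Options missing or not DENY/SAMEORIGIN")
    if not first.get("x-xss-protection", "").startswith("1"):
        findings.append("xss: X-XSS-Protection missing or disabled")
    if first.get("x-content-type-options") != "nosniff":
        findings.append("sniffing: X-Content-Type-Options is not nosniff")
    # Every Set-Cookie header is checked, since a response can set several cookies.
    for name, value in pairs:
        if name != "set-cookie":
            continue
        cookie = value.split("=", 1)[0]
        attrs = {a.strip().lower().split("=")[0] for a in value.split(";")[1:]}
        for flag in ("httponly", "secure"):
            if flag not in attrs:
                findings.append(f"cookie: {cookie} lacks {flag}")
    return findings

if __name__ == "__main__":
    for label, raw in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(raw))
```
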

## Screenshots

 * This is the main dashboard; you'll find a concise overview of your website's
   present security. The buttons “Start a new audit”, “Security Fixers”, “Request malware
   cleanup” and “View Help docs” on the dashboard take you to the respective sections.
 * The ‘Audit Recommendation’ section on the same page details the audit results. The
   “Recommendations” sub-section shows improvement areas with links to comprehensive
   guides for implementing those practices.
 * The ‘Passed test’ sub-section shows already implemented best practices.
 * The ‘Security Fixers’ section contains 13 vital security hardening areas. You
   can optimize these with a single click.
 * The first section in the security fixer is ‘Admin & API Security’. You can
   find the details of each test by hovering.
 * The second and third sections are ‘Disable Information Disclosure & Remove Meta
   information’ and ‘Basic Server Hardening’.

## Installation

 1. Visit ‘Plugins > Add New’ in your admin dashboard
 2. Search for ‘WP-Hardening’
 3. Install WP-Hardening once it appears
 4. Activate it from your Plugins page
 5. The WP-Hardening button will appear on the bottom left of your admin dashboard

## FAQ

### Is the WP Hardening plugin free to use?

Yes, it is absolutely free. Just download the plugin and activate it from your backend.
Run the scan and review the results.

### How does the WP Hardening plugin work?

WP Hardening scans your website for security recommendations like File Permissions,
WordPress Version, Outdated plugins etc. and helps you with proper steps to fix these
issues. The ‘Security Fixer’ button helps to fix Admin & API security, Disable Information
Disclosure & Remove Meta information, and Basic Server Hardening.

### Will this plugin help me with a malware-infected website?

No, this plugin will help you harden your WordPress security.

### How will I get informed about my website’s security?

You will get informed instantly after each scan via email. For additional information,
subscribe to our newsletter and stay updated.

### Does WP Hardening conflict with other security plugins?

No, WP Hardening does not conflict with any security plugin. However, you can get
rid of multiple plugins that you have installed to disable XMLRPC, prevent user
enumeration, change the admin URL, etc. If you face any issues with the WP Hardening
plugin, feel free to send us a mail.

## Reviews

### [Moving on](https://wordpress.org/support/topic/moving-on-2/)

 [VForce](https://profiles.wordpress.org/visionforce/) February 15, 2026

Initially bought a lifetime deal from them about 4-5 years back. It seems sometime
in the last 2 years they’ve completely dropped their WordPress security services
and are providing REALLY expensive pentesting services, whatever that is. But they’ve
completely dropped this arm of their business and that’s apparent by their security
plugin not being updated in a while.

### [It’s sending e-mails without my permission!!!](https://wordpress.org/support/topic/its-sending-e-mails-without-my-permission/)

 [Murat](https://profiles.wordpress.org/mdogancay/) July 15, 2024

It is sending me stupid e-mails from my own e-mail account without my permission!

### [Dead plugin](https://wordpress.org/support/topic/dead-plugin-43/)

 [8bit7](https://profiles.wordpress.org/8bit7/) February 26, 2024

No support answers in forever, not even sure the devs come to the support forum 
anymore. No updates in forever and don’t expect any. The developers have moved on
and now that this plugin is aging it’s causing errors and there’s no hope for a 
fix. Really a shame because this was the best lightweight wp security plugin.

### [WP Hardening does not accept WP 6.2](https://wordpress.org/support/topic/does-not-accept-wp-6-2/)

 [Agfuente](https://profiles.wordpress.org/agfuente/) April 3, 2023

If you did the update for WP 6.2, the create new post command will not work.
Deactivate the extension «wp hardening» and it will be possible again. Regards

### [I like it – However ..](https://wordpress.org/support/topic/i-like-it-however/)

 [Krammig](https://profiles.wordpress.org/krammig/) September 10, 2021, 1 reply

Overall it is quite a decent plugin. I like the way it applies some practical protection
right at install time, namely, API JSON lockdown etc. However – the File Permission
Checker – is pretty useless. A big list of files/folders with 775 664 etc listed.
So, big deal. What it is missing here obviously is a Click to Fix type function.
For a user to then have to wade through the list and modify one by one via some
other process is a pain and just not practical. Looking forward to the next version
that is a bit more polished.

### [Recommending php 7.4 ?](https://wordpress.org/support/topic/reccomending-php-7-4/)

 [thesquiffy](https://profiles.wordpress.org/thesquiffy/) February 27, 2021, 2 replies

Hi, Check for active PHP version Your current PHP version (8.0) is outdated and
can invite hackers. Steps to Fix: Move to the latest and secured version (7.4) with
this guide here. Are you really recommending php 7.4 in place of php 8.0 ?

 [ Read all 20 reviews ](https://wordpress.org/support/plugin/wp-security-hardening/reviews/)

## Contributors & Developers

“WP Hardening (discontinued)” is open source software. The following people have
contributed to this plugin.

Contributors

 *   [ WebProtect.ai ](https://profiles.wordpress.org/astrasecuritysuite/)


### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/wp-security-hardening/),
check out the [SVN repository](https://plugins.svn.wordpress.org/wp-security-hardening/),
or subscribe to the [development log](https://plugins.trac.wordpress.org/log/wp-security-hardening/)
by [RSS](https://plugins.trac.wordpress.org/log/wp-security-hardening/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.2 – January 31, 2020

 * Improvement: Add security headers to the HTTP response
 * Improvement: Changing the frequency of Hardening audits
 * Improvement: Configure emails to be sent to up to 15 people
 * Fix: jQuery bug on fixers page

#### 1.1 – March 31, 2020

 * Initial public release of WP Hardening Plugin.

## Meta

 *  Version **1.2.8**
 *  Last updated **2 years ago**
 *  Active installations **10,000+**
 *  WordPress version **4.3 or higher**
 *  Tested up to **6.0.11**
 *  PHP version **5.3 or higher**
 *  Language [English (US)](https://wordpress.org/plugins/wp-security-hardening/)
 *  Tag [discontinued](https://es-pr.wordpress.org/plugins/tags/discontinued/)
 *  [Advanced View](https://es-pr.wordpress.org/plugins/wp-security-hardening/advanced/)

## Ratings

 4 out of 5 stars.

 *  [13 5-star reviews](https://wordpress.org/support/plugin/wp-security-hardening/reviews/?filter=5)
 *  [1 4-star review](https://wordpress.org/support/plugin/wp-security-hardening/reviews/?filter=4)
 *  [2 3-star reviews](https://wordpress.org/support/plugin/wp-security-hardening/reviews/?filter=3)
 *  [0 2-star reviews](https://wordpress.org/support/plugin/wp-security-hardening/reviews/?filter=2)
 *  [4 1-star reviews](https://wordpress.org/support/plugin/wp-security-hardening/reviews/?filter=1)
