WP Hardening by Astra Security is a tool which performs a real-time security audit of your website to find missing security best practices. Using our ‘Security Fixer’ you can also fix these with a single click from your WordPress backend
It is a task to achieve the basic WordPress security measures without using multiple plugins. Ironically, using many plugins there is a higher chance of the site being compromised. Multiple plugins also ask for better maintenance, updates, which many webmasters failed to comply. WP Hardening plugin solves this problem and more.
WP Hardening is a one-stop solution to implement security recommendations for your WordPress website. It is effortless to use and works efficiently from your WordPress backend.
Astra Security is a Techstars company & the winner of the French Tech Ticket Program. Awarded as The Most Innovative Security Company at the Global Conference on Cyber Security.
Astra’s vision is to make cyber security a five minute affair for businesses
Astra’s promise to a business owner is that their business would be secure without any ifs or buts. If a business is using Astra, they will be secure – no questions asked.
- WordPress Version Check
It checks if your website is on the latest version or not.
- Checking Outdated Plugins
It checks if your website is running the updated plugins or not.
- Checking PHP Version
WP Hardening also checks if your website is running on a secure version of PHP.
- Checking File & Folder Permissions
WP Hardening also checks if your website is built on the secured version of PHP or not.
- Database Password Strength
We check the strength of passwords used on your database. Not having a secured password can become an easy target for Brute-Force attacks.
- Checking Firewall Protection
We’ll check if your website is being protected by a firewall or not. Firewalls leverage a great monitoring and filtering system on your website. Check out the features of Astra firewall here.
- Stop User Enumeration Hackers & bad bots can easily find usernames in WordPress by visiting URLs like yourwebsite.com/?author=1. This can significantly help them in performing larger attacks like Bruteforce & SQL injection.
- Change Login URL Prevent admin password brute-forcing by changing the URL for the wp-admin login area. You can change the url only when this fixer is disabled.
- Disable XMLRPC XMLRPC is often targeted by bots to perform brute force & DDoS attacks (via pingback) causing considerable stress on your server. However, there are some services which rely on xmlrpc. Be sure you definitely do not need xmlrpc before disabling it. If you are using Astra firewall, then you’re safe against xmlrpc attacks automatically.
- Disable WP API JSON Since 4.4 version, WordPress added JSON REST API which largely benefits developers. However, it’s often targeted for bruteforce attacks just like in the case of xmlrpc. If you are not using it, best is to disable it.
- Disable File Editor If a hacker is able to get access to your WordPress admin, with the file editor enabled it becomes quite easy for them to add malicious code to your theme or plugins. If you are not using this, it’s best to keep the file editor disabled.
- Disable WordPress Application Passwords WordPress application passwords have full permissions of the user that generated them, making it possible for an attacker to gain control of a website by tricking the site administrator into granting permission to their malicious application.
Disable Information Disclosure & Remove Meta information
- Hide WordPress version number
This gives away your WordPress version number making life of a hacker simple as they’ll be able to find targeted exploits for your WordPress version. It’s best to keep this hidden, enabling the button shall do that.
- Remove WordPress Meta Generator Tag
The WordPress Meta tag contains your WordPress version number which is best kept hidden
- Remove WPML (WordPress Multilingual Plugin) Meta Generator Tag
This discloses the WordPress version number which is best kept hidden.
- Remove Slider Revolution Meta Generator Tag
Slider revolution stays on the radar of hackers due to its popularity. An overnight hack in the version you’re using could lead your website vulnerable too. Make it difficult for hackers to exploit the vulnerabilities by disabling version number disclosure here
- Remove WPBakery Page Builder Meta Generator Tag
Common page builders often are diagnosed with a vulnerability putting your website’s security at risk. With this toggle enabled, the version of these page builders will be hidden making it difficult for hackers to find if you’re using a vulnerable version.
- Remove Version from Stylesheet
Many CSS files have the WordPress version number appended to their source, for cache purposes. Knowing the version number allows hackers to exploit known vulnerabilities.
- Remove Version from Script
Many JS files have the WordPress version number appended to their source, for cache purposes. Knowing the version number allows hackers to exploit known vulnerabilities.
Basic Server Hardening
- Hide Directory Listing of WP includes
WP-includes directory gives away a lot of information about your WordPress to hackers. Disable it by simply toggling the option to ensure you make reconnaissance of hackers difficult
- Clickjacking Protection
Protect your WordPress Website from clickjacking with the X-Frame-Options response header. Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element.
- XSS Protection
Add the HTTP X-XSS-Protection response header so that browsers such as Chrome, Safari, Microsoft Edge stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
- Content Sniffing protection
Add the X-Content-Type-Options response header to protect against MIME sniffing vulnerabilities. Such vulnerabilities can occur when a website allows users to upload content to a website, however the user disguises a particular file type as something else. This can give them the opportunity to perform cross-site scripting and compromise the website.
- HTTP only & Secure flag
Enable the HttpOnly and secure flags to make the cookies more secure. This instructs the browser to trust the cookie only by the server, which adds a layer of protection against XSS attacks.
- Visit ‘Plugins > Add New’ in your admin dashboard
- Search for ‘WP-Hardening’
- Install WP-Hardening once it appears
- Activate it from your Plugins page
- WP-Hardening button will appear on the bottom left of your admin dashboard
Is WP hardening plugin free to use?
Yes, it is absolutely free. Just download the plugin and activate it from your backend. Run the scan and review the results.
How does WP Hardening plugin works?
WP Hardening scans your website for security recommendations like File Permissions, WordPress Version, Outdated plugins etc. & helps you with proper steps to fix these issues. The ‘Security Fixer’ button help to fix Admin & API security, Disable Information Disclosure & Remove Meta information & Basic Server Hardening. For more security practices you can check our detailed step by step guide on WordPress Security
Will this plugin help me with malware infected website?
No, this plugin will help you harden your WordPress Security. However, you can opt for malware cleanup & firewall from within the plugin offered by Astra Security. You can also follow our Hack Removal Guide to scan & fix your website.
How will I get informed about my website’s security?
You will get informed instantly after each scan via email. For additional information, subscribe to our newsletter and stay updated.
Does WP Hardening conflict with other security plugins?
No, WP Hardening does not conflict with any security plugin. However, you can get rid of multiple plugins that you have installed to disable XMLRPC, prevent user enumeration, changing admin URL, etc. In case, you face any issues with the WP hardening plugin, feel free to send us a mail.
What level of support will I get?
You can contact our team via
mail. Besides, we also have an extensive repository of knowledge bases to help you save time.
Will this plugin help me to fix issues?
You will find a comprehensive step by step guides in the recommendation to fix the detected issues. The ‘Security Fixer’ option will help you to fix most of the security recommendations by just a click. If you have any questions contact us over mail
What are the malware issue that Astra Security Suite can help me to fix?
Astra’s WordPress security suite can help you to fix & prevent the below mentioned attacks.
- Brute force attacks
- Pharma hack
- Spam Link Injection
- WordPress redirect hack
- Japanese keyword hack
- SEO spam hack
- XSS or cross-site scripting hack
- WP-VCD Malware
- SQL injection
- Credit Card Malware Hack
- Google Blacklist hack
- Google Adwords Account Suspension
- Cookie stealing & session hijacking
- WP phishing hack
- Favicon.ico malware hack
- WP-Feed.php & WP-Tmp.php
- WP Backdoor hack
- Coinhive hack (Crypto Mining Malware)
- WordPress deface hack
- Deceptive Site Ahead
- Monetization Hack (monit.php)
What are the terms & conditions?
Here are the Terms & Conditions of the Service.
Where can I see customer testimonials of Astra Security?
Trustpilot & Capterra are two platforms where you can see Astra Security testimonials.
Contributors and Developers
“WP Hardening – Fix Your WordPress Security” is open source software. The following people have contributed to this plugin.Contributors
Translate “WP Hardening – Fix Your WordPress Security” into your language.
Interested in development?
Browse the code, check out the SVN repository, or subscribe to the development log by RSS.
1.2 – January 31, 2020
* Improvement: Add security headers to the HTTP response * Improvement: Changing the frequency of Hardening audits * Improvement: Configure emails to be sent to upto 15 people * Fix: jQuery bug on fixers page
1.1 – March 31, 2020
* Initial public release of WP Hardening Plugin.