Skip to main content

Hardening WordPress - Part 2

·2 mins

This is a more technical look at security than the article on WordPress security that I wrote a few years ago. Although all of that is still relevant, here are a few more tips to turn your security up to the next level.

Disable file editing in WordPress #

By default, WordPress gives Administrators the power to edit files in Themes and Plugins through its own built-in editor. Although it gives you fair warning about the danger of making changes to files, you can easily dive in and start making changes whether you know what you’re doing or not.

There’s a simple one-liner that will turn this feature off.

You’ll need to access your wp-config.php file and add this line.

define( ‘DISALLOW_FILE_EDIT’, true );

Remove the login error hints #

When you make a mistake logging into WordPress it tries to help you narrow down the issue to the username or password. In doing so, it can let bots know which email addresses have an account on your site and which don’t. This in itself can be a security risk, and can be disabled by adding this function to your function.php file.

function jrc_hide_login_errors() {
   return ‘Uh oh! Something went wrong!;
add_filter( ‘login_errors’, ‘jrc_hide_login_errors’ );

Screenshot of a hidden login hint
Hidden Login hint

Stop Broadcasting your WordPress version number #

One simple way to keep your WordPress site secure is to always make sure that it’s up-to-date with the latest version. There are times when you may need to hold off on updating because of a plugin, or custom code that needs to catch up before making the switch. In the mean time, you may be broadcasting vulnerabilities simply by exposing the WordPress version in your code. In order to hide this use the following code snippet in your function.php file.

// Remove WordPress version number from head section
remove_action(‘wp_head’, ‘wp_generator’);

// Remove WordPress version number from RSS feed
function jrc_remove_version_from_rss() {
  return ‘’;
add_filter(‘the_generator’, ‘jrc_remove_version_from_rss’);

Two-factor Authentication (2FA) or Multi-factor Authentication (MFA) #

The iThemes security Plugin is the easiest way to integrate 2FA into your website. Go through the step-by-step process provided by the plugin and users will be able so simply opt-in to MFA.

example of the two-factor authentication screen from iThemes
Setup Two-Factor Authentication