WordPress Hardening

You've spent weeks (or months) designing your new WordPress site. The content is polished, the plugins are configured, and you are finally ready to hit "Publish" and share it with the world. Stop. The moment your website goes live and the DNS propagates, automated bots will begin scanning it within hours. If you haven't locked…

A Brute Force Attack is the simplest yet most effective method hackers use to break into WordPress websites. The concept is straightforward: an automated script (bot) attempts to log in to your site by guessing thousands of username and password combinations every minute. Because WordPress is the most popular CMS in the world, its default…

If you've ever run a security scan on your WordPress site — say, using a tool like FunSentry — you may have seen a warning flag next to something called XML-RPC. The recommendation is almost always the same: disable it. But what exactly is XML-RPC? Why does WordPress include it? And why do security professionals…

Since WordPress 4.7, the REST API has been enabled by default. It powers the Block Editor (Gutenberg), allows "Headless" WordPress setups, and lets plugins communicate with external services. However, by default, the REST API is also publicly accessible. Anyone—including hackers and bots—can query your site’s API endpoints (/wp-json/) to extract data about your users, posts,…

The wp-config.php file is the single most important file in your WordPress installation. It contains your database credentials, authentication keys, and security constants that control how WordPress behaves at its core. Yet most WordPress administrators never touch it after the initial setup — leaving critical security features disabled by default. In this guide, we'll walk…

Cross-Site Scripting (XSS) is one of the oldest and most dangerous vulnerabilities on the web. It happens when a hacker injects malicious JavaScript into your site (e.g., via a comment form or a compromised plugin) to steal visitor data or redirect traffic. While firewalls (WAFs) try to block these attacks at the door, Content Security…

Sensitive Data Exposure consistently ranks in the OWASP Top 10 web application security risks. For WordPress sites, this usually happens not because of complex code vulnerabilities, but due to simple housekeeping errors. Developers and administrators often leave backup files, configuration snippets, or debug logs in publicly accessible directories. These files are invisible to the average…

The robots.txt file is primarily known as an SEO tool—it tells search engine crawlers like Googlebot which parts of your site they should or shouldn't access. However, from a security perspective, robots.txt is often a double-edged sword. While it can help reduce server load from bad bots, it is frequently used incorrectly to "hide" sensitive…

When you run your website through a scanner like FunSentry, Mozilla Observatory, or SecurityHeaders.com, you are often presented with a grade ranging from A+ to F. Seeing a bright red "F" can be panic-inducing. Does it mean you are hacked? Does it mean your site is broken? Not necessarily. A security score is like a…