tanjilahmed87@gmail.com

WordPress · 6 min read

Hardening WordPress for Client Sites That Handle Real Traffic

WordPress's security reputation is mostly a plugin and configuration problem. A hardened, well-maintained install is genuinely solid.

Tanjil Ahmed

Lead Software Engineer · Notionhive

WordPress powers a huge share of the web, which makes it a huge share of the attack surface scanners probe automatically — and it earns a security reputation that's mostly about unpatched plugins and default configurations, not the core software itself.

  • Disable file editing from the admin dashboard (`DISALLOW_FILE_EDIT`) — it removes a common post-compromise persistence method.
  • Limit login attempts and enforce 2FA for every admin-level account, without exception for 'just one client contact.'
  • Keep plugin count deliberately small and audited — every plugin is a piece of code you didn't write, running with real privileges.
  • A web application firewall at the edge (Cloudflare or similar) blocks the automated scanning traffic before it ever reaches PHP.
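The login-attempt limit from the list above, written out as an added must-use plugin example; it is not the post's or Notionhive's own code, and the thresholds, the IP-plus-username key and the log line are my assumptions:

```php
<?php
/**
 * Must-use plugin, assumed path: wp-content/mu-plugins/login-rate-limit.php
 * Added example for the post above, not WordPress core's or Notionhive's code.
 * Assumed policy: 5 failures per IP+username, then a 15-minute lock.
 * Pair with define( 'DISALLOW_FILE_EDIT', true ); in wp-config.php, and keep
 * 2FA and the edge WAF; this only slows down password guessing at the PHP layer.
 */

const LRL_MAX_FAILURES    = 5;
const LRL_LOCKOUT_SECONDS = 15 * MINUTE_IN_SECONDS;

function lrl_key( $username ) {
    // Behind a proxy or WAF, REMOTE_ADDR is the proxy address; restore the real
    // client IP at the web server instead of trusting X-Forwarded-For here.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lrl_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

// Count each failure; wp_login_failed receives the submitted username.
// Rejections issued during a lockout also fire this hook, which extends the lock.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lrl_key( $username );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LRL_LOCKOUT_SECONDS );
    if ( $count >= LRL_MAX_FAILURES ) {
        // Constructed log line so the lockout shows up for whoever watches the site.
        error_log( sprintf( 'login lockout: user=%s ip=%s', $username, $_SERVER['REMOTE_ADDR'] ?? '?' ) );
    }
} );

// Runs after core's password checks (priority 20/30/99), so during a lockout
// even a correct password is replaced by an error instead of a logged-in user.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( lrl_key( $username ) ) >= LRL_MAX_FAILURES ) {
        return new WP_Error( 'too_many_attempts', __( 'Too many failed logins. Try again later.' ) );
    }
    return $user;
}, 100, 3 );

// A successful login clears the counter for that IP+username pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lrl_key( $user_login ) );
}, 10, 1 );
```

Transients live in the options table (or the object cache if one is configured), so the counters survive across PHP workers without extra infrastructure.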

Every WordPress breach I've cleaned up traced back to an outdated plugin or a shared, unrotated admin password — never to a flaw in WordPress core itself. Hardening WordPress is mostly operational discipline, applied consistently, not exotic security engineering.

I've never cleaned up a WordPress breach caused by WordPress core. I've cleaned up plenty caused by an unpatched plugin nobody was watching.