WordPress Hardening
One click. Production-grade security.
The 10 security checks
Each connected WordPress site is continuously evaluated against these checks:
| # | Check | Severity | What it does |
|---|---|---|---|
| 1 | XML-RPC Disabled | High | Blocks the xmlrpc.php brute-force attack surface |
| 2 | Debug Mode Off | High | Hides PHP errors that leak paths and config |
| 3 | Directory Browsing Blocked | Medium | Prevents auto-indexing of folders |
| 4 | PHP Blocked in Uploads | Critical | Stops webshell uploads via /wp-content/uploads/ |
| 5 | File Editor Disabled | High | Removes the plugin/theme code editor in wp-admin |
| 6 | WP Version Hidden | Low | Strips the WP version from page sources |
| 7 | Force HTTPS | High | Redirects HTTP → HTTPS, sets secure cookies |
| 8 | Security Headers | Medium | HSTS, X-Frame-Options, CSP, Referrer-Policy |
| 9 | No Fatal Errors | High | Aggregated from WP error log |
| 10 | No Vulnerable Plugins | Critical | Cross-references installed plugins against WPVulnDB |
How to use it
- Install the SecureCheap plugin on your WordPress site (one-line installer)
- Connect it with your activation code from the dashboard
- Go to Infrastructure → WP Hardening
- Click Apply All Fixes on any site card, or fix individual checks
Every fix is queued, applied by the plugin, then verified back. The check only shows green after the plugin confirms the change took effect.
Per-site automation
Bulk operations work across all connected sites — apply a fix to your whole fleet in one action.
API
GET /api/v1/wp/admin/hardening-center
POST /api/v1/wp/admin/:siteId/harden-all
POST /api/v1/wp/admin/:siteId/harden/xmlrpc
POST /api/v1/wp/admin/:siteId/harden/block-php-uploads