My Account

Hardening WordPress Security with AdminEase

Eleven toggles that close the most-exploited WordPress attack surfaces — with explicit notes on what each one actually writes to your server, and what it will break if you flip it without thinking.

Search the docs

⌘ K
Try "heartbeat", "restore from S3", or "WP-

Popular

License activation

WP-CLI install

Restore a backup

Hooks reference

What you'll have when you finish

A WordPress install that no longer leaks its version number, no longer answers XML-RPC requests, no longer lets random visitors enumerate your admin username, no longer serves wp-config.php or .env files when asked, and refuses passwords that a brute-force bot would crack in seconds. Eleven separate hardening measures, all configured from one settings screen, all reversible from the same place.

  • Prerequisites: WordPress 5.0+, PHP 7.4+, Apache or LiteSpeed. Most rules write to .htaccess; Nginx users need equivalent server-block rules, noted where it matters.
  • You'll need access to: a WordPress admin account, and a working backup taken before you start.
  • Time: 15 to 25 minutes if you read the warnings, longer if you skip them.
Before you touch anything Take a full backup. Several of these toggles write to wp-config.php and .htaccess, files that, if corrupted, will lock you out of your own site. AdminEase manages the changes cleanly. Every block it writes is surrounded by named markers (# ADMINEASE_<RULE> BEGIN through # ADMINEASE_<RULE> END in .htaccess, and the same with // comments in wp-config.php), but a backup is non-negotiable on any site that earns money.
The 11-step checklist
  1. Force strong passwords
  2. Disable file editing from the dashboard
  3. Disallow all file modifications (production sites only)
  4. Hide the WordPress version
  5. Hide the PHP version
  6. Disable XML-RPC
  7. Disable or restrict the REST API
  8. Block access to sensitive files
  9. Block directory browsing
  10. Block author enumeration scans
  11. Disable pingbacks and trackbacks

Most "secure your WordPress" guides hand you a list of toggles and stop there. The problem is that several of these toggles will quietly break things you actually use. Gutenberg stops loading, your mobile workflow stops working, plugin auto-updates fail silently, and you will not know which toggle caused it because you flipped six of them at once.

This walkthrough goes the opposite direction. We do them in order, one at a time, with the specific failure mode for each one called out before you enable it. AdminEase groups its settings into tabs. Most of what we will touch lives under WP Admin › AdminEase › Security › Hardening, a few under Security › Access Control, and the password rules under Users › Authentication. Each section below names the exact path.

1. Force strong passwords

The single highest-leverage change in this list. WordPress's built-in password meter suggests strong passwords but does not enforce them. A user with admin rights can still set their password to password123, and on a site with multiple editors at least one will eventually do exactly that.

AdminEase enforces a real policy server-side, applied at three moments: new user registration, password reset, and profile update. The policy can require any combination of: minimum length (default 8, max 64), at least one uppercase letter, at least one lowercase letter, at least one digit, at least one special character. Each rule maps directly to a regex check, so weak passwords are rejected with a specific error message rather than silently downgraded.

Enable it: Go to AdminEase › Users › Authentication › Force strong passwords. Set minimum length to 12 (eight is too short for 2026). Leave all four character-class requirements on. Save.
Pro tip If you manage client sites where staff push back on long passwords, frame it as "12 characters with one symbol" rather than "you need uppercase, lowercase, numbers, and a special character." Same policy, less resistance.

2. Disable file editing from the dashboard

WordPress ships with a built-in code editor at Appearance › Theme File Editor and Plugins › Plugin File Editor. Anyone with admin rights can use it to rewrite functions.php live on a production site. An attacker who phishes a single admin password gets the same capability, which is how a remarkable number of WordPress compromises escalate from "leaked credentials" to "fully backdoored server" in under sixty seconds.

AdminEase disables both editors by writing define('DISALLOW_FILE_EDIT', true); into wp-config.php. It is the standard fix, recommended in WordPress's own hardening documentation, and there is essentially no downside on a properly managed site.

Enable it: AdminEase › Security › Hardening › Disable file edit. Save. Verify by reloading the admin and checking that the "Theme File Editor" submenu is gone.
What it actually does Adds one line to wp-config.php, wrapped in // ADMINEASE_DISALLOW_FILE_EDIT BEGIN / END markers. Reversible: turn the toggle off and the line is removed.

3. Disallow all file modifications (production sites only)

The stricter sibling of the previous toggle. DISALLOW_FILE_MODS blocks all file writes from the admin: no plugin installs, no plugin updates, no theme installs, no theme updates, no core updates. The site becomes read-only from WordPress's perspective.

This is exactly what you want on a production site whose deploys are managed by Git, CI/CD, or a managed-host workflow like WP Engine's Git integration. It is exactly what you do not want on a small site whose owner expects to update Yoast from the dashboard on a Tuesday afternoon.

Enable it: Only on sites where deploys are external. AdminEase › Security › Hardening › Disallow file modifications. Save.
What this breaks Auto-updates. Manual updates from the dashboard. Plugin install. Theme install. If you turn this on and then someone asks "why won't WordPress let me install Akismet," this is the answer. Keep it off unless your deployment pipeline genuinely runs outside WordPress.

4. Hide the WordPress version

By default, WordPress publishes its version number in two visible places that AdminEase addresses: a <generator> element in every RSS feed, and the ?ver=6.5.2 query string appended to enqueued stylesheets and scripts. An attacker scanning the web for sites running a specific vulnerable version finds you in milliseconds.

AdminEase empties the RSS generator output and strips the ?ver= parameter from script and style URLs only when the value matches the current WordPress version. Other version strings (plugin-specific cache busters, theme versions) are left alone, so this does not break asset caching elsewhere.

Enable it: AdminEase › Security › Hardening › Hide WordPress version. Save.
Reality check Determined attackers can still fingerprint your WordPress version through the structure of generated HTML and the presence of specific JS files. Hiding the version is not invisibility, it is removing the welcome mat. Worth doing, but pair it with actually keeping WordPress updated.

5. Hide the PHP version

Apache and many shared-hosting setups expose your PHP version in the X-Powered-By response header on every request. The information is useless to legitimate visitors and a free gift to vulnerability scanners. AdminEase writes an Apache rule to unset the header for every response.

Enable it: AdminEase › Security › Hardening › Hide PHP Version. Save.

The rule AdminEase adds to .htaccess (between # ADMINEASE_HIDE_PHP_VERSION BEGIN and END markers):

<IfModule mod_headers.c>
    Header unset X-Powered-By
    Header always unset X-Powered-By
</IfModule>
Nginx users The .htaccess rule will not apply. Add fastcgi_hide_header X-Powered-By; to your server block, or remove the expose_php = On setting in php.ini at the source.

6. Disable XML-RPC

XML-RPC is the legacy remote-API endpoint at /xmlrpc.php. It exists so that desktop blogging clients, older mobile apps, and the Jetpack plugin can talk to your site. It is also the single most-abused endpoint in WordPress for brute-force credential attacks: a single XML-RPC request can test multiple passwords at once, which bypasses login-rate-limiting plugins that only watch wp-login.php.

If you do not use Jetpack or a remote publishing client, turn XML-RPC off. AdminEase writes a hard deny to .htaccess. Blocked at the web server, never reaches PHP, costs the attacker zero CPU on your end.

Enable it: AdminEase › Security › Hardening › Disable XML-RPC. Save.

The rule written to .htaccess is the standard hard deny:

<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
What this breaks Jetpack's connection to wordpress.com (some features). Any third-party publishing tool that posts via XML-RPC. If your client genuinely depends on one of these, leave the toggle off and look at restricting xmlrpc.php by other means at the host or firewall layer.

7. Disable or restrict the REST API

The REST API is the modern successor to XML-RPC and is far more widely used. Gutenberg uses it. Elementor uses it. Most modern themes use it. The contact-form plugin probably uses it. You almost never want to disable the REST API outright, but you also probably do not want anonymous visitors querying /wp-json/wp/v2/users and getting a public list of every admin username.

AdminEase's compromise: a parent toggle "Disable REST API" plus a child toggle "Enable for logged-in users." Turn on both. Now anonymous requests get a 403 and the user-enumeration endpoint is closed, but Gutenberg and the page builder still work for editors who are logged in.

Enable it (recommended for most sites): AdminEase › Security › Hardening › Disable REST API set to ON. Then enable the child toggle "Enable for logged-in users" also ON. Save.
What this breaks if you disable it without the logged-in bypass Gutenberg will fail to load. Elementor's editor will error. Any plugin that uses the REST API anonymously (some contact forms, some search plugins) will break. The "Enable for logged-in users" child toggle exists precisely to avoid this. Use it.
Developer note If you ever need to bypass the block in code (for an integration that runs as a non-logged-in identity), AdminEase exposes the adminease_disable_rest_api_bypass filter. Return true from a mu-plugin and the REST gate is skipped. Use sparingly, this is an escape hatch, not a feature.

8. Block access to sensitive files

This single toggle adds Apache rules denying direct access to file types attackers routinely scan for: .ht* files, any .env file, wp-config.php, generic config.php and configuration.php, composer.json, composer.lock, package.json, package-lock.json, yarn.lock, files starting with .git, README and CHANGELOG files, and anything ending in .ini, .bak, .backup, .old, .orig, .tmp, .log, .sql, or ~. The same rule set also blocks the .git, .svn, and .hg directories via mod_rewrite.

The most common real-world threat this defends against: a developer who accidentally commits wp-config.php.bak or database.sql to the document root. Without this rule, those files are world-readable. With it, they return 403.

Enable it: AdminEase › Security › Access Control › Block access to sensitive files. Save.
What's safe and what's not Nothing legitimate should be served from wp-config.php or .git/ on a production site. If something does break after enabling this, you almost certainly have a configuration problem you wanted to know about.

9. Block directory browsing

If a directory in your WordPress install has no index.php or index.html, Apache's default behavior is to show its contents as a clickable file listing. wp-content/uploads/ is the most common culprit. Directory listings expose filenames, modification dates, and structure that you simply do not want public.

AdminEase adds a single Apache directive, Options -Indexes, that turns directory listings off globally. Modern hosts usually have this set already, but "usually" is not "always."

Enable it: AdminEase › Security › Access Control › Block directory browsing. Save. Test by visiting your-site.com/wp-content/uploads/2025/01/ in an incognito window. You should get 403, not a file list.

10. Block author enumeration scans

Two URLs on a default WordPress site leak admin usernames to anyone who asks. The first is your-site.com/?author=1. WordPress redirects to /author/admin-username/, revealing the username in the URL. The second is /wp-json/wp/v2/users, which returns a JSON list of all users with published posts. Attackers script both, harvest usernames, and feed them to brute-force tools.

AdminEase blocks both at the Apache layer, but only for unauthenticated requests. Logged-in admins can still use the author archives normally. The rule checks for the presence of the wordpress_logged_in cookie and the Authorization header, and rejects only requests that have neither.

Enable it: AdminEase › Security › Access Control › Block author scans. Save.
What this can break Depending on your permalink configuration, public "posts by author" archive pages may stop working for logged-out visitors. If your blog actively uses author archive pages as part of its content strategy (a magazine-style site, for example), test these pages after enabling and decide whether the trade-off is acceptable.

11. Disable pingbacks and trackbacks

Pingbacks were a 2004-era feature designed so that two blogs could automatically link to each other when one cited the other. Today they serve one practical purpose: they let an attacker use your site as an unwitting amplifier in a DDoS attack against a third party. The pingback request is small; the response WordPress sends is large. Multiply by a botnet and your site is suddenly the attack tool.

AdminEase disables pingbacks in four places simultaneously: it removes the pingback.ping XML-RPC method, strips the X-Pingback response header, sets the default ping status on new posts to "closed," and filters out internal pingbacks (the ones WordPress would otherwise send to itself when you link from one of your posts to another).

Enable it: AdminEase › Security › Hardening › Disable pingbacks. Save.
What this breaks Nothing of value on most modern sites. Pingback notifications in comments, a feature most sites already moderate into oblivion.

Where to go from here

You have just closed eleven of the most-scanned WordPress attack surfaces in the time it takes to drink a coffee. The single change that gives you the most security per minute is force strong passwords; the change that protects you against the noisiest class of automated attacks is the XML-RPC plus REST API restriction combo; the change that quietly saves you the day a developer commits the wrong file is block access to sensitive files.

Next, layer geo-blocking and bot protection on top. See the companion tutorial "Geo-Blocking & Bot Protection: Restricting Access by Country and Bot Type". Then put the whole site behind a maintenance or password gate when you need to take it private for a migration or staging cycle.

Frequently asked questions

Will enabling all eleven of these break my site?

Not on a normal WordPress install. The two toggles that have real failure modes are Disallow file modifications (breaks plugin updates from the dashboard) and Disable REST API without the logged-in bypass (breaks Gutenberg). Read those two sections carefully; the others are safe defaults on virtually every site.

I'm on Nginx, not Apache. Does any of this work?

The wp-config.php toggles (file edit, file mods) work everywhere because they are PHP-level. The .htaccess toggles (hide PHP version, XML-RPC block, sensitive file block, directory browsing, author scans) only apply on Apache and LiteSpeed. On Nginx you need equivalent server-block rules. AdminEase will save the settings but the rules will not take effect. Translate them or ask your host.

What if I lock myself out of the admin?

The most common cause is enabling Disable REST API without the "Enable for logged-in users" child toggle on a site that depends on REST-driven editing. The reliable recovery: connect via SFTP or your host's file manager, go to wp-content/plugins/, and rename the adminease folder to something like adminease-disabled. WordPress will deactivate the plugin on its next load and your admin will come back. After you log in, rename the folder back, reactivate, and try again with the bypass enabled.

Do I still need a security plugin like Wordfence or Solid Security after this?

AdminEase handles configuration hardening. Wordfence and Solid Security handle malware scanning, firewall rules, and live login-attempt monitoring, which are different categories of work. The honest answer is that the two stacks are complementary on a high-value site, and AdminEase alone is sufficient on a low-traffic informational site that is kept up to date.

How do I verify each setting actually applied?

For wp-config.php changes, open the file via SFTP and look for blocks delimited by // ADMINEASE_DISALLOW_FILE_EDIT BEGIN through END (and the equivalent for DISALLOW_FILE_MODS). For .htaccess changes, open .htaccess in the WordPress root and look for blocks delimited by # ADMINEASE_<RULE_NAME> BEGIN through # ADMINEASE_<RULE_NAME> END, for example # ADMINEASE_BLOCK_DIRECTORY_BROWSING BEGIN. For hide-version, view-source your homepage feed and confirm the <generator> element is empty. For XML-RPC, request your-site.com/xmlrpc.php and confirm you get a 403.

Was this article helpful?

Yes
No
On this page
Back to top
Copy link to article