Hardening Procedures
Follow Excel list
Standard Plugins
Wordfence
Duplicate Page by mndpsingh287
Redirection (John Godley)
Yoast SEO
Simple History (Records admin/editor events)
Procedures for Elementor
Elementor PRO
Astra PRO
Use the header, footer, menu and colors features from Astra Pro, and use Elementor Pro only for building pages. Don't use Elementor for posts; use it for pages only.
Astra Child - For any custom code
Wordfence Settings
Firewall
Enabled and Protecting
Rate limiting: the defaults are too permissive. Tighten to something like:
- If a crawler's page views exceed: 60 per minute → throttle
- If a crawler's pages not found (404s) exceed: 20 per minute → block for 1 hour
- If a human's page views exceed: 120 per minute → throttle
- If a human's pages not found (404s) exceed: 30 per minute → block
- Block fake Google crawlers: enabled
- How long is an IP address blocked: 1 hour minimum (longer is better)
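Before applying the per-minute limits above, it is worth replaying a day of access logs through them to see which clients would be throttled or blocked. The following is an added example (not part of this checklist and not Wordfence code) that buckets combined-format log lines by client IP and minute and applies the four thresholds; the crawler heuristic (user agents containing "bot", "crawler" or "spider") and the sample traffic are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Per-minute limits from the rate-limiting settings above.
CRAWLER_VIEWS, CRAWLER_404S = 60, 20
HUMAN_VIEWS, HUMAN_404S = 120, 30

# Combined log format (assumed layout); we need ip, timestamp, status and user-agent.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "[^"]*" '
                    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$')
# Crude crawler heuristic for the example; Wordfence classifies crawlers its own way.
BOT_UA = re.compile(r'bot|crawler|spider', re.IGNORECASE)

def classify_clients(lines):
    """Return {ip: set of actions ('throttle'/'block') the limits above would trigger}."""
    views = defaultdict(int)    # (ip, minute) -> requests seen
    missing = defaultdict(int)  # (ip, minute) -> 404 responses
    is_bot = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line: skip instead of aborting the whole run
        ip, minute = m['ip'], m['ts'][:17]  # '10/Oct/2024:13:55' -> minute bucket
        is_bot[ip] = bool(BOT_UA.search(m['ua']))
        views[(ip, minute)] += 1
        if m['status'] == '404':
            missing[(ip, minute)] += 1
    tripped = defaultdict(set)
    for (ip, _), n in views.items():
        if n > (CRAWLER_VIEWS if is_bot[ip] else HUMAN_VIEWS):
            tripped[ip].add('throttle')
    for (ip, _), n in missing.items():
        if n > (CRAWLER_404S if is_bot[ip] else HUMAN_404S):
            tripped[ip].add('block')
    return dict(tripped)

def sample_log():
    """Constructed sample traffic (not real logs) for three client behaviours."""
    fmt = '{ip} - - [10/Oct/2024:13:55:{s:02d} +0000] "GET {p} HTTP/1.1" {st} 512 "-" "{ua}"'
    lines = [fmt.format(ip='203.0.113.9', s=i % 60, p=f'/old-{i}', st=404, ua='Mozilla/5.0')
             for i in range(35)]                       # browser-like client probing 35 dead URLs
    lines += [fmt.format(ip='198.51.100.7', s=i % 60, p=f'/post-{i}', st=200,
                         ua='ExampleBot/1.0') for i in range(70)]  # crawler fetching 70 pages
    lines += [fmt.format(ip='192.0.2.4', s=i * 10, p=f'/page-{i}', st=200, ua='Mozilla/5.0')
              for i in range(5)]                       # ordinary visitor, well under limits
    return lines
```

Run `classify_clients(open('access.log'))` against a real log before tightening the limits; if legitimate office or monitoring addresses show up, add them to the allowlist first.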
Login Security
Under Login Security → Settings:
- Require 2FA for all administrators: yes. Also enable it for Editors and any role with edit_pages/publish_posts.
- Allow remembering device for 30 days: optional, but reasonable for an internal team.
- Disable XML-RPC authentication unless you specifically need it (Jetpack, mobile app posting). Most sites don't.
- Require 2FA for XML-RPC if you can't disable it.
- Enable reCAPTCHA v3 on the login, registration, and lost-password forms with a score threshold around 0.5.
- Add an exception for the office IP address.
Brute Force Protection
- Lock out after 8 login failures (default is 20)
- Lock out after 10 forgot-password attempts
- Count failures over 5 minutes
- Lockout duration: 60 minutes minimum
- Immediately lock out invalid usernames: yes; this defeats username enumeration via the login form
- Don't let WordPress reveal valid users in login errors: yes
- Prevent users registering "admin", "root", "administrator", etc.: yes
- Block IPs who send POST requests with blank User-Agent and Referer: yes; this is a pure botnet signature
Scans
Wordfence's default scan profile is "Standard." Switch to High Sensitivity for production sites; the false-positive rate is manageable and you catch more. Specifically enable:
- Scan files outside your WordPress installation
- Scan images, binary, and other files as if they were executable
- Scan posts/comments/options for known dangerous URLs and suspicious content
- Monitor disk space
- Scan for publicly accessible config, backup, or log files
- Check the strength of passwords (this flags weak admin passwords)
- Check if registered usernames exist as publicly visible authors (enumeration check)
Schedule scans daily, during off-peak hours.
All Options → General Wordfence Options → Disable Code Execution for Uploads directory
SEO Settings
XML Sitemaps
Google indexing