How to Secure WordPress Installation – Hardening Best Practices on Linux

How to Secure WordPress Installation – Hardening Best Practices on Linux. Learn how to secure WordPress with these WordPress hardening tips for sites hosted on Linux servers. This tutorial uses Ubuntu 21.04.

Table of Contents

The days of WordPress as just a blogging tool are long gone. It has since evolved into a full blown CMS and a full blown enterprise website. It’s popularity is largely due to the fact that it’s free and easy to use and a massive ecosystem.  Not only it provides support to all skill levels, but also the means to extend the CMS with custom functionality by way of plugins.

The plugin vulnerabilities of WordPress are coming hard and fast. 

While WordPress is secure out of the box any modifications, plugins, themes and custom code increases the CMS’s attack surface. To this end, the WordPress Performance Team has proposed a new tool that will check plugin/custom code against best practice guidelines.

But even with such a tool in hand, if you’re running WordPress on a Linux machine (dedicated or virtual), it’s good practice to harden your WordPress installation.  This is to protect your information and to avoid crippling fines and to maintain visitor trust. Let’s get started with how to secure WordPress installation- hardening Best Practices on Linux.

How to Secure WordPress Installation - Hardening Best Practices on Linux.

Disable XML-RPC

XML-RPC was created to facilitate connection to your WordPress blog, typically via mobile phone. Useful back in the day when internet connections were slow, it has since become more of a nuisance used by threat actors for brute force attacks. Follow these steps to block access to XML-RPC:

Step 1: Open .htaccess in your website’s root directory:

					sudo nano /var/www/html/.htaccess

Note: Replace ‘html’ with your site’s directory name

Step 2: Add the following code to the top of your .htaccess file:

					# Block WordPress xmlrpc.php requests

order deny,allow
deny from all


If you’ve done a bit of research already, you’ll have seen many websites suggesting adding the following line of code to a plugin file, or optionally to functions.php in your /wp-content/themes directory:

					add_filter('xmlrpc_enabled', '__return_false');

However, as security consultant Scott Brown notes, this method is ineffective since it only blocks “authenticated XML-RPC methods, not all XML-RPC methods”.

Disable the file editor

With WordPress it is easy to edit your theme’s files from within the admin dashboard. You can see it in action at Appearance > Theme file editor. While convenient for quick changes or when you don’t have access to a terminal, it’s also a major security risk since it allows anyone with the necessary privileges to make changes to theme files and gain access to all your information.

Step 1: Open wp-config.php file in your site’s root directory:

					sudo nano /var/www/html/wp-config.php

Step 2: Add the following code to your wp-config.php file:

					define('DISALLOW_FILE_EDIT', true );

Disable file and plugin management

We can take the previous step a bit further by disabling file and plugin management in the WordPress dashboard. This is useful when, for example, a threat actor has somehow gained admin access to your WordPress dashboard, since it prevents the modification of theme files or malicious plugins from being uploaded. At the same time, it also prevents users from uploading themes and plugins which could either harm the site or introduce vulnerabilities.

When the DISALLOW_FILE_MODS constant is set to true in wp-config.php, theme installation and updates, plugin installation and updates, as well as the file editor functions are removed from the dashboard.

Note: When theme, plugin, and file functions are removed from the dashboard, you’ll have to use the WordPress CLI as a substitute to accomplish these tasks. Learn more about the WP CLI at

Step 1: Open wp-config.php file in your site’s root directory:

					sudo nano /var/www/html/wp-config.php

Step 2: Add the following code to your wp-config.php file:

					define('DISALLOW_FILE_MODS', true );

Prevent user enumeration

User enumeration refers to a process by which threat actors can determine valid WordPress users. With a valid username, attackers can attempt to brute force their way into your WordPress site.

You can easily test user enumeration on your site: add /?author=1 to your website address. For example

If users can be enumerated on your site, you’ll see the username corresponding with the user ID, along with all posts by that user. With the use of a script, the user ID can be incremented automatically to get a list of all users on the WordPress site.

Step 1: To prevent user enumeration, open the .htaccess file in your site’s root directory:

					sudo nano /var/www/html/.htaccess

Step 2: Add the following code to .htaccess

					# Prevent user enumeration
RewriteEngine    On
RewriteCond    %{REQUEST_URI}    !^/wp-admin [NC]
RewriteCond    %{QUERY_STRING}    author=\d
RewriteRule    (.*)        $1? [L,R=301]

Disable expose_php

Reducing the amount of sensitive information freely available about the software powering a WordPress site can help reduce the potential for an attack.

Type the following in a terminal window:

					curl –head

Here’s the output of a server with expose_php enabled:

					HTTP/1.1 200 OK
Date: Sat, 23 Jul 2022 08:09:39 GMT
Server: Apache/2.4.46 (Ubuntu)
X-Powered-By: PHP/7.4.16
Link: ; rel=""
Content-Type: text/html; charset=UTF-8

X-Powered-By reveals not only that we’re running PHP (which is obvious, since we’re running WordPress), but also the exact version of PHP supporting our WordPress installation. Set expose_php to off in your php.ini file:

					sudo nano /etc/php/7.4/apache2/php.ini
Then, find expose_php (around line 379 on my system) and set it to off:
					expose_php = Off

Then, restart Apache:

					sudo systemctl restart apache2

Now when we run the curl command again, we get:

					HTTP/1.1 200 OK
Date: Sat, 23 Jul 2022 08:17:11 GMT
Server: Apache/2.4.46 (Ubuntu)
Link: ; rel=""
Content-Type: text/html; charset=UTF-8

Disable the Apache server signature

When you look at the output of the curl command above, you’ll notice that it still reveals the Apache2 version, as well as our server’s operating system. Just like the PHP version number, that’s information we’d like to hide from attackers. We can achieve this by making a small change to the Apache2 security configuration file.

Step 1: Open the security.conf file:

					sudo nano /etc/apache2/conf-enabled/security.conf
Step 2: Find and change ServerTokens to Prod
					ServerTokens Prod

Step 3: Find and change ServerSignature to Off

					ServerSignature Off

Step 4: Save and close the file, then restart Apache2:

					sudo systemctl restart apache2

Now when we run our curl command, we get the following output:

					curl --head 
					HTTP/1.1 200 OK
Date: Sat, 23 Jul 2022 08:31:29 GMT
Server: Apache
Link: ; rel=""
Content-Type: text/html; charset=UTF-8

Remove WordPress version information

Above we’ve hidden information about our PHP version, Apache2 version, and our operating system. But what about our WordPress version? Removing WordPress version information can help protect against version targeted attacks. A possible use case is being unable to perform a WordPress upgrade due to potential compatibility issues. Or, you just haven’t gotten round to it yet.

We can find the WordPress version of a site by opening the site and then viewing the source of the site (CTRL+U). Press CTRL+F and search for ‘WordPress’. Alternatively, download your site’s feed file by appending /feed to your site’s URL, e.g. Open the downloaded file in a text editor, where you’ll see this line:

We can remove WordPress version information by adding a few lines of code in functions.php.
Step 1: Open functions.php in your theme directory:
					sudo nano /var/www/esque/wp-content/themes//functions.php

Step 2: Add the following code:

					/** Remove WP Version Info **/
function remove_wp_version() {
return '';
add_filter('the_generator', 'remove_version_info');


Now when you check your site’s source or feed file, you’ll see that the WordPress version number has been removed.

WP Cloud SSO plugin for WordPress

Take the security of your WordPress site to the next level with our WPCloud SSO plugin. 

Thank you for reading How to Secure WordPress Installation – Hardening Best Practices on Linux. Time to conclude. 

How to Secure WordPress with WordPress Hardening Best Practices Conclusion

Implementing these hardening best practices on Linux will help shrink the attack surface of your WordPress website. Installing an intrusion prevention package like fail2ban and a WordPress security plugin like Wordfence will go a long way to complement your CLI efforts, and help keep your WordPress installation safe.

Please take a look at our WordPress content here

Avatar for Leo De Jager
Leo De Jager

I'm a freelance writer in the tech industry. When I'm not writing about hosting-related topics, I spend my time doing calisthenics or in the ocean doing my level best to stand on a surfboard.

0 0 votes
Article Rating
Notify of
Inline Feedbacks
View all comments
Would love your thoughts, please comment.x