Hardening WordPress in 2026 — the checklist we actually run on customer sites
May 19, 2026 · 1 min read · by Sudhanshu K.
Most "Top 50 WordPress Security Tips" articles are noise. They list "use a strong password" next to genuinely useful controls, and a reader has no way to tell which items matter.
This is the checklist we run against every new WordPress site that comes under managed hosting. Each item is here because we've seen the attack it prevents land on a real customer in the last 18 months. Run the controls on this list and you'll defend against approximately 95% of what shows up at WordPress origins.
The wp-config hardening pass
define('DISALLOW_FILE_EDIT', true);      // no theme/plugin editor in the dashboard
define('DISALLOW_FILE_MODS', true);      // no plugin/theme install or update from the dashboard (implies the line above)
define('WP_AUTO_UPDATE_CORE', 'minor');  // core auto-updates limited to minor/security releases
define('FORCE_SSL_ADMIN', true);         // wp-admin and wp-login.php only over HTTPS
define('WP_DEBUG', false);               // never render debug output on a production site

The two heavy-hitters: DISALLOW_FILE_EDIT removes the in-dashboard theme/plugin editor, so a compromised admin account can't drop a webshell through the UI. DISALLOW_FILE_MODS goes further and blocks plugin and theme installs and updates from the dashboard entirely, which is correct for sites where deploys come through CI. Plan for one consequence: DISALLOW_FILE_MODS also switches off WordPress's automatic updater (it checks wp_is_file_mod_allowed() before running), so with it set the WP_AUTO_UPDATE_CORE line is inert and minor core releases have to be applied by the same pipeline that ships plugins, for example wp-cli in CI.
The full write-up covers:
- File-system permissions and the noexec mount on wp-content/uploads. Caveat: noexec stops dropped binaries and scripts from being executed directly; a PHP webshell is read and interpreted by the web server, so uploads also needs a web-server rule that refuses to execute .php (and .phtml, .phar) under that path.
- Disabling XML-RPC (or rate-limiting it) — the system.multicall brute-force amplifier, which lets one HTTP request carry hundreds of login attempts
- REST API endpoints that leak usernames (the /wp/v2/users collection is readable without authentication), and how to block them cleanly
- Fail2ban jails that actually count failed wp-login.php POSTs — a failed login returns 200 and a successful one returns 302, so a jail that matches every POST to wp-login.php bans legitimate users
- 2FA enforcement (TOTP minimum, WebAuthn for small teams)
- AIDE/Tripwire file-integrity monitoring as the post-compromise safety net
- Plugin and theme allowlisting — the abandoned-plugin problem
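The XML-RPC, REST-username and Fail2ban items above can all be shipped as a single must-use plugin. The following is an added example written for this page, not the article's own baseline code or anything from WordPress core. It uses only core hooks (xmlrpc_methods, xmlrpc_enabled, rest_endpoints, wp_login_failed). For the Fail2ban item it swaps in a different technique from the one the list names: instead of a jail that parses access-log status codes, the plugin writes one syslog line per actual failed login, which gives the jail an unambiguous pattern. It assumes a stock install where REMOTE_ADDR is the real client address (set your proxy's real-IP module if the site sits behind a CDN or load balancer) and that nothing on the site depends on system.multicall or on anonymous reads of the users endpoint.

```php
<?php
/**
 * Plugin Name: Hardening baseline (added example)
 *
 * Drop into wp-content/mu-plugins/ so it loads before regular plugins and
 * cannot be deactivated from the dashboard.
 */

// 1. XML-RPC: remove system.multicall so one request can no longer carry
//    hundreds of wp.getUsersBlogs login attempts. Every other method stays,
//    so Jetpack or the mobile app keep working and can be rate-limited at
//    the edge instead.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['system.multicall'] );
    return $methods;
} );

// If nothing legitimately uses XML-RPC at all, uncomment the next line.
// wp_xmlrpc_server::login() consults this filter before it touches a
// password, so authenticated calls are refused without a credential check.
// add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. REST API: /wp/v2/users lists every author with a published post, and the
//    "slug" field is normally the login name. Drop the routes for anonymous
//    requests only; logged-in users keep them because the block editor's
//    author picker needs them.
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'] );
    unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 3. Fail2ban feed: WordPress fires wp_login_failed only when a credential
//    check actually fails, so counting these lines never mis-counts a
//    successful POST. Facility LOG_AUTH lands in auth.log on most distros.
add_action( 'wp_login_failed', function ( string $username ): void {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown'; // assumes no untrusted proxy in front
    openlog( 'wordpress', LOG_PID, LOG_AUTH );
    syslog( LOG_WARNING, sprintf( 'login failed for "%s" from %s', $username, $ip ) );
    closelog();
} );
```

A Fail2ban filter for part 3 is then a single failregex such as `wordpress\[\d+\]: login failed for ".*" from <HOST>` against auth.log, with the jail's maxretry and findtime set to taste. Check the REST change with `curl -s https://example.com/wp-json/wp/v2/users` as an anonymous client: the expected result is a 404 rest_no_route error rather than a JSON list of authors, while the same request with a logged-in cookie still returns the list.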
We ship this baseline on every managed WordPress install.