plugin-icon

Security Hardener

Von Marc Armengou·
Basic hardening: secure headers, enumeration blocking, generic login errors, IP-based rate limiting, and optional restriction of the REST API.
Brute Force
hardening
headers
Bewertung
Füge deine Bewertung hinzu
Version
0.3
Aktive Installationen
100
Zuletzt aktualisiert
Nov 3, 2025

Security Hardener is inspired by the official WordPress hardening guide (Advanced Administration / Security / Hardening). It uses the platform’s standard functions and does not override core. Applies a prudent set of defenses:

  • Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/CORP.
  • HSTS (optional; HTTPS only).
  • Basic nonce-based CSP (optional; requires testing).
  • Disable XML-RPC and pingbacks (optional; enabled by default).
  • Hide the WordPress version in the <head>.
  • Block user enumeration via /?author= by returning 404.
  • Generic login errors (prevents information leakage).
  • IP-based login rate limiting with transients (configurable threshold and window).
  • Restrict the REST API to authenticated users, with a minimal allowlist for oEmbed/index.

⚠️ Important: The restrict REST API option and CSP can affect integrations and plugins. Test it in staging first.

Privacy: the plugin does not send data to external services or create new tables. It only uses transients to count failed login attempts.

Kostenlosmit dem Business-Tarif
Jetzt starten
Mit deiner Installation stimmst du den Geschäftsbedingungen von WordPress.com sowie den Bedingungen für Drittanbieter-Plugins zu.
Getestet bis
WordPress 6.8.3
Dieses Plugin steht für deine -Website zum Download zur Verfügung.
Herunterladen