WT Hardening
WordPress hardening without touching your theme: XML-RPC, user enumeration, login limiter, security headers, strong passwords, event log.
WT Hardening is a lightweight, modular security plugin that turns on the most important WordPress hardening measures without modifying your theme, wp-config.php, or .htaccess. Everything works through WordPress hooks and can be disabled at any moment with a single click.
The plugin is completely free, without a PRO version, without ads, and without sending data to external servers. Built by the webmasters.team crew for daily WordPress work.
Modules
- XML-RPC — blocks `xmlrpc.php` (403) and filters the XML-RPC methods. Stops brute-force attacks through the most attacked WordPress endpoint.
- User enumeration — hides logins by blocking `/wp/v2/users` in the REST API for unauthenticated users.
- Author archive — redirects `/?author=1` to the homepage (another enumeration vector).
- Hide WP version — removes the `<meta name="generator">` tag, `?ver=` query strings from assets, and redundant meta tags (wlwmanifest, rsd, shortlink).
- X-Pingback — removes the `X-Pingback` HTTP header from all responses.
- Login errors — replaces the specific “wrong login / wrong password” messages with a single generic text (does not reveal whether a login exists).
- Login limiter — blocks an IP for X minutes after N failed attempts. Data lives in a dedicated table (not `wp_options`), with hourly cleanup of old entries.
- File editor — sets `DISALLOW_FILE_EDIT`, hiding the theme and plugin editor in the admin (an attacker who compromises an account cannot inject a backdoor through the browser).
- Password policy — enforces minimum length and complexity (upper and lower case, digits, optionally symbols) for profile updates, registration, and password reset.
- Security HTTP headers — `X-Frame-Options`, `X-Content-Type-Options`, `Referrer-Policy`, `Permissions-Policy`, optionally `HSTS` (use with care — browsers cache it for a year).
- Event log — records logins (successful and failed), registrations, user changes, plugin activations and deactivations, theme switches, and settings updates. Retention defaults to 30 days. Visible in the admin panel.
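To show how the hook-only approach works, here is an added example (not WT Hardening's own code) that implements the stateless modules from the list above as a small mu-plugin. It uses only core WordPress hooks and constants; the text domain `wt-hardening-example` and the opt-in `WT_EXAMPLE_ENABLE_HSTS` constant are assumptions made for this example.

```php
<?php
/**
 * Added example, not WT Hardening's own code: hardening measures wired
 * through core hooks only. Nothing here touches the theme, wp-config.php
 * or .htaccess. Place the file in wp-content/mu-plugins/ to try it.
 */

// XML-RPC: disable the API and answer direct hits on xmlrpc.php with 403.
// xmlrpc.php defines XMLRPC_REQUEST before loading WordPress, so the
// constant is the reliable way to recognise the request on 'init'.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit;
    }
} );

// User enumeration: drop every /wp/v2/users route from the REST index for
// visitors who are not logged in (editors still need them in the admin).
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// Author archive: send /?author=N and /author/<login>/ to the homepage.
// Priority 0 runs before redirect_canonical (priority 10), which would
// otherwise reveal the login by redirecting /?author=1 to /author/<login>/.
add_action( 'template_redirect', function () {
    if ( is_author() || isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 0 );

// Hide WP version: generator tag, discovery links and ?ver= on assets.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wp_shortlink_wp_head' );
$wt_example_strip_ver = function ( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
};
add_filter( 'style_loader_src', $wt_example_strip_ver );
add_filter( 'script_loader_src', $wt_example_strip_ver );

// X-Pingback: core adds this header through the wp_headers filter, so it
// can be removed at the same place.
add_filter( 'wp_headers', function ( array $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Login errors: one generic message, whatever the actual cause.
add_filter( 'login_errors', function () {
    return esc_html__( 'Login failed. Please check your credentials.', 'wt-hardening-example' );
} );

// File editor: define the constant here when wp-config.php has not.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// Security headers. HSTS stays opt-in: browsers cache it for max-age
// seconds, so it is only sent on HTTPS and only when explicitly enabled.
add_action( 'send_headers', function () {
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
    if ( is_ssl() && defined( 'WT_EXAMPLE_ENABLE_HSTS' ) && WT_EXAMPLE_ENABLE_HSTS ) {
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

A quick check after installing it: `curl -sI https://example.test/` should show the new headers and no `X-Pingback`, `curl -s https://example.test/wp-json/wp/v2/users` should return a `rest_no_route` error, and an unauthenticated POST to `xmlrpc.php` should get a bare 403.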
What makes it different
- Modular architecture — each module is a separate class and can be disabled in the settings without affecting the others.
- Zero external dependencies — no Composer, no vendor lock-in, no cloud APIs.
- No data leaves the instance — everything stays in the local MySQL/MariaDB database.
- Internationalization ready — full coverage with `__()` / `esc_html__()` and a POT file for translators.
- Clean uninstall — when the plugin is removed, options, tables, and cron jobs are dropped.
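The modular, self-cleaning design described above is easiest to see on the one module that keeps state, the login limiter. The following is an added example (not WT Hardening's own code) of such a module as a single class: a dedicated table created with `dbDelta` instead of `wp_options`, an hourly cron cleanup, and an uninstall routine that drops the table, the option and the cron event. The class name, table name, option name, cron hook, text domain and the two limits (5 attempts, 15 minutes) are assumptions made for this example.

```php
<?php
/**
 * Added example, not WT Hardening's own code: a login-limiter module with
 * its own table, hourly cleanup and clean uninstall. All names below are
 * assumptions for this example.
 */
final class WT_Example_Login_Limiter {

    const MAX_ATTEMPTS      = 5;   // N failed attempts ...
    const LOCKOUT_MINUTES   = 15;  // ... lock the IP for X minutes
    const CRON_HOOK         = 'wt_example_login_limiter_cleanup';
    const OPTION_DB_VERSION = 'wt_example_login_limiter_db_version';

    public static function table(): string {
        global $wpdb;
        return $wpdb->prefix . 'wt_example_login_failures';
    }

    public static function register( string $plugin_file ): void {
        register_activation_hook( $plugin_file, [ __CLASS__, 'activate' ] );
        register_uninstall_hook( $plugin_file, [ __CLASS__, 'uninstall' ] );
        add_action( 'wp_login_failed', [ __CLASS__, 'record_failure' ] );
        // Priority 40 runs after core's password (20) and cookie (30) checks,
        // so a WP_Error returned here is not overwritten by a valid login.
        add_filter( 'authenticate', [ __CLASS__, 'maybe_block' ], 40 );
        add_action( self::CRON_HOOK, [ __CLASS__, 'cleanup' ] );
    }

    public static function activate(): void {
        global $wpdb;
        require_once ABSPATH . 'wp-admin/includes/upgrade.php';
        dbDelta( 'CREATE TABLE ' . self::table() . ' (
            id bigint(20) unsigned NOT NULL AUTO_INCREMENT,
            ip varchar(45) NOT NULL,
            attempted_at datetime NOT NULL,
            PRIMARY KEY  (id),
            KEY ip_time (ip, attempted_at)
        ) ' . $wpdb->get_charset_collate() . ';' );
        update_option( self::OPTION_DB_VERSION, '1' );
        if ( ! wp_next_scheduled( self::CRON_HOOK ) ) {
            wp_schedule_event( time(), 'hourly', self::CRON_HOOK );
        }
    }

    // Clean uninstall: drop everything the module created, nothing else.
    public static function uninstall(): void {
        global $wpdb;
        wp_clear_scheduled_hook( self::CRON_HOOK );
        delete_option( self::OPTION_DB_VERSION );
        $wpdb->query( 'DROP TABLE IF EXISTS ' . self::table() );
    }

    // REMOTE_ADDR only: X-Forwarded-For is client-supplied unless a trusted
    // proxy rewrites it, and honouring it would let a client pick which
    // address gets locked.
    private static function client_ip(): string {
        return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    }

    private static function window_start(): string {
        return gmdate( 'Y-m-d H:i:s', time() - self::LOCKOUT_MINUTES * MINUTE_IN_SECONDS );
    }

    public static function recent_failures( string $ip ): int {
        global $wpdb;
        return (int) $wpdb->get_var( $wpdb->prepare(
            'SELECT COUNT(*) FROM ' . self::table() . ' WHERE ip = %s AND attempted_at > %s',
            $ip, self::window_start()
        ) );
    }

    public static function is_locked( string $ip ): bool {
        return self::recent_failures( $ip ) >= self::MAX_ATTEMPTS;
    }

    // Attempts made while already locked are rejected in maybe_block() and
    // are not recorded, so hammering a locked address does not extend it.
    public static function record_failure( string $username ): void {
        global $wpdb;
        $ip = self::client_ip();
        if ( self::is_locked( $ip ) ) {
            return;
        }
        $wpdb->insert( self::table(), [ 'ip' => $ip, 'attempted_at' => gmdate( 'Y-m-d H:i:s' ) ], [ '%s', '%s' ] );
    }

    public static function maybe_block( $user ) {
        if ( self::is_locked( self::client_ip() ) ) {
            return new WP_Error( 'wt_example_locked_out',
                esc_html__( 'Too many failed login attempts. Please try again later.', 'wt-hardening-example' ) );
        }
        return $user;
    }

    // Hourly cron: rows older than the lockout window no longer matter.
    public static function cleanup(): void {
        global $wpdb;
        $wpdb->query( $wpdb->prepare( 'DELETE FROM ' . self::table() . ' WHERE attempted_at <= %s', self::window_start() ) );
    }
}

WT_Example_Login_Limiter::register( __FILE__ );
```

Because the failure rows are time-stamped and counted over a sliding window, the lockout expires on its own X minutes after the last real failure; the cron job only keeps the table small. Disabling the module means not calling `register()`, which leaves every other module untouched.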
What WT Hardening does NOT do (by design)
- Does not scan for malware — that is a different problem, a different toolset.
- Does not ship telemetry to the cloud — all data is local.
- Does not add a WAF at the application layer — that belongs to the server or CDN.
For those needs we recommend dedicated plugins (e.g. Wordfence) or an infrastructure layer (Cloudflare, fail2ban).
