Title: WT Hardening
Author: Webmasters.Team
Published: May 4, 2026
Last modified: May 4, 2026

---

# WT Hardening

 By [Webmasters.Team](https://profiles.wordpress.org/webmastersteam/)

[Download](https://downloads.wordpress.org/plugin/wt-hardening.1.0.2.zip)


## Description

**WT Hardening** is a lightweight, modular security plugin that turns on the most
important WordPress hardening measures without modifying your theme, `wp-config.php`,
or `.htaccess`. Everything works through WordPress hooks and can be disabled at any
moment with a single click.

The plugin is **completely free**, without a PRO version, without ads, and without
sending data to external servers. Built by the [webmasters.team](https://webmasters.team)
crew for daily WordPress work.

#### Modules

 * **XML-RPC** — blocks `xmlrpc.php` (403) and filters the XML-RPC methods. Stops
   brute-force attacks through the most attacked WordPress endpoint.
 * **User enumeration** — hides logins by blocking `/wp/v2/users` in the REST API
   for unauthenticated users.
 * **Author archive** — redirects `/?author=1` to the homepage (another enumeration
   vector).
 * **Hide WP version** — removes the `<meta name="generator">` tag, `?ver=` query
   strings from assets, and redundant meta tags (wlwmanifest, rsd, shortlink).
 * **X-Pingback** — removes the `X-Pingback` HTTP header from all responses.
 * **Login errors** — replaces the specific “wrong login / wrong password” messages
   with a single generic text (does not reveal whether a login exists).
 * **Login limiter** — blocks an IP for X minutes after N failed attempts. Data
   lives in a dedicated table (not `wp_options`), with hourly cleanup of old entries.
 * **File editor** — sets `DISALLOW_FILE_EDIT`, hiding the theme and plugin editor
   in the admin (an attacker who compromises an account cannot inject a backdoor
   through the browser).
 * **Password policy** — enforces minimum length and complexity (upper and lower
   case, digits, optionally symbols) for profile updates, registration, and password
   reset.
 * **Security HTTP headers** — `X-Frame-Options`, `X-Content-Type-Options`,
   `Referrer-Policy`, `Permissions-Policy`, optionally `HSTS` (use with care — browsers
   cache it for a year).
 * **Event log** — records logins (successful and failed), registrations, user changes,
   plugin activations and deactivations, theme switches, and settings updates. Retention
   defaults to 30 days. Visible in the admin panel.
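The following mu-plugin-style snippet is an added illustration of how several of the modules above can be implemented purely through WordPress hooks; it is not WT Hardening's own code, and the hook names used (`xmlrpc_methods`, `rest_endpoints`, `login_errors`, `send_headers`) are core WordPress APIs rather than anything specific to this plugin.

```php
<?php
/**
 * Hook-based hardening written for this page as an added example; it is
 * NOT WT Hardening's own code. Save it under wp-content/mu-plugins/ to try
 * it: every measure is a hook, so deleting the file reverts all of them.
 */

// XML-RPC: answer xmlrpc.php with 403 before any method is dispatched.
add_action( 'init', function () {
    if ( defined( 'XMLRPC_REQUEST' ) && XMLRPC_REQUEST ) {
        status_header( 403 );
        exit;
    }
} );

// Alternative that keeps XML-RPC but drops the most-abused methods.
add_filter( 'xmlrpc_methods', function ( array $methods ) {
    unset( $methods['pingback.ping'], $methods['system.multicall'] );
    return $methods;
} );

// User enumeration: hide /wp/v2/users from anonymous REST clients.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// Login errors: one generic message whether or not the login exists.
add_filter( 'login_errors', function () {
    return 'Invalid login credentials.';
} );

// Security headers on every WordPress-handled response.
add_action( 'send_headers', function () {
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
} );

// Hide the WP version from <head> and disable the theme/plugin editor.
remove_action( 'wp_head', 'wp_generator' );
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

To verify each measure, request `xmlrpc.php` and `/wp-json/wp/v2/users` anonymously and inspect the status code and response headers with `curl -i`.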

#### What makes it different

 * **Modular architecture** — each module is a separate class and can be disabled
   in the settings without affecting the others.
 * **Zero external dependencies** — no Composer, no vendor lock-in, no cloud APIs.
 * **No data leaves the instance** — everything stays in the local MySQL/MariaDB
   database.
 * **Internationalization ready** — full coverage with `__()`/`esc_html__()` and
   a POT file for translators.
 * **Clean uninstall** — when the plugin is removed, options, tables, and cron jobs
   are dropped.

#### What WT Hardening does NOT do (by design)

 * Does not scan for malware — that is a different problem, a different toolset.
 * Does not ship telemetry to the cloud — all data is local.
 * Does not add a WAF at the application layer — that belongs to the server or CDN.

For those needs we recommend dedicated plugins (e.g. Wordfence) or an infrastructure
layer (Cloudflare, fail2ban).

## Screenshots

 * Settings panel — modules rendered as cards with toggles and descriptions.
 * Login attempt log — currently blocked IPs plus a list of recent failed attempts.
 * Event log — chronology of logins, registrations, user changes, and plugin activations.

## Installation

#### Standard install

 1. In the WP admin go to **Plugins → Add new**.
 2. Search for “WT Hardening”.
 3. Click **Install** and then **Activate**.
 4. Open the **WT Hardening** menu in the admin (shield icon) and configure the modules.

#### Manual install (via ZIP)

 1. Download the archive from [wordpress.org/plugins/wt-hardening](https://wordpress.org/plugins/wt-hardening/).
 2. In the WP admin go to **Plugins → Add new → Upload plugin**.
 3. Pick the downloaded ZIP, click **Install now**, and then **Activate plugin**.

#### FTP/SFTP install

 1. Unzip the archive.
 2. Upload the `wt-hardening` folder to `wp-content/plugins/` on your server.
 3. In the WP admin go to **Plugins → Installed plugins** and activate **WT Hardening**.

After activation all modules are enabled with sensible defaults. If something clashes
with your workflow (for example the Jetpack mobile app that needs XML-RPC), just
turn off the specific module in the settings.

## FAQ

### Does the plugin modify wp-config.php or .htaccess?

No. Everything is wired through WordPress hooks. Deactivating the plugin instantly
reverts all changes (except HSTS, which browsers cache — enabling HSTS is a conscious
decision).

### Will blocking XML-RPC break my mobile app / Jetpack / pingbacks?

Possibly, if you actually rely on them. Disable the **XML-RPC** module in the settings—
the other protection layers stay active.

### What happens to the event log on deactivation?

The table stays in the database (useful for later analysis). On full uninstall the
tables are dropped cleanly.

### Does the plugin work with multisite?

Tested on a single-site install. Multisite should work since we do not use
superadmin-specific APIs, but it is not yet formally supported — file an issue if
something breaks.

### What about performance?

Modules only register the hooks they actually need. The event log is a single INSERT
per event. No scanner, no background work beyond an hourly and daily cleanup of
old rows. Real impact on response time: under 1 ms.

### Why is HSTS disabled by default?

Because `Strict-Transport-Security` has a **sticky** effect — browsers remember
the header for a year. Enabling it too early (before your entire traffic works on
HTTPS without errors) can lock users out of the site for a long time. Turn it on
once HTTPS is rock-solid.

### Does the strong password policy apply to users created through WP-CLI or `wp_create_user()`?

No — the policy hooks into admin form validation (profile, registration, reset).
Programmatic user creation bypasses these hooks by design. For a typical client
workflow (users are created through the admin panel) this is enough.

## Reviews

There are no reviews for this plugin.

## Contributors & Developers

“WT Hardening” is open source software. The following people have contributed to
this plugin.

Contributors

 * [Webmasters.Team](https://profiles.wordpress.org/webmastersteam/)

[Translate “WT Hardening” into your language.](https://translate.wordpress.org/projects/wp-plugins/wt-hardening)

### Interested in development?

[Browse the code](https://plugins.trac.wordpress.org/browser/wt-hardening/), check
out the [SVN repository](https://plugins.svn.wordpress.org/wt-hardening/), or subscribe
to the [development log](https://plugins.trac.wordpress.org/log/wt-hardening/) by
[RSS](https://plugins.trac.wordpress.org/log/wt-hardening/?limit=100&mode=stop_on_copy&format=rss).

## Changelog

#### 1.0.2

 * Fix: Plugin URI now points to a public landing page on webmasters.team (the previous
   URL returned 404 during review).

#### 1.0.1

 * Fix: readme rewritten in English to satisfy the WordPress.org July 2025 policy.
 * Fix: escape output in the event log admin page (`EventsPage`).
 * Fix: replace `parse_url()` with `wp_parse_url()` in the XML-RPC module.
 * Fix: prefix global variables in `uninstall.php` and add safe-query annotations.

#### 1.0.0

First release.

 * XML-RPC module (endpoint block plus methods filter).
 * User enumeration blocker for the REST API.
 * Author archive redirect.
 * Hide WordPress version.
 * Remove X-Pingback header.
 * Generic login error message.
 * Login attempt limiter with IP lockout.
 * File editor disable.
 * Strong password policy (length, mixed case, digits, symbols).
 * Security HTTP headers (X-Frame, nosniff, Referrer-Policy, Permissions-Policy,
   HSTS).
 * Event log (logins, users, plugins, theme, settings) with configurable retention.

## Meta

 * Version **1.0.2**
 * Last updated **6 days ago**
 * Active installations **Fewer than 10**
 * WordPress version **6.0 or higher**
 * Tested up to **6.9.4**
 * PHP version **8.0 or higher**
 * Language: [English (US)](https://wordpress.org/plugins/wt-hardening/)
 * Tags: [Brute Force](https://kin.wordpress.org/plugins/tags/brute-force/),
   [hardening](https://kin.wordpress.org/plugins/tags/hardening/),
   [security](https://kin.wordpress.org/plugins/tags/security/),
   [Security Headers](https://kin.wordpress.org/plugins/tags/security-headers/),
   [xmlrpc](https://kin.wordpress.org/plugins/tags/xmlrpc/)
 * [Advanced View](https://kin.wordpress.org/plugins/wt-hardening/advanced/)
