There was a problem loading the comments.

Astra WP Security Hardening Free Plugin

Support Portal  »  Knowledgebase  »  Viewing Article

Astra is our premier partner for Wordpress website security. While we strongly recommend the licensed version of Astra which includes a firewall, login protection and malware scanning and cleanup, there is a FREE solution. This free plugin will cover a wide variety of security steps every Wordpress website should have to keep you safer than you are now.

If you already have an Astra license or plan to purchase an Astra License, we still recommend using the free plugin alongside the licensed version.

If you decide in the future to upgrade to the licensed version, remember, our prices are LOWER than Astra directly.

Download it today and install it on all of your Wordpress websites:
Free Wordpress Hardening Plugin

This plugin includes the following hardening features:

Hardening Audit

  1. WordPress Version Check
    It checks if your website is on the latest version or not.
  2. Checking Outdated Plugins
    It checks if your website is running the updated plugins or not.
  3. Checking PHP Version
    WP Hardening also checks if your website is running on a secure version of PHP.
  4. Checking File & Folder Permissions
    WP Hardening also checks if your website is built on the secured version of PHP or not.
  5. Database Password Strength
    We check the strength of passwords used on your database. Not having a secured password can become an easy target for Brute-Force attacks.
  6. Checking Firewall Protection
    We’ll check if your website is being protected by a firewall or not. Firewalls leverage a great monitoring and filtering system on your website. Check out the features of Astra firewall here.

Security Fixers

Admin & API Security
  1. Stop User Enumeration Hackers & bad bots can easily find usernames in WordPress by visiting URLs like This can significantly help them in performing larger attacks like Bruteforce & SQL injection.
  2. Change Login URL Prevent admin password brute-forcing by changing the URL for the wp-admin login area. You can change the url only when this fixer is disabled.
  3. Disable XMLRPC XMLRPC is often targeted by bots to perform brute force & DDoS attacks (via pingback) causing considerable stress on your server. However, there are some services which rely on xmlrpc. Be sure you definitely do not need xmlrpc before disabling it. If you are using Astra firewall, then you’re safe against xmlrpc attacks automatically.
  4. Disable WP API JSON Since 4.4 version, WordPress added JSON REST API which largely benefits developers. However, it’s often targeted for bruteforce attacks just like in the case of xmlrpc. If you are not using it, best is to disable it.
  5. Disable File Editor If a hacker is able to get access to your WordPress admin, with the file editor enabled it becomes quite easy for them to add malicious code to your theme or plugins. If you are not using this, it’s best to keep the file editor disabled.
  6. Disable WordPress Application Passwords WordPress application passwords have full permissions of the user that generated them, making it possible for an attacker to gain control of a website by tricking the site administrator into granting permission to their malicious application.
Disable Information Disclosure & Remove Meta information
  1. Hide WordPress version number
    This gives away your WordPress version number making life of a hacker simple as they’ll be able to find targeted exploits for your WordPress version. It’s best to keep this hidden, enabling the button shall do that.
  2. Remove WordPress Meta Generator Tag
    The WordPress Meta tag contains your WordPress version number which is best kept hidden
  3. Remove WPML (WordPress Multilingual Plugin) Meta Generator Tag
    This discloses the WordPress version number which is best kept hidden.
  4. Remove Slider Revolution Meta Generator Tag
    Slider revolution stays on the radar of hackers due to its popularity. An overnight hack in the version you’re using could lead your website vulnerable too. Make it difficult for hackers to exploit the vulnerabilities by disabling version number disclosure here
  5. Remove WPBakery Page Builder Meta Generator Tag
    Common page builders often are diagnosed with a vulnerability putting your website’s security at risk. With this toggle enabled, the version of these page builders will be hidden making it difficult for hackers to find if you’re using a vulnerable version.
  6. Remove Version from Stylesheet
    Many CSS files have the WordPress version number appended to their source, for cache purposes. Knowing the version number allows hackers to exploit known vulnerabilities.
  7. Remove Version from Script
    Many JS files have the WordPress version number appended to their source, for cache purposes. Knowing the version number allows hackers to exploit known vulnerabilities.
Basic Server Hardening
  1. Hide Directory Listing of WP includes
    WP-includes directory gives away a lot of information about your WordPress to hackers. Disable it by simply toggling the option to ensure you make reconnaissance of hackers difficult

Security Headers
  1. Clickjacking Protection
    Protect your WordPress Website from clickjacking with the X-Frame-Options response header. Clickjacking is an attack that tricks a user into clicking a webpage element which is invisible or disguised as another element.
  2. XSS Protection
    Add the HTTP X-XSS-Protection response header so that browsers such as Chrome, Safari, Microsoft Edge stops pages from loading when they detect reflected cross-site scripting (XSS) attacks.
  3. Content Sniffing protection
    Add the X-Content-Type-Options response header to protect against MIME sniffing vulnerabilities. Such vulnerabilities can occur when a website allows users to upload content to a website, however the user disguises a particular file type as something else. This can give them the opportunity to perform cross-site scripting and compromise the website.
  4. HTTP only & Secure flag
    Enable the HttpOnly and secure flags to make the cookies more secure. This instructs the browser to trust the cookie only by the server, which adds a layer of protection against XSS attacks.

Share via
Did you find this article useful?  

Related Articles


© Evolve Web Hosting, LLC