security

WM Security Hardener

One-click WordPress hardening without breaking your site.

v3.0.2 | Included | Stable
  • Free: on all Wordimatic managed plans
  • $0: no license fees, ever
  • Auto: updates maintained by Wordimatic
  • Open: available to audit on request

Most WordPress security guides recommend a list of 15 things to do manually across your server config, wp-config.php, and theme files. WM Security Hardener turns that list into a single admin screen where each rule is a toggle — applied immediately, reversible at any time, and annotated with exactly what it does and why.

On first activation the plugin audits your current configuration against a curated hardening checklist and surfaces any gaps with a severity rating. From there you can apply rules individually or all at once. The rule set covers the most impactful changes: disabling XML-RPC (with a warning if the plugin detects active consumers like Jetpack), restricting REST API access to authenticated users, adding the full suite of recommended security headers including a configurable Content-Security-Policy, and scrubbing the WordPress version from page output and feeds.

Authentication event logging runs continuously in the background. Every login, logout, failed attempt, and password reset is recorded with IP address, user agent, and timestamp in a dedicated database table — not the options table — with a configurable retention window. The 3.0 rewrite added a CSP builder UI and per-endpoint REST API allow rules, making it practical to harden sites that have legitimate external API consumers without blocking them entirely.

How it works

Three steps to up and running

1. Audit on activation

On first activation, the plugin audits your current WordPress configuration against its hardening checklist and flags any issues with a severity rating.

2. One-click apply

Each hardening rule can be applied individually or all at once. Rules are reversible — disabling a rule restores the previous behaviour.

3. Continuous monitoring

Authentication events (login, logout, failed attempts, password resets) are logged with IP, user agent, and timestamp. Alerts are sent on unusual activity patterns.

Key features

What's included

  • XML-RPC disable toggle
  • REST API access control
  • Security headers (CSP, HSTS, X-Frame-Options)
  • WordPress version scrubbing
  • Auth event logging

Use cases

Who it's for

  • Harden a fresh WordPress install to a production-ready security baseline in under five minutes.
  • Audit an inherited site and get a clear list of security gaps without manual inspection.
  • Meet client security requirements without installing three separate plugins.

Requirements

Technical requirements

  • WordPress: 6.0+
  • PHP: 8.1+
  • WooCommerce: not required

Changelog

Version history

v3.0.2 (2025-05-10)
  • Content-Security-Policy builder UI added
  • REST API access control now supports per-endpoint allow rules

v3.0.0 (2025-03-01)
  • Full rewrite for WordPress 6.5 compatibility
  • New auth event logging system
  • Security headers now individually toggleable

FAQ

Frequently asked questions

Will disabling XML-RPC break my site?

Only if you use Jetpack, certain mobile apps, or a remote publishing tool that relies on XML-RPC. The plugin warns you if it detects active XML-RPC consumers before disabling.

What security headers does it add?

X-Frame-Options (SAMEORIGIN), X-Content-Type-Options (nosniff), Referrer-Policy (strict-origin-when-cross-origin), and a conservative Content-Security-Policy. Each header is individually toggleable.
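To show what the toggles in the overview and the headers listed in this answer amount to in WordPress terms, here is an added must-use plugin that applies the same rules with core hooks. It is an illustration written for this page, not WM Security Hardener's own code; the CSP string and the `EXAMPLE_REST_ANON_ALLOW` route list are constructed examples for a test site.

```php
<?php
/**
 * Plugin Name: Example Hardening Rules (illustration only, not WM Security Hardener)
 * Place in wp-content/mu-plugins/ on a staging site. Every rule below is a plain
 * WordPress hook, so removing a line restores the default behaviour.
 */

// Rule: disable XML-RPC. Check for active consumers (e.g. Jetpack) first.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Rule: scrub the WordPress version from <head> and from RSS/Atom feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Rule: security headers on front-end responses (send_headers does not fire in wp-admin,
// so a strict CSP here cannot break the dashboard's inline scripts).
add_action( 'send_headers', function () {
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    // Constructed conservative CSP; widen script-src/style-src to match your theme.
    header( "Content-Security-Policy: default-src 'self'; img-src 'self' data:; frame-ancestors 'self'" );
} );

// Rule: REST API access control with per-endpoint allow rules. Anonymous callers may
// only read the routes below; everything else requires an authenticated user.
const EXAMPLE_REST_ANON_ALLOW = [ '/wp/v2/posts', '/wp/v2/pages' ]; // hypothetical allow-list

add_filter( 'rest_pre_dispatch', function ( $result, $server, $request ) {
    if ( null !== $result || is_user_logged_in() ) {
        return $result; // already short-circuited by another filter, or authenticated
    }
    $route = $request->get_route();
    foreach ( EXAMPLE_REST_ANON_ALLOW as $prefix ) {
        if ( 'GET' === $request->get_method() && 0 === strpos( $route, $prefix ) ) {
            return $result; // read-only access to an allow-listed endpoint
        }
    }
    return new WP_Error( 'rest_not_logged_in', 'Authentication required.', [ 'status' => 401 ] );
}, 10, 3 );
```

Because cookie-based REST authentication only succeeds with a valid nonce, `is_user_logged_in()` inside `rest_pre_dispatch` reflects the REST request's own authentication state rather than a stray browser session.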

How long are auth event logs retained?

90 days by default. Configurable from 7 days to 365 days. Logs are stored in a custom DB table, not the options table, to avoid bloat.

Get access

WordPress plugins, maintained by engineers.

Every Wordimatic managed plan includes our full plugin library — no license fees, no manual updates, no compatibility surprises.