Final steps to lock down your WordPress site without breaking functionality
By this point in the series, you’ve already addressed the biggest security risks most WordPress sites face: uploads, rewrite rules, XML-RPC, and author enumeration. In this final part, we’ll cover several advanced but highly practical hardening steps that round out your security posture.
These steps are safe, widely recommended, and easy to implement – and together, they significantly reduce the chances of a successful attack.
Disable File Editing in the WordPress Dashboard
WordPress includes two built-in editors:
- Appearance – Theme File Editor
- Plugins – Plugin File Editor
These allow you to edit PHP files directly from the dashboard.
Why this is dangerous
If an attacker ever gains access to your admin panel, these editors give them:
- full access to your theme
- full access to your plugins
- the ability to inject malware
- the ability to create backdoors
Disabling them removes a major attack vector.
How to disable file editing
Add this line to your wp-config.php, above the “stop editing” comment:
// Disable file editor in admin dashboard
define('DISALLOW_FILE_EDIT', true);
What you lose
Only the dashboard editors.
You can still edit files via:
- your hosting file manager
- FTP/SFTP
- a code editor
- a child theme
- a Code Snippets plugin
This is one of the safest and most universally recommended hardening steps.
Tighten REST API Exposure
The WordPress REST API powers:
- the block editor
- many plugins
- AJAX-style interactions
- mobile app features
But it also exposes information that attackers can use, including:
- user data
- metadata
- plugin endpoints
- site structure
Test your REST API exposure
Visit:
https://yourdomain.com/wp-json/wp/v2/users
Safe result:
{
"code": "rest_user_cannot_view",
"message": "Sorry, you are not allowed to list users.",
"data": { "status": 401 }
}
This means your user data is protected.
If your site exposes user data
You can restrict access using:
- a security plugin
- a custom code snippet
- a REST API hardening plugin
But be careful – blocking the REST API entirely can break:
- Gutenberg
- SEO plugins
- caching plugins
- contact forms
- analytics plugins
The goal is not to disable the REST API, but to limit what anonymous visitors can see.
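One way to do exactly that with a custom code snippet, shown here as an added example rather than code from the original post: a must-use plugin that leaves the REST API on for every route and for logged-in users, but answers anonymous requests to the `/wp/v2/users` routes with the same 401 error shown above. The file name, the `mu-plugins` location and the `example_` function prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Restrict anonymous REST user listing (added example)
 *
 * Drop this file into wp-content/mu-plugins/ (assumed location). It keeps
 * the REST API working for the block editor, plugins and logged-in users,
 * and only hides the user routes from visitors who are not logged in.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * True for the routes that reveal account data: /wp/v2/users, /wp/v2/users/<id>
 * and /wp/v2/users/me. Matching the whole prefix also covers ?search= lookups.
 */
function example_rest_is_user_route( $route ) {
    return (bool) preg_match( '#^/wp/v2/users(/|$)#', $route );
}

/**
 * rest_pre_dispatch runs after authentication and before the users
 * controller. Returning a WP_Error here is sent to the client as the
 * response, with the HTTP status taken from the error's data.
 */
add_filter(
    'rest_pre_dispatch',
    function ( $result, $server, $request ) {
        if ( null !== $result ) {
            return $result; // another filter already produced a response
        }
        if ( ! example_rest_is_user_route( $request->get_route() ) ) {
            return $result; // not a users route: leave the API untouched
        }
        if ( is_user_logged_in() ) {
            return $result; // editors, authors and admin screens keep working
        }
        // rest_authorization_required_code() is 401 for anonymous callers.
        return new WP_Error(
            'rest_user_cannot_view',
            __( 'Sorry, you are not allowed to list users.' ),
            array( 'status' => rest_authorization_required_code() )
        );
    },
    10,
    3
);
```

After installing it, repeat the test from the previous section: an anonymous visit to `/wp-json/wp/v2/users` should now return the `rest_user_cannot_view` error, while `/wp-json/wp/v2/posts` and the block editor continue to work.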
Optional wp-config.php Hardening Constants
There are several additional constants you can add to wp-config.php to improve security. These are optional but useful.
Disable plugin and theme installation from the dashboard
// Disable plugin/theme installs and updates
define('DISALLOW_FILE_MODS', true);
This prevents:
- installing plugins
- updating plugins
- updating themes
- updating WordPress
Use this only if you manage updates manually or through your host.
Force SSL in the admin area
// Require HTTPS for admin area
define('FORCE_SSL_ADMIN', true);
Only use this if your site already has a valid SSL certificate.
Regenerate security keys (salts)
WordPress uses security keys to encrypt cookies and sessions. Regenerating them is a good security practice, especially if you suspect your site may have been compromised.
To regenerate:
- Visit https://api.wordpress.org/secret-key/1.1/salt/
- Copy the newly generated keys
- Open your wp-config.php file
- Replace the existing AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, etc. with the new ones
- Save the file
Note: This will log out all users (including you) and invalidate all existing sessions. This is intentional and enhances security.
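The same rotation can be scripted so the eight keys are replaced in one step without hand-editing. The following command-line script is an added example, not part of the original post: it generates the keys locally with PHP's CSPRNG instead of fetching them from the WordPress.org page, rewrites the `define()` lines in a copy of wp-config.php, and refuses to touch the file if any of the eight keys is missing. The script name `rotate-salts.php` and the `.bak` backup name are assumptions; the key names are the standard WordPress ones.

```php
<?php
/**
 * rotate-salts.php (added example): regenerate the eight WordPress
 * security keys and salts in a wp-config.php file.
 *
 * Usage:  php rotate-salts.php /path/to/wp-config.php
 * With no argument it rewrites a constructed sample config and prints it.
 */

const WP_SECRET_KEYS = array(
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

/**
 * 64 random printable characters from a CSPRNG. The apostrophe and the
 * backslash are left out so the value can sit inside a single-quoted PHP
 * string without escaping.
 */
function generate_wp_secret( int $length = 64 ): string {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
           . '!@#$%^&*()-_[]{}<>~`+=,.;:/?|';
    $max   = strlen( $chars ) - 1;
    $out   = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $chars[ random_int( 0, $max ) ];
    }
    return $out;
}

/**
 * Replace define('NAME', '...') for each key, leaving everything else in
 * the file untouched. Returns the rewritten config plus the list of keys
 * that were actually found, so a missing key is reported rather than
 * silently left at its old value. Only single-quoted defines are handled.
 */
function rotate_wp_salts( string $config ): array {
    $replaced = array();
    foreach ( WP_SECRET_KEYS as $name ) {
        $pattern = "/define\(\s*'" . $name . "'\s*,\s*'[^']*'\s*\);/";
        $line    = "define('" . $name . "', '" . generate_wp_secret() . "');";
        // A callback is used instead of preg_replace() so that "$1" or "\1"
        // inside a freshly generated secret is never read as a backreference.
        $config = preg_replace_callback(
            $pattern,
            function () use ( $line ) { return $line; },
            $config,
            1,
            $count
        );
        if ( 1 === $count ) {
            $replaced[] = $name;
        }
    }
    return array( $config, $replaced );
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $path = $argv[1];
    list( $new, $done ) = rotate_wp_salts( (string) file_get_contents( $path ) );
    $missing = array_diff( WP_SECRET_KEYS, $done );
    if ( $missing ) {
        fwrite( STDERR, 'Not found in config: ' . implode( ', ', $missing ) . "\n" );
        exit( 1 );
    }
    copy( $path, $path . '.bak' );              // keep the previous config
    file_put_contents( $path, $new, LOCK_EX );
    echo 'Rotated ' . count( $done ) . " keys; every existing session is now invalid.\n";
} else {
    // Constructed sample config so the function can be tried without a site.
    $sample = "<?php\n"
            . "define('AUTH_KEY',        'put your unique phrase here');\n"
            . "define('DB_NAME', 'wordpress');\n";
    list( $new ) = rotate_wp_salts( $sample );
    echo $new;
}
```

Because the keys never leave the server, this is also usable on hosts where outbound HTTP from the web server is blocked. As with the manual procedure, all users are logged out the moment the file is saved.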
Plugin and Theme Hygiene
Security isn’t just about blocking attacks; it’s also about reducing the number of things that can be attacked.
Remove anything you’re not using
- inactive plugins
- inactive themes
- abandoned plugins
- outdated themes
Inactive plugins can still contain vulnerable code.
Unused themes can still be exploited.
Keep only:
- your active theme
- a default fallback theme (Twenty Twenty-Four, etc.)
- plugins you actively use and trust
Update regularly
Most WordPress compromises happen because of outdated plugins, not WordPress itself.
Limit login attempts
Wordfence, Solid Security (formerly iThemes Security), and others can:
- block repeated login failures
- throttle brute-force attempts
- lock out suspicious IPs
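For readers who want to see the mechanism those plugins implement, here is a minimal login throttle as an added example (not code from the post or from any of the plugins named above). It counts failed logins per client address in a transient and refuses further attempts once a threshold is reached until the window expires. The threshold, window length, `mu-plugins` location and `example_` prefix are assumptions; tune the numbers to your site.

```php
<?php
/**
 * Plugin Name: Minimal login throttle (added example)
 *
 * Drop into wp-content/mu-plugins/ (assumed location). Counts failed
 * logins per client address and blocks further attempts from that address
 * once the limit is reached, until the window expires.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const EXAMPLE_LOGIN_MAX_FAILURES = 5;                       // assumed threshold
const EXAMPLE_LOGIN_WINDOW       = 15 * MINUTE_IN_SECONDS;  // assumed window

/**
 * Address used as the throttle key. REMOTE_ADDR is the peer PHP actually
 * talked to: behind a reverse proxy or CDN that is the proxy, so every
 * visitor would share one counter and lock each other out. Only substitute
 * the proxy's forwarded header here if that proxy is trusted to set it.
 */
function example_login_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function example_login_transient_key( string $ip ): string {
    return 'example_login_fail_' . md5( $ip );
}

// Record each failure; the transient expires by itself after the window.
add_action( 'wp_login_failed', function () {
    $key   = example_login_transient_key( example_login_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LOGIN_WINDOW );
} );

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked-out address is refused even when the password is finally correct.
add_filter( 'authenticate', function ( $user ) {
    $key   = example_login_transient_key( example_login_client_ip() );
    $count = (int) get_transient( $key );
    if ( $count >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            sprintf(
                'Too many failed logins. Try again in %d minutes.',
                EXAMPLE_LOGIN_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}, 30, 3 );

// Clear the counter after a successful login so a legitimate user who
// mistyped a few times is not penalised later.
add_action( 'wp_login', function () {
    delete_transient( example_login_transient_key( example_login_client_ip() ) );
} );
```

The full-featured plugins add what this deliberately leaves out: per-username counters alongside per-address ones, allow-lists for your own addresses, notification e-mails, and correct handling of proxy headers.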
Restrict access to /wp-admin/ (optional)
Advanced users can restrict admin access by IP, but this can be inconvenient if your IP changes.
Backups and Monitoring
Have at least one of these:
- daily backups
- offsite backups
- host-level backups
- plugin-based backups (UpdraftPlus, etc.)
Monitor your site
Security plugins can alert you to:
- file changes
- login attempts
- blocked attacks
- suspicious activity
You don’t need to obsess over logs; just keep an eye on them.
Final Verification Checklist
After completing all five parts of this series, verify:
- PHP cannot execute in uploads
- directory indexing is disabled
- .htaccess is clean and correct
- XML-RPC is blocked
- author enumeration returns a 404
- file editing is disabled
- REST API user data is protected
- plugins/themes are cleaned up
- backups are in place
- 2FA is enabled (optional but recommended)
If all of these are true, your WordPress site is significantly more secure than the average installation.
Conclusion: A Hardened WordPress Site Without the Headaches
Hardening doesn’t have to be complicated. It’s not about locking everything down to the point of breaking your site; it’s about removing unnecessary risks and closing the doors attackers rely on.
By following this series, you’ve:
- reduced your attack surface
- protected sensitive data
- blocked common exploit paths
- improved your site’s stability
- gained a deeper understanding of how WordPress works
Most importantly, you’ve taken control of your site’s security instead of leaving it to chance.
