
WordPress Security Hardening Checklist for Omaha Businesses (2026)

WordPress runs 40% of the web, and is the #1 target for attackers. This checklist covers the 12 hardening steps that block 95% of attacks, none of which require a developer.

May 4, 2026

If our Vulnerability Scanner flagged WordPress-specific findings on your site (exposed readme.html, user enumeration via REST API, XML-RPC enabled), you're far from alone: about 70% of WordPress sites we scan have at least one of these. The good news: the entire hardening checklist takes about an hour, requires zero code, and blocks the vast majority of automated attacks.

Why WordPress Is a Target

WordPress powers about 40% of the public web, which means it's a fat target for attackers. Most attacks are fully automated: bots scan millions of WordPress sites a day looking for outdated plugins, weak passwords, and the exact misconfigurations our scanner detects. They don't care that you're a 12-person dental practice in Papillion. They care that port 80 answered.

Hardening doesn't make your site invisible; it makes it boring enough that the bots move on to the next target.

The 12-Step Checklist

1. Disable User Enumeration via REST API

By default, https://yourdomain.com/wp-json/wp/v2/users returns the list of every WordPress username on your site. That's half of every brute-force attack handed over for free.

Fix: Install Wordfence (free) → Tools → Diagnostics → Enable "Block REST API user listing." Or with iThemes Security, toggle the "WordPress Tweaks → REST API" setting.

2. Delete or Block readme.html

The file at https://yourdomain.com/readme.html displays your exact WordPress version, telling attackers which CVEs to try.

Fix: SSH into your server (or use cPanel File Manager) and delete readme.html. Or block it in .htaccess (each directive on its own line; Apache 2.4 syntax):

  <Files readme.html>
    Require all denied
  </Files>

3. Disable XML-RPC (Unless You Need It)

The xmlrpc.php endpoint is a legacy API that's almost universally abused for brute-force amplification and pingback DDoS attacks. 99% of WordPress sites don't need it.

Fix: In functions.php: add_filter('xmlrpc_enabled', '__return_false'); Or block it in .htaccess. Wordfence and most security plugins have a one-click toggle.
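Steps 1 and 3 can also be done in code, as in this added example (ours, not from the original post or from Wordfence/iThemes): a must-use plugin that hides the REST users routes from anonymous requests and shuts down XML-RPC. It also closes a gap the one-line fix above leaves open: WordPress's xmlrpc_enabled filter only turns off the XML-RPC methods that require a login, so the unauthenticated pingback.ping method behind pingback DDoS stays callable until it is removed too. The hook names are WordPress core APIs; the file name is our choice.

```php
<?php
/**
 * Plugin Name: Hardening: REST user listing and XML-RPC
 * Save as wp-content/mu-plugins/hardening-rest-xmlrpc.php (file name is ours).
 * Must-use plugins load on every request and cannot be deactivated from the
 * dashboard, so a compromised admin account cannot simply switch this off.
 */

// Step 1: drop the /wp/v2/users routes for anonymous visitors only.
// Logged-in users keep them because the block editor relies on them
// (for example the post author picker).
add_filter( 'rest_endpoints', function ( array $endpoints ): array {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        // Matches /wp/v2/users, /wp/v2/users/(?P<id>[\d]+) and /wp/v2/users/me.
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints; // anonymous callers now get a 404 "rest_no_route"
} );

// Step 3a: the checklist's one-liner. Despite its name this only disables
// the XML-RPC methods that require authentication (the brute-force surface).
add_filter( 'xmlrpc_enabled', '__return_false' );

// Step 3b: pingback.ping needs no login, so it survives 3a. Remove it and
// its helper method from the method table so xmlrpc.php cannot be used to
// bounce requests at third parties. Blocking xmlrpc.php in .htaccess, as
// the checklist mentions, is the most complete option if you never need it.
add_filter( 'xmlrpc_methods', function ( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// Step 3c: stop advertising the endpoint in the X-Pingback response header.
add_filter( 'wp_headers', function ( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```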

4. Enforce Strong Passwords + 2FA

Wordfence, iThemes, or WP 2FA (all free) let you require strong passwords and 2FA for every admin/editor user. Non-negotiable in 2026.

5. Limit Login Attempts

Block IPs after 5 failed login attempts. Wordfence does this by default. Without it, bots can try thousands of password guesses an hour.

6. Hide /wp-admin Behind Cloudflare

If your business is in Omaha, you only need /wp-admin accessible from US IPs. Cloudflare's free tier lets you block /wp-admin and /wp-login.php from countries you don't operate in. This single rule blocks ~80% of attack traffic.

7. Update Everything Weekly

WordPress core, every plugin, every theme. Most successful WordPress hacks exploit a vulnerability that was patched 2+ weeks earlier. Set a calendar reminder if nothing else.

8. Remove Inactive Plugins and Themes

Inactive plugins still get exploited if their files are reachable on disk. Delete anything you're not using.

9. Use SFTP/SSH, Not FTP

If your hosting provider still uses plain FTP, your password is being sent in the clear. Switch to SFTP/SSH (every modern host supports it).

10. Disable Theme/Plugin File Editing

By default, WordPress admins can edit PHP files from inside the dashboard. If your admin account is ever compromised, this becomes a remote code execution vulnerability.

Fix: Add to wp-config.php: define('DISALLOW_FILE_EDIT', true);

11. Set Up Real Backups

UpdraftPlus or BlogVault: set them to back up to off-site storage (S3, Dropbox, etc.) daily. Test the restore process at least once. Most WordPress recovery disasters are not from missing backups but from backups that turn out to be unrecoverable.

12. Run a Vulnerability Scan Quarterly

Plugins, themes, and core get new CVEs constantly. Re-running our free vulnerability scanner every 90 days catches drift (new exposed files, expired SSL, dropped security headers) before attackers do.

Bonus: HTTP Headers

WordPress doesn't set strong security headers by default. Add them via:

  • The free "HTTP Headers" plugin
  • Cloudflare Transform Rules (best for performance)
  • Your host's dashboard if available

Specifically: HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and a Content Security Policy. See our HSTS guide and CSP guide.
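The header set above, implemented as an added example (ours, not from the post or the plugin it names) through WordPress's own wp_headers filter in a must-use plugin. The values are a conservative starting point, with the CSP deliberately in report-only mode so it can be tuned before it blocks anything; note the filter only covers pages rendered by the WordPress front end, not static files served straight by Apache/Nginx or the wp-admin dashboard, which is why the Cloudflare or host-level options above are the better place when you need the headers everywhere.

```php
<?php
/**
 * Plugin Name: Hardening: security headers
 * Save as wp-content/mu-plugins/hardening-headers.php (file name is ours).
 * Covers front-end responses rendered by WordPress. Static assets and the
 * wp-admin dashboard do not pass through this filter.
 */
add_filter( 'wp_headers', function ( array $headers ): array {
    // Browsers only honour HSTS over HTTPS, so never bother sending it on
    // plain HTTP. includeSubDomains commits every subdomain to HTTPS for a
    // year: leave it out if any subdomain is still HTTP-only.
    if ( is_ssl() ) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }

    // Clickjacking: only this site may put its pages in a frame.
    $headers['X-Frame-Options'] = 'SAMEORIGIN';

    // Stop browsers MIME-sniffing a response into a script or stylesheet.
    $headers['X-Content-Type-Options'] = 'nosniff';

    // Full URL to same-origin requests, origin only when leaving the site.
    $headers['Referrer-Policy'] = 'strict-origin-when-cross-origin';

    // Report-only CSP: violations appear in the browser console but nothing
    // is blocked. Tune the sources until the console is clean, then rename
    // the header to Content-Security-Policy to enforce it.
    $headers['Content-Security-Policy-Report-Only'] = implode( '; ', array(
        "default-src 'self'",
        "script-src 'self'",
        "style-src 'self' 'unsafe-inline'", // WordPress core emits inline styles
        "img-src 'self' data: https:",
        "frame-ancestors 'self'",
    ) );

    return $headers;
} );
```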

Get Help From a Local Team

If you'd rather hand this off, DME Computer Services hardens WordPress sites as part of our managed IT engagements, typically a 2-hour engagement in which we cover all 12 steps plus monitoring. Call 402-650-8407 or book a free 30-minute consult.
