Plugins DatabasePlugins Database logo
Back to plugins
Homepage WordPress

Actions

DownloadAuthor pageSee on WordPress

Plugin info

Total downloads: 59
Active installs: 100
Total reviews: 0
Average rating: 0
Support threads opened: 0
Support threads resolved: 0 (0%)
Available in: 3 language(s)
Contributors: 1
Last updated: 11/3/2025 (58 days ago)
Added to WordPress: 11/3/2025 (0 years old)
Minimum WordPress version: 6.0
Tested up to WordPress version: 6.8.3
Minimum PHP version: 7.4

Maintenance & Compatibility

Maintenance score

Actively maintained • Last updated 58 days ago

59/100

Is Security Hardener abandoned?

Likely maintained (last update 58 days ago).

Compatibility

Requires WordPress: 6.0
Tested up to: 6.8.3
Requires PHP: 7.4

Ratings

0
0
0
0
0See all reviews

Developers

Marc Armengou (Owner)4

Languages

Spanish (Spain)32,360Catalan4,308

Similar & Alternatives

Explore plugins with similar tags, and compare key metrics like downloads, ratings, updates, support, and WP/PHP compatibility.

Secure HTTP Headers
Rating 3.0/5 (2 reviews)Active installs 100
Compare
BaseCloud Security Manager
Rating 0.0/5 (0 reviews)Active installs 10
Compare
SecurelyWP – all-in-one security
Rating 0.0/5 (0 reviews)Active installs 0
Compare
WP Hardening (discontinued)
Rating 4.1/5 (19 reviews)Active installs 10,000
Compare
NETSENSAI Shield
Rating 5.0/5 (5 reviews)Active installs 1,000
Compare
SAR One Click Security
Rating 5.0/5 (7 reviews)Active installs 200
Compare
See more alternatives to Security Hardener

Description

Security Hardener is inspired by the official WordPress hardening guide (Advanced Administration / Security / Hardening). It uses the platform’s standard functions and does not override core. Applies a prudent set of defenses:

  • Security headers: X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, COOP/CORP.
  • HSTS (optional; HTTPS only).
  • Basic nonce-based CSP (optional; requires testing).
  • Disable XML-RPC and pingbacks (optional; enabled by default).
  • Hide the WordPress version in the .
  • Block user enumeration via /?author= by returning 404.
  • Generic login errors (prevents information leakage).
  • IP-based login rate limiting with transients (configurable threshold and window).
  • Restrict the REST API to authenticated users, with a minimal allowlist for oEmbed/index.

⚠️ Important: The restrict REST API option and CSP can affect integrations and plugins. Test it in staging first.

Privacy: the plugin does not send data to external services or create new tables. It only uses transients to count failed login attempts.

Installation

  1. Go to Plugins > Add New Plugin.
  2. Search for Security Hardener.
  3. Install and activate the Security Hardener plugin.

Frequently Asked Questions

Does restricting the REST API “block everything”?

No. By default it allows the index and the oEmbed namespace for basic compatibility. The rest requires an authenticated user. If you need additional public routes, do not enable the restriction or create specific solutions in your theme/plugin (with their permission_callback).

I use a CDN or proxy. What about the IP?

By default, rate limiting takes the IP from REMOTE_ADDR. If you use a trusted proxy (CDN/load balancer), define in wp-config.php:
define(‘WPH_TRUST_PROXY’, true);
With that, the plugin will try to use HTTP_CF_CONNECTING_IP or X-Forwarded-For (first element), validating the IP.

Which headers does it add exactly?

X-Frame-Options: SAMEORIGIN, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy: geolocation=(), microphone=(), camera=(), Cross-Origin-Opener-Policy: same-origin, Cross-Origin-Resource-Policy: same-origin, and optionally Strict-Transport-Security and Content-Security-Policy (with nonce).

Does the plugin clean up its data upon uninstall?

Yes. uninstall.php deletes the main option and the rate-limit transients.

Review feed

No reviews available

Screenshots

No screenshots available

Changelog

[0.3] – 2025-10-20

  • Some corrections.

[0.2] – 2025-10-13

  • Some corrections.

[0.1] – 2025-10-04

  • Initial release.
Back to plugins