Toggle powerful hardening rules for Apache/LiteSpeed: bot blocking, directory/privacy protections, headers, XML-RPC controls, SQL-injection mitigations, and more—built to play nicely with real sites.
Harden-It helps close gaps WordPress doesn’t address by default. It applies curated server rules and headers for Apache and LiteSpeed hosts, with per-rule toggles so complex sites can enable only what they want.
Toggle-based, Safe defaults, Headers, Anti-bot
| Feature | Description |
|---|---|
| Toggle Security Rules | Activate or deactivate each rule—great for complex sites that need flexibility. |
| Block access to .htaccess/.htpasswd | Protect critical config files from direct web access. |
| Bad-Bot Filtering | Add/remove disallow rules to hinder known malicious crawlers. |
| Disable Directory Listings | Prevents snooping and casual reconnaissance. |
| Shield Sensitive System Files | Deny access to logs, wp-config.php, php.ini, and similar. |
| Block Author Enumeration | Stops ?author= based user-ID probing. |
| Protect .ini files | Block reads of configuration files in web scope. |
| Protect wp-config.php | Prevent direct download of DB credentials and salts. |
| Restrict xmlrpc.php | Disable or limit access to reduce DDoS/pingback abuse. |
| Spam Comment Shield | Block off-domain comment posts; optionally redirect offenders. |
| Block Blank UA/Referrer/Host | Drop suspicious POSTs lacking basic headers. |
| General Bot Protection | Reduce scraping, cheap DDoS, and resource drain. |
| No PHP in Uploads | Stop execution of uploaded PHP in /uploads. |
| Hide Backups & Sources | Block access to source/backup artifacts. |
| Block .zip Access | Prevent bulk downloads of packaged files. |
| Anti-Clickjacking | Send X-Frame-Options to stop iframe embedding. |
| Security Headers | Add X-Content-Type-Options, X-XSS-Protection, Strict-Transport-Security, etc. |
| SQLi Mitigations | Common injection patterns filtered at the server layer. |
| Anti-Hotlinking | Stop other sites embedding your assets directly. |
| Disable XML-RPC Pingbacks | Reduce reflection abuse vectors. |
| Hide Server Signature | Avoid leaking server version details. |
| Disable ETags | Improve caching; avoid inode leakage. |
| Disable TRACE | Mitigate cross-site tracing issues. |
| Force HTTPS | Redirect HTTP→HTTPS for secure transport. |
| Block File-Injection Patterns | Drop suspicious query strings commonly used in exploits. |
| Admin by IP (Optional) | Restrict /wp-admin by current IP. Use with caution—changes in IP/VPN will block you. |
Extra helpers for hardening and maintenance:
wp-config.php: Adds DISALLOW_FILE_EDIT, and optional WP_HOME/WP_SITEURL defines.
Harden your site with safe defaults and smart server rules.
© 2024–2025 DrGlenn. All Rights Reserved.
Visit fixmyhackedwebsite.com for professional help.