Fix Guides

WordPress security, fixed step by step

Clear, practical guides to fix the issues our scanner finds — with copy-paste code you can apply today.

high

How to Fix Cross-Site Scripting (XSS) in WordPress

Sanitize input, escape output, patch vulnerable plugins, and add a Content-Security-Policy.

Read guide
critical

How to Fix SQL Injection in WordPress

Patch vulnerable plugins and use $wpdb->prepare() for every query with user input.

Read guide
medium

How to Disable XML-RPC in WordPress

Block xmlrpc.php unless you need it — it enables brute-force amplification and pingback DDoS.

Read guide
medium

How to Add Security Headers to WordPress

Add HSTS, CSP, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.

Read guide
medium

How to Stop User Enumeration in WordPress

Block ?author= scans, restrict the users REST endpoint, and use generic login errors.

Read guide
low

How to Disable Directory Listing in WordPress

Turn off directory browsing so folders like /wp-content/uploads aren't publicly listed.

Read guide
high

How to Fix an Exposed WordPress Debug Log

Never leave WP_DEBUG_DISPLAY on in production, and block public access to debug.log.

Read guide
low

How to Hide the WordPress Version Number

Remove the generator meta tag and block readme.html to avoid advertising your version.

Read guide
high

How to Stop Brute-Force Attacks on WordPress Login

Limit login attempts, enforce 2FA and strong passwords, and protect wp-login.php.

Read guide
high

How to Fix Outdated and Vulnerable WordPress Plugins

Update everything, remove abandoned plugins, and check each against known vulnerabilities.

Read guide
critical

How to Protect wp-config.php and Sensitive Files

Block direct access to wp-config.php, .env, backups, and other sensitive files.

Read guide
high

How to Force HTTPS (SSL) on WordPress

Install SSL, set your HTTPS site URL, redirect all HTTP traffic, and fix mixed content.

Read guide