WordPress Hardening & Optimization - anyone doing this?

TL;DR - I’d be keen to chat with those of you who are doing this for clients, interested in the topics or have a wordpress site that you want to optimize & secure.

So a year ago all I did with regards to websites was click. At the time a regular long-standing business client asked if I do websites, to which I said no. They went off on their own accord & found a company via someone they knew who worked for this company, with no ask for input from me.

A few months later - day 1 of the live site: the site was “hacked”, with the “web design” company owner saying that security was not part of the brief… Slimy ways of doing business if you ask me. They went on to tell us that their “dev team” had been coding for ±13 years… The site would redirect to porn sites when CTA buttons were clicked.

Being rather protective over my clients, I dived into the deep end of Google with “WordPress security basics” & ended up about 4 hours later having stumbled upon a tool which pointed out the bad code. I also found out that the site was not optimized, had no login page security, no WAF, no cache, no CDN, no security headers etc. Literally amateur hour 101. All built on a theme that has terrible performance, with a page builder thrown on top because, well, “13 years of coding”…

Notified the client & we agreed to keep this & see if this “dev team” could find the issue by Fri. Fri came & they did not find it… We showed it to them and they removed it.

In those 4 hours, I was able to see that this “dev team” were failing to do the absolute minimum in terms of security or optimization.

Fast forward 1 year: I’m about to launch a WordPress security + optimization bundle & ongoing maintenance within my business. I’ve got a list of almost 300 companies that I’ve done some checks on over the last year. I’m hoping that the website security & optimization side of things will serve as a great cold-calling tool, as well as a step into their actual IT needs.

I’d be keen to chat with those of you who are doing this for clients, interested in the topic or have a WordPress site.


It’s a tough sell; for most clients they just set it and forget it until something happens. We got out of the design / hosting of websites and outsourced all of that to a company that focuses on it and charges monthly fees to do all the updates and hardening.

Curious what the tool is? I am a WordPress user.

Also, what do you mean by login security? Are you speaking of captcha and/or 2FA?

When we were doing WordPress work I was using https://www.wordfence.com/ which is nice for WAF. Combine that with a tool such as https://updraftplus.com/ for keeping site backups and you have a nice system. Except when you are updating plugins and they change or break some piece of the site, which requires site updates, which in turn require someone to test the site’s functionality after each update and then fix any issues they find, such as a form that stops working. You have to charge accordingly for all the time it takes.


@LTS_Tom I hate design & won’t be doing any of it. That will be outsourced; I will do all additional hardening & optimization + monitoring & maintenance for a monthly cost.

Companies’ sites I’ve analysed range from small restaurants in my area to international household names. It’s always a case of good design / looks, and bad security / optimization (if any).

Currently my site is small (5 pages). I have 20 plugins (all free for now) incl. Updraft that backs up to Google Drive; Wordfence (check Wordfence Central out); SEO; a forms plugin; staging.

With all of that (no CDN yet) I get a 94% on PageSpeed & an 86% on YSlow, with a fully loaded time between 1.8-3 seconds (host is crap). Page size is 887KB with 18 requests. Sure it doesn’t load in < 1 second, but I’ll hopefully get there.

Even with all plugins off, bar essentials for the page builder, Updraft and the security plugins, the site loads in ~4 seconds, with a size of ~2MB if I recall. Once I change hosts, the load time will decrease.

@Thedannymullen If I recall, it was https://sitecheck.sucuri.net/ but could’ve also been https://pentest-tools.com/website-vulnerability-scanning/website-scanner .

This is my basic scan list after finding a Wordpress site:

  1. https://sitecheck.sucuri.net/
  2. https://securityheaders.com/
  3. https://webscan.upguard.com/
  4. https://premium.wpmudev.org/wp-checkup/
  5. https://gtmetrix.com/
  6. https://tools.pingdom.com/#5c58fe6318800000
  7. https://observatory.mozilla.org/ (use all 3 scans)
  8. https://builtwith.com/

If the site / company is interesting I’ll grab Nmap too.

I regularly manually scan my WAF and usually learn new things weekly. E.g. a simple domain.com/wp-admin/ (press enter) usually takes you to the login page. Many tools exist to enumerate usernames & then there are more tools that will perform the password entry side of things, using the enumerated usernames.

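The securityheaders.com and Mozilla Observatory entries in the scan list above both boil down to reading one HTTP response and grading its headers. The script below is an added example that does the same check offline; it is not code from the thread or from either of those services. The header set, the 180-day HSTS minimum and the letter grading are assumptions based on common hardening guidance, and the two sample responses are constructed rather than captured from any site.

```python
"""Offline security-header audit, in the spirit of the securityheaders.com and
Mozilla Observatory checks in the scan list.

Added example, not code from the thread or from the tools it links. The header
set, thresholds and grading are assumptions; the sample responses are constructed.
"""
import re

# Headers a hardened site should send, with what their absence means for WordPress.
EXPECTED = {
    "strict-transport-security": "HSTS missing: clients can be downgraded to plain HTTP",
    "content-security-policy": "no CSP: an injected script (e.g. a redirect payload) runs unrestricted",
    "x-frame-options": "no X-Frame-Options: wp-admin pages can be framed for clickjacking",
    "x-content-type-options": "no X-Content-Type-Options: uploads may be MIME-sniffed as scripts",
    "referrer-policy": "no Referrer-Policy: admin URLs leak to third parties in Referer",
}

# Headers that commonly disclose a version string attackers use to pick exploits.
LEAKY = ("server", "x-powered-by")

MIN_HSTS_AGE = 15552000  # 180 days; the minimum most graders accept (assumption)


def _normalise(headers):
    """Header names are case-insensitive; compare them lower-cased and stripped."""
    return {k.lower().strip(): v.strip() for k, v in headers.items()}


def audit_headers(headers):
    """Return a list of (kind, header, detail) findings for one response's headers.

    kind is 'missing' (header absent), 'weak' (present but ineffective) or
    'leak' (version disclosure). An empty list means nothing to report.
    """
    h = _normalise(headers)
    findings = []

    for name, why in EXPECTED.items():
        if name not in h:
            findings.append(("missing", name, why))

    hsts = h.get("strict-transport-security", "")
    age = re.search(r"max-age=(\d+)", hsts)
    if hsts and (age is None or int(age.group(1)) < MIN_HSTS_AGE):
        findings.append(("weak", "strict-transport-security", "max-age below 180 days"))

    csp = h.get("content-security-policy", "")
    if csp and "'unsafe-inline'" in csp:
        findings.append(("weak", "content-security-policy", "'unsafe-inline' defeats script blocking"))

    xcto = h.get("x-content-type-options", "")
    if xcto and xcto.lower() != "nosniff":
        findings.append(("weak", "x-content-type-options", "value must be 'nosniff'"))

    for name in LEAKY:
        value = h.get(name, "")
        if re.search(r"\d", value):  # a digit in Server/X-Powered-By almost always means a version
            findings.append(("leak", name, f"version disclosed: {value}"))

    return findings


def grade(findings):
    """Letter grade: A for a clean audit, one step down per missing or weak header."""
    penalties = sum(1 for kind, _, _ in findings if kind in ("missing", "weak"))
    return "ABCDEF"[min(penalties, 5)]


# Constructed sample: an unhardened shared-hosting WordPress response.
UNHARDENED = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "X-Powered-By": "PHP/7.4.3",
    "Content-Type": "text/html; charset=UTF-8",
}

# Constructed sample: the same site with headers added at the web server or WAF.
HARDENED = {
    "Server": "Apache",
    "Content-Type": "text/html; charset=UTF-8",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "Content-Security-Policy": "default-src 'self'; img-src 'self' data:; object-src 'none'",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

if __name__ == "__main__":
    for label, hdrs in (("unhardened", UNHARDENED), ("hardened", HARDENED)):
        found = audit_headers(hdrs)
        print(f"{label}: grade {grade(found)}")
        for kind, name, detail in found:
            print(f"  [{kind}] {name}: {detail}")
```

To run it against a real site, fetch the front page and the login page with any HTTP client, pass the response header mapping to `audit_headers`, and check both: WordPress sites often send headers on the cached front page that are missing on `/wp-login.php` because the cache or CDN layer adds them and the PHP path does not.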
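The username enumeration followed by password guessing described in the post leaves a recognisable trail in the web server access log. The script below is an added example, not code from the thread or from Wordfence, that runs detection logic over constructed sample log lines. It assumes the Apache/nginx combined log format, and it relies on stock WordPress behaviour for the status codes: a failed `wp-login.php` POST re-renders the form with a 200, a successful one redirects to `wp-admin` with a 302. Both assumptions should be confirmed against the site in question; 203.0.113.0/24 and 198.51.100.0/24 are documentation address ranges.

```python
"""Spot username enumeration and wp-login.php password guessing in an access log.

Added example, not code from the thread or from Wordfence. Log format and
status-code heuristics are assumptions (see comments); the sample log is constructed.
"""
import re
from collections import defaultdict

# Apache/nginx 'combined' format (assumption; adjust to the host's log format).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample: one scanner walking author IDs, listing users over the
# REST API and then guessing passwords; one ordinary admin logging in.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2021:10:01:02 +0000] "GET /?author=1 HTTP/1.1" 301 0
203.0.113.7 - - [10/Mar/2021:10:01:02 +0000] "GET /author/admin/ HTTP/1.1" 200 5120
203.0.113.7 - - [10/Mar/2021:10:01:03 +0000] "GET /?author=2 HTTP/1.1" 301 0
203.0.113.7 - - [10/Mar/2021:10:01:03 +0000] "GET /?author=3 HTTP/1.1" 404 1200
203.0.113.7 - - [10/Mar/2021:10:01:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 800
203.0.113.7 - - [10/Mar/2021:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/Mar/2021:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/Mar/2021:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/Mar/2021:10:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/Mar/2021:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/Mar/2021:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3000
203.0.113.7 - - [10/Mar/2021:10:01:13 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.4 - - [10/Mar/2021:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000
198.51.100.4 - - [10/Mar/2021:10:02:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def parse(log_text):
    """Yield one dict per parseable line; silently skip lines in another format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect(log_text, login_threshold=5):
    """Return (ip, finding, detail) tuples for enumeration and brute-force patterns."""
    author_ids = defaultdict(set)   # ip -> author IDs probed via ?author=N
    rest_listers = set()            # ips that requested /wp-json/wp/v2/users
    failed = defaultdict(int)       # ip -> wp-login.php POSTs answered 200 (form re-rendered)
    succeeded = defaultdict(int)    # ip -> wp-login.php POSTs answered 302 (redirect to wp-admin)

    for r in parse(log_text):
        ip, path = r["ip"], r["path"]
        m = re.match(r"/\?author=(\d+)$", path)
        if m:
            author_ids[ip].add(int(m.group(1)))
        if path.startswith("/wp-json/wp/v2/users"):
            rest_listers.add(ip)
        if path.startswith("/wp-login.php") and r["method"] == "POST":
            if r["status"] == "200":
                failed[ip] += 1
            elif r["status"] == "302":
                succeeded[ip] += 1

    findings = []
    for ip, ids in author_ids.items():
        if len(ids) >= 2:  # one ?author= hit is normal; a sequence is an ID walk
            findings.append((ip, "author-id enumeration", sorted(ids)))
    for ip in sorted(rest_listers):
        findings.append((ip, "REST user listing", None))
    for ip, n in failed.items():
        if n >= login_threshold:
            findings.append((ip, "login brute force", n))
            if succeeded[ip]:  # the guessing worked: treat as a compromise, not just noise
                findings.append((ip, "brute force followed by successful login", succeeded[ip]))
    return findings


if __name__ == "__main__":
    for ip, what, detail in detect(SAMPLE_LOG):
        print(f"{ip}: {what} {detail if detail is not None else ''}".rstrip())
```

The ordinary admin at 198.51.100.4 produces no finding because a single 302 after a GET is the normal login flow; the scanner is flagged on all three behaviours, and the final 302 after six 200s is the line worth paging someone about. The Wordfence recommendation earlier in the thread covers the blocking side; this is what to look for in the log when checking whether the blocking actually held.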

Thanks!

I am going to check my sites. Thankfully I only had a problem once. It was a site I forgot I had up as a test so it never got updated. My host blocked it and emailed me.

Other than that, security-wise, keeping WordPress up to date has been successful.

On optimization I was looking at a dedicated host for WordPress. They talked a good game, but when you dug in they were not really providing anything more than shared hosting and core updates. The issue was that if an update breaks a plugin or template, that’s on you. So in the end I would still need to manage and test quite a bit; what’s one more click.


That’s standard practice (fixes being on you).

Do this:

  1. Set up Updraft to back up to an exclusive Gmail drive that is only used for WP backups. Set it to back up 2x a week.
  2. I think I use WP-Staging to create staging sites to test certain plugins / code etc.
  3. Wordfence Central will help you monitor multiple sites. :)
  4. A2 Hosting have decent speed and are ~ $20 p/m. Host is your foundation, so don’t skimp on it.

Thanks @ZaK86 will check out these links.


WordPress is one hell of a buggy CMS

Never Forget