Built for Hostnasi-hosted WordPress sites

Harden your WordPress site in minutes, not hours.

Hostnasi Security scans your site against 22 industry-standard security checks, shows a live 0–100% security score, and fixes 15 of those checks automatically — no technical knowledge required.

Version 1.0.0 · Requires WordPress 6.0+ · PHP 8.0+ · Free for Hostnasi customers

Default WordPress site: 18% (3–4 of 22 checks passing)

After Hostnasi Security: 85% (18–22 of 22 checks passing)

22 security checks · 15 one-click auto-fixes · 0–100% live security score · 6 hardening categories

Why this plugin

A freshly installed WordPress site with default settings typically passes fewer than 5 of these 22 checks. WordPress powers 43% of the web, making it the most targeted platform for automated attacks. Hostnasi Security closes the most common gaps in minutes — directly from your WordPress admin dashboard.

What it checks — and fixes

Six hardening categories cover authentication, configuration, file permissions, updates, HTTP headers, and information leakage.

🔐 Authentication & login

4 checks · 3 auto-fixable

  • Remove default "admin" username
  • Limit login attempts (lockout after 5 fails)
  • Hide wp-login.php from bots
  • Disable XML-RPC

⚙️ wp-config.php hardening

5 checks · 3 auto-fixable

  • Disable theme/plugin file editor
  • Force HTTPS for wp-admin
  • Non-default database table prefix
  • WP_DEBUG disabled on production
  • Security keys & salts are set

📁 File & directory permissions

4 checks · 4 auto-fixable

  • wp-config.php permissions (440/400)
  • PHP execution blocked in /uploads/
  • Directory listing disabled
  • .htaccess & sensitive files protected

🔄 Updates & plugins

4 checks · 1 auto-fixable

  • WordPress core is up to date
  • No plugins with pending updates
  • No inactive plugins installed
  • Minor core auto-updates enabled

🛡️ HTTP security headers

3 checks · 3 auto-fixable

  • X-Frame-Options (clickjacking)
  • X-Content-Type-Options (MIME sniffing)
  • Referrer-Policy

🔍 Information leakage

3 checks · 3 auto-fixable

  • Block user enumeration
  • WordPress version hidden
  • readme.html deleted from root

Built-in features — no third-party plugins needed

  • Login lockout — blocks IPs after 5 failed attempts for 30 minutes
  • Hidden login URL — moves wp-login.php to a secret random slug
  • XML-RPC disable
  • Security headers (X-Frame-Options, HSTS, Referrer-Policy, Permissions-Policy)
  • User enumeration block (/?author= and REST API /wp/v2/users)
  • WordPress version hiding (meta tags, feeds, asset query strings)
  • wp-config.php constant patching (DISALLOW_FILE_EDIT, FORCE_SSL_ADMIN, WP_DEBUG)
  • .htaccess hardening (PHP block in uploads, directory listing, sensitive file protection)
  • wp-config.php permission fix (chmod 440)
  • readme.html deletion

Using the dashboard

Navigate to HN Security in your WordPress admin sidebar after activation. The scan runs immediately.

Security score

  • Good — 80% and above
  • Needs work — 50–79%
  • At risk — below 50%

The score updates live in the browser after each auto-fix — no page reload required.

Fix buttons

Each failing check shows one of two things:

  • Green "Fix" button — click once; the fix applies via AJAX and the check turns green
  • "Manual fix required" tag — the fix must be done outside the plugin

Hidden login URL

After enabling the hidden login URL, a green info box at the bottom of the dashboard shows your new login address, e.g. https://yoursite.com/secure-xk3p9mz2/.

⚠️ Bookmark this immediately. Direct access to /wp-login.php will be blocked for bots — and for you if you forget the slug.

Installation

Two ways to install — pick whichever fits how you manage your site.

Method A — WordPress admin (recommended)

  1. Download hostnasi-security.zip below
  2. In your WordPress admin, go to Plugins → Add New → Upload Plugin
  3. Choose hostnasi-security.zip and click Install Now
  4. Click Activate Plugin
  5. Navigate to HN Security in the sidebar — the scan runs immediately

Method B — FTP / cPanel File Manager

  1. Extract hostnasi-security.zip on your computer
  2. Upload the hostnasi-security/ folder to /wp-content/plugins/ on your server
  3. Activate via Plugins → Installed Plugins

Requirements

  • WordPress (minimum): 6.0
  • PHP (minimum): 8.0
  • User role: Administrator
  • Web server: Apache or LiteSpeed (Nginx: partial support)

Manual steps guide — checks the plugin can't fix automatically

Remove the "admin" username

  1. Go to Users → Add New in your admin panel
  2. Create a new Administrator account with a unique username (not admin)
  3. Log out, then log back in as the new account
  4. Go to Users, find the old admin account, click Delete
  5. When prompted, choose to reassign all content to your new account

Change the database table prefix

Best done at install time — set wp_ to something unique (e.g. hn7x_) during the WordPress installation wizard.

For existing live sites: back up your database, use a plugin such as Brozzme DB Prefix & Tools Addons, or contact Hostnasi support — we can do it for you.

Set strong security keys and salts

  1. Visit api.wordpress.org/secret-key/1.1/salt/ to generate a fresh set
  2. Open wp-config.php via cPanel File Manager or FTP
  3. Replace the block starting with define('AUTH_KEY', with the generated keys
  4. Save — all current sessions will be invalidated (all users must log in again)

Update WordPress core & plugins

Go to Dashboard → Updates, update plugins first, then core. Enable auto-updates for extra safety.

Delete inactive plugins

Go to Plugins → Installed Plugins, filter by Inactive, select all, then Bulk Actions → Delete.

Security checks reference

Every check the scanner runs, grouped by category, with severity and auto-fix status.

🔐 Authentication & login · 4 checks

Remove default "admin" username · Critical · Manual

Every brute-force bot tries admin as the first username. Rename or delete this account.

Limit login attempts · Critical · Auto-fix

Blocks IPs after 5 failed logins within 10 minutes, for 30 minutes. Reads CF-Connecting-IP behind Cloudflare.
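The lockout rule above, as an added example that is not the plugin's own code: a sliding-window counter kept in WordPress transients. Names with the hns_ prefix and the HNS_BEHIND_CLOUDFLARE wp-config constant are assumptions; CF-Connecting-IP is trusted only when that constant says the site really sits behind Cloudflare, since any client can send the header otherwise.

```php
<?php
// Added example (not the plugin's code); hns_ names and HNS_BEHIND_CLOUDFLARE are assumed.
const HNS_MAX_FAILS   = 5;
const HNS_FAIL_WINDOW = 600;   // seconds: failures counted within 10 minutes
const HNS_LOCKOUT     = 1800;  // seconds: lock lasts 30 minutes

// CF-Connecting-IP is honoured only when the site is known to sit behind
// Cloudflare; otherwise any client could forge the header and dodge the lock.
function hns_client_ip(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    if (defined('HNS_BEHIND_CLOUDFLARE') && HNS_BEHIND_CLOUDFLARE && !empty($_SERVER['HTTP_CF_CONNECTING_IP'])) {
        $ip = $_SERVER['HTTP_CF_CONNECTING_IP'];
    }
    return filter_var($ip, FILTER_VALIDATE_IP) ? $ip : '0.0.0.0';
}

function hns_key(string $kind, string $ip): string {
    return 'hns_' . $kind . '_' . md5($ip);
}

// Keep a sliding window of failure timestamps; the 5th within 10 minutes locks.
function hns_record_failed_login(): void {
    $ip = hns_client_ip();
    if (get_transient(hns_key('lock', $ip)) !== false) return; // already locked; the rejection below fires this hook too
    $now  = time();
    $hits = get_transient(hns_key('fails', $ip));
    $hits = is_array($hits) ? $hits : [];
    $hits = array_values(array_filter($hits, fn($t) => $t > $now - HNS_FAIL_WINDOW));
    $hits[] = $now;
    if (count($hits) >= HNS_MAX_FAILS) {
        set_transient(hns_key('lock', $ip), $now + HNS_LOCKOUT, HNS_LOCKOUT);
        delete_transient(hns_key('fails', $ip));
        return;
    }
    set_transient(hns_key('fails', $ip), $hits, HNS_FAIL_WINDOW);
}
add_action('wp_login_failed', 'hns_record_failed_login');

// Priority 30 runs after core's password callbacks (priority 20), so this error
// replaces their result and a locked IP gets the same response every time.
function hns_block_locked_ip($user, $username, $password) {
    $until = get_transient(hns_key('lock', hns_client_ip()));
    if ($until === false) return $user;
    $mins = max(1, (int) ceil(($until - time()) / 60));
    return new WP_Error('hns_locked_out',
        sprintf('Too many failed logins. Try again in %d minutes.', $mins));
}
add_filter('authenticate', 'hns_block_locked_ip', 30, 3);
```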

Hide wp-login.php from bots · Critical · Auto-fix

Moves the login page to a secret secure-[random] slug. Bots can't attack a page they can't find.

Disable XML-RPC · Critical · Auto-fix

Prevents amplified login-attempt and DDoS abuse via XML-RPC, unless your app or Jetpack needs it.

⚙️ wp-config.php hardening · 5 checks

Disable theme/plugin file editor · Critical · Auto-fix

Inserts DISALLOW_FILE_EDIT so a compromised admin password can't become arbitrary code execution.

Force HTTPS for wp-admin · Critical · Auto-fix*

Inserts FORCE_SSL_ADMIN. Requires an active SSL certificate — fails if the site isn't served over HTTPS.

Non-default database table prefix · Critical · Manual

The default wp_ prefix makes SQL injection easier to exploit. Safest to set at install time.

WP_DEBUG disabled on production · High · Auto-fix

Debug mode leaks file paths and stack traces to visitors. The plugin sets WP_DEBUG to false.

Security keys & salts are set · High · Manual

Checks that all four primary keys are defined and at least 40 characters. Default/missing keys make stolen cookies reusable.

📁 File & directory permissions · 4 checks

wp-config.php permissions (440/400) · Critical · Auto-fix

chmod 0440 — your database credentials become unreadable to other users on shared hosting.

PHP execution blocked in /uploads/ · Critical · Auto-fix

Breaks the common attack chain of uploading disguised .php files through vulnerable plugins.

Directory listing disabled · High · Auto-fix

Adds Options -Indexes so directories without an index file don't expose a file browser.

Protect .htaccess and sensitive files · High · Auto-fix

Blocks direct HTTP access to config and log files that should never be public.

🔄 Updates & plugins · 4 checks

WordPress core is up to date · Critical · Manual

Outdated core has publicly disclosed CVEs that automated scanners actively exploit.

No plugins with pending updates · Critical · Manual

Vulnerable plugins are the #1 attack vector on WordPress.

No inactive plugins installed · Critical · Manual

Inactive plugins are still on the filesystem and still exploitable — delete, don't just deactivate.

Minor core auto-updates enabled · High · Auto-fix

Minor WordPress releases are almost always security patches — applied automatically.

🛡️ HTTP security headers · 3 checks

All header checks share one toggle — enabling any one enables all five headers, including HSTS on HTTPS sites.

X-Frame-Options · High · Auto-fix

Prevents your site being embedded in an iframe on another domain — stops clickjacking.

X-Content-Type-Options · High · Auto-fix

Stops browsers from MIME-sniffing responses into executable content.

Referrer-Policy · High · Auto-fix

strict-origin-when-cross-origin keeps full admin URLs out of referrer headers.

🔍 Information leakage · 3 checks

Block user enumeration · High · Auto-fix

Redirects /?author=N and removes /wp/v2/users from the REST API for unauthenticated visitors.
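The two enumeration blocks just described, as an added example rather than the plugin's own code; the hns_ function names are assumed. The author-query handler is hooked at priority 1 so it runs before WordPress's own canonical redirect, which would otherwise rewrite /?author=N into /author/<login>/ and leak the account name in the Location header.

```php
<?php
// Added example (not the plugin's code); the hns_ function names are assumed.

// 1. WordPress resolves /?author=N into /author/<login>/ via redirect_canonical
//    on template_redirect (priority 10), which reveals the login name.
//    Hooking at priority 1 sends anonymous visitors home before that happens.
function hns_block_author_query(): void {
    if (is_user_logged_in() || !isset($_GET['author'])) {
        return;
    }
    wp_safe_redirect(home_url('/'));
    exit;
}
add_action('template_redirect', 'hns_block_author_query', 1);

// 2. The REST API lists accounts at /wp/v2/users and /wp/v2/users/<id> without
//    authentication. Drop those routes for anonymous requests only, so the
//    block editor and other logged-in clients keep working.
function hns_remove_user_routes(array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (str_starts_with($route, '/wp/v2/users')) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
}
add_filter('rest_endpoints', 'hns_remove_user_routes');
```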

WordPress version hidden · High · Auto-fix

Strips the version from meta tags, RSS feeds, and ?ver= query strings on assets.

readme.html deleted from root · High · Auto-fix

Removes the file that publicly displays your exact WordPress version number.

All fixes apply via a nonce-verified AJAX request, restricted to Administrator users, and checked against a whitelist of 15 allowed methods before execution — no arbitrary code execution is possible.

Compatibility

  • WordPress 6.0–6.7: ✅ Fully supported
  • PHP 8.0, 8.1, 8.2, 8.3: ✅ Fully supported
  • Apache: ✅ All features
  • LiteSpeed: ✅ All features
  • Nginx: ⚠️ Headers and lockout work; .htaccess fixes need manual location blocks
  • Cloudflare proxy: ✅ Lockout reads CF-Connecting-IP
  • WordPress Multisite: ❌ Not tested — single-site installs only
  • Wordfence / Sucuri: ✅ Fully compatible — complementary, no conflicts
  • WP Super Cache / W3TC / LiteSpeed Cache: ✅ Compatible

Nginx equivalents for .htaccess fixes

# Block PHP in uploads
location ~* /wp-content/uploads/.*\.php$ {
    deny all;
}

# Disable directory listing
autoindex off;

# Protect sensitive files
location ~* ^/(\.htaccess|wp-config\.php|debug\.log|readme\.html|license\.txt)$ {
    deny all;
}

Troubleshooting

I'm locked out after enabling the hidden login URL

The login slug is stored in the database. Retrieve it via phpMyAdmin:

SELECT option_value FROM wp_options WHERE option_name = 'hns_login_slug';

Or via WP-CLI:

wp option get hns_login_slug

Navigate to https://yoursite.com/{slug}/ to log in. To disable the feature entirely:

wp option update hns_hide_login_enabled 0
wp rewrite flush

wp-config.php fix says "not writable"

After the chmod 440 fix, wp-config.php becomes non-writable by the web process. Via SSH:

chmod 640 wp-config.php
# Apply fix via dashboard
chmod 440 wp-config.php

Or add the define() manually using cPanel File Manager's Text Editor.

.htaccess fix applied but the check still fails

  1. Clear your caching plugin's file cache
  2. On Nginx, .htaccess has no effect — use the Nginx equivalents above
  3. Verify .htaccess isn't overridden by a parent directory's AllowOverride None

FORCE_SSL_ADMIN fix returns an error

The plugin checks is_ssl() first. If SSL terminates at a load balancer or Cloudflare, add this to wp-config.php before retrying:

if (isset($_SERVER['HTTP_X_FORWARDED_PROTO']) && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https') {
    $_SERVER['HTTPS'] = 'on';
}

Score isn't updating after a fix

  1. Hard refresh the page (Ctrl/Cmd+Shift+R)
  2. Go to Settings → Permalinks and click Save Changes to flush rewrites
  3. Some checks (e.g. DISALLOW_FILE_EDIT) only appear on the next page load after wp-config.php is patched

Ready to harden your site?

Free for Hostnasi-hosted customers. Install in under five minutes.

⬇ Download hostnasi-security.zip