aGo Harden v1.0

Security hardening for WordPress — protect your site without complexity

Quick Start

aGo Harden adds 11 security hardening measures to your WordPress site. Each measure is a toggle — no complex settings, no firewall rules to write. Enable what you need, check your security score, and you are done.

Installation

  1. Upload ago-harden.zip from Plugins → Add New → Upload Plugin
  2. Activate the plugin
  3. Go to aGo Tools → Harden
  4. Enable the security modules you want
  5. Click Save Changes

Tip: Start by enabling all modules except "Custom Login URL" (which requires choosing a slug). Then set up a custom login URL to maximize your score.

Security Modules

Each module addresses a specific attack vector or information leak. The Risk Level column indicates how critical the vulnerability is if left unprotected.

Module | What It Does | Risk | Pts
Custom Login URL | Changes the default /wp-login.php and /wp-admin URLs to a custom slug (e.g., /my-secret-access). Bots scanning wp-login.php get a 404. | High | 15
Limit Login Attempts | Blocks an IP address after repeated failed login attempts. Prevents brute-force password guessing attacks. | High | 15
Security Headers | Adds HTTP security headers: X-Content-Type-Options, X-Frame-Options, X-XSS-Protection, Referrer-Policy, and Permissions-Policy. | High | 15
Disable File Editor | Disables the built-in Theme and Plugin code editor in wp-admin (DISALLOW_FILE_EDIT). If an attacker gains admin access, they cannot inject code through the editor. | Medium | 10
Disable XML-RPC | Completely disables the xmlrpc.php endpoint, preventing XML-RPC-based brute force and DDoS amplification attacks. | Medium | 10
Block PHP in Uploads | Writes an .htaccess rule in wp-content/uploads/ that blocks PHP file execution. Prevents uploaded malicious scripts from running. | Medium | 10
Hide WP Version | Removes the WordPress version number from the <meta generator> tag, RSS feeds and script/style query strings. | Low | 5
Block Author Enumeration | Blocks ?author=N URL scans that reveal WordPress usernames. Attackers use these to find valid users for brute force attacks. | Low | 5
Disable Directory Listing | Writes an .htaccess rule with Options -Indexes to prevent browsing directory contents when no index file exists. | Low | 5
Force Logout | Logs out all users automatically after a configurable number of hours. Set to 0 to disable. Limits the window of a hijacked session. | Low | 5
Hide Login Errors | Replaces specific login error messages ("invalid username" or "incorrect password") with a generic message. Prevents attackers from confirming valid users. | Low | 5

Important: The "Block PHP in Uploads" and "Disable Directory Listing" modules write .htaccess rules. They are automatically removed when the plugin is deactivated. These modules only work on Apache/LiteSpeed servers — Nginx requires manual configuration.
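The modules that do not touch .htaccess all work at the WordPress level, and each one maps onto a small number of core hooks. The mu-plugin below is an added illustration of how that mapping looks, not aGo Harden's own code: the agoex_ function names, the concrete header values, the 403 response and the 8-hour session cap are this example's choices, and the "Custom Login URL" and "Limit Login Attempts" modules are left out here because they need more than a hook each.

```php
<?php
/**
 * Plugin Name: Hardening hooks (added example, not aGo Harden's code)
 *
 * Place in wp-content/mu-plugins/ to try it. Everything prefixed "agoex_"
 * and every concrete value below is this example's own choice.
 */

// Disable File Editor: the same constant named in the module table. Guarded
// so that a definition in wp-config.php takes precedence.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
	define( 'DISALLOW_FILE_EDIT', true );
}

// Disable XML-RPC: core consults this filter before answering xmlrpc.php.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Hide WP Version: remove the <meta name="generator"> tag and the RSS
// generator, then strip ?ver=<core version> from enqueued asset URLs while
// leaving plugin and theme version strings alone.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
function agoex_strip_core_version( $src ) {
	global $wp_version;
	if ( is_string( $src ) && false !== strpos( $src, 'ver=' . $wp_version ) ) {
		$src = remove_query_arg( 'ver', $src );
	}
	return $src;
}
add_filter( 'script_loader_src', 'agoex_strip_core_version' );
add_filter( 'style_loader_src', 'agoex_strip_core_version' );

// Hide Login Errors: one message whether the username or the password was wrong.
add_filter( 'login_errors', function () {
	return 'Login failed. Please check your credentials.';
} );

// Security Headers: 'send_headers' fires for front-end requests only, so
// wp-login.php and wp-admin need their own hooks (login_init, admin_init).
// X-XSS-Protection is on the module's list; "0" is chosen here because the
// legacy browser filter is deprecated and current guidance disables it.
add_action( 'send_headers', function () {
	header( 'X-Content-Type-Options: nosniff' );
	header( 'X-Frame-Options: SAMEORIGIN' );
	header( 'X-XSS-Protection: 0' );
	header( 'Referrer-Policy: strict-origin-when-cross-origin' );
	header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
} );

// Block Author Enumeration: redirect_canonical() turns ?author=N into
// /author/<login>/, which reveals the login name. Priority 1 runs before it.
add_action( 'template_redirect', function () {
	if ( isset( $_GET['author'] ) && preg_match( '/^\d+$/', wp_unslash( $_GET['author'] ) ) ) {
		wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
	}
}, 1 );

// Force Logout: cap the authentication cookie lifetime (8 hours here; the
// plugin makes this configurable and treats 0 as "disabled").
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
	$hours = 8;
	return $hours > 0 ? min( $seconds, $hours * HOUR_IN_SECONDS ) : $seconds;
}, 10, 3 );
```

After dropping the file into wp-content/mu-plugins/, a page source with no generator tag, a front-end response carrying the five headers, and a 403 for ?author=1 confirm that each hook fired. Note that the author check only covers the ?author=N query; the REST API users endpoint is a separate source of the same information that this snippet does not address.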

Security Score

The security score is a 0-100 gauge displayed at the top of the Harden settings page. It provides a quick visual indicator of your security coverage.

How It Works

Each module has a point value based on its risk level. Enable a module to earn its points. The total is capped at 100.

Score Range | Label | Color
90 – 100 | Excellent | Green
70 – 89 | Good | Blue
40 – 69 | Fair | Yellow
0 – 39 | Weak | Red

Point Breakdown

  • High-risk modules (15 pts each): Custom Login URL, Limit Login Attempts, Security Headers
  • Medium-risk modules (10 pts each): Disable File Editor, Disable XML-RPC, Block PHP in Uploads
  • Low-risk modules (5 pts each): Hide WP Version, Block Author Enumeration, Disable Directory Listing, Force Logout, Hide Login Errors

Note: A score of 100 means all modules are enabled. It does not mean your site is completely secure — other factors like strong passwords, updated software and hosting security are equally important.

Recommended Settings

For most WordPress sites, we recommend enabling all 11 modules. Here is a priority guide if you want to enable them incrementally:

Enable First (Critical)

Custom Login URL + Limit Login Attempts + Security Headers — These three modules protect against the most common WordPress attacks: automated bot scans on wp-login.php, brute-force password attacks, and XSS/clickjacking from missing headers. Together they contribute 45 points.

Enable Second (Important)

Disable File Editor + Disable XML-RPC + Block PHP in Uploads — These close secondary attack vectors: the code editor (used after compromising admin), XML-RPC (legacy brute force), and PHP execution in uploads (malicious uploads). Together they add 30 points.

Enable Third (Recommended)

All remaining modules — Hide WP Version, Block Author Enumeration, Disable Directory Listing, Force Logout, and Hide Login Errors. These are information leak and session management protections. They add the final 25 points for a perfect score.

Custom Login URL — Choosing a Slug

Choose something unique but memorable. Avoid common alternatives like /login, /admin, or /wp-admin. Good examples:

  • /access-panel
  • /team-login
  • /my-office

Important: After setting a custom login URL, bookmark the new address. The default /wp-login.php and /wp-admin (for non-logged-in users) will return a 404 page.

Frequently Asked Questions

I forgot my custom login URL. How do I log in?

Connect to your database (phpMyAdmin or WP-CLI) and look for the ago_harden_settings option in the wp_options table. The custom_login_url key contains your slug. Alternatively, rename or delete the plugin folder via FTP/SFTP — this deactivates the plugin and restores the default login URL.

Does "Limit Login Attempts" work behind a reverse proxy?

The module uses the visitor's IP address. If your site is behind Cloudflare, Nginx, or another reverse proxy, make sure the real IP is passed correctly (e.g., via X-Forwarded-For or CF-Connecting-IP). WordPress must see the real IP for rate limiting to work properly.
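The answer above turns on how the plugin learns the visitor's IP. If a forwarded header is trusted blindly, any client can set it and choose which address gets counted, which defeats the "Limit Login Attempts" module entirely. The mu-plugin below is an added example, not aGo Harden's own implementation of that module: it honours CF-Connecting-IP or X-Forwarded-For only when the connection actually arrives from a proxy the operator has listed, then locks an IP out after five failures within fifteen minutes using WordPress transients. The agoex_ names, the proxy list and the limits are this example's assumptions.

```php
<?php
/**
 * Plugin Name: Login limiter with trusted-proxy IP (added example, not aGo Harden's code)
 *
 * Constants and agoex_* names are this example's own. Edit the proxy list to
 * match your deployment before relying on it.
 */

define( 'AGOEX_MAX_ATTEMPTS', 5 );
define( 'AGOEX_WINDOW_SECONDS', 15 * 60 );
// Assumption: only these addresses are allowed to assert a forwarded client IP.
define( 'AGOEX_TRUSTED_PROXIES', array( '127.0.0.1', '10.0.0.5' ) );

function agoex_client_ip() {
	$remote = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

	// Direct connection: forwarded headers were set by the client, ignore them.
	if ( ! in_array( $remote, AGOEX_TRUSTED_PROXIES, true ) ) {
		return $remote;
	}

	$candidate = '';
	if ( ! empty( $_SERVER['HTTP_CF_CONNECTING_IP'] ) ) {
		// Cloudflare sets this header itself and it carries a single address.
		$candidate = $_SERVER['HTTP_CF_CONNECTING_IP'];
	} elseif ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
		// Each proxy appends to X-Forwarded-For. A client can prepend bogus
		// entries but cannot remove what our proxy appended, so walk from the
		// right and stop at the first address that is not one of our hops.
		$hops = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
		for ( $i = count( $hops ) - 1; $i >= 0; $i-- ) {
			if ( ! in_array( $hops[ $i ], AGOEX_TRUSTED_PROXIES, true ) ) {
				$candidate = $hops[ $i ];
				break;
			}
		}
	}

	// Fall back to the proxy's own address rather than trusting a malformed value.
	return filter_var( $candidate, FILTER_VALIDATE_IP ) ? $candidate : $remote;
}

function agoex_lock_key( $ip ) {
	return 'agoex_login_fail_' . md5( $ip );
}

// Refuse authentication while the IP is locked out. Priority 30 runs after
// core's username/password check at 20, and a WP_Error returned here wins.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	$fails = (int) get_transient( agoex_lock_key( agoex_client_ip() ) );
	if ( $fails >= AGOEX_MAX_ATTEMPTS ) {
		return new WP_Error( 'agoex_locked', 'Too many failed login attempts. Try again later.' );
	}
	return $user;
}, 30, 3 );

// Count failures per IP. The transient expiry is refreshed on every failure,
// so the window runs from the most recent failed attempt.
add_action( 'wp_login_failed', function () {
	$key   = agoex_lock_key( agoex_client_ip() );
	$fails = (int) get_transient( $key );
	set_transient( $key, $fails + 1, AGOEX_WINDOW_SECONDS );
} );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function () {
	delete_transient( agoex_lock_key( agoex_client_ip() ) );
} );
```

The important property is the first check in agoex_client_ip(): when REMOTE_ADDR is not a listed proxy, the forwarded headers are ignored completely. Behind a CDN that means listing the CDN's egress ranges (or terminating only CDN traffic at the origin); behind a local Nginx or HAProxy it is usually just 127.0.0.1. Verify the result by logging agoex_client_ip() on a failed login from a known address before enabling the lockout in production.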

Will "Block PHP in Uploads" break anything?

No. The wp-content/uploads/ directory should never contain PHP files. It is only for media (images, PDFs, etc.). If a plugin legitimately stores PHP files in uploads (bad practice), that plugin would break — but this is extremely rare.

Do the .htaccess modules work on Nginx?

No. The "Block PHP in Uploads" and "Disable Directory Listing" modules write Apache .htaccess rules. On Nginx, you need to add equivalent rules to your server block manually. All other modules work on any server because they operate at the PHP/WordPress level.

Can I use aGo Harden with other security plugins?

Yes, but avoid overlapping features. If you use Wordfence or Sucuri, check whether they already handle login protection or security headers. Duplicate protections do not cause errors, but they add unnecessary processing.

What happens when I deactivate the plugin?

All hardening measures are removed immediately. The custom login URL reverts to /wp-login.php, security headers stop being sent, and .htaccess rules written by the plugin are automatically cleaned up.

Need help?

Contact us at ago.cl/contacto or write to [email protected].