Five WordPress hardening rules that won’t break your site

WordPress hardening advice on the internet ranges from genuinely useful to actively destructive. “Disable REST API” sounds great until your contact form stops working. Most guides do not distinguish between advice that helps and advice that breaks things.

1. Hide login error hints

By default, WordPress tells attackers whether the username or password was wrong. That is an information leak with zero benefit to legitimate users. Safe on every site, no exceptions.

2. Remove the WordPress version number

Automated scanners use this to target sites running outdated versions. Removing it adds a layer of obscurity that costs nothing and breaks nothing.

3. Block author enumeration

Visiting /?author=1 redirects to the author archive, whose URL contains the admin username, on most WordPress sites. Blocking this redirect removes a common reconnaissance vector. Safe on all sites.

4. Disable application passwords

WordPress 5.6 added application passwords for REST API authentication. If you are not using REST API integrations, these are an unnecessary attack surface.

5. Disable the file editor

The built-in theme and plugin editor lets anyone with admin access modify PHP files from the browser. This is a security nightmare. Disable it.
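The five rules above as a single must-use plugin, added here as an illustration and not code from OvKit or the page's author. It uses only core WordPress hooks and assumes a standard install where the file is dropped into wp-content/mu-plugins/.

```php
<?php
/**
 * Plugin Name: Five hardening rules (added example)
 * Placed in wp-content/mu-plugins/ so it loads before themes and admin menus.
 */

// 1. Hide login error hints: one generic message whatever the cause.
add_filter( 'login_errors', function ( $errors ) {
    return 'Invalid login credentials.';
} );

// 2. Remove the version number from the <meta name="generator"> tag and feeds.
//    Note: ?ver= query strings on core assets and readme.html still carry it.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 3. Block author enumeration. ?author=1 is normally turned into
//    /author/<username>/ by redirect_canonical() at template_redirect priority 10,
//    so hook earlier and send anonymous visitors to the home page instead.
add_action( 'template_redirect', function () {
    if ( is_author() && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );
// The REST users endpoint lists the same usernames; hide it from anonymous requests.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 4. Disable application passwords (WordPress 5.6+). Leave this out if any
//    integration authenticates to the REST API with them.
add_filter( 'wp_is_application_passwords_available', '__return_false' );

// 5. Disable the theme/plugin file editor. Normally set in wp-config.php;
//    an mu-plugin loads early enough that defining it here also works.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

After installing, confirm rule 3 by requesting /?author=1 while logged out and checking that the Location header points at the home page rather than an /author/ URL.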

Enable all five in 30 seconds

All five rules are available in OvKit free. Each shows a risk label so you know exactly what you are enabling. One dashboard, zero guesswork.
