WordPress Hardening Plugin
Login protection. Security headers. File hardening.
No bloat, no cloud, no monthly fee.
Hardening score dashboard
"Silent auto-hardening is how you end up locked out of your own admin panel."
What it covers
Tracks failed logins per IP. Configurable lockout threshold and duration. Currently locked IPs visible in the dashboard, unlockable with one click.
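The per-IP counter described above can be built on WordPress transients, which give you the threshold, the expiring lockout and the one-click unlock in a few dozen lines. This is an added example, not Flak Jacket's own code; the `fj_*` names, the threshold of 5 and the 15-minute duration are assumptions, and the real plugin stores and exposes the locked IPs differently.

```php
<?php
// Added example (not Flak Jacket's code): per-IP failed-login lockout with WordPress transients.
// FJ_LOCKOUT_THRESHOLD / FJ_LOCKOUT_DURATION are assumed defaults; the plugin makes them configurable.

const FJ_LOCKOUT_THRESHOLD = 5;
const FJ_LOCKOUT_DURATION  = 15 * MINUTE_IN_SECONDS;   // MINUTE_IN_SECONDS is a WordPress constant

function fj_client_ip(): string {
    // Trust only REMOTE_ADDR. X-Forwarded-For is client-supplied and lets an attacker
    // pick a different "IP" per request unless a reverse proxy in front of you overwrites it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function fj_fail_key(string $ip): string {
    // Hashing keeps the transient name short and free of characters like ':' from IPv6 addresses.
    return 'fj_fail_' . md5($ip);
}

// Count each failed attempt; the transient expires after FJ_LOCKOUT_DURATION, so a quiet
// address is forgotten automatically. Each failure refreshes the expiry (sliding window).
add_action('wp_login_failed', function (string $username): void {
    $key   = fj_fail_key(fj_client_ip());
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, FJ_LOCKOUT_DURATION);
});

// Priority 30 runs after WordPress's own username/password check (priority 20), so a locked
// address is refused even when the password happens to be right.
add_filter('authenticate', function ($user, string $username, string $password) {
    $count = (int) get_transient(fj_fail_key(fj_client_ip()));
    if ($count >= FJ_LOCKOUT_THRESHOLD) {
        return new WP_Error(
            'fj_locked_out',
            __('Too many failed logins from your address. Try again later.', 'flak-jacket')
        );
    }
    return $user;
}, 30, 3);

// Dashboard "unlock" action: clearing the counter lifts the lockout immediately.
function fj_unlock_ip(string $ip): void {
    delete_transient(fj_fail_key($ip));
}

// Helper for a dashboard listing: true while the address is over the threshold.
function fj_is_locked(string $ip): bool {
    return (int) get_transient(fj_fail_key($ip)) >= FJ_LOCKOUT_THRESHOLD;
}
```

Two things worth checking on your own site: whether your object cache makes transients shared across all PHP workers (without a persistent cache they live in the options table, which is fine for a single server), and whether you sit behind a proxy, in which case `REMOTE_ADDR` is the proxy and you must have the proxy set the real client address before this code reads it.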
Serves the login form at a custom URL. Requests to /wp-login.php from non-admin IPs return 404. You decide the slug.
TOTP-based 2FA implemented in pure PHP, with no external library. QR code generated as inline SVG. Backup codes included.
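"TOTP in pure PHP" is small enough to show in full: RFC 4226 HOTP over an 8-byte counter, RFC 6238 time steps with a drift window, constant-time comparison, replay protection, and single-use backup codes stored only as password hashes. This is an added example and not Flak Jacket's implementation; the `fj_*` functions and the `fj_totp_secret`, `fj_totp_last_step` and `fj_backup_codes` user-meta keys are assumed names. The RFC 6238 Appendix B vector can be used to check it: secret `12345678901234567890` (base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`) at time 59 yields the 6-digit code `287082`.

```php
<?php
// Added example (not Flak Jacket's code): RFC 6238 TOTP in pure PHP with replay protection
// and single-use backup codes. All fj_* names and user-meta keys are assumed.

function fj_base32_decode(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32  = strtoupper(rtrim($b32, '='));
    $bits = '';
    $out  = '';
    for ($i = 0, $n = strlen($b32); $i < $n; $i++) {
        $v = strpos($alphabet, $b32[$i]);
        if ($v === false) {
            throw new InvalidArgumentException('Invalid base32 character');
        }
        $bits .= str_pad(decbin($v), 5, '0', STR_PAD_LEFT);
        while (strlen($bits) >= 8) {            // emit a byte for every 8 accumulated bits
            $out .= chr(bindec(substr($bits, 0, 8)));
            $bits = substr($bits, 8);
        }
    }
    return $out;
}

// HOTP (RFC 4226): HMAC-SHA1 over the big-endian 64-bit counter, dynamic truncation, N digits.
function fj_hotp(string $secret, int $counter, int $digits = 6): string {
    $hmac   = hash_hmac('sha1', pack('J', $counter), $secret, true);
    $offset = ord($hmac[19]) & 0x0f;
    $code   = ((ord($hmac[$offset]) & 0x7f) << 24)
            | (ord($hmac[$offset + 1]) << 16)
            | (ord($hmac[$offset + 2]) << 8)
            |  ord($hmac[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

// Returns the time step that produced $code, or false. Checking +/- $window steps tolerates
// small clock drift between server and phone without widening the window indefinitely.
function fj_totp_match(string $base32_secret, string $code, int $now, int $period = 30, int $window = 1) {
    if (!preg_match('/^\d{6}$/', $code)) {
        return false;
    }
    $secret = fj_base32_decode($base32_secret);
    $step   = intdiv($now, $period);
    for ($i = -$window; $i <= $window; $i++) {
        if (hash_equals(fj_hotp($secret, $step + $i), $code)) {   // constant-time compare
            return $step + $i;
        }
    }
    return false;
}

// WordPress-side check. Remembering the last accepted step means an intercepted code cannot
// be submitted a second time inside the drift window.
function fj_verify_user_totp(int $user_id, string $code): bool {
    $secret    = (string) get_user_meta($user_id, 'fj_totp_secret', true);
    $last_step = (int) get_user_meta($user_id, 'fj_totp_last_step', true);
    $step      = fj_totp_match($secret, $code, time());
    if ($step === false || $step <= $last_step) {
        return false;   // wrong code, or replay of an already-used step
    }
    update_user_meta($user_id, 'fj_totp_last_step', $step);
    return true;
}

// Backup codes: generated once, shown to the user once, stored only as password hashes.
function fj_generate_backup_codes(int $user_id, int $count = 8): array {
    $plain = $hashes = [];
    for ($i = 0; $i < $count; $i++) {
        $plain[$i]  = bin2hex(random_bytes(5));                  // 10 hex characters, CSPRNG
        $hashes[$i] = password_hash($plain[$i], PASSWORD_DEFAULT);
    }
    update_user_meta($user_id, 'fj_backup_codes', $hashes);
    return $plain;   // display these once; they are not recoverable from the stored hashes
}

function fj_consume_backup_code(int $user_id, string $code): bool {
    $hashes = (array) get_user_meta($user_id, 'fj_backup_codes', true);
    foreach ($hashes as $i => $hash) {
        if (password_verify($code, $hash)) {
            unset($hashes[$i]);                                  // single use
            update_user_meta($user_id, 'fj_backup_codes', array_values($hashes));
            return true;
        }
    }
    return false;
}
```

The two failure modes the page's "pure PHP" claim makes you responsible for are clock skew (handled by the one-step window, which you should not widen beyond one or two steps) and replay (handled by storing the last accepted step). `pack('J', ...)` needs PHP 5.6.3 or later, and the secret must come from `random_bytes()` when the user enrols, never from `rand()` or `uniqid()`.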
HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, and CSP. Each individually toggleable.
Protects wp-config.php and .htaccess. Disables directory browsing. Blocks access to readme.html and license.txt. All via .htaccess markers.
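The header and file-hardening items above, and the "keep or remove the rules on deactivation" question in the FAQ, both map onto two small pieces of WordPress API: the `send_headers` action for response headers and `insert_with_markers()` for a marker-delimited `.htaccess` block. This is an added example, not Flak Jacket's code; the header values are reasonable defaults the page does not specify, the marker name `Flak Jacket` and the `fj_*` names are assumed, and CSP is left out because its value is site-specific.

```php
<?php
// Added example (not Flak Jacket's code). Header values and the marker name are assumptions.

// Each header is individually toggleable in the plugin; here the toggles are a plain array
// so you can see which header does what.
function fj_security_headers(bool $hsts = true): array {
    $headers = [
        'X-Frame-Options'        => 'SAMEORIGIN',                    // clickjacking
        'X-Content-Type-Options' => 'nosniff',                       // MIME sniffing
        'Referrer-Policy'        => 'strict-origin-when-cross-origin',
        'Permissions-Policy'     => 'camera=(), microphone=(), geolocation=()',
    ];
    // HSTS is only meaningful over TLS; browsers ignore it on plain HTTP, and sending it
    // there usually means the "is this HTTPS?" check is wrong.
    if ($hsts && is_ssl()) {
        $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    }
    return $headers;
}

add_action('send_headers', function (): void {
    foreach (fj_security_headers() as $name => $value) {
        header($name . ': ' . $value);
    }
});

// .htaccess rules wrapped in "# BEGIN Flak Jacket" / "# END Flak Jacket" markers.
// insert_with_markers() rewrites only that block and leaves everything else in the file alone,
// which is what makes a clean "remove on deactivation" possible.
function fj_write_htaccess_rules(bool $enable): bool {
    require_once ABSPATH . 'wp-admin/includes/misc.php';   // defines insert_with_markers()

    $rules = $enable ? [
        '# Apache 2.4 syntax; on 2.2 use "Deny from all" instead of "Require all denied"',
        '<Files wp-config.php>',
        '    Require all denied',
        '</Files>',
        '<Files .htaccess>',
        '    Require all denied',
        '</Files>',
        '<FilesMatch "^(readme\.html|license\.txt)$">',
        '    Require all denied',
        '</FilesMatch>',
        'Options -Indexes',   // disables directory listings
    ] : [];   // an empty block is how "remove the rules" looks: markers stay, contents go

    return insert_with_markers(ABSPATH . '.htaccess', 'Flak Jacket', $rules);
}

// Deactivation hook: only strip the rules when the admin chose "remove" in the notice.
// fj_user_chose_remove() is a placeholder for however that choice is stored.
register_deactivation_hook(__FILE__, function (): void {
    if (function_exists('fj_user_chose_remove') && fj_user_chose_remove()) {
        fj_write_htaccess_rules(false);
    }
});
```

After enabling, confirm the result from outside rather than trusting the toggle: `curl -sI https://example.test/wp-config.php` should return 403, `curl -sI https://example.test/` should show the headers above, and a directory with no index file should no longer list its contents. On nginx none of the `.htaccess` rules apply, so the same denials must be expressed as `location` blocks in the server configuration.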
Detects when OAP is active and marks overlapping items as "Handled externally": no duplicate functions, no conflicts, accurate score.
FAQ
Why is nothing enabled automatically on activation?
Because you should understand what's protecting your site. Silent auto-hardening is how you end up locked out of your own admin panel. Flak Jacket shows you what's available; you decide what to enable.
Will renaming wp-login.php break anything?
It shouldn't, but test it before enabling in production. The plugin warns you clearly if you've forgotten the custom URL. Works with standard WordPress; multisite support is disabled by default with a clear warning.
What happens to .htaccess rules if I deactivate?
Deactivation does not automatically remove .htaccess rules; you get a notice asking whether to keep or remove them. All rules are wrapped in clearly marked comment blocks.
Does it work alongside OAP, CCCP, and Critical Path CSS?
Yes, it's designed for exactly that stack. Overlapping functions handled by OAP are detected automatically and shown as blue in the dashboard rather than as gaps.
Free. Open source. GPL-2.0+. No strings attached.