How To Do Website Hardening With Patchstack?

Published 21 April 2023
Updated 31 August 2023
Sander Jürgens
Support engineer at Patchstack
Table of Contents

What does website hardening mean? Having a proper firewall to protect your WordPress website is a crucial way to keep it secure. However, there are many ways you can configure and customize the firewall to take security to the next level. Website hardening means exactly that.

You can set your own firewall rules and tweak some settings here and there – for example – set a custom WordPress login URL or block certain countries from accessing your site.

website hardening
Hardening settings IN the Patchstack app

In this article, we go over different website hardening methods that Patchstack offers.

Which website hardening features does Patchstack offer?

Patchstack covers all the basic website hardening settings, and the most essential of these will be turned on by default when you subscribe to the Patchstack Developer or Business plan.

1. Block unwanted traffic by IP addresses or countries

  • IP blocking
    You can prevent different IP addresses from accessing your site. IP addresses can be set one by one, or in group with similar structure (e.g. 127.0.0.*)
  • IP whitelisting
    You can whitelist IP addresses that have been previously blocked
  • Country blocking
    Create a list of countries you would like to block traffic from. Read more about country blocking here
  • Reverse country blocking
    You can also create a list to only allow traffic from specific countries

2. Protect your registration and login functionality

  • Email registration blacklist
    This is an easy way to block spam users from registering on your website. With this feature, you can block visitors who try registering with an email containing certain phrases. For example, you can block all emails that contain “”
  • ReCaptcha
    Protect your WordPress forms and set up reCaptcha (v2 or v3) to built-in WordPress forms such as:
    • Post commenting form
    • Login form
    • Registration form
    • Password reset form
  • Login URL protection
    You can block access to your default /wp-admin URL, and set a custom login URL. You will still retain access to the /wp-admin URL – to whitelist your own IP address, simply visit the custom login page once. Read more about our login protection here
  • Automatic IP ban for brute force attacks
    Brute-force attacking is one of the ways hackers can gain access to your WordPress admin account. This is done by sending thousands of login requests to the login form and trying out different passwords. Our automatic brute-force IP ban feature blocks IP addresses that have failed to log in after a certain number of times. This feature is enabled by default
  • Logon hours
    You can enable this feature to let people log in to your WordPress administration area only during certain times of the day. You simply set the start and end time for when logging in to wp-admin is allowed (for example, only during your office hours)
  • 2 Factor Authentication
    It is always good to use 2FA for keeping your account secure. Patchstack supports 2FA for WordPress login functionality, and you can use different authenticator apps on your phone or tablet to use it. It is also possible to whitelist some IP addresses from which the 2FA is not required

3. Configure your .htaccess and other settings easily

  • Different htaccess features
    There are multiple settings to modify your htaccess file, and you can write and apply htaccess rules straight from the Patchstack App. Other settings Patchstack handles through htaccess features are:
    • adding security headers
    • limiting access to default WordPress files (like readme.html, license.txt)
    • blocking access to debug.log file
    • disabling directory and file listing
    • forbidding proxy commenting
    • preventing image hotlinking
  • Disable the theme editor
    This feature removes the possibility of admin users getting their hands on the raw theme files from WordPress admin. This could also protect you from potential automated attacks that involve the theme editor. This feature is enabled by default
  • Hide information about your active WordPress core version
    Patchstack removes readme.html file and hides your WordPress version in the <meta> tags. This makes it difficult to run targeted attacks against your active WordPress version. This feature is enabled by default
  • Disable user enumeration
    It is fairly easy to detect the usernames that are registered on your WordPress site. Once the usernames are known, hackers could run brute force attacks against these user accounts. Disabling user enumeration blocks access to user data. This feature is enabled by default
  • Block application passwords
    Disables the application passwords feature introduced in WordPress 5.6. This feature is enabled by default
  • Restrict XML-RPC Access
    You can restrict access to xmlrpc.php file by only allowing authenticated users to access it. This feature is enabled by default
  • Restrict WP REST API Access
    Restrict access to the WP REST API by only allowing authenticated users to access it

Patchstack rocks at WordPress website hardening

As you can see, there can be a lot more to be done by just customizing your firewall settings. Patchstack has the most critical settings turned on by default, but there are lots of different rules that can be modified and added to your WordPress website to take the security even further.

We care about the best user experience, and try to make difficult things simple for you – so most of these hardening settings can be configured with only a couple of mouse clicks.

If you have any questions about our hardening features, read our documentation, or feel free to jump in the chat.
Just click on the green chat bubble at the bottom right corner of this page!

The latest in Patchstack How-To's

Looks like your browser is blocking our support chat widget. Turn off adblockers and reload the page.