Linux 软件免费装
Banner图

WT Hardening

开发者 webmastersteam
更新时间 2026年7月7日 17:53
捐献地址: 去捐款
PHP版本: 8.0 及以上
WordPress版本: 7.0
版权: GPLv2 or later
版权网址: 版权信息

标签

security brute-force xmlrpc hardening security-headers

下载

1.0.3 1.0.4 1.0.5 1.0.2

详情介绍:

WT Hardening is a lightweight, modular security plugin that turns on the most important WordPress hardening measures without modifying your theme, wp-config.php, or .htaccess. Everything works through WordPress hooks and can be disabled at any moment with a single click. The plugin is completely free, without a PRO version, without ads, and without sending data to external servers. Built by the webmasters.team crew for daily WordPress work. Modules What makes it different What WT Hardening does NOT do (by design) For those needs we recommend dedicated plugins (e.g. Wordfence) or an infrastructure layer (Cloudflare, fail2ban).

安装:

Standard install
  1. In the WP admin go to Plugins → Add new.
  2. Search for "WT Hardening".
  3. Click Install and then Activate.
  4. Open the WT Hardening menu in the admin (shield icon) and configure the modules.
Manual install (via ZIP)
  1. Download the archive from wordpress.org/plugins/wt-hardening.
  2. In the WP admin go to Plugins → Add new → Upload plugin.
  3. Pick the downloaded ZIP, click Install now, and then Activate plugin.
FTP/SFTP install
  1. Unzip the archive.
  2. Upload the wt-hardening folder to wp-content/plugins/ on your server.
  3. In the WP admin go to Plugins → Installed plugins and activate WT Hardening.
After activation all modules are enabled with sensible defaults. If something clashes with your workflow (for example the Jetpack mobile app that needs XML-RPC), just turn off the specific module in the settings.

屏幕截图:

  • Login attempt log - currently blocked IPs plus a list of recent failed attempts.
  • Event log - chronology of logins, registrations, user changes, and plugin activations.

升级注意事项:

1.0.5 Adds a new module that hides the post author's name and URL from oEmbed responses - closes a user-enumeration vector picked up by WPScan. Enabled by default. Only affects sites that expose oEmbed publicly; if you rely on other WordPress sites embedding your posts and want author attribution, disable the new module in the settings. 1.0.4 Minor polish to a module description in the Settings panel. No behaviour or data changes. 1.0.3 Confirmed compatible with WordPress 7.0. No code or behavior changes. 1.0.2 Plugin URI fix - points to the new landing page on webmasters.team. No code or behavior changes. 1.0.1 Compliance update: readme translated to English, escape fixes, safer URL parsing. No data or behavior changes. 1.0.0 First release - install, activate, modules are enabled with sensible defaults.

常见问题:

Does the plugin modify wp-config.php or .htaccess?

No. Everything is wired through WordPress hooks. Deactivating the plugin instantly reverts all changes (except HSTS, which browsers cache - enabling HSTS is a conscious decision).

Will blocking XML-RPC break my mobile app / Jetpack / pingbacks?

Possibly, if you actually rely on them. Disable the XML-RPC module in the settings - the other protection layers stay active.

What happens to the event log on deactivation?

The table stays in the database (useful for later analysis). On full uninstall the tables are dropped cleanly.

Does the plugin work with multisite?

Tested on a single-site install. Multisite should work since we do not use superadmin-specific APIs, but it is not yet formally supported - file an issue if something breaks.

What about performance?

Modules only register the hooks they actually need. The event log is a single INSERT per event. No scanner, no background work beyond an hourly and daily cleanup of old rows. Real impact on response time: under 1 ms.

Why is HSTS disabled by default?

Because Strict-Transport-Security has a sticky effect - browsers remember the header for a year. Enabling it too early (before your entire traffic works on HTTPS without errors) can lock users out of the site for a long time. Turn it on once HTTPS is rock-solid.

Does the strong password policy apply to users created through WP-CLI or wp_create_user()?

No - the policy hooks into admin form validation (profile, registration, reset). Programmatic user creation bypasses these hooks by design. For a typical client workflow (users are created through the admin panel) this is enough.

更新日志:

1.0.5 1.0.4 1.0.3 1.0.2 1.0.1 1.0.0 First release.