Security Basics

Essential WordPress hardening, login protection, and malware scanning in one module

Essential WordPress security hardening with login protection, headers, and more.

Available in these plans

Free, Pro, Plus, Ultra, Agency & Enterprise

Why you'll love it

Rate Limiting

Stop brute force attacks

Lock out attackers after repeated failed login attempts. Configurable threshold and lockout duration.

Example: three failed logins for admin, then locked for 15 min.

Headers

Security headers in one click

HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy. No server config needed.

XML-RPC

Block legacy exploits

Disable the XML-RPC endpoint to prevent brute force and DDoS amplification attacks.

Example: POST /xmlrpc.php returns 403 Forbidden.

Scanner

Find threats in your code

Scan plugins and themes for malware signatures, backdoors, and obfuscation. Each finding shows the matched code in context.

Example scan: theme/header.php, theme/footer.php, plugin/shell.php, theme/functions.php
Finding: eval(base64_decode($_POST['c'])); (Backdoor)

Version

Hide your WordPress version

Remove the generator meta tag and version strings from scripts and styles, so scanners can't fingerprint your installation from them.

Example: <meta name="generator" content="WordPress 6.7"> is removed.

Editor

Lock the file editor

Disable the built-in theme and plugin editor. If an attacker gains admin access, they can't inject code through the editor.

Example (functions.php):
<?php
// Theme functions
add_action(...
Editor disabled

And much more

Directory listing prevention, REST API hardening, database prefix protection, and more security layers.

How it works

Install the RakuWP plugin and enable Security Basics from your dashboard. Toggle individual protections on or off: custom login URL, XML-RPC blocking, version hiding, security headers, file editor lock, directory listing prevention, and login rate limiting. Each toggle takes effect immediately. Run a malware scan to check your theme and plugin files for known threats. Findings show the matched code in context so you can assess whether action is needed.

Frequently asked questions

Will the custom login URL lock me out?

No. When you enable the custom login URL, wp-login.php is redirected to your chosen slug. If you forget the URL, you can disable the feature by deactivating the plugin or through the RakuWP panel remotely.

Do security headers break anything?

The default values are safe for the vast majority of WordPress sites. If your site embeds content in iframes on other domains, you may need to adjust X-Frame-Options. Each header value is fully customizable from the settings panel.

Can the malware scanner detect all threats?

The scanner checks for known malware signatures, backdoors, and suspicious code patterns. It is not a replacement for a full security audit, but it catches the most common threats. Some detections may be false positives from legitimate plugins that use patterns similar to malicious code.
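A minimal signature scan with findings shown in context, as an added example that is not RakuWP's code. The rule names, patterns and sample file contents are assumptions made for illustration; they show both a real hit on the eval(base64_decode($_POST['c'])) pattern and a false positive on benign embedded data.

```python
import re

# Illustrative signatures only: assumed for this example, not RakuWP's rule set.
SIGNATURES = [
    ("eval-of-decoded-data",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("request-data-executed",
     re.compile(r"\b(?:eval|assert|system|shell_exec)\s*\([^;]*\$_(?:POST|GET|REQUEST|COOKIE)", re.I)),
    ("long-base64-literal",
     re.compile(r"['\"][A-Za-z0-9+/=]{200,}['\"]")),
]

def scan_source(path, source, context=1):
    """Return one finding per matching line, with `context` lines either side."""
    lines = source.splitlines()
    findings = []
    for idx, line in enumerate(lines):
        rules = [name for name, rx in SIGNATURES if rx.search(line)]
        if not rules:
            continue
        lo, hi = max(0, idx - context), min(len(lines), idx + context + 1)
        findings.append({
            "file": path,
            "line": idx + 1,
            "rules": rules,
            "context": [(n + 1, lines[n]) for n in range(lo, hi)],
        })
    return findings

def scan_files(files, context=1):
    """Scan a {path: source} mapping and return all findings in path order."""
    return [f for path in sorted(files) for f in scan_source(path, files[path], context)]

# Constructed sample files (file names borrowed from the page, contents made up).
SAMPLE_FILES = {
    "plugin/shell.php": "<?php\neval(base64_decode($_POST['c']));\n",
    "theme/functions.php": "<?php\n// Theme functions\nadd_action('init', 'theme_setup');\n",
    # Benign embedded image data: trips the obfuscation heuristic (false positive).
    "plugin/icons.php": "<?php\n// Inline icon\n$icon = '" + "QUJD" * 60 + "';\necho $icon;\n",
}

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        print(f"{f['file']}:{f['line']} {', '.join(f['rules'])}")
        for num, text in f["context"]:
            print(f"    {num:>3} | {text[:70]}")
```

The plugin/icons.php hit is the kind of finding that needs a human look at the surrounding lines before any action is taken.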

Ready to try it?

Get started with RakuWP for free. No credit card required.
