
WordPress Hidden Service Security: Complete Hardening Guide

WordPress powers a significant portion of web content including dark web publications and anonymous news sites. Running WordPress as a Tor hidden service requires both standard WordPress hardening and hidden service-specific configurations. This guide covers the complete security checklist.

WordPress Core Configuration Hardening

wp-config.php security settings:
define('DISALLOW_FILE_EDIT', true) prevents plugin and theme files from being edited through the admin panel.
define('DISALLOW_FILE_MODS', true) prevents plugin and theme installation and updates through the admin panel. Note that this constant also switches off WordPress's automatic background updater, so it cannot be combined with WP_AUTO_UPDATE_CORE below; sites that rely on it apply updates by deploying from the staging copy instead.
define('WP_DEBUG', false) - never enable debug output in production.
define('DB_HOST', 'localhost') - the database must be reached over localhost.
Change the table prefix from the default 'wp_' to a custom prefix (reduces the success rate of SQL injection).
Set file permissions: wp-config.php chmod 600, .htaccess chmod 644, the wp-content directory chmod 755, wp-content/uploads chmod 755. WordPress core files should be read-only except during updates.
Automate updates: define('WP_AUTO_UPDATE_CORE', true) enables automatic security updates for WordPress core.

Plugin Security for Hidden Service WordPress

Minimize installed plugins: every plugin is additional attack surface. Audit installed plugins quarterly and remove inactive ones. Security-focused plugin selection: use widely audited plugins with an active maintenance history. Avoid plugins that make external API calls to clearnet services (these may leak your hidden service's origin IP), plugins whose JavaScript loads external resources (this violates the CSP for hidden services), and plugins from untrusted sources. Must-have security plugins: Wordfence or Solid Security (login protection, file integrity monitoring), Redirection (manage redirects without modifying .htaccess), WP Mail SMTP (send email via SMTP rather than the PHP mail function). Check these against the same rule: Wordfence, for example, contacts the vendor's servers for signature updates and scans, so that traffic must be forced through Tor or the feature turned off. Disable XML-RPC if it is not needed: add_filter('xmlrpc_enabled', '__return_false') in functions.php.

Login Protection for Hidden Service WordPress

The WordPress admin login (/wp-admin/, /wp-login.php) is the primary attack target. Protections: rename the login URL with a plugin (WPS Hide Login); add reCAPTCHA or an equivalent to the login form (hCaptcha is better for privacy than Google reCAPTCHA, though both load their widget script from the provider's clearnet domain, which the CSP section below forbids, so weigh this against plain attempt limiting); limit login attempts (Wordfence or Limit Login Attempts Reloaded); block user enumeration (?author=1 reveals usernames, so redirect requests that carry the author query parameter); enforce strong passwords through the WordPress password policy; enable two-factor authentication for all admin users (Wordfence has built-in TOTP 2FA). HTTP authentication layer: add Nginx basic auth on the /wp-admin/ location as an additional barrier before WordPress handles the request.

Content Security Policy for WordPress Hidden Service

WordPress's default behavior loads many external resources (CDN-hosted jQuery, Google Fonts, analytics scripts). For a hidden service, all external resource loading must be prevented: the resulting clearnet requests would reveal user IPs. Replace CDN-hosted resources with locally hosted copies. Disable emojis (which load from s.w.org): remove_action('wp_head', 'print_emoji_detection_script', 7). Remove Google Fonts from themes: replace @import url('https://fonts.googleapis.com/...') with locally hosted font files. CSP header (the policy contains single quotes, so the PHP string must be double-quoted): add_action('send_headers', function() { header("Content-Security-Policy: default-src 'self' 'unsafe-inline'; img-src 'self'"); }); Test the CSP with the browser developer tools to identify any remaining external resource loads.

WordPress Updates and Maintenance for Hidden Services

Keeping WordPress updated is critical: WordPress has a history of significant security vulnerabilities in both core and plugins. Enable automatic updates: define('WP_AUTO_UPDATE_CORE', true) in wp-config.php and add_filter('auto_update_plugin', '__return_true') in an mu-plugin. Staged update process: test updates on a local development copy before applying them to the production hidden service. This is especially important for the main hidden service, where downtime or a regression affects real users. Back up before updates: automated backups (UpdraftPlus) stored encrypted off-server. Regular security scanning: Wordfence or Sucuri SiteCheck scans for malware and security issues. Log review: monitor WordPress error logs and Nginx access logs for suspicious patterns (unusual admin access, PHP error floods).
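The snippets from the plugin, login and CSP sections above, combined into one must-use plugin as an added example (this is not code from the original guide or from any plugin it names): it disables XML-RPC, removes the emoji loader, redirects author-enumeration requests, sends the CSP header and, going one step beyond the text, refuses server-side HTTP requests to clearnet hosts so a misbehaving plugin cannot expose the origin IP. It assumes the file lives in wp-content/mu-plugins/; HS_ALLOWED_HOSTS, hs_outbound_allowed() and the [hs-hardening] log tag are names chosen for this example.

```php
<?php
/**
 * Plugin Name: Hidden Service Hardening (added example; not from the original guide)
 * Place in wp-content/mu-plugins/ so it loads before regular plugins and themes.
 */
defined('ABSPATH') || exit;

// 1. XML-RPC is rarely needed and is a brute-force and pingback vector.
add_filter('xmlrpc_enabled', '__return_false');

// 2. Emoji support pulls scripts and styles from s.w.org, a clearnet host.
add_action('init', function () {
    remove_action('wp_head', 'print_emoji_detection_script', 7);
    remove_action('admin_print_scripts', 'print_emoji_detection_script');
    remove_action('wp_print_styles', 'print_emoji_styles');
    remove_action('admin_print_styles', 'print_emoji_styles');
});

// 3. User enumeration: ?author=N is normally canonical-redirected to /author/<login>/.
// Priority 1 runs before redirect_canonical (priority 10 on the same hook).
add_action('template_redirect', function () {
    if (isset($_GET['author']) || (is_author() && ! is_user_logged_in())) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// 4. CSP: same-origin resources only. 'unsafe-inline' stays because core and most
// themes still emit inline scripts and styles; tighten it once those are removed.
add_action('send_headers', function () {
    header("Content-Security-Policy: default-src 'self' 'unsafe-inline'; img-src 'self'");
});

// 5. Server-side HTTP requests to clearnet hosts are what expose the origin IP.
// HS_ALLOWED_HOSTS is an assumed name: loopback only by default; .onion is always allowed.
const HS_ALLOWED_HOSTS = ['localhost', '127.0.0.1'];

function hs_outbound_allowed(string $url): bool {
    $host = strtolower((string) parse_url($url, PHP_URL_HOST));
    return in_array($host, HS_ALLOWED_HOSTS, true) || substr($host, -6) === '.onion';
}

add_filter('pre_http_request', function ($preempt, $args, $url) {
    if (hs_outbound_allowed($url)) {
        return $preempt; // false: WordPress performs the request normally
    }
    error_log('[hs-hardening] blocked outbound request to ' . $url); // assumed log tag
    return new WP_Error('hs_blocked', 'Outbound clearnet requests are disabled on this hidden service.');
}, 10, 3);
```

Automatic core and plugin updates fetch from api.wordpress.org, which this filter blocks and logs; add those hosts to HS_ALLOWED_HOSTS only if the server's outbound traffic is already forced through Tor, otherwise apply updates from the staging copy as described above.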
