Hardened sites in seconds.

Improve security across your sites by applying best practices through a simple, clear interface.

Best Practices scan (acme.com):
wp-config.php Permissions: Checks if wp-config.php file permissions are correctly configured to prevent unauthorized access.
File Editor: Checks if the file editor is enabled, which can pose a security risk.
Database Prefix: Checks if the database prefix is customized, as using the default 'wp_' prefix can facilitate SQL injection.
Directory Browsing: Checks if directory browsing is enabled, which can expose sensitive files.
SSL Active: Checks if the site is using an active SSL connection to protect transmitted data.
XML-RPC Status: Checks if the XML-RPC service is enabled, which can pose a security risk.
Security Headers: Checks if HTTP security headers are correctly configured to protect the site from common attacks. [Fix]
WordPress Version Hidden: Checks if the WordPress version is hidden to prevent targeted attacks.
PHP Error Reporting: Checks if PHP error reporting is enabled, which can expose sensitive information in case of errors.
PHP Memory > 256MB: Checks if the PHP memory limit is correctly configured to ensure optimal performance.
Admin username: Checks if the site uses a default username like 'admin' or 'administrator', which can pose a security risk.
Unused Plugins: Checks for installed but inactive plugins, which can pose a security risk if not updated. Found: Jetpack Boost. [Fix]
Unused Themes: Checks for installed but inactive themes, which can pose a security risk if not updated.
WAF Presence: Checks if the site uses a Web Application Firewall (WAF) to protect against common attacks.

Apply security hardening across sites in seconds. No more manual per-site setup. WP Smart finds each issue and fixes it directly — in one click.

Admin username

Check there’s no user named “admin” — the top brute-force target on WordPress.

File editor disabled

Verify the wp-admin file editor is off. If not, WP Smart disables it by adding the constant in wp-config.php.

wp-config.php permissions

Ensure wp-config.php is 600 or 640 — WP Smart fixes permissions in one click when they’re wrong.

Database table prefix

Confirm the prefix isn’t the default “wp_”, which simplifies SQL injection attacks.

Directory browsing

Verify directory listing is disabled — WP Smart adds the .htaccess rule to protect file structure.

PHP error reporting

Check display_errors is off in production — avoid exposing paths and internals publicly.

HTTP security headers

Verify CSP, X-Frame-Options, and other critical headers — WP Smart adds them automatically when missing.

XML-RPC disabled

Check if XML-RPC is on — if so, WP Smart disables it to remove a classic brute-force and DDoS vector.

Hidden WordPress version

Ensure the WordPress version isn’t exposed in HTML — WP Smart removes it with a functions.php line.

Unused plugins

List installed but inactive plugins — each inactive plugin is extra attack surface, shown with name badges.

Unused themes

List inactive themes — unused themes can hide vulnerabilities. WP Smart highlights them for quick cleanup.

Fix in one click

Every fixable item shows a Fix button — WP Smart applies the change remotely and updates state optimistically.
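
A local, read-only audit of the file-based checks this page lists (wp-config.php permissions, DISALLOW_FILE_EDIT, WP_DEBUG, the table prefix, and Options -Indexes in .htaccess), as an added example that is not WP Smart's own code. The function names, result keys and sample files are constructed for illustration, and the comment stripping is a heuristic that handles only block comments and whole-line comments.

```python
import os
import re
import stat
import tempfile

def php_constant(cfg, name):
    """Value of define('NAME', value) in comment-stripped PHP, lowercased, or None."""
    m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*(\w+)\s*\)" % name, cfg, re.I)
    return m.group(1).lower() if m else None

def audit(root):
    """Return {check: passed} for the WordPress install at root (hypothetical keys)."""
    cfg_path = os.path.join(root, "wp-config.php")
    with open(cfg_path, encoding="utf-8") as fh:
        cfg = fh.read()
    # Drop block and whole-line comments so a commented-out define is not counted.
    cfg = re.sub(r"/\*.*?\*/", "", cfg, flags=re.S)
    cfg = re.sub(r"^\s*(//|#).*$", "", cfg, flags=re.M)
    prefix = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", cfg)
    try:
        with open(os.path.join(root, ".htaccess"), encoding="utf-8") as fh:
            htaccess = fh.read()
    except FileNotFoundError:
        htaccess = ""
    mode = stat.S_IMODE(os.stat(cfg_path).st_mode)
    return {
        "wp_config_permissions": (mode & ~0o640) == 0,  # 600 or 640; any bit outside rw-r----- fails
        "file_editor_disabled": php_constant(cfg, "DISALLOW_FILE_EDIT") in ("true", "1"),
        "debug_off": php_constant(cfg, "WP_DEBUG") in (None, "false", "0"),  # unset means off
        "db_prefix_changed": bool(prefix) and prefix.group(1) != "wp_",
        "directory_listing_off": bool(re.search(r"^[ \t]*Options\b.*-Indexes", htaccess, re.M)),
    }

def write_sample(root, hardened):
    """Write a constructed two-file sample install, weak or hardened."""
    cfg = "<?php\n// define('DISALLOW_FILE_EDIT', true);\n$table_prefix = 'wp_';\ndefine('WP_DEBUG', true);\n"
    if hardened:
        cfg = "<?php\ndefine( 'DISALLOW_FILE_EDIT', true );\n$table_prefix = 'x7k_';\ndefine('WP_DEBUG', false);\n"
    with open(os.path.join(root, "wp-config.php"), "w", encoding="utf-8") as fh:
        fh.write(cfg)
    with open(os.path.join(root, ".htaccess"), "w", encoding="utf-8") as fh:
        fh.write("Options -Indexes\n" if hardened else "# Options -Indexes\n")
    os.chmod(os.path.join(root, "wp-config.php"), 0o640 if hardened else 0o644)

if __name__ == "__main__":
    for hardened in (False, True):
        with tempfile.TemporaryDirectory() as d:
            write_sample(d, hardened)
            print("hardened" if hardened else "weak", audit(d))
```

The weak sample fails every check, including the commented-out DISALLOW_FILE_EDIT line and the commented-out Options -Indexes rule, which a plain substring search would count as present.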

A full audit on every install

Instant health snapshot: read reports and technical notes, fix critical settings — without complex menu diving.

Best Practices: all sites (5 sites)
acme.com: 11/14
blog.startup.io: 13/14
store.brand.it: 9/14
docs.agency.dev: 14/14
app.saas.co: 12/14

Automatic fixes without touching the server

Advanced architecture that acts on the WordPress instance — critical settings and file permissions updated with secure, instant protocols.

acme.com: 11 unused
Inactive plugins (7): Hello Dolly, Akismet Anti-Spam, Classic Editor, Jetpack Boost, WP Super Cache, Starter Templates, MonsterInsights
Inactive themes (4): Twenty Twenty-Four, Twenty Twenty-Three, Twenty Twenty-Two, flavor Theme
Active summary:
Active plugins audited: 12
Active theme verified: 1
Must-use plugins: 2
Drop-ins detected: 0
Auto-update enabled: 9
Outdated plugins: 0
Remove unused assets to reduce attack surface. [Clean up]

Leaner, safer sites in a minute

Cut cruft without hunting through menus — reduce risk by finding and removing inactive plugins fast.

Harden every site in minutes

Stop configuring sites one by one — secure all WordPress installs in one click and skip hours of repetitive technical work.

Hardening: all sites (5 sites)
acme.com: in progress
blog.startup.io: complete
store.brand.it: in progress
docs.agency.dev: complete
app.saas.co: in progress
acme.com: 5/10 applied (50%)

| Fix | Target | Status |
|---|---|---|
| Disable XML-RPC (Blocks brute-force via xmlrpc.php) | wp-config | Fixed |
| Hide WP version (Remove generator meta tag) | functions.php | Fixed |
| wp-config permissions (Set file permissions to 640) | chmod | Fixed |
| Disable file editor (DISALLOW_FILE_EDIT = true) | wp-config | Fixed |
| Directory listing off (Options -Indexes in .htaccess) | .htaccess | Fixed |
| Security headers (CSP, X-Frame-Options, HSTS) | .htaccess | Fixing… |
| PHP display_errors (Set display_errors = Off) | php.ini | Fix / Fixing… |
| Debug mode off (WP_DEBUG = false) | wp-config | Fix / Fixing… |
| DB prefix changed (Change default wp_ prefix) | wp-config | Fix / Fixing… |
| Login lockout (Limit failed login attempts) | plugin | Fix / Fixing… |

5 fixes applied successfully

Built for those who demand the best.
Available today.