Haych/dev Hardener
Harden WordPress in one click. Fingerprint removal, security headers, custom login URL — no external calls.
Haych/dev Hardener removes the breadcrumbs that reveal your site is built on WordPress — version strings, generator tags, emoji scripts, sensitive file paths — and adds the security headers that browsers use to enforce protection policies. All of it runs through WordPress hooks without touching your theme, your .htaccess, or any external service.
Why Haych/dev Hardener
- Invisible to scanners
Strips the WordPress version from every output that exposes it — the generator meta tag, RSS feeds, and asset ?ver= query strings. Automated WordPress scanners stop finding you.
- Security headers, zero config
Outputs X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, HSTS (HTTPS only), and X-XSS-Protection on every response. Each header is individually togglable.
- Custom login URL
Move wp-login.php to any secret slug you choose. The original URL returns a 404. Logout and password-reset flows follow the custom URL too — no partial-protection gaps.
- XML-RPC off by default
Blocks all xmlrpc.php requests via the xmlrpc_enabled filter and removes the X-Pingback header. The most-abused WordPress attack surface, disabled in one toggle.
- Removes WP fingerprints from source
Removes the RSD link, WLW manifest link, and emoji detection scripts from your page source. These three alone are enough for many scanners to confirm a WordPress installation.
- No JS, no external calls
Pure PHP — no JavaScript bundle, no CDN, no license server. Every hardening decision runs locally inside WordPress hooks.
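To confirm these changes on a response from your own site, here is an added example (not part of the plugin or the original page) that checks for the headers and markup listed above. The `audit` function name, the sample responses and the header values are constructed for illustration.

```python
import re

# Headers the page lists (HSTS is only expected over HTTPS).
EXPECTED_HEADERS = ["X-Frame-Options", "X-Content-Type-Options", "Referrer-Policy",
                    "Permissions-Policy", "Strict-Transport-Security", "X-XSS-Protection"]

# Markup the page says is stripped from the page source.
FINGERPRINTS = {
    "generator meta tag": re.compile(r'<meta[^>]+name=["\']generator["\']', re.I),
    "?ver= on assets": re.compile(r'(?:src|href)=["\'][^"\']*[?&](?:amp;)?ver=[\w.-]+', re.I),
    "RSD link": re.compile(r'<link[^>]+rel=["\']EditURI["\']', re.I),
    "WLW manifest link": re.compile(r'<link[^>]+rel=["\']wlwmanifest["\']', re.I),
    "emoji detection script": re.compile(r'_wpemojiSettings|wp-emoji-release', re.I),
}

def audit(headers, body, https=True):
    """Return (missing_headers, leftover_fingerprints, pingback_present)."""
    present = {name.lower() for name in headers}  # header names are case-insensitive
    missing = [h for h in EXPECTED_HEADERS if h.lower() not in present
               and (https or h != "Strict-Transport-Security")]
    leftovers = [label for label, rx in FINGERPRINTS.items() if rx.search(body)]
    return missing, leftovers, "x-pingback" in present

# Constructed sample responses (not captured from a real site; header values are assumptions).
BEFORE_HEADERS = {"Content-Type": "text/html", "X-Pingback": "https://example.test/xmlrpc.php"}
BEFORE_BODY = """<meta name="generator" content="WordPress 6.2" />
<link rel="EditURI" type="application/rsd+xml" href="https://example.test/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="/wp-includes/wlwmanifest.xml" />
<script>window._wpemojiSettings = {};</script>
<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css?ver=6.2" />"""
AFTER_HEADERS = {"content-type": "text/html", "x-frame-options": "SAMEORIGIN",
                 "x-content-type-options": "nosniff", "referrer-policy": "strict-origin-when-cross-origin",
                 "permissions-policy": "geolocation=()", "x-xss-protection": "1; mode=block"}
AFTER_BODY = '<link rel="stylesheet" href="/wp-includes/css/dist/block-library/style.min.css" />'

if __name__ == "__main__":
    print("before:", audit(BEFORE_HEADERS, BEFORE_BODY))
    print("after (plain HTTP):", audit(AFTER_HEADERS, AFTER_BODY, https=False))
```

Feed it the headers and HTML of a front-end page fetched before and after enabling each toggle; an empty result for all three values means every item on the list above took effect for that response.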
Free vs Pro
Free
- Remove the generator meta tag
- Strip version strings from RSS feeds
- Strip ?ver= query params from assets
- Remove RSD, WLW manifest, and emoji detection scripts
Pro
Everything in Free, plus:
- Six configurable security headers including HSTS, X-Frame-Options, Referrer-Policy
- Move wp-login.php to a secret URL slug
- Block XML-RPC requests and remove the X-Pingback header
FAQ
- Will this break my site?
- The default settings are conservative — all features are safe for the vast majority of WordPress sites. The custom login URL is the only feature that requires care; the admin page shows a warning to test in a private window before saving.
- Does it affect page speed?
- No. Fingerprint removal uses WordPress filters that run at hook time, not at render time. Security headers are a single header() call. There is no database query overhead beyond the one wp_options read on init.
- Can I still use Jetpack or the WordPress mobile app?
- Jetpack and the mobile app require XML-RPC. Turn off the toggle in the XML-RPC settings section so that XML-RPC stays enabled for those tools.
- What happens if I forget my custom login URL?
- Deactivate the plugin via FTP or your host's file manager by renaming the plugin directory — this bypasses the login redirect and restores access to /wp-login.php. Then reactivate and clear the slug.
- Does it add a Content-Security-Policy header?
- Not in v1. CSP is highly site-specific and misconfiguration breaks JavaScript and external resources. It is on the roadmap as an advanced option once a safe default policy is established.