Security Settings

Outcome

You will understand the hosted security settings available in WordPress admin and when to use each one.

What You Can Control

Hosted security settings focus on practical hardening: reducing risky admin surfaces, tightening login behavior, and disabling features your site does not depend on. None of these settings affect the underlying platform; they change what the WordPress application itself exposes.

Setting	Default	What it does	When to change
Plugin editor	Disabled	Blocks editing plugin source from inside WordPress admin.	Leave disabled unless a developer needs in-admin edits temporarily.
Theme editor	Disabled	Blocks editing theme files from inside WordPress admin.	Leave disabled. Use deployments to change theme code.
XML-RPC	Disabled	Turns off the legacy XML-RPC endpoint used by some integrations.	Enable only if a known integration (older Jetpack flows, certain mobile apps) needs it.
Login attempt limit	Enabled	Locks an IP out after repeated failed logins for a cooldown window.	Adjust the threshold or window if legitimate users hit the limit, or tighten it for high-risk sites.

Defaults exist for a reason

The defaults reflect what most hosted sites should be running. Disabling login protection, re-enabling the file editors, or turning XML-RPC back on widens the attack surface in real ways. If you change a default, write down why and revisit the change after the integration or task that needed it is finished.

Posture Comparison

Two common postures are shown below. Most sites should sit between them and only deviate where a specific integration requires it.

Typical

• Plugin editor: disabled
• Theme editor: disabled
• XML-RPC: disabled
• Login attempt limit: enabled with default thresholds
• Suitable for most marketing, brochure, and small commerce sites.

Hardened

• Plugin editor: disabled
• Theme editor: disabled
• XML-RPC: disabled
• Login attempt limit: enabled with a lower threshold and longer lockout
• Plus: enforce strong passwords and two-factor for all admin users, restrict admin role assignment, and review user list regularly.
• Suitable for sites handling sensitive data or sites that have been targeted in the past.

How To Use This Page

Use these settings when you want to reduce risky admin actions, tighten login behavior, or disable features your site does not depend on. If you are unsure whether something on the site uses XML-RPC, ask the developer who installed the integration before disabling it.

What Success Looks Like

• Your site reflects the security posture your team intended.
• Risky editing surfaces are disabled if your team does not need them.
• Login protection is active and understood by site administrators.

Related Troubleshooting

• If users report lockouts, see Hosted Troubleshooting.
• If an integration depends on XML-RPC, coordinate the change before turning it off.