Guide · 6 min read

Hardening, firewalls, and malware scanners: what actually does what

WordPress security is three different jobs wearing one word. Here is which tool does which, and where hardening fits.

Ask three WordPress site owners how they handle security and you will hear three different answers that all sound like the same thing. One installed a firewall. One runs a malware scanner. One spent an afternoon closing settings nobody else thinks about. Each believes they have the problem covered, and each has done a different job. The word "security" is doing a lot of quiet work here, hiding the fact that these are three separate tools with three separate purposes, and that having one tells you almost nothing about whether you have the others.

It is worth pulling them apart, because the confusion has a cost. People skip hardening because a firewall feels like enough. People treat a malware scanner as prevention when it is really a smoke detector. Knowing which tool does what is the difference between a security stack with a plan and a pile of plugins that overlap in some places and leave gaps in others.

Hardening: closing the doors before anyone tries them

Hardening is the preventative layer. It does not watch for attacks or react to them. It removes the configuration exposures that give an attacker something to work with in the first place, so that when the automated scanners arrive, they find less to use.

The list is unglamorous and that is the point. XML-RPC left open on a site that never uses it. Usernames a brute-force tool can confirm before it starts guessing passwords. The WordPress version sitting in your page source for any scanner to read. Missing security headers that would otherwise tell the browser not to be framed or to stop guessing content types. A failed-login limit that is not in place. Mixed content that breaks the padlock. An uploads folder that lists its contents to anyone who visits the URL. None of these is an attack. Each is a door left ajar.

This is the layer RecapWP works on. It scans for those exposures, and where the remedy is a known configuration change, it carries a one-click fix that writes the change for you, recorded so you can reverse it later. Closing XML-RPC, blocking username enumeration, hiding the version, adding the missing headers, limiting failed logins, fixing mixed content, re-enabling search visibility when it was switched off by mistake. The detection is rule-based and the fix is rule-based, so the same site returns the same findings every time, and nothing is left to a model to decide.
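To make the "known configuration change" concrete, here is an added example of what such fixes look like when written as a WordPress must-use plugin. It is illustrative code, not RecapWP's own implementation or part of the original article, and it assumes an install path of wp-content/mu-plugins/example-hardening.php, the hypothetical names EXAMPLE_MAX_ATTEMPTS, EXAMPLE_LOCKOUT_SECONDS and example_login_key(), and a site that is not behind a reverse proxy. It covers XML-RPC, username enumeration, version disclosure, the missing headers and the failed-login limit from the list above; mixed content and search visibility are separate fixes and are not shown.

```php
<?php
/**
 * Plugin Name: Example hardening (added example, not RecapWP code)
 * Description: Closes several of the configuration exposures listed above.
 *
 * Assumed install path: wp-content/mu-plugins/example-hardening.php
 * (mu-plugins load automatically and cannot be deactivated from the admin UI).
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Only run inside WordPress.
}

// 1. XML-RPC: disable the endpoint on a site that never uses it. With this
//    filter xmlrpc.php answers every method with an "XML-RPC services are
//    disabled" fault instead of processing it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Username enumeration: /?author=N normally redirects to /author/<login>/,
//    confirming a login name before any password is guessed. Send anonymous
//    visitors home instead (this also hides public author archives), and drop
//    the public users listing from the REST API. Priority 0 runs before
//    WordPress's own canonical redirect.
add_action( 'template_redirect', function () {
    if ( ( isset( $_GET['author'] ) || is_author() ) && ! is_user_logged_in() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 0 );
add_filter( 'rest_endpoints', function ( $endpoints ) {
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
} );

// 3. Version disclosure: remove the generator meta tag and the ?ver= query
//    strings that reveal the core version on every script and stylesheet.
//    Note that ?ver= also serves as a cache-buster; strip it only if your
//    caching strategy does not depend on it.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
$example_strip_ver = function ( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
};
add_filter( 'script_loader_src', $example_strip_ver );
add_filter( 'style_loader_src', $example_strip_ver );

// 4. Security headers: tell the browser not to frame the site and not to
//    guess (sniff) content types. HSTS is sent only over HTTPS so that a
//    plain-HTTP staging copy is not locked out of its own hostname.
add_action( 'send_headers', function () {
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    if ( is_ssl() ) {
        header( 'Strict-Transport-Security: max-age=31536000' );
    }
} );

// 5. Failed-login limit: a per-IP counter kept in a transient. The
//    thresholds are assumed values. REMOTE_ADDR is only trustworthy when the
//    site is not behind a reverse proxy; behind one, use the forwarded
//    address that the proxy is configured to set.
define( 'EXAMPLE_MAX_ATTEMPTS', 5 );
define( 'EXAMPLE_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function example_login_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_login_fail_' . md5( $ip );
}

add_action( 'wp_login_failed', function () {
    $key = example_login_key();
    set_transient( $key, (int) get_transient( $key ) + 1, EXAMPLE_LOCKOUT_SECONDS );
} );

add_action( 'wp_login', function () {
    delete_transient( example_login_key() ); // A successful login clears the counter.
} );

add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_login_key() ) >= EXAMPLE_MAX_ATTEMPTS ) {
        return new WP_Error( 'example_locked_out', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );

// 6. Directory listing of wp-content/uploads is a web-server setting, not a
//    PHP one: "Options -Indexes" in Apache's .htaccess, or "autoindex off;"
//    in the nginx location block, closes that door.
```

Each of these is a deterministic change: the same hook, filter or header every time, which is what makes it possible to record and reverse it. The login limit deliberately keys on the client address rather than the username so that a lockout cannot be used to deny a real user access by repeatedly failing against their account name.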

Firewalls and WAFs: inspecting traffic as it arrives

A firewall, or a web application firewall, does something hardening cannot. It sits in front of your site, inspects requests in real time, and blocks the ones that look malicious before they reach WordPress at all. Where hardening shrinks the attack surface, a firewall actively defends what is left of it.

That live, reactive posture is exactly what hardening does not provide, and it is worth being plain about it: RecapWP is not a firewall. It does not watch your traffic, it does not block requests, and it makes no claim of real-time protection. The two jobs are complementary rather than competing. A firewall stops the request that is trying something; hardening makes sure that even a request the firewall misses finds nothing useful waiting for it.

A firewall defends the surface. Hardening shrinks it. A scanner tells you when something already got through. They are not three names for one tool.

Malware and file scanners: the smoke detector

The third category is different again. A malware or file scanner looks for injected malicious code: altered core files, a backdoor dropped into a plugin, a payload hidden where it does not belong. By its nature it is usually a post-event tool. It is most useful after a compromise has already happened, telling you that something got in and where it is hiding so you can clean it up.

That is valuable, and it is also not prevention. A scanner finding nothing today does not mean your doors are shut; it means nothing has walked through them yet. This is a separate job from the one RecapWP does. RecapWP hardens configuration and fixes known exposures. Treating any one of these three tools as a substitute for the other two is how sites end up surprised.

Why you want more than one layer

Lay the three side by side and the logic of running all of them gets obvious. Hardening is preventative and works on your configuration. A firewall is reactive and works on incoming traffic. A scanner is detective and works on your files after the fact. They cover different moments in the same story: before an attack, during it, and after.

Lean on only one and you can feel the gaps. A firewall in front of a site whose XML-RPC is wide open and whose usernames enumerate freely is defending a building with the back windows unlatched. Hardening with no scanner means that if something ever does slip through, you have no smoke detector to tell you. A scanner alone is all aftermath and no prevention. The layers are not redundant. They are complementary, and the cost of stacking them is mostly the small effort of understanding what each one is for.

Where RecapWP fits

RecapWP is the hardening layer, and it is deliberate about staying in that lane. It finds the configuration exposures most WordPress sites carry without knowing it, and it applies the fix for the deterministic ones with an undo behind every change, so hardening never becomes a one-way door. It does not pretend to be a firewall, and it does not do what a malware scanner does. Run it alongside whatever firewall and scanning you use, not instead of them.

The honest framing is the useful one. No single tool here is "security" on its own. Hardening closes the easy openings so the rest of your stack has less to do, a firewall watches the traffic, a scanner catches what gets past everything else, and together they cover ground none of them covers alone. The point of knowing the difference is that you can stop assuming one tool is doing another's job.

The fastest way to see where your own site sits on the hardening side is to run a scan and read the security findings worst-first. Most owners are surprised by how many doors turn out to be open, and by how many of them close with a single fix.

  • WordPress
  • Security
  • Hardening

Try it on a real site

Stop reading about it. Run the scan.

RecapWP Pro runs dozens of deterministic checks across every area and fixes them for you, with undo, plus the full-site crawl, redirect manager, frontend auditor and the Ask RecapWP assistant.