Security Tools MU Plugin Code for WordPress

Learn how to create a lightweight WordPress Security Tools MU Plugin that automatically protects your website using simple hardening rules, security headers, login protection, and safer WordPress settings without relying entirely on traditional security plugins.

---

Why a Security Tools MU Plugin Matters

WordPress powers millions of websites worldwide. Because of its popularity, it also attracts bots, brute-force attacks, malware injections, spam attempts, and vulnerability scans every day. Many website owners install large security plugins to protect their sites. While those plugins can help, some users prefer a lighter and more controlled solution.

This is where a Security Tools MU Plugin becomes useful. MU stands for “Must-Use.” WordPress automatically loads MU plugins from the wp-content/mu-plugins/ directory. Unlike normal plugins, they cannot be disabled accidentally from the standard Plugins page.

This makes them perfect for critical security rules that should always stay active.

A properly configured MU plugin can help:

• Disable risky WordPress features
• Reduce exposed site information
• Block simple reconnaissance attempts
• Add browser security headers
• Improve baseline WordPress hardening
• Apply custom security rules automatically

The best part is that an MU plugin is lightweight and easy to customize.

---

What Is an MU Plugin in WordPress?

An MU plugin is a special type of plugin loaded automatically by WordPress.

These plugins are stored inside:

wp-content/mu-plugins/

Unlike regular plugins:

• They do not require activation
• Users cannot disable them from the Plugins page
• WordPress loads them before normal plugins
• They remain active unless manually removed

Website administrators often use MU plugins for:

• Security hardening
• Hosting customizations
• Performance tweaks
• Admin restrictions
• Forced configurations
• Maintenance rules

Because they load automatically, MU plugins are ideal for essential security rules.

---

Why Use a Custom Security MU Plugin?

Many security plugins include hundreds of features. However, not every website needs all those functions. Some plugins also consume additional resources or create unnecessary dashboard clutter. A custom MU plugin gives you more control. Instead of installing a large suite, you can create lightweight protections tailored to your own website.

Benefits include:

• Faster execution
• Cleaner dashboard
• Reduced plugin dependency
• Permanent security rules
• Easier customization
• Better control over hardening settings

This approach is especially useful for developers, server administrators, agencies, and advanced WordPress users.

---

Important Safety Warning Before Using Custom Code

Always create a complete backup before editing website files. Even a small PHP error can break your site.

Before adding custom security code:

• Back up website files
• Back up the database
• Save a copy of wp-config.php
• Test on staging if possible
• Keep file manager or SSH access available

Never paste unknown code from random websites into your live server. Only use trusted and reviewed code snippets.

---

Create the MU Plugin Folder

Open your WordPress installation directory.

Navigate to:

wp-content/

If the mu-plugins folder does not exist, create it manually.

Final path:

wp-content/mu-plugins/

---

Create the Security Tools MU Plugin File

Inside the mu-plugins directory, create a PHP file named:

wpzone-security-tools.php

You can use any filename you prefer.

---

Complete Security Tools MU Plugin Code

Copy and paste the following code into your MU plugin file.

<?php
/**
 * Plugin Name: WPZone Security Tools
 * Description: Lightweight WordPress MU security hardening tools.
 * Version: 1.0
 * Author: WPZone
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

/**
 * Disable file editing from dashboard
 */
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

/**
 * Remove WordPress version
 */
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

/**
 * Disable XML-RPC
 */
add_filter( 'xmlrpc_enabled', '__return_false' );

/**
 * Remove unnecessary header links
 */
remove_action( 'wp_head', 'rsd_link' );
remove_action( 'wp_head', 'wlwmanifest_link' );
remove_action( 'wp_head', 'wp_shortlink_wp_head' );

/**
 * Hide login errors
 */
add_filter( 'login_errors', function () {
    return 'Login failed.';
} );

/**
 * Block author enumeration
 */
add_action( 'template_redirect', function () {

    if ( is_admin() ) {
        return;
    }

    if ( isset( $_GET['author'] ) && is_numeric( $_GET['author'] ) ) {
        wp_safe_redirect( home_url(), 301 );
        exit;
    }
} );

/**
 * Add security headers
 */
add_action( 'send_headers', function () {

    if ( headers_sent() ) {
        return;
    }

    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-Content-Type-Options: nosniff' );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
} );

/**
 * Disable REST API user endpoint for visitors
 */
add_filter( 'rest_endpoints', function ( $endpoints ) {

    if ( ! is_user_logged_in() ) {

        unset( $endpoints['/wp/v2/users'] );
        unset( $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }

    return $endpoints;
} );

---

What This Security MU Plugin Does

Disables Theme and Plugin File Editing

WordPress includes a built-in file editor. Attackers often abuse this feature after compromising an admin account.

This rule disables dashboard file editing:

define( 'DISALLOW_FILE_EDIT', true );

This improves security without affecting SFTP or SSH access.

---

Removes the WordPress Version Number

WordPress sometimes exposes its version publicly. Attackers may use this information during vulnerability scanning.

This code removes version details:

remove_action( 'wp_head', 'wp_generator' );

Although this does not fully hide WordPress, it reduces unnecessary exposure.

---

Disables XML-RPC

XML-RPC is an older remote communication feature.

Some websites still need it for:

• Mobile apps
• Jetpack
• Remote publishing tools

However, many sites never use it.

Disabling XML-RPC can reduce attack surface and brute-force abuse.

add_filter( 'xmlrpc_enabled', '__return_false' );

---

Removes Unnecessary Header Information

WordPress automatically adds several links inside the website header.

Examples include:

• RSD links
• WLW manifest links
• Shortlink references

These links are usually unnecessary on modern websites. Removing them slightly reduces exposed information.

---

Hides Login Error Details

Default login errors may reveal whether a username exists. This can help attackers during brute-force attempts.

Replacing detailed errors with generic messages improves privacy.

return 'Login failed.';

---

Blocks Author Enumeration

Bots often try URLs like:

/?author=1

This can reveal usernames.
The MU plugin redirects those requests back to the homepage.

---

Adds Browser Security Headers

Security headers tell browsers how to handle website content safely.

The MU plugin adds headers such as:

• X-Frame-Options
• X-Content-Type-Options
• Referrer-Policy
• Permissions-Policy

These help reduce risks like:

• Clickjacking
• MIME sniffing
• Excessive browser permissions

---

Restricts REST API User Endpoints

The WordPress REST API can expose public user data.
This plugin removes user endpoints for non-logged-in visitors.
That reduces unnecessary exposure while keeping normal WordPress functionality intact.

---

Why Lightweight Security Matters

Many website owners install multiple heavy security plugins at once.

This can create:

• Duplicate firewall rules
• Conflicting settings
• Dashboard clutter
• Higher resource usage
• Slower admin areas

A lightweight MU plugin focuses only on essential hardening.

This approach works well when combined with:

• Good hosting
• Cloudflare or WAF protection
• Regular updates
• Strong passwords
• Two-factor authentication

---

Security Features This Plugin Does Not Replace

This MU plugin improves baseline hardening.
However, it is not a complete security solution.

You still need:

• Regular backups
• Malware scanning
• Secure hosting
• Firewall protection
• SSL certificates
• Updated plugins and themes
• Strong passwords
• Limited administrator accounts
• Monitoring tools

Security works best in layers.
No single plugin can protect everything.

---

Recommended Additional WordPress Security Practices

Keep WordPress Updated

Outdated WordPress versions often contain known vulnerabilities.

Always update:

• WordPress core
• Plugins
• Themes

Delete unused plugins and themes completely.

---

Use Strong Passwords

Weak passwords remain one of the biggest security problems.

Use passwords that include:

• Uppercase letters
• Lowercase letters
• Numbers
• Symbols

Avoid using predictable names or dictionary words.

---

Enable Two-Factor Authentication

Two-factor authentication adds another security layer.
Even if attackers discover your password, they still need the second verification step.

---

Use Secure Hosting

Cheap hosting often lacks advanced protection.

Choose providers with:

• Malware scanning
• Firewall systems
• DDoS protection
• Automatic backups
• Isolated accounts
• Updated server software

---

Use SSL Certificates

Always enable HTTPS.

SSL protects data between visitors and your website.
Most modern hosting providers offer free SSL certificates through Let’s Encrypt.

---

Limit Administrator Accounts

Only trusted users should have administrator access.
Remove inactive accounts regularly.
Use Editor or Author roles when full admin access is unnecessary.

---

How to Install the MU Plugin

Step 1: Access Your Website Files

Use:

• cPanel File Manager
• SFTP
• SSH
• Hosting panel

---

Step 2: Open wp-content

Navigate to:

wp-content/

---

Step 3: Create the mu-plugins Folder

Create:

mu-plugins

if it does not already exist.

---

Step 4: Create the PHP File

Inside the folder, create:

wpzone-security-tools.php

---

Step 5: Paste the Code

Paste the complete code from this tutorial.

Save the file.

---

Step 6: Verify the MU Plugin

Open WordPress admin.

Navigate to:

Plugins → Must-Use

You should see the security plugin listed there.

---

How to Disable the MU Plugin

MU plugins cannot be disabled from the regular Plugins page.

To disable it:

• Rename the file
• Move it outside the folder
• Delete it manually

Example:

wpzone-security-tools.php.disabled

---

Common Mistakes to Avoid

Placing the File in the Wrong Folder

The file must be directly inside:

wp-content/mu-plugins/

Avoid nested folders unless using a loader file.

---

Editing Live Sites Without Backups

Always create backups first.
A small syntax mistake can create a fatal PHP error.

---

Using Untrusted Code

Never install copied snippets from unknown sources.
Review all custom code carefully before deployment.

---

Disabling Important Features Accidentally

Some websites depend on:

• XML-RPC
• REST API endpoints
• Custom headers
• External integrations

Always test after enabling new security rules.

---

Advanced Hardening Suggestions

You can improve security further using wp-config.php.

Example:

define( 'DISALLOW_FILE_MODS', true );

This blocks plugin and theme installations from the dashboard.

You can also disable debug output on production websites:

define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );

---

Recommended WordPress Security Checklist

Use this checklist regularly:

• Update WordPress core
• Update plugins
• Update themes
• Remove unused plugins
• Remove unused themes
• Enable SSL
• Use strong passwords
• Enable 2FA
• Scan for malware
• Create backups
• Store backups offsite
• Limit admin users
• Review file permissions
• Monitor login activity
• Use a firewall

---

Frequently Asked Questions

What does MU mean in WordPress?

MU stands for “Must-Use.” These plugins load automatically and cannot be disabled normally.

Are MU plugins safer than regular plugins?

They are not automatically safer, but they are harder to disable accidentally.

Can beginners use MU plugins?

Yes, but beginners should always create backups before editing PHP files.

Does this replace a firewall plugin?

No. This plugin only provides lightweight hardening features.

Can this plugin slow down my website?

The code is lightweight and should have minimal impact on performance.

Is XML-RPC dangerous?

Not always. However, many attacks abuse XML-RPC endpoints when enabled unnecessarily.

Will this stop hackers completely?

No security solution can guarantee total protection. Security reduces risk rather than eliminating it entirely.

Can I customize the plugin?

Yes. You can add or remove security rules depending on your website needs.

Where should I upload the file?

Inside:

wp-content/mu-plugins/

Can I use this on WooCommerce websites?

Usually yes, but always test carefully because some integrations may depend on REST API features.

---

Strengthening Your WordPress Security the Smart Way

A lightweight Security Tools MU Plugin gives WordPress administrators more control over essential hardening settings. Instead of depending entirely on large security suites, you can apply focused protections that remain active automatically. This approach helps reduce exposed information, block simple attacks, and improve your website’s baseline security posture.

However, security should never rely on a single file or plugin.

The strongest websites combine:

• Secure hosting
• Regular updates
• Smart user management
• Backups
• Monitoring
• Layered protection

Small improvements applied consistently often make the biggest difference over time.

---

Sources and References

• WordPress Developer Documentation
• WordPress Security Hardening Guide
• WordPress Plugin Developer Handbook
• OWASP Security Best Practices
• WordPress REST API Documentation

---

Secondary Sources and Testimonials

Many WordPress developers use MU plugins for permanent website rules involving security, performance optimization, and hosting customizations. Properly tested lightweight MU plugins can improve control and reduce dependency on large plugin suites while maintaining better long-term management flexibility.

---