Improving WordPress security is essential to protect your website from hackers, malware, and other threats. Here are some key steps to enhance WordPress security:
1. Keep WordPress Core, Themes & Plugins Updated
- Regularly update WordPress core, themes, and plugins to patch known vulnerabilities.
- Enable automatic updates for minor releases by adding this to wp-config.php:
    define('WP_AUTO_UPDATE_CORE', 'minor');
2. Use Strong Login Credentials
- Use unique usernames (avoid "admin" as the username).
- Enforce strong passwords (12+ characters, mix of letters, numbers, symbols).
- Enable Two-Factor Authentication (2FA) using a plugin such as Google Authenticator, Wordfence, or Duo.
3. Limit Login Attempts
- Use plugins like Login LockDown, Wordfence, or iThemes Security to lock out clients after repeated failed logins and blunt brute-force attacks.
4. Change the Default Login URL
- Use WPS Hide Login or iThemes Security to move the login page from /wp-admin/ and /wp-login.php to a custom path.
5. Secure Your wp-config.php File
- Move wp-config.php one directory above the web root if your host allows it (WordPress looks there automatically).
- Set its permissions to 640 or 440.
- Add this to .htaccess to block web access to it:
    <Files wp-config.php>
      Order Allow,Deny
      Deny from all
    </Files>
  (Order/Deny directives are Apache 2.2 syntax; on Apache 2.4 they need mod_access_compat loaded, or use "Require all denied" instead.)
6. Disable File Editing in WordPress Dashboard
- Add this to wp-config.php to remove the theme and plugin code editors from the admin area:
    define('DISALLOW_FILE_EDIT', true);
7. Use a Web Application Firewall (WAF)
- Cloudflare (free tier available) or Sucuri Firewall can block malicious traffic before it reaches your site. A proxy-based WAF only helps if the origin server cannot be reached directly, so restrict origin access to the proxy's IP ranges.
8. Disable XML-RPC (If Not Needed)
- XML-RPC can be abused for brute-force attacks (system.multicall lets one request try many passwords). Disable it via .htaccess:
    <Files xmlrpc.php>
      Order Deny,Allow
      Deny from all
    </Files>
- Or use a plugin like Disable XML-RPC.
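The traffic that steps 3 and 8 are meant to cut off is visible in the web server's access log. As an added example (not from the guide, and not a feature of any of the plugins named), the script below counts POST requests to wp-login.php and xmlrpc.php per client in a combined-format Apache/Nginx log and reports clients at or above a threshold. The log lines are constructed for the demo; the threshold is an assumption to tune per site.

```bash
#!/usr/bin/env bash
# Added example, not from the guide: find password guessing against wp-login.php
# and xmlrpc.php in a combined-format access log, i.e. the traffic that login
# limiting (step 3) and disabling XML-RPC (step 8) are meant to cut off. The log
# lines are constructed for the demo; the threshold is an assumption to tune.

# log_line IP METHOD PATH SECOND: one constructed combined-format access log line.
log_line() {
  printf '%s - - [10/Mar/2024:08:00:%02d +0000] "%s %s HTTP/1.1" 200 512 "-" "Mozilla/5.0"\n' \
    "$1" "$4" "$2" "$3"
}

# make_sample_log: one client guessing at wp-login.php, one hammering xmlrpc.php,
# and one real editor who loads the form once and logs in once.
make_sample_log() {
  for s in 1 2 3 4 5 6; do log_line 203.0.113.7 POST /wp-login.php "$s"; done
  for s in 1 2 3 4 5 6 7 8; do log_line 198.51.100.23 POST /xmlrpc.php "$s"; done
  log_line 192.0.2.10 GET /wp-login.php 20
  log_line 192.0.2.10 POST '/wp-login.php?redirect_to=%2Fwp-admin%2F' 21
  log_line 192.0.2.10 GET /wp-admin/ 22
}

# flag_login_abuse THRESHOLD < access.log
# Prints "IP ENDPOINT COUNT" for every client with THRESHOLD or more POSTs to a
# login endpoint; GETs (the login form itself) and other paths are ignored.
flag_login_abuse() {
  awk -v thr="$1" '
    # combined format: $1 client IP, $6 is "METHOD (with the opening quote), $7 path
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
      split($7, part, "?")          # drop the query string (?redirect_to=...)
      sub(/^\//, "", part[1])       # drop the leading slash
      hits[$1 " " part[1]]++
    }
    END { for (k in hits) if (hits[k] >= thr) print k, hits[k] }
  ' | sort
}

# Demo: anything at or above 5 POSTs is reported.
make_sample_log | flag_login_abuse 5
```

Against a live server run it as `flag_login_abuse 20 < /var/log/apache2/access.log`. The field positions assume the combined log format; behind a proxy such as Cloudflare the client address arrives in a forwarded header rather than in the first field, so the log format must record that header before the count means anything.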
9. Secure .htaccess & wp-admin Directory
- Password-protect wp-admin (via cPanel or .htaccess basic authentication).
- Restrict the login page to your own address if you have a static IP:
    <Files wp-login.php>
      Order Deny,Allow
      Deny from all
      Allow from YOUR.IP.ADDRESS
    </Files>
10. Disable Directory Indexing
- Add this to .htaccess so the server never lists folder contents:
    Options -Indexes
11. Use HTTPS (SSL/TLS)
- Install an SSL certificate (free via Let's Encrypt).
- Force HTTPS for the login page and admin area by adding this to wp-config.php:
    define('FORCE_SSL_ADMIN', true);
- Update the WordPress Address and Site Address to https:// in Settings > General so the rest of the site is served over HTTPS as well.
12. Regular Backups
- Use UpdraftPlus, BlogVault, or Jetpack for automated backups.
- Store backups offsite (Google Drive, Dropbox, etc.).
13. Disable PHP Execution in Uploads Folder
- Add this to a .htaccess file inside /wp-content/uploads/ so an uploaded script cannot be run:
    <Files *.php>
      Deny from all
    </Files>
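Several of the steps above are single settings in wp-config.php or .htaccess that are easy to forget after a migration or a host change. The script below is an added example, not part of the guide or of WordPress itself: it audits an install for the constants from steps 1, 6 and 11, the file mode from step 5, directory indexing from step 10 and the uploads PHP block from step 13, and returns non-zero when any check fails. It assumes the standard install layout; the weak and hardened sample installs it builds are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not part of the guide or of WordPress itself: audit an install
# for the hardening steps above. The install layout is the standard one; the
# files built by make_weak_install/harden_install are constructed for the demo.

# audit_wp_install ROOT: print one "FAIL ..." line per unmet check,
# return 0 when everything passes and 1 otherwise.
audit_wp_install() {
  local root="$1" fails=0 mode
  local config="$1/wp-config.php" root_ht="$1/.htaccess"
  local uploads_ht="$1/wp-content/uploads/.htaccess"

  if [ ! -f "$config" ]; then
    echo "FAIL wp-config.php not found under $root"
    return 1
  fi

  # Constants the guide asks for (whitespace around the arguments is tolerated).
  grep -Eq "define\([[:space:]]*'WP_AUTO_UPDATE_CORE'[[:space:]]*,[[:space:]]*('minor'|true)[[:space:]]*\)" "$config" \
    || { echo "FAIL WP_AUTO_UPDATE_CORE is not 'minor' or true"; fails=1; }
  grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$config" \
    || { echo "FAIL DISALLOW_FILE_EDIT is not true"; fails=1; }
  grep -Eq "define\([[:space:]]*'FORCE_SSL_ADMIN'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$config" \
    || { echo "FAIL FORCE_SSL_ADMIN is not true"; fails=1; }

  # File mode: 640/440 (or tighter) keeps the database credentials off world-readable.
  mode=$(stat -c '%a' "$config" 2>/dev/null || stat -f '%Lp' "$config")
  case "$mode" in
    640|440|600|400) ;;
    *) echo "FAIL wp-config.php mode is $mode, expected 640 or 440"; fails=1 ;;
  esac

  # Directory listings off at the web root, no PHP execution under uploads.
  grep -Eq '^[[:space:]]*Options[[:space:]].*-Indexes' "$root_ht" 2>/dev/null \
    || { echo "FAIL Options -Indexes missing from .htaccess"; fails=1; }
  grep -Eq 'Deny from all|Require all denied' "$uploads_ht" 2>/dev/null \
    || { echo "FAIL wp-content/uploads/.htaccess does not block PHP"; fails=1; }

  return "$fails"
}

# make_weak_install ROOT: constructed demo install with none of the fixes applied.
make_weak_install() {
  mkdir -p "$1/wp-content/uploads"
  printf "<?php\ndefine('DB_NAME', 'wordpress');\n" > "$1/wp-config.php"
  chmod 644 "$1/wp-config.php"
}

# harden_install ROOT: apply the guide's settings to an install from make_weak_install.
harden_install() {
  cat >> "$1/wp-config.php" <<'EOF'
define('WP_AUTO_UPDATE_CORE', 'minor');
define('DISALLOW_FILE_EDIT', true);
define('FORCE_SSL_ADMIN', true);
EOF
  chmod 640 "$1/wp-config.php"
  printf 'Options -Indexes\n' >> "$1/.htaccess"
  printf '<Files *.php>\n  Deny from all\n</Files>\n' > "$1/wp-content/uploads/.htaccess"
}

# Demo run against a throwaway directory.
demo_dir=$(mktemp -d)
make_weak_install "$demo_dir"
audit_wp_install "$demo_dir" || echo "-- weak install: problems found above"
harden_install "$demo_dir"
audit_wp_install "$demo_dir" && echo "-- hardened install: all checks pass"
rm -rf "$demo_dir"
```

On a real site run only `audit_wp_install /var/www/html` (or wherever WordPress lives); the make/harden helpers exist just to show both outcomes. The grep patterns only confirm the constants are present in wp-config.php, not that nothing later in the file redefines them, and the .htaccess checks assume Apache honours per-directory overrides.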
14. Monitor & Scan for Malware
- Use Wordfence, MalCare, or Sucuri for security scans.
- Check for unauthorized file changes against a known-good copy of core, themes, and plugins.
15. Change Database Prefix
- During installation, change the table prefix wp_ to something unique (e.g., myprefix_).
- For existing sites, use a plugin like iThemes Security or update the prefix manually (tables, the options and usermeta rows that embed the prefix, and wp-config.php).
16. Disable Unused Features
- Restrict the REST API if unused (via plugin or code). The block editor and many plugins depend on it, so limiting it to logged-in users is usually safer than switching it off entirely.
- Disable pingbacks & trackbacks (Settings > Discussion).
17. Use a Secure Hosting Provider
- Choose hosts with WordPress-specific security (e.g., Kinsta, WP Engine, SiteGround).
18. Hide WordPress Version
- Remove the generator meta tag by adding this to your theme's functions.php (or a small site plugin):
    remove_action('wp_head', 'wp_generator');
19. Disable Hotlinking
- Prevent other sites from embedding your images and using your bandwidth by adding this to .htaccess (replace yourdomain.com with your own host):
    RewriteEngine on
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https://(www\.)?yourdomain\.com [NC]
    RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
20. Implement Security Headers
- Add these to .htaccess or the server config (requires mod_headers):
    Header set X-Content-Type-Options "nosniff"
    Header set X-Frame-Options "SAMEORIGIN"
    Header set X-XSS-Protection "1; mode=block"
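Setting the headers is only half the job; a caching layer, CDN or a later .htaccess rule can drop them again, so the result is worth verifying. The script below is an added example, not from the guide: it reads a raw response header block (for instance the output of `curl -sI https://yourdomain.com`) and reports which of the expected headers are missing or carry a different value. The three header values are the ones the step sets; Strict-Transport-Security is an added assumption that follows from forcing HTTPS in step 11, and the two sample responses are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the guide: verify which of the recommended response
# headers a site actually sends. The three values match the step above;
# Strict-Transport-Security is an added assumption tied to step 11 (HTTPS).
# The two sample responses are constructed for the demo.

# Expected headers as "Name: value" lines.
EXPECTED_HEADERS='X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000'

# check_headers < RESPONSE_HEADERS
# Reads a raw response header block (e.g. from `curl -sI https://example.com`),
# prints "MISSING Name" or "WRONG Name ..." per problem and returns the count.
check_headers() {
  local resp line name want got problems=0
  resp=$(tr -d '\r')            # strip CRLF line endings from the HTTP header block
  while IFS= read -r line; do
    name=${line%%:*}
    want=${line#*: }
    # Header names are case-insensitive; values are compared as written.
    got=$(printf '%s\n' "$resp" | grep -i "^$name:" | head -n 1 | cut -d' ' -f2-)
    if [ -z "$got" ]; then
      echo "MISSING $name"; problems=$((problems + 1))
    elif [ "$got" != "$want" ]; then
      echo "WRONG $name: got '$got', expected '$want'"; problems=$((problems + 1))
    fi
  done <<EOF
$EXPECTED_HEADERS
EOF
  return "$problems"
}

# Constructed: a site whose proxy sets only nosniff, plus an HSTS policy that
# is effectively switched off (max-age=0 tells browsers to forget the policy).
WEAK_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
Strict-Transport-Security: max-age=0'

# Constructed: the same site after the headers from the step above are in place.
HARDENED_RESPONSE='HTTP/1.1 200 OK
Server: nginx
Content-Type: text/html; charset=UTF-8
X-Content-Type-Options: nosniff
X-Frame-Options: SAMEORIGIN
X-XSS-Protection: 1; mode=block
Strict-Transport-Security: max-age=31536000'

echo "== weak response =="
printf '%s\n' "$WEAK_RESPONSE" | check_headers || echo "$? problem(s)"
echo "== hardened response =="
printf '%s\n' "$HARDENED_RESPONSE" | check_headers && echo "all headers present"
```

X-XSS-Protection stays in the expected list because the step sets it, but current browsers ignore it (Chrome removed its XSS auditor and Firefox never shipped one), so it adds nothing beyond the other headers. The value comparison is exact, which is deliberate for HSTS, where a short or zero max-age quietly disables the protection.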
Final Tip: Stay Informed
- Follow WordPress security blogs (Wordfence, Sucuri, WP WhiteSecurity).
🔒 WORDPRESS SECURITY CHECKLIST 🔒
20 Essential Steps to Protect Your Website from Hackers

✅ LOGIN SECURITY
- Use 2FA & strong passwords
- Limit login attempts
- Rename the /wp-admin/ URL
- Disable the "admin" username

🛡️ CORE HARDENING
- Update WP + plugins
- Disable file editing
- Secure wp-config.php
- Set correct file permissions

🚫 BLOCK ATTACKS
- Enable a firewall (Cloudflare)
- Disable XML-RPC
- Hide the WP version
- Restrict the WP REST API

🔍 MONITORING
- Scan for malware (Wordfence)
- Regular backups (UpdraftPlus)
- Disable directory indexing

🔐 ADVANCED TWEAKS
- Change the database prefix
- Force HTTPS (SSL)
- Disable PHP in /uploads/

🚨 EMERGENCY FIXES
- Back up before changes
- .htaccess lockdown
- Monitor file changes
By implementing these measures, you can significantly reduce the risk of attacks on your WordPress site.