How to Secure WordPress Without Plugin(s)

How to secure WordPressWordPress security is just like the security for your house or apartment.

When you leave home, you lock the doors and close the windows, right? Why wouldn’t you do the same for your website?

After all – just like your place of living, it also represents a sizable investment in time, effort and often money. Your web presence is likely tied directly to earning your livelihood. It will either be a direct source of income (such as an online shop) or to advertise our services to the rest of the world.

For that reason, in this post, I want to dive deeply into how to keep your WordPress website safe. The first part of this post will talk about the risks involved in running a website. The second part will be about how to increase WordPress security to keep your site from being compromised.

This is a very detailed (and thus long) post. So grab yourself a coffee and let’s get started!

How Do WordPress Websites Get Compromised?

In order to take a proactive approach, you first need to know how sites get hacked. Only when you know the weak spots can you take measures to guard them.

A study from 2012 showed the following main avenues of successful hacking attempts:

  • 41% came through a vulnerability in the hosting platform
  • 29% via vulnerable WordPress themes
  • 22% were targeted through the security issues of the WordPress plugins
  • 8% of hacking were through a weak login information

Knowing this gives us a lot of insight into how to increase WordPress security. In this article, you will learn how to protect yourself from your site being compromised in all of the ways mentioned above.

28 Tips to Secure Your WordPress

Putting basic security measures in place can go a long way to protect yourself from most attacks. People who attack websites don’t like to work hard and go for the low-hanging fruits. For that reason, addressing the most common issues will take care of large part of the hacking attempts.

1. Keep Your Computer Safe

Security for your site starts with the machine you are using to take care of it. If your PC is compromised, it can easily extend to your web presence. Consequently, it’s important to follow basic security guidelines.

  • Install a virus and malware scanner on your machine and run scans regularly.
  • Set up a computer firewall. Either download one or use the one delivered with your operating system.
  • Don’t log into your WordPress site through public wifi or an unsecured connection. If you do, your credentials could be tracked. Also, take good care that nobody sees your screen while logging in.
  • When accessing your server, use FTPS (File Transfer Protocol Secure) instead of the unsecured FTP to prevent your connection from being monitored

2. Use a Good Hosting Company

Another basic measure is picking a quality host. As seen above, the majority of successful attacks come from the hosting platform. It is your first line of defense and you’d do well to go for one that takes security seriously.

How do you find one of those?

One way is to read the article on the best WordPress hosting on this site. Aside from that, look for a host that:

  • supports the latest versions of basic web technology such as PHP and MySQL
  • offers hosting optimized for WordPress
  • has a firewall in place that is also geared toward WordPress
  • offers malware scanning and intrusion detection
  • additionally, comes with a CDN that can sort out attacks and spam before they reach your site

It’s also worth taking the time to read up on different types of hosting so that you would better understand what you are getting into.

3. Change the WordPress Table Prefix During Installation

Besides housing your site with a quality host, there are also things you can do during the installation to make WordPress more secure. One of them is setting a custom table prefix.

If you look into the WordPress database of a standard installation, you will see that all tables start with wp_.

wordpress security - wordpress database table prefix

Keeping it that way makes your site more vulnerable to SQL injections. That’s because, for this kind of attack, hackers need to know the table prefix. Of course, the standard WordPress setting is common knowledge.

A simple way to increase WordPress security is to change it into something random like 8uh7zgokm_. You can either do this during the installation or, if you have an existing website, by changing the setting below in wp-config.php.

$table_prefix  = 'wp_';

In case you don’t know, you can find this file in the root directory of your WordPress installation. I will talk about it more further below. If you have found the right line, change it to your custom prefix like this:

$table_prefix  = '8uh7zgokm_';

After that, you still have to update the prefix inside your database. One of the easiest ways to do it is via a security plugin like iThemes Security. Alternatively, you can also do it manually as described in this post.

4. Go for Quality Themes and Plugins

Next in line for most common avenues of attack are themes and plugins. Together, they accounted for more than half of all hacked websites. Here’s how to eliminate them as gateways for hackers:

  • Only have what you need — Having dozens of plugins active on your site not only diminishes the performance of your website, but also makes it less secure. The more components you have, the higher the risk. Therefore, regularly check if you can deactivate and delete plugins and themes.
  • Look for well-supported plugins and themes — If a theme or plugin hasn’t been updated in a long time, there are high chances that it contains unpatched security holes or just some bad code which makes your site more vulnerable. For that reason, pay attention to the level of support before installing.

Aside from that, it’s absolutely crucial that you don’t download from unknown sources. Not all of them have your best interest in mind.

In the best case scenario, you get a shoddily programmed plugin or theme that makes your site insecure. At worst, the maker has deliberately included malicious code to compromise your site. That’s especially true if you download premium plugins “for free”. Therefore, it’s best to stick to quality sources like the WordPress directory and proven vendors.

5. Keep WordPress and Its Components Up to Date

New versions of WordPress don’t just bring new features and improvements, they also fix security holes identified in earlier iterations. That’s especially true for minor updates (which you can identify by the third digit in their version number, e.g. 4.9.1). They come out specifically for that purpose.

Consequently, it’s paramount that you apply new versions to your site as soon as possible.

WordPress 3.7 minor updates are applied automatically. This was added to make sure websites stay up to date in terms of security. However, major updates are still your responsibility. Make it a point to back up and update your site once you see the warning on your back end. Do the same for themes and plugins.

keep wordpress updated for wordpress security

Note that it is possible to have WordPress automatically apply major updates as well as updates for plugins and themes. We will talk about this below. However, the risk of something going wrong without you noticing is too great. Therefore, it is highly not recommended.

6. Only Give Access to People You Trust

The first way is to only give the site access to people you are confident won’t use it for bad purposes. Anyone who doesn’t absolutely need access shouldn’t be on there. Too many cooks and all that.

Even with those you deem trustworthy, it’s important to grant them only the roles and capabilities they absolutely need. That way the chance of accidents (or bad acts on purpose) is greatly diminished.

By the way, the same discretion should be applied for access to your hosting account, FTP server and other sensitive information.

7. Strengthen Your Login Information

A very basic way of increasing WordPress security is to use safe login information. It goes a long way to thwart brute force attacks, in which hackers automatically try out hundreds of different username/password combinations via script until one works.

WordFence alone registered around 35 million of these kinds of attacks in July 2017 per day! And that’s just on sites running their plugin.

As a consequence, it’s best to heed these best practices:

  • Don’t use the admin username — In earlier WordPress versions, admin was the default username for the administrator. Hackers found this an easy target so it was changed. However, some people still create this username manually. Don’t! It’s one of the first things any hacker will check for.
  • Have a separate publishing account — On the note of keeping your username secret, it’s a good idea to have separate accounts for administration and content publishing. If you publish articles with your admin account, the username will show up in the author archive URL. Aside from that, having separate accounts for content and administration also reduces the chances of accidents.
  • Choose a strong password — WordPress will propose strong password during the installation and whenever you want to change it. While you might want to go for something you can remember, make sure to pay close attention to the indicator. You can also use a service like Strong Random Password Generator to create one for you.

You might also want to use a service to keep all your passwords safe, for example, LastPass. Plus, if you have other people with high permission levels on your site, you may want to force them to use good login information as well. Instead of imploring them via email, do it through Force Strong Passwords. Just in case you need to change your admin username, follow these instructions.

8. Change the Login Error Messages

By default, if someone tries to log into your site with faulty credentials, WordPress will tell them whether the problem is with their username or password.

That’s definitely too much information, as it gives away half of what someone needs to break into your site. To change it, use this code snippet in your functions.php to change the message.

function custom_wordpress_error_message(){
  return 'That was not quite correct...';
add_filter( 'login_errors', 'custom_wordpress_error_message' );

Change That was not quite correct... to whatever you want your message to say. Simple but effective.

change login message to increase wordpress security

9. Limit Login Attempts

Strong login information is only one part of the equation. With enough time and tries, someone still might crack it.

Therefore, it’s a good idea to up the security level by limiting the number of tries. Plugins like WP Limit Login Attempts enable you to set how often a given IP address is allowed to fail at logging in before being banned from your site temporarily or permanently.

10. Implement Two-factor Authentication

Two-factor authentication means nothing else than creating an extra step for people to log into your site. This can be something like needing to enter a code delivered to their mobile phone. It blocks automatic attacks, even though increasing the effort.

Here are some plugins that let you implement two-factor authentication:

11. Hide the Login Page Altogether

Another way to keep the WordPress login page safe is to hide it. As everyone who has worked with WordPress knows, you usually reach it via yourdomain.com/wp-admin or yourdomain.com/wp-login.php.

Moving it to a different address means automated scripts will aim at the wrong place. Many of the above security plugins can do this for you. In addition to that, Cerber Security & Antispam and WP Hide & Security Enhancer also have that capability. You can also do it yourself using the code described here.

12. Set up SSL and HTTPS

Using SSL encryption will keep sensitive information from being captured. If you have an e-commerce store or other stuff that needs to be protected, it’s a must-have.

However, encryption also works to protect your login details and is becoming increasingly mandatory. Check our detailed guide on the topic for more information on how to set it up.

13. Automatically Keep Your Site Up to Date

I talked about automatic updates earlier. Besides updates for minor versions, you can also activate the same feature for major updates, plugins and themes. This works by adding the following lines to wp-config.php:

define('WP_AUTO_UPDATE_CORE', true);
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

However, I must again warn you that the risk of breaking your site is greater with using plugins and major WordPress updates. For that reason, it may be a better idea to apply them manually.

14. Add Security Keys

WordPress security keys, also called SALTs, encrypt information stored in browser cookies. That way, they protect passwords and other sensitive information. The keys themselves are phrases used to randomize that information and stored inside wp-config.php where it says this:

define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

You have to add them manually (as can be seen from the prompt). Fortunately, you don’t need to come up with the phrases yourself. Instead, simply click through to the key generator and copy and paste what you find there. It will look something like this:

wordpress security keys

15. Disable the Theme and Plugin Editor

To make changes to your site, WordPress contains an internal editor for theme and plugin files. While it can be useful in some situations, it’s also very risky.

The reason is that if somebody gains access to your site’s back end, they can use the editor to take out your website without even having to have access to your server.

To avoid this, disable the editor by adding this line to your trusty wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

16. Disable PHP Error Reporting

When plugins or themes cause an error on your site, WordPress will display a message on your front end.

php error reporting

This message may contain the path to the problematic file. Hackers can use this information to better understand the layout of your server and attack your site. Here’s how to switch it off inside wp-config.php:

@ini_set(‘display_errors’, 0);

If it doesn’t work, it might be due to host settings. In that case, you need to talk to them about turning it off.

17. Protect Important Files from Access

.htaccess is another important file that configures your server. Among other things, it holds the code that enables using pretty permalinks in WordPress. It can also set redirects and – you guessed it right – increase WordPress security.

For the latter, you first need to access the file, which is located on your server’s root directory and hidden by default. Therefore, to edit it, make sure to set your FTP client to display hidden files (Server > Force showing hidden files in FileZilla). After that, take the following measures.

The code below will prevent access to critical files like wp-config.php, php.ini, error logs and .htaccess itself.

Order deny,allow
Deny from all

Adjust the name of your php.ini file if needed (e.g. php5.ini or php7.ini). Be sure to place the code outside the #BEGIN WordPress and #END WordPress brackets. Everything inside that space can be edited by WordPress and might cause you to lose your changes.

18. Restrict Access to PHP Files

Additionally, you can keep others from accessing PHP files and injecting malware into them:

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*.php)$ - [R=404,L]

19. Prevent PHP Files from Being Executed

A common place for hackers to upload malware is in wp-content/uploads. To prevent them from executing the bad codes in the event of a hack, use this piece of code:

Order Deny,Allow
Deny from All

20. Disable Script Injections

While you are at it, use this snippet to prevent outsiders from being able to inject malicious code into your existing PHP files:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

21. Secure wp-includes

The wp-includes folder houses WordPress core files that nobody should have the need to tamper with. To make absolutely sure it doesn’t happen, use the following code.

RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Don’t worry, this won’t affect your theme or plugin files as they are placed in a different location.

22. Restrict Admin Access to Specific IP Address

With .htaccess you can also restrict access to your WordPress login page by IP address. That way, only you can get there. To achieve this, copy and paste the following code into it:

ErrorDocument 401 default
ErrorDocument 403 default

Order deny,allow
Deny from all
Allow from

Remember to replace the example IP addresses with the one you want to grant access to. You can also add more addresses by copying and pasting the Allow from... line. Everyone else will land on an error page. If you don’t know your IP, simply check it out here.

Be aware that in order to get to the WordPress admin area from another IP address, you need to change or add it to the file first.

23. Lock Out Specific IP Addresses

A similar technique is available to block IP addresses that consistently try to break into your site. If you notice something like that (from your server logs for example), you can lock them out of your site with this addition to .htaccess:

order allow,deny
deny from 456.123.8.9
allow from all

24. Prevent Directory Browsing

By default, anyone can look at the directory structure of any WordPress site by simply including the full path to directories on their browser bar.

wordpress directory browsing

While that doesn’t enable hackers to make changes, the knowledge of your site structure will still help them. Since you want to make things as difficult as possible for them, switch off directory browsing inside .htaccess :

Options All -Indexes

25. Pay Attention to File Permissions

Using correct file permissions on your server is a way of keeping unauthorized parties from modifying your files.

How can you change file permissions?

With FileZilla, it’s as easy as marking the items you want to modify, right-clicking and then choosing File permissions…

change file permissions to increase wordpress security

In the upcoming window, you can then set the permission level with a numeric value.

file permission editor in filezilla

As you can see, it’s also possible to apply the same to files and/or directories in lower levels. Much more practical than changing permissions individually.

As for what you should change them to, WordPress recommends the following settings:

  • 755 or 750 for directories
  • 644 or 640 for files
  • 600 for wp-config.php

26. Remove the WordPress Version Number

By default, WordPress contains a meta tag inside the source code that will display the version of your site and also add it to scripts loaded in your section.

wordpress version in head section

Unfortunately, this information is very useful to anyone trying to hack your site, especially true if you are using an older version of WordPress that has a known security vulnerability. Thankfully, removing the version number is as easy as adding the following to the top of your theme’s function.php file:

function remove_wordpress_version_number() {
return '';
add_filter('the_generator', 'remove_wordpress_version_number');

function remove_version_from_scripts( $src ) {
    if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) )
        $src = remove_query_arg( 'ver', $src );
    return $src;
add_filter( 'style_loader_src', 'remove_version_from_scripts');
add_filter( 'script_loader_src', 'remove_version_from_scripts');

27. Disable XML-RPC

This acronym is the name of a feature that allows connecting to WordPress remotely. For example, blogging clients use it and it’s also used for trackbacks and pingbacks. Unfortunately, it’s also sometimes the target of hackers, which is why you should protect it with a plugin Disable XML-RPC Pingback.

28. Back up Often

The precautions mentioned above are all good to keep WordPress secure. However, accidents still happen. For extra insurance, make sure to always have a fresh backup at hand.

There are many options out there to back up WordPress, which is why we have created an extensive guide on the topic. In it, you will find everything you need to know about creating backups of your WordPress site.

Think You Have Been Hacked?

If you think the above advice came too late and you might have already been hacked, there are ways to find out. Use these tools to see if your fears are substantiated (or just run them as a precaution):

If something is indeed wrong, use this guide to recover from a hacked website.

How is Your WordPress Security?

Just like in the real world, it’s important to protect your digital assets. For many of us, our biggest one is our website. For that reason, investing in WordPress security is the equivalent of buying renters insurance or installing a better lock on your door.

Above, you have learned about the dangers faced by WordPress websites as well as plenty of ways to ward them off. From basic best practices over login protection, hardening WordPress security via wp-config.php and .htaccess all the way to all-in-one security plugins, there is plenty you can do.

Be aware that you don’t have to take all the measures above. Even if you only cover the basics, you will be better prepared than a lot of other people out there.

However, most of the actions only take very little time to implement. Consequently, you might want to think about spending ten minutes here and there to further improve your WordPress security system. Trust me, you will thank yourself in the end.

What are your favorite WordPress security measures? Anything to add to the above? Let us know in the comments section below.


Leave a Reply

Your email address will not be published. Required fields are marked *

Back to top button