WordPress security basics

by - posted

WordPress security basicsThis article will give you a practical understanding of WordPress security basics. I will cover .htacces modifications, security plugins, hosting and more.

Check and scan for problems

Remove the login link from the theme

Go to Dashboard > Appearance > Widgets > remove the Meta widget from the sidebar.

Choose a strong ID and password for all accounts

Check your password strength here : https://www.grc.com/haystack.htm

Limit login attempts

Go to Dashboard > Settings > Limit Login Attempts > change the allowed retries and the lockout time as well as other parameters you need.

Activate the auto updates

The auto updates will guarantee that your whole WordPress installation is always up do date, without any manual intervention.

1) For the WP core

Simply add the single line of code in your site’s wp-config.php file : define( 'WP_AUTO_UPDATE_CORE', true );

There is one little problem with this code. It also enables nightly builds and development updates.
To disable nightly builds and development updates, you need to add this code in your theme’s functions.php file :
add_filter( 'allow_dev_auto_core_updates', '__return_false' );

2) For plugins and themes

Put the following lines in the themes functions.php file

/* auto updates for plugins */
add_filter( 'auto_update_plugin', '__return_true' );

/* auto updates for themes */
add_filter( 'auto_update_theme', '__return_true' );

Disable file editing

The following code will prevent editing any files from within your WordPress admin area.
Add the line define('DISALLOW_FILE_EDIT',true); to your wp-config.php file.

Delete all unused stuff like themes, plugins, etc

Every unused software is a potential security risk, so delete it.


  • Change the database prefix from default to a personalized one like wp_abxyz.
    The default table prefix is wp_.
  • As MySQL administrator disable “accepting the remote TCP connections”
  • Do a backup on a regular basis ! Use a plugin, do it via MySQL or ask your host for the necessary script.

Disable PHP error reporting

You can do this in 3 different ways.

1) Add the following code to your wp-config.php file:




2) Add the following code in the php.ini file :

display_errors = off
error_reporting = off

3) Add the following code in the .htaccess file :

php_flag display_errors off
php_value error_reporting 0

Admin area

1) Don’t use the default ID “admin” and password “admin” to access the admin area

2) Never use the administrator account for posts !

3) Limit the number of IPs

Allow one IP : Get our home IP address and add the following lines to the .htaccess file. Replace xx.xxx.xxx.xxx with your IP address.

In case you want to allow access to multiple computers (like your office, home PC, laptop, etc.), simply add another “Allow from xx.xxx.xxx.xxx” statement on a new line.

<Files wp-login.php>
order deny,allow
Deny from all
Allow from xx.xxx.xxx.xxx

4) Multiple IPs

If you allow multiple IPs : limit the number of incorrect login attempts to your site. This way you will protect your WordPress site from brute-force attacks and people trying to guess your password.


  • Add a firewall plugin like “Wordfence”
  • Add an anti Spam plugin like “Akismet”
  • The anti-virus protection is usually done on shared hosts, you can also install a plugin like : the “WP Antivirus Site Protection”


  • Security modules
    Hosting is more secure when WordPress is using your account’s username instead of the server’s default shared username. The most common way for hosting companies to do this is using suPHP. Just ask your host if it runs suPHP or something similar. An additional security patch is the Suhosin PHP security system, also ask your host if it’s available.
  • PHP, MySQL
    Make sure that your host uses the latest PHP and MySQL versions.
  • WAF, IDS
    Make sure that there are a Web application firewall (WAF )and an intrusion detection system (IDS) on your host !
  • Account
    Make sure you have a good account isolation.
  • Use SFTP
  • Use SSL

Modify the .htaccess

Add the following to the .htaccess file after the “# END WordPress” entry

# protect the .htaccess file

<files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all

# protect the wp-config.php file

<files wp-config.php>
order allow,deny
deny from all

# prevent directory browsing

Options All -Indexes

# prevent hotlinking – the rewrite engine is already on by the WP default

RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourDomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

# protect  the wp-includes directory – the rewrite engine is already on by the WP default

<IfModule mod_rewrite.c>
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]

– Add the following to the .htaccess file to protect  the wp-content directory.

# this code will allow access to images, CSS, java-script and XML files, but deny it for any other type

order deny,allow
deny from all
<files ~ “.(xml|css|jpe?g|png|gif|js)$”>
allow from all

Be aware that this code has been known to break some WordPress themes. If the code causes any problems with your Website, it is best to remove it in the .htaccess file.

Disable XML-RPC

Since WordPRess 3.5, XML-RPC has been enabled by default. This feature allows you to remotely connect via blogging clients. It is also used for trackbacks and pingbacks. Unfortunately, hackers have been known to use the XML-RPC feature for DDoS attacks.

1) You can turn off only the pingback functionality of XML-RPC

Add the following code to your child theme’s functions.php file. :

add_filter( 'xmlrpc_methods', 'remove_xmlrpc_pingback_ping' );
function remove_xmlrpc_pingback_ping( $methods ) {
unset( $methods['pingback.ping'] );
return $methods;

2) You can turn off completely XML-RTC

Add the following line in the wp-config.php or functions.php file :

add_filter('xmlrpc_enabled', '__return_false');

3) WP settings

Go to Dashboard > Settings > Discussion > Default Article Settings : uncheck “Allow link notification from other blogs…”


If your computer is infected with malware, a potential attacker can gain access to your login data and make a valid login to your site bypassing all the measures you’ve taken before. This is why it is very important do have an up-to-date antivirus program and keep the overall security of all computers you use to access your WordPress Website on a high level.

If you enjoyed this article, you can :

– get post updates by subscribing to our e-mail list

– share on social media :

2 thoughts on “WordPress security basics

Leave a comment Cancel reply