In this article, I will share self-tested methods to protect your WordPress installation from hackers without incurring additional expenses for paid security plugins or third-party applications. Most of these steps don’t require expert knowledge.
When it comes to WordPress security, most people rush to install plugins. While plugins are useful, they can also slow down your site and increase vulnerability if not updated regularly. But what if you could harden your WordPress site without relying on any plugin?
1. Keep WordPress Up to Date
Always keep your WordPress version, themes, and PHP up to date. WordPress regularly pushes security patches, and hackers often target older versions.
- Go to Dashboard > Updates
- Check regularly for theme and core updates
- Use PHP 8.0 or higher for better performance and security
2. Disable File Editing
WordPress allows you to directly edit theme and plugin files from the admin dashboard, which can be risky as it exposes your site to potential code errors or security threats. It’s recommended to disable this feature for better security.
Add the following line to your wp-config.php file:
define( 'DISALLOW_FILE_EDIT', true );
3. Change WordPress Login URL
Hackers frequently target the /wp-login.php page to perform brute-force attacks and gain unauthorised access. To enhance security, you can restrict access to this login page using .htaccess rules.
Add this snippet to your .htaccess file to allow only specific IPs
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from YOUR_IP_ADDRESS
</Files>
Replace YOUR_IP_ADDRESS With your actual IP.
4. Enforce HTTPS/SSL Sitewide
SSL encrypts the connection between your website and visitors, protecting sensitive data like login credentials and personal information. Enforcing HTTPS ensures all traffic is secure, and you can do this without using any plugin.
Add this code to your .htaccess file to force HTTPS:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
5. Disable Directory Browsing
If your directories are exposed, visitors can easily browse your site’s file structure, revealing sensitive files and scripts. This can lead to security vulnerabilities or data leaks if not properly restricted.
Prevent directory listing by adding this line to your .htaccess file.
Options -Indexes
Bonus Tip: Do not use Admin
Using “admin” as your username makes your WordPress site an easy target for hackers, as it’s the most commonly guessed login name in brute-force attacks. Always choose a unique username to strengthen your site’s login security.
WordPress is secure by default, but only if you take the proper precautions. By following these steps, you can significantly improve your website’s security without relying on any third-party plugin.
