WordPress is one of the world’s most widely-used content management systems, with over 35% of all websites running on it. It offers a plethora of themes and plugins, allowing you to create a website easily.

But did you know that over sixty thousand WordPress websites get hacked daily? In most cases, this is due to inadequate security measures. Many web administrators are unaware of the steps they need to take to ensure their website’s security. That’s why we’ve put together this tutorial to provide you with some basic tips on how to keep your WordPress website secure.

1. Choose a perfect hosting provider

Choosing a reliable web hosting provider is essential for securing your WordPress website. Web hosting companies work diligently to protect your websites and data, such as monitoring their networks for malicious actors. They have sophisticated security tools to prevent large-scale attacks and keep their server software and hardware up-to-date to prevent hackers from exploiting known security vulnerabilities.

We recommend using a managed hosting service instead of a general shared hosting service for an even more secure platform. Managed WordPress hosting typically comes with automatic backups, updates, advanced security configurations to protect your website, and improved website performance.

2. Correct file permissions and ownership

If file permissions and ownership are incorrect, an attacker can easily read and write system files using compromised files, potentially leading to your site being hacked and other websites on the same server being compromised. To ensure the security of your website, all files should have a file permission of 640 or 644, and all directories should have a permission of 750 or 755. Additionally, the wp-config.php file should have a permission of 600.

Linux command to change file and directory permission:

Directory permission fix: Assuming that your domain root directory is public_html

Files permission fix: Assumeing that your domain root directory is public_html

3. Protect system files

WP-config.php and .htaccess/nginx.conf are essential files for ensuring the security of your website. .htaccess/nginx.conf contains directives for the server, while wp-config.php stores your WordPress database credentials. It is imperative to protect these files, as well as other sensitive files such as the git directory and readme.html, to ensure the safety of your website.

Apache server: To protect the wp-config.php, .htaccess, git directory and other sensitive files:

For Nginx server: paste in the following code into nginx.conf to protect the system and sensitive files.

4. Change WP-login URL

You should never keep the default WordPress login URL, which is yoursite.com/wp-login.php or yoursite.com/wp-admin. Doing so leaves your website vulnerable to malicious botnets attempting to break your administrator password through brute force. Additionally, if user registration is enabled for subscriber accounts, your website will be inundated with spam registrations. To protect your website, it is highly recommended that you use a plugin to change the login URL. The “WP Better Security” plugin is a great option for this.

5. Limit login attempts

By default, WordPress allows users to attempt to log in as many times as they wish, leaving the website vulnerable to brute-force attacks. Fortunately, you can easily prevent such attacks by limiting the number of failed login attempts. To do this, you can use a plugin like “WP Better Security” that will restrict the number of unsuccessful logins. This simple step can help protect your website from malicious actors.

6. Filter request method

WordPress websites typically only require two request methods: GET to retrieve data from the database to fulfill the client-side request (browser request), and POST to send data from the client side to the server. It is important to note that WordPress websites will never use request methods such as TRACE and TRACK, so these can be blocked using the .htaccess file on an Apache server.

Nginx: paste this code in nginx.conf file

7. Filter suspicious query strings

WordPress websites are often vulnerable to SQL injection hacks caused by poorly coded plugins. By filtering out suspicious query strings in URLs, we can significantly reduce the potential for damage and bolster the security of WordPress websites.
To filter suspicious query strings, paste this code in the .htaccess file on Apache server.

Nginx: Paste this code in nginx.conf

8. Remove WordPress version number

It’s easy to discover the version of WordPress you are using. Knowing this information can make it simpler for hackers to craft the perfect attack, as each WordPress version has public changelogs that detail the list of bugs and security patches, allowing them to identify any potential vulnerabilities quickly. To prevent WordPress version disclosure, you can add the following code to the theme’s functions.php file.

9. Disable XML-RPC in WordPress

XML-RPC is commonly used to connect WordPress websites with web and mobile applications. Unfortunately, it is also a favorite of hackers, as they can exploit this protocol to gain access to the website and execute various commands. XML-RPC can significantly amplify brute-force attacks, making it even easier for hackers to gain access.

If you are not using XML-RPC, we recommend disabling it by adding the following code to the .htaccess file on an Apache server:


10. Disable direct PHP access

To ensure the security of your WordPress website, it is recommended to disable direct PHP file access in certain directories. This can help to prevent backdoors and web shells from being executed in these directories. The most commonly targeted directories are uploads, plugins, and theme directories. This security setting will not interfere with any of the functionality of your WordPress theme or plugin.

To implement this on an Apache server, add the following code block to the .htaccess file:

Niginx server:

11. Disable directory browsing

Directory listings can expose potentially sensitive information to attackers, providing them with the necessary information to launch further attacks against the website. This can potentially compromise private or confidential data, making it vulnerable to malicious exploitation. To protect against such threats, it is essential to ensure that directory listings are disabled and that all sensitive information is securely stored.

Add this code block inside .htaccess on Apache server:


12. Disable error reporting

Error reporting can be a valuable tool for troubleshooting and pinpointing which plugin or theme is causing an error on your WordPress website. However, when the system reports an error, it will reveal your server path, which can provide hackers with sensitive information about your WordPress website. To prevent this, you can edit the wp-config.php file and add the following code.

By following these steps, you can secure your WordPress website and protect it from hackers. Remember that website security is an ongoing process and it’s important to stay vigilant and keep your website updated and protected.

Also, check 10 best security practices for WordPress website

Does your website secure enough? – Free Security Audit