WordPress is one of the most popular content management systems globally, powering more than 30% of all websites on the web. Thousands of themes and plugins are available, and you can build a website with them. Do you know how many websites get hacked every day? More than sixty thousand WordPress websites. In most cases, WordPress websites get hacked because of weak security practices, and most web admins do not know how to keep their websites secure. So in this tutorial, we will share some basic tips on keeping your WordPress website secure.
1. Choose a perfect hosting provider
Your hosting provider is the first thing to choose wisely if you want to keep a WordPress website secure. Web hosting companies take steps to protect your websites and data: for example, hosting providers monitor their networks for bad actors and run automated security tools to prevent large-scale attacks. They also keep their server software and hardware up to date so that attackers cannot exploit known security vulnerabilities.
We recommend using a managed hosting service, which is a more secure platform for websites than a general shared hosting service. Managed WordPress hosting usually comes with automatic backups and updates, an advanced security configuration to protect your website, and better website performance.
2. Correct file permissions and ownership
If file permissions and ownership are incorrect, an attacker who has compromised one file can easily read and write other files on the system. This can lead to your site being hacked, and to other websites on the same server being compromised as well. You must ensure that all your files have 640 or 644 as their permission value and that all directories on your website have 750 or 755; wp-config.php should be 600.
Linux commands to change file and directory permissions:
Directory permission fix, assuming that your domain root directory is
File permission fix, assuming that your domain root directory is
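The script below is an added example, not the tutorial's own command: it applies the modes recommended above (755 for directories, 644 for files, 600 for wp-config.php) to a whole WordPress tree and then audits the result, so the same functions can be re-run after a core update has rewritten files. The document root path, the optional owner argument and the DIR_MODE/FILE_MODE variables are assumptions of the example.

```sh
#!/bin/sh
# Added example, not the tutorial's own command: normalise the modes of a
# WordPress tree to the values recommended above and audit the result.
# DIR_MODE/FILE_MODE default to 755/644; export DIR_MODE=750 FILE_MODE=640
# for the stricter variant. Paths and the owner argument are assumptions.

DIR_MODE=${DIR_MODE:-755}
FILE_MODE=${FILE_MODE:-644}

# fix_wp_permissions ROOT [OWNER:GROUP]
#   Applies DIR_MODE to every directory, FILE_MODE to every file and 600 to
#   wp-config.php. Ownership is only changed when OWNER:GROUP is given
#   (that part needs root).
fix_wp_permissions() {
    root=$1
    owner=${2:-}
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    [ -n "$owner" ] && chown -R "$owner" "$root"
    find "$root" -type d -exec chmod "$DIR_MODE" {} +
    find "$root" -type f -exec chmod "$FILE_MODE" {} +
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# audit_wp_permissions ROOT
#   Lists every path whose mode differs from the expected one and returns 1
#   if there were any; returns 0 when the tree is clean. Uses "find -perm"
#   with an exact octal mode, which is POSIX and works with GNU and BSD find.
audit_wp_permissions() {
    root=$1
    offenders=$(
        find "$root" -type d ! -perm "$DIR_MODE"
        find "$root" -type f ! -name wp-config.php ! -perm "$FILE_MODE"
        find "$root" -type f -name wp-config.php ! -perm 600
    )
    if [ -n "$offenders" ]; then
        echo "paths with unexpected modes:"
        printf '%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Usage: sh fix-wp-perms.sh /var/www/example.com/public_html [www-data:www-data]
# (the path and the owner are placeholders)
if [ $# -gt 0 ]; then
    fix_wp_permissions "$1" "${2:-}" && audit_wp_permissions "$1"
fi
```

644/755 lets every local account on the server read the files; 640/750 is the better choice when the files belong to a dedicated deployment user and the web server user only needs group read, which is what `DIR_MODE=750 FILE_MODE=640` gives you. In either case, wp-config.php at 600 only works when the PHP process runs as the file's owner (a per-site php-fpm pool, for example); with mod_php running as a shared www-data user the file has to be owned by that user or the site stops working.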
3. Protect system files
wp-config.php and .htaccess (Apache) or nginx.conf (Nginx) are the most important files for keeping your website secure. .htaccess/nginx.conf contain the server rules, while wp-config.php contains your WordPress database credentials. These and other sensitive files, such as the .git directory and readme.html, must be protected to keep your website secure.
Apache server: to protect wp-config.php, .htaccess, the .git directory and other sensitive files:
Nginx server: paste the following code into nginx.conf to protect the system and sensitive files.
4. Change WP-login URL
You shouldn't keep the default WordPress login URL anyway. The default WordPress login URL is:
yoursite.com/wp-admin, which redirects to the login page.
If you keep WordPress's default login URL, many botnets will try to brute-force your administrator password every day, and identifying the administrator username is not hard. Also, if user registration is enabled for subscriber accounts, the website will receive many spam registrations. Use a plugin to change the login URL; the "WP better security" plugin is a good one for that.
5. Limit login attempts
By default, WordPress lets users attempt to log in as many times as they want. This is a vulnerability in itself, because it opens the door to brute-force attacks. You can stop brute force easily by limiting the number of failed login attempts, and a plugin can do that for you.
6. Filter request method
A WordPress website only needs to perform two types of requests: GET, to retrieve data from the database to serve the client-side (browser) request, and POST, to send data from the client side to the server. Your WordPress website will never use request methods like TRACE and TRACK, so we can simply block those request methods using .htaccess on Apache.
Nginx: paste this code into the nginx.conf file.
7. Filter suspicious query strings
WordPress websites often suffer SQL injection attacks through badly coded plugins. If we filter suspicious query strings in URLs, we can prevent much of the damage and keep the WordPress website secure in most cases. To filter suspicious query strings, just paste this code into the .htaccess file on an Apache server.
Nginx: paste this code into nginx.conf.
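For Nginx the same rules live in the server block rather than in per-directory files. The script below is an added example, not the tutorial's own code: it writes the Nginx counterparts of the file-protection (section 3), request-method (section 6) and query-string (section 7) rules into one include file, and folds in the XML-RPC, PHP-execution and directory-listing rules that sections 9 to 11 describe for Apache. The snippet path is an assumption of the example.

```sh
#!/bin/sh
# Added example, not the tutorial's own code: generate an Nginx include file
# with the hardening rules of sections 3, 6, 7 and 9 to 11. Writing a whole
# file (instead of appending to nginx.conf) keeps re-runs idempotent.
# The output path is an assumption.

# write_nginx_hardening FILE
#   Creates or replaces the snippet. It is meant to be included inside the
#   server { } block of the WordPress site, before the PHP handler location.
write_nginx_hardening() {
    out=$1
    cat > "$out" <<'EOF'
# WordPress hardening snippet (generated). Include it inside server { }
# BEFORE the "location ~ \.php$" handler: regex locations are matched in
# order of appearance, so these deny rules must come first.

# Sections 3 and 9: configuration, server rules, readme.html (leaks the
# version) and XML-RPC. Drop xmlrpc.php if Jetpack or the mobile app is used.
location ~* ^/(wp-config\.php|\.htaccess|readme\.html|license\.txt|xmlrpc\.php)$ { return 404; }
location ~ /\.git { return 404; }

# Section 10: PHP under uploads/plugins/themes is never passed to FastCGI
location ~* ^/wp-content/(uploads|plugins|themes)/.*\.php$ { return 403; }

# Section 11: no directory listings
autoindex off;

# Section 6: TRACE and TRACK are never needed by WordPress
if ($request_method ~* ^(TRACE|TRACK)$) { return 405; }

# Section 7: query strings carrying script tags, PHP superglobal names or
# base64 payloads. Kept short on purpose: broad SQL keyword filters block
# legitimate searches.
if ($query_string ~* "(<|%3C).*script.*(>|%3E)") { return 403; }
if ($query_string ~* "(GLOBALS|_REQUEST)(=|\[|%[0-9A-Z]{0,2})") { return 403; }
if ($query_string ~* "base64_encode.*\(.*\)") { return 403; }
EOF
}

# braces_balanced FILE
#   Cheap structural sanity check on the generated snippet (every "{" has a
#   "}"); the authoritative check is "nginx -t" once the file is included.
braces_balanced() {
    opens=$(tr -cd '{' < "$1" | wc -c | tr -d ' ')
    closes=$(tr -cd '}' < "$1" | wc -c | tr -d ' ')
    [ "$opens" -eq "$closes" ]
}

# Usage: sh write-nginx-hardening.sh /etc/nginx/snippets/wordpress-hardening.conf
# (the path is a placeholder)
if [ $# -gt 0 ]; then
    write_nginx_hardening "$1" && braces_balanced "$1"
fi
```

After generating the file, add `include /etc/nginx/snippets/wordpress-hardening.conf;` (your own path) inside the site's `server { }` block above the `location ~ \.php$` block, then run `nginx -t` and reload. The `if` directives are safe here because they sit at server level and only `return`; do not move them into a `location` block. Returning 404 for the protected files tells an attacker less than a 403 would.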
8. Remove WordPress version number
It's effortless to find out which WordPress version you are using. If attackers know which version of WordPress is in use, it is easier for them to build the right attack: every WordPress version has a public changelog listing the bugs and security patches, so they can quickly determine which security holes they could exploit. The following code in the theme's functions.php file stops the WordPress version disclosure.
9. Disable XML-RPC in WordPress
XML-RPC is normally used to connect a WordPress website with web and mobile apps. It is also a favorite of attackers, who misuse this protocol to execute several commands and gain access to the website; XML-RPC can also significantly amplify brute-force attacks. If you are not using it, we recommend disabling XML-RPC with this code in the .htaccess file on an Apache server:
10. Disable direct PHP access
You should disable direct PHP file access in some directories to harden your WordPress website. This prevents backdoors and web shells from being executed in those directories. The most targeted directories are uploads, plugins, and themes. This security setting won't break any of your WordPress theme or plugin functionality. Add this code block to the .htaccess file on an Apache server to disable direct PHP execution in the themes, plugins, and uploads directories.
11. Disable directory browsing
Directory listing may expose potentially sensitive information to attackers. The exposed information can give an attacker what they need to launch further attacks against the website, and the listing may also reveal private or confidential data.
Apache: add this code block inside .htaccess. Nginx: add the equivalent setting to nginx.conf.
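The Apache rules of sections 3, 6, 7, 9, 10 and 11 are small, but pasting them by hand tends to produce duplicates after a few rounds of edits. The script below is an added example, not the tutorial's own code: it installs the site-wide rules into the root `.htaccess` and a PHP-execution ban into the uploads, plugins and themes directories, each wrapped in `# BEGIN name` / `# END name` markers (the convention WordPress itself uses for its rewrite block) so the script can be re-run without duplicating anything. The marker names and the document root are assumptions of the example.

```sh
#!/bin/sh
# Added example, not the tutorial's own code: install the Apache rules from
# sections 3, 6, 7, 9, 10 and 11 into .htaccess files under a WordPress root.
# Each block is wrapped in "# BEGIN name" / "# END name" markers, the same
# convention WordPress uses for its rewrite block, so re-running the script
# never duplicates rules. Marker names and paths are assumptions.

# install_block FILE NAME   (block text on stdin)
#   Appends the block to FILE unless a "# BEGIN NAME" marker already exists.
install_block() {
    file=$1
    name=$2
    if [ -f "$file" ] && grep -qF "# BEGIN $name" "$file"; then
        cat > /dev/null    # already installed: drain stdin, leave the file alone
        return 0
    fi
    { printf '# BEGIN %s\n' "$name"; cat; printf '# END %s\n' "$name"; } >> "$file"
}

# harden_apache ROOT
#   Writes the site-wide rules into ROOT/.htaccess and a PHP-execution ban
#   into wp-content/{uploads,plugins,themes} (Apache 2.4 "Require" syntax).
harden_apache() {
    root=$1
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }

    install_block "$root/.htaccess" "WordPress hardening" <<'EOF'
# Sections 3 and 9: no direct access to configuration, server rules,
# readme.html (leaks the version) or XML-RPC. Remove xmlrpc.php from the
# list if Jetpack or the WordPress mobile app must keep working.
<FilesMatch "^(wp-config\.php|\.htaccess|readme\.html|license\.txt|xmlrpc\.php)$">
    Require all denied
</FilesMatch>
# Section 3: a .git directory deployed by accident must not be readable
RedirectMatch 404 /\.git
# Section 11: no directory listings (the host must permit "AllowOverride Options")
Options -Indexes
<IfModule mod_rewrite.c>
RewriteEngine On
# Section 6: refuse TRACE and TRACK. A strict GET/POST allow-list is avoided
# on purpose: the REST API and some plugins rely on PUT, DELETE and OPTIONS.
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)$ [NC]
RewriteRule .* - [F,L]
# Section 7: reject query strings carrying script tags, PHP superglobal
# names or base64 payloads. Kept short on purpose: broad SQL keyword
# filters tend to block legitimate searches.
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (GLOBALS|_REQUEST)(=|\[|\%[0-9A-Z]{0,2}) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC]
RewriteRule .* - [F,L]
</IfModule>
EOF

    # Section 10: PHP files under these directories are never served directly;
    # plugin and theme code that WordPress loads via require still runs.
    for d in uploads plugins themes; do
        dir="$root/wp-content/$d"
        [ -d "$dir" ] || continue
        install_block "$dir/.htaccess" "No PHP execution" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
    Require all denied
</FilesMatch>
EOF
    done
    return 0
}

# Usage: sh harden-apache.sh /var/www/example.com/public_html  (path is a placeholder)
if [ $# -gt 0 ]; then harden_apache "$1"; fi
```

Because the managed block sits outside WordPress's own `# BEGIN WordPress` / `# END WordPress` markers, WordPress leaves it alone when it rewrites its permalink rules. Two things to verify on the host before relying on this: `Require all denied` is Apache 2.4 syntax (2.2 needs `Deny from all`), and `Options -Indexes` in a `.htaccess` file returns a 500 error unless the virtual host grants `AllowOverride Options`; if it does not, set `Options -Indexes` in the virtual host instead. Check the result with a request for `/wp-config.php` and `/readme.html`, both of which should now be refused.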
12. Disable error reporting
Error reporting is useful for troubleshooting and figuring out which precise plugin or theme is causing an error on your WordPress website. However, when the system reports an error, it displays your server path, which is a perfect opportunity for attackers to discover sensitive information about your WordPress website. To disable this, edit the wp-config.php file and add the following code.