Estimated reading time: 4 min
For strong WordPress security, you should focus on the most critical steps first. Below is a priority-based approach to securing your WordPress site.
Must-Do for Basic WordPress Security (Top Priorities)
These are essential and should be done immediately for a secure WordPress setup.
1. Change Default Administrator Username
- If your admin username is admin, change it.
- Create a new admin user, log in with it, and delete the old one.
2. Use Strong Passwords & Two-Factor Authentication (2FA)
- Use unique, long passwords (16+ characters) for admin, hosting, database, and FTP.
- Enable 2FA using plugins like:
- Google Authenticator
- Wordfence
- iThemes Security
3. Keep WordPress, Plugins, and Themes Updated
- Enable automatic updates for WordPress core and plugins.
- Delete unused plugins/themes.

4. Disable File Editing in WordPress Dashboard
Prevents hackers from modifying files via WordPress.
Add this to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
5. Block Access to wp-config.php
Prevents direct access to your database settings.
Add this to .htaccess (for Apache):
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
For Nginx:
location ~* wp-config.php {
deny all;
}
6. Block Directory Browsing
Prevents users from seeing your folder structure.
Add this to .htaccess:
Options -Indexes
7. Limit Login Attempts (Basic WordPress Security)
- Install Limit Login Attempts Reloaded or Wordfence to block brute-force attacks.
8. Install a Security Plugin
- Use one of these for automated security protection:
- Wordfence (best for firewall & malware scanning)
- iThemes Security
- Sucuri Security (great for website monitoring)
Important for Enhanced Security
These steps add an extra layer of protection and should be applied if possible.
9. Disable XML-RPC (Unless Needed)
Hackers use xmlrpc.php for brute-force attacks.
Add this to .htaccess:
<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>
10. Change Default Database Table Prefix
Avoid using wp_ as the default prefix.
- Change it in wp-config.php: $table_prefix = 'custom_';
- Use iThemes Security to rename database tables.
11. Enable a Web Application Firewall (WAF)
- Cloudflare Free Plan protects against bots and DDoS.
- Wordfence Firewall adds application-level protection.
12. Block Execution of PHP in wp-content/uploads
Malware often hides here.
Create an .htaccess file inside wp-content/uploads/:
<FilesMatch "\.php$">
deny from all
</FilesMatch>
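A read-only audit of the file-level items above (4, 5, 6, 10 and 12), added here as an example; it is not code from the original post. It assumes the standard layout (wp-config.php and .htaccess in the document root, uploads under wp-content/uploads) and only greps files. The deny checks accept both the Apache 2.2 directives shown in the post and the Apache 2.4 form Require all denied; on Apache 2.4 the older Order/Deny directives only work when mod_access_compat is loaded. The sample sites built by make_sample_site are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): audit a WordPress docroot for the
# hardening items 4, 5, 6, 10 and 12. Read-only; nothing is modified.

note() { printf '%s\n' "$1" >&2; }   # findings go to stderr

# audit_wp_site DOCROOT -> findings on stderr, number of failed checks on stdout.
# The checks are textual heuristics; the deny-line test is not scoped to its
# <Files>/<FilesMatch> block.
audit_wp_site() {
    docroot="$1"; fails=0
    cfg="$docroot/wp-config.php"
    ht="$docroot/.htaccess"
    uploads_ht="$docroot/wp-content/uploads/.htaccess"
    deny='^[[:space:]]*(Deny from all|Require all denied)'   # Apache 2.2 or 2.4 form

    # 4. Dashboard file editor disabled?
    if ! grep -qE "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" 2>/dev/null; then
        note "FAIL: DISALLOW_FILE_EDIT is not set to true in wp-config.php"; fails=$((fails + 1))
    fi
    # 5. wp-config.php denied at the web-server layer?
    if ! grep -qiE '^[[:space:]]*<Files[[:space:]]+"?wp-config\.php"?[[:space:]]*>' "$ht" 2>/dev/null \
       || ! grep -qiE "$deny" "$ht" 2>/dev/null; then
        note "FAIL: .htaccess does not block wp-config.php"; fails=$((fails + 1))
    fi
    # 6. Directory listings off?
    if ! grep -qiE '^[[:space:]]*Options[[:space:]].*-Indexes' "$ht" 2>/dev/null; then
        note "FAIL: directory browsing is not disabled (Options -Indexes missing)"; fails=$((fails + 1))
    fi
    # 10. Still on the default table prefix?
    if grep -qE "^[[:space:]]*[\$]table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$cfg" 2>/dev/null; then
        note "FAIL: database table prefix is still the default wp_"; fails=$((fails + 1))
    fi
    # 12. PHP execution blocked in wp-content/uploads?
    if ! grep -qiE '<FilesMatch[[:space:]]+"[^"]*php' "$uploads_ht" 2>/dev/null \
       || ! grep -qiE "$deny" "$uploads_ht" 2>/dev/null; then
        note "FAIL: PHP execution is not blocked in wp-content/uploads/"; fails=$((fails + 1))
    fi

    [ "$fails" -eq 0 ] && note "OK: all checked hardening items are in place"
    printf '%s\n' "$fails"
}

# make_sample_site hardened|default -> path of a constructed temporary docroot
# (demo input only, not a real WordPress install).
make_sample_site() {
    dir="$(mktemp -d)"
    mkdir -p "$dir/wp-content/uploads"
    if [ "$1" = hardened ]; then
        printf "<?php\n\$table_prefix = 'custom_';\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$dir/wp-config.php"
        printf 'Options -Indexes\n<Files wp-config.php>\nOrder Allow,Deny\nDeny from all\n</Files>\n' > "$dir/.htaccess"
        printf '<FilesMatch "\\.php$">\ndeny from all\n</FilesMatch>\n' > "$dir/wp-content/uploads/.htaccess"
    else
        printf "<?php\n\$table_prefix = 'wp_';\n" > "$dir/wp-config.php"
        : > "$dir/.htaccess"
    fi
    printf '%s\n' "$dir"
}

# Usage: audit the constructed "default" site (expect five findings).
site="$(make_sample_site default)"
echo "failed checks: $(audit_wp_site "$site")"
rm -rf "$site"
```

Run it against a real document root with audit_wp_site /path/to/public_html; a non-zero count lists which of the five items still need attention.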
13. Enable Bot Protection
Block bad bots using .htaccess:
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^.*(bot|crawler|spider|wget|curl|scraper).* [NC]
RewriteRule .* - [F,L]
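A dry run of the user-agent pattern from the RewriteCond above, added here as an example and not code from the original post: it applies the same alternation (case-insensitive, like the [NC] flag) to a few User-Agent strings and reports which requests the rule would answer with 403. The strings in SAMPLE_UAS are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original post): see which User-Agent strings the
# RewriteCond pattern above would block.

# The alternation from the RewriteCond; grep -i stands in for its [NC] flag.
BAD_UA_PATTERN='(bot|crawler|spider|wget|curl|scraper)'

# ua_verdict UA -> "blocked" if the rule would match UA, else "allowed".
ua_verdict() {
    if printf '%s' "$1" | grep -qiE "$BAD_UA_PATTERN"; then
        printf 'blocked\n'
    else
        printf 'allowed\n'
    fi
}

# Constructed sample User-Agent strings: a browser, two search-engine crawlers,
# two command-line tools and an HTTP library.
SAMPLE_UAS='Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120.0
Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)
curl/8.4.0
Wget/1.21
python-requests/2.31'

# blocked_count -> how many of the sample strings the rule would block.
blocked_count() {
    printf '%s\n' "$SAMPLE_UAS" | grep -ciE "$BAD_UA_PATTERN"
}

# show_verdicts -> one "verdict  UA" line per sample string.
show_verdicts() {
    printf '%s\n' "$SAMPLE_UAS" | while IFS= read -r ua; do
        printf '%-8s %s\n' "$(ua_verdict "$ua")" "$ua"
    done
}

show_verdicts
```

The run shows the trade-off of the rule: Googlebot and bingbot are blocked because "bot" is in the list, so search indexing of the site stops, while python-requests passes because it is not listed. A User-Agent header is chosen by the client, so this rule only stops tools that announce themselves; check your search-console or access logs for 403s from legitimate crawlers after enabling it, and prefer a WAF's bot rules (item 11) if indexing matters.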
Advanced Security (Basic WordPress Security Extra Hardening)
If you want maximum protection, apply these too.
14. Disable PHP Execution in Cache Directories
Create an .htaccess file inside /wp-content/cache/:
<FilesMatch "\.php$">
deny from all
</FilesMatch>
15. Block Access to .htaccess and .htpasswd
Add this to .htaccess:
<FilesMatch "^\.ht">
Order Allow,Deny
Deny from all
</FilesMatch>
16. Block Author Scans
Prevents hackers from finding usernames.
Add to .htaccess:
RewriteEngine On
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ - [F]
17. Configure Strong Security Keys
Go to this link and replace existing keys in wp-config.php:
define('AUTH_KEY', 'your-new-key');
define('SECURE_AUTH_KEY', 'your-new-key');
define('LOGGED_IN_KEY', 'your-new-key');
define('NONCE_KEY', 'your-new-key');
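An added example, not code from the original post, that generates the key values locally instead of pasting them from the generator: each constant gets its own random 64-character value, which is what "your-new-key" stands for above (the four constants must not share one value). Besides the four shown, WordPress also reads the matching AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT and NONCE_SALT constants, so the script emits all eight. It assumes /dev/urandom and a POSIX shell with tr and head -c.

```shell
#!/bin/sh
# Added example (not from the original post): print fresh define() lines for
# the WordPress security keys and salts, one random value per constant.

WP_KEY_NAMES='AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT'

# random_key [LENGTH] -> LENGTH printable characters from /dev/urandom
# (default 64). The set leaves out ' and \ so the value can sit inside a
# single-quoted PHP string without escaping.
random_key() {
    len="${1:-64}"
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c "$len"
}

# define_line NAME -> one wp-config.php line with a fresh key for NAME.
define_line() {
    printf "define('%s', '%s');\n" "$1" "$(random_key)"
}

# wp_security_keys -> all eight define() lines, each with its own value.
wp_security_keys() {
    for name in $WP_KEY_NAMES; do
        define_line "$name"
    done
}

wp_security_keys
```

Paste the output over the existing define() lines in wp-config.php; changing the keys invalidates every current login cookie, so all users (including you) are signed out once.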
18. Move wp-config.php One Level Up
If your hosting allows it, move wp-config.php outside the public folder (public_html).
- Move wp-config.php one level up from your root folder.
- Add this to index.php: require_once(dirname(__FILE__) . '/../wp-config.php');
19. For Maximum Basic WordPress Security Use SSL & HTTPS
- Get an SSL certificate (many hosts offer free SSL).
- Force HTTPS with a plugin like Really Simple SSL.
Summary: What You Should Do First
Critical (Do these immediately)
- Change admin username & use strong passwords.
- Install Wordfence or iThemes Security.
- Disable file editing in wp-config.php.
- Block directory browsing.
- Limit login attempts.
- Keep WordPress & plugins updated.
Recommended for More Security
- Disable XML-RPC.
- Change database prefix.
- Enable Cloudflare WAF.
- Block PHP execution in uploads/ and cache/.
- Use SSL & HTTPS.
Advanced (For Maximum Protection)
- Move wp-config.php one level up.
- Block .htaccess access.
- Block author scans.
Want Full Automation?
You can use iThemes Security Pro or Wordfence Premium to handle many of these automatically.
Let me know if you need help implementing any of these!