7 Steps to Securing WordPress Website

By Responsive DAD

Security in WordPress should be taken very seriously. Securing WordPress through these 7 steps helps prevent hackers from accessing your website. This article goes through some common forms of vulnerabilities and the things you can do to help keep your WordPress installation secure.

7 Steps for Securing WordPress Websites

1. Enable Automatic Update

Automatic background updates were introduced in WordPress 3.7 in an effort to promote better security, and to streamline the update experience overall. By default, only minor releases – such as for maintenance and security purposes – and translation file updates are enabled on most sites. In special cases, plugins and themes may be updated. The first step in securing a WordPress website is running the latest version of the software.

Add the following code in your wp-config.php

WordPress Core Update

define('WP_AUTO_UPDATE_CORE', true);

Plugin Update

add_filter( 'auto_update_plugin', '__return_true' );

Theme Update

add_filter( 'auto_update_theme', '__return_true' );

Disable Update notification Emails

add_filter( 'auto_core_update_send_email', '__return_false' );

2. Disable Plugin & Theme Editor in WordPress admin

The second step in securing WordPress is disabling the file editor in the WordPress admin panel. The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to log in, since it allows code execution. WordPress has a constant to disable editing from the Dashboard. Placing this line in wp-config.php is equivalent to removing the ‘edit_themes’, ‘edit_plugins’ and ‘edit_files’ capabilities of all users:

Add the following code to your wp-config.php

define('DISALLOW_FILE_EDIT', true);

3. Hide Author Usernames

According to the DreamHost Blog, WordPress leaves the author accounts of your website easily exposed, which makes it vulnerable to attack. Why is this an issue? Because the primary author of the website is most likely the administrator of the website. This exposes the username to the hacker, leaving them with only a password to guess.

By adding the following code to your functions.php, you can protect against attempts to find out usernames on your website, which reduces the chances of vulnerabilities and hack attempts. This code redirects visitors who try to visit a URL using the author parameter back to the main page of your website:

Add the following code to your functions.php

add_action( 'template_redirect', 'bwp_template_redirect' );
function bwp_template_redirect() {
   // Send requests for author archive pages back to the home page.
   if ( is_author() ) {
      wp_redirect( home_url() );
      exit;
   }
}

Or use a plugin called Edit Author Slug. This plugin allows full control of your user permalinks, allowing you to change both the author base (the ‘/author/’ portion of the author URLs), and the author slug (defaults to the username of the author). You can set the author base globally, or you can set it to be user-specific based on a user’s role. You now have the power to craft the perfect URL structure for your Author pages.

4. Protect Files & Directories Using .htaccess



You can move the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.

Note: Some people assert that moving wp-config.php has minimal security benefits and, if not done carefully, may actually introduce serious vulnerabilities. Others disagree.

Note that wp-config.php can be stored ONE directory level above the WordPress installation (the directory where wp-includes resides). Also, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).
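One way to verify the wp-config.php settings covered so far, as an added example that is not part of the original article: the Python sketch below checks that the file mode is no broader than 440 and that the constants from steps 1 and 2 are actively defined as true. The helper names and the sample file contents are constructed for illustration.

```python
import os
import re
import stat
import tempfile

# Matches define('NAME', value); with either quote style.
DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(.+?)\s*\)\s*;""", re.I)
WANTED_TRUE = ("WP_AUTO_UPDATE_CORE", "DISALLOW_FILE_EDIT")  # steps 1 and 2
MAX_MODE = 0o440  # "400 or 440": read-only for owner and, at most, group


def strip_comments(php):
    """Drop /* ... */ blocks and whole-line // or # comments, so a
    commented-out define() is not counted as active."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.DOTALL)
    return re.sub(r"(?m)^\s*(?://|#).*$", "", php)


def audit_wp_config(path):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & ~MAX_MODE:  # any permission bit beyond r--r-----
        findings.append(f"mode {mode:o} is broader than 440")
    with open(path, encoding="utf-8") as fh:
        defines = dict(DEFINE_RE.findall(strip_comments(fh.read())))
    for name in WANTED_TRUE:
        if defines.get(name, "").lower() != "true":
            findings.append(f"{name} is not defined as true")
    return findings


def demo():
    """Audit a constructed wp-config.php before and after hardening."""
    weak = "<?php\n// define('DISALLOW_FILE_EDIT', true);\ndefine('WP_AUTO_UPDATE_CORE', true);\n"
    hardened = weak.replace("// define", "define")
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "wp-config.php")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(weak)
        os.chmod(path, 0o644)
        before = audit_wp_config(path)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(hardened)
        os.chmod(path, 0o440)
        return before, audit_wp_config(path)


if __name__ == "__main__":
    print(demo())
```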

If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:

<files wp-config.php>
order allow,deny
deny from all
</files>

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress

Note that this won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but offers less security.
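To see which requests the rules above refuse and why the Multisite caveat arises, here is a small Python model of the five rules (an added example, not part of the original article). It imitates only the `!` negation, `[S=n]` and `[F,L]` behaviour these rules use; the sample paths are constructed, and the Multisite variant lowers the skip count to 2 as an adjustment made in this example.

```python
import re

# The five rules from the .htaccess block, in order:
# (pattern, negated, rules_to_skip, forbid)
RULES = [
    (r"^wp-admin/includes/", False, 0, True),                    # [F,L]
    (r"^wp-includes/", True, 3, False),                          # "!" pattern, [S=3]
    (r"^wp-includes/[^/]+\.php$", False, 0, True),               # [F,L]
    (r"^wp-includes/js/tinymce/langs/.+\.php", False, 0, True),  # [F,L]
    (r"^wp-includes/theme-compat/", False, 0, True),             # [F,L]
]

# Multisite variant described in the note: rule 3 omitted. [S=n] counts
# rules, so the skip is lowered to 2 here to keep it aligned (an
# adjustment made in this example, not stated in the article).
MULTISITE_RULES = [RULES[0], (RULES[1][0], True, 2, False), RULES[3], RULES[4]]

# Constructed sample requests.
SAMPLES = [
    "/wp-login.php",
    "/wp-admin/includes/file.php",
    "/wp-includes/ms-files.php",
    "/wp-includes/js/jquery/jquery.js",
    "/wp-includes/theme-compat/header.php",
]


def evaluate(url_path, rules=RULES):
    """Return ("forbidden", n) for the 1-based rule that answers 403,
    or ("pass", None) if the request falls through to later rules."""
    # In .htaccess context the pattern sees the path without the leading
    # slash and without the query string.
    path = url_path.split("?", 1)[0].lstrip("/")
    i = 0
    while i < len(rules):
        pattern, negated, skip, forbid = rules[i]
        matched = bool(re.search(pattern, path)) != negated
        if matched and forbid:
            return ("forbidden", i + 1)
        if matched:
            i += skip  # [S=n]: jump over the next n rules
        i += 1
    return ("pass", None)


def report(rules=RULES):
    """Map each constructed sample path to its verdict under the rules."""
    return {path: evaluate(path, rules) for path in SAMPLES}


if __name__ == "__main__":
    for path, verdict in report().items():
        print(f"{verdict[0]:9} {path}")
```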

5. Use a firewall

There are many plugins for securing WordPress with a firewall. Wordfence is one of the best, with 1+ million active installs. Wordfence secures your website with a firewall, malware scan, blocking, live traffic, login security & more.

There are many security plugins for WordPress. The following are some of the best.

5. Use a backup solution

Your WordPress database contains every post, every comment and every link you have on your blog. If your database gets erased or corrupted, you stand to lose everything you have written. There are many reasons why this could happen and not all are things you can control. With a proper backup of your WordPress database and files, you can quickly restore things back to normal.

Back up your database regularly, and always before an upgrade.

How often should you back up?
That depends on how often you blog, how often you want to do this, and how you would feel if your database were lost along with a few posts. It is your decision.

How many backups should I keep?
The general rule of thumb is to keep at least three backups and keep them in three different places or forms, like CD/DVDs, different hard drives, a thumbdrive, web disk, your e-mail account, etc. This prevents problems if a single backup becomes corrupted or damaged.

There are many backup plugins available. Some of the best are listed here

6. Use Strong Passwords

This is one of the most basic steps, and one of the first to take, in securing a WordPress website. Many potential vulnerabilities can be avoided with good security habits. A strong password is an important aspect of this.

The goal with your password is to make it hard for other people to guess and hard for a brute force attack to succeed. Many automatic password generators are available that can be used to create secure passwords.

WordPress also features a password strength meter which is shown when changing your password in WordPress. Use this when changing your password to ensure its strength is adequate.

Things to avoid when choosing a password:

  • Any permutation of your own real name, username, company name, or name of your website.
  • A word from a dictionary, in any language.
  • A short password.
  • Any numeric-only or alphabetic-only password (a mixture of both is best).

A strong password is necessary not just to protect your blog content. A hacker who gains access to your administrator account is able to install malicious scripts that can potentially compromise your entire server.

In addition to using a strong password, it’s a good idea to enable two-step authentication as an additional security measure.

7. Reduce Plugin Usage

Using more plugins than you need affects not just security but also the site’s speed and performance. If your site can function without a particular plugin, delete it. The fewer plugins you have, the fewer chances you give hackers to access your website. Most of the time hackers exploit loopholes in plugin files to hack your website. Always update your plugins as early as possible, or consider enabling automatic updates for plugins. Instead of using plugins for everything, use custom code whenever possible.

Securing a WordPress website is more than installing a security plugin. Always make sure you use the latest version of WordPress & plugin/theme files.