Secure WordPress Website (Without Installing Any Extra Plugins)

Being one of the most popular CMS on the Internet makes WordPress an attractive target for hackers. You should securing your WordPress website right from the start when you first set it up!

I like to keep my WordPress website lightweight. This post teaches you how to secure your WordPress website, through a strong configuration and good security habits, without installing any other 3rd party plugins.

1. Delete themes and plugins that you don’t use

Remove unused themes and plugins as they may leave your blog open and vulnerable to attacks.

Besides, you also get to shave some weight off your WordPress website when you uninstall those unused plugins.

2. Don’t use a weak password

Probably the single most important thing when it comes to security. Go for 12 characters and a mix of numbers and alphabets.

Struggling to come up  a good one, try this free password generator by LastPass.

3. Don’t use the username “admin”

Another default option that you should change when setting up your WordPress website.

Don’t be lazy, change it. Anything other than admin would work way better!

4. Secure your website with SSL

SSL is a great way to secure your WordPress website. Gone are the days where you need to pay for a SSL certificate. Today, you can get one for free via Let’s Encrypt.

SiteGround hosting plans comes default with Let’s Encrypt integrated into their cPanel interface. Installing and activating on your website is such a breeze. Learn more about it here.

5. Secure WordPress config file

The wp-config.php contains many important configurations, that shouldn’t be accessed by anyone else.

Add the following codes to .htaccess file.

<files wp-config.php>
order allow,deny
deny from all

6. Protect wp-includes directory

Add the following codes to .htaccess file. Take note not to paste this within the # BEGIN WordPress ... # END WordPress section.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

7. Disable File Editing from WordPress dashboard

By default you can edit your themes, plugins via the editor inside your WordPress dashboard. By disabling this function, any hacker that manages to login cannot make any other changes to your files via the dashboard.

Add the following code to the bottom of your wp-config.php file.

/** Disables file editing from Dashboard **/
define('DISALLOW_FILE_EDIT', true);

8. Allow only a whitelisted IP to access your WordPress login

Prevent unauthorised people from accessing your WordPress admin.

Add the following codes to .htaccess file. Find the IP address of your home or workplace. Replace the XX.XXX.XXX.XXX with your IP address.

<Files wp-login.php>
order deny,allow
Deny from all
Allow from

9. Update your WordPress regularly

This is a no-brainer. New updates from WordPress fixes bugs that patches old bugs that could be exploited by attackers. The same goes for any update for 3rd party plugins and themes.

To auto-upgrade WordPress core, insert this code into your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', true );

For plugins, use:

add_filter( 'auto_update_plugin', '__return_true' );

For themes downloaded from official WordPress repository, use:

add_filter( 'auto_update_theme', '__return_true' );

These 9 methods would be useful for anyone who wants to secure their WordPress website! If you know of any other ways to improve the security without installing any plugins, do drop your suggestions below!

Leave a Reply

Your email address will not be published. Required fields are marked *