Ultimate Guide to improve your WordPress security


WordPress security is a hot topic since we know that WordPress is a very popular CMS solution in order to build beautiful websites. Unfortunately this makes it a popular target for hackers. Sucuri analyzed more than 30.000 infected websites and found out that more than 80% of those infected websites run with WordPress, whilst other CMS solutions like Joomla, Typo3, Drupal, etc. seem to have just little exposure to get infected.

Knowing this leaves you with two choices: either choosing a non WordPress CMS that has just little exposure to getting infected or reducing the risk of getting your WordPress website infected by taking additional security precautions. If you choose the latter, then this article will be gold for you, because you will find several suggestions on how to improve your WordPress security.

Steps to improve your WordPress security

I will disclose the easier measures first. Furthermore you will probably need a FTP software to get some work done and don’t forget to backup your website beforehand (including your .htaccess file).

1. Use strong and long passwords

Regularly changing your WordPress password and choosing a long and difficult to guess password is the key to make it harder for hackers to access your website. Here you find an article how to create a strong password which is also memorable for you.

2. Change the default username

Since the default username of WordPress is usually admin or wordpressadmin it’s wise to change that, because every hacker knows that. To change that you need to:

  • Login into your wordpress admin site.
  • Go to Users and create a new user with admin permissions.
  • Then logout and login with your new user.
  • Go to Users and delete the old administration user.

3. Regularly update your WordPress version, plugins and theme

Not every software is perfect and sometimes hackers detect glitches or bugs in it, which give them the ability to harm your website. In order to prevent misuse of a software, good software developers regularly release patches of their software and that’s why you should regularly update your WordPress core version, plugins and your theme. WordPress usually indicates when there is any update available. The picture below shows that there’s one update available for a plugin.


4. Regularly run backups

No matter how secure your website is, there will always be a risk of getting hacked. Once that happens you better have a recent backup of your website in place to restore the state of your website before it got hacked. You can use the free UpdraftPlus Backups plugin to do that.

5. Delete unused/outdated plugins and themes

It can happen that a plugin you use hasn’t been tested with your current WordPress version or that it hasn’t been updated for years. In that case the plugin poses a security risk and that’s why you should delete it from your website.

6. Limit login attempts

In order to prevent brute force attacks it can be very useful to prevent the number of login attempts someone can make. You can use a plugin (e.g. WP Limit Login Attempts) which does the magic for you.

7. Change the default url of your login page

Everybody knows that the default url of the WordPress admin login page is either /wp-admin or /wp-login.php. To customize your admin login page url you can use a plugin like WPS Hide Login.

If you are using a caching tool make sure that you exclude that specific url from being indexed.

Now it will get a bit more technical by editing your .htaccess file

Note: editing your .htaccess rules might result into breaking your website. That’s why it’s important that you backup your website and your current .htaccess file before hand. If you don’t have much technical knowledge, you can also ask me to help you securing your WordPress site.

Furthermore make sure that all new rules are inserted before the “# BEGIN WordPress” line.

8. Restrict access to important files

Add the following lines in your .htaccess in the root directory (via ftp).

# Restrict access

<FilesMatch "^.*(error_log|readme\.html|license\.txt|install.*\.php|wp-config\.php|php.ini|\.[hH][tT][aApP].*)$">

Order allow,deny

Deny from all


<Files "plugin-install.php">

Allow from all


This restricts somebody from accessing importing website files. You can check if it worked by trying to access one of those files (e.g. wp-config.php) via your browser. That shouldn’t be possible anymore.

9. Restrict access to theme and plugin php files

In order not to give hackers direct access to theme and plugin php files (because they might not be able to handle direct http calls) you need to add the following to your .htaccess file:

# Restrict access to PHP files from plugin and theme directories

# RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php

# RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/

RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]

# RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php

# RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/

RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

This will redirect any calls of theme and plugin php files to a 404 page.

You can test this by trying to access a theme or plugin php file (e.g. /wp-content/themes/index.php) in your browser.

Important note: Sometimes some plugins/themes need to do http requests to other php scripts. If that’s the case you can put those files/directories on a whitelist with the annotated code snippet above.

10. Restrict access to /wp-includes

Your wp-includes folder contains all necessary WordPress core files to run WordPress without any plugin or theme. Thus, nobody should be able to access it. Insert into your root .htaccess file the following snippet:

# Block wp-includes folder and files

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /

RewriteRule ^wp-admin/includes/ - [F,L]

RewriteRule !^wp-includes/ - [S=3]

RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]

RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]

RewriteRule ^wp-includes/theme-compat/ - [F,L]


You can test it by trying to access a php file in your wp-includes folder (e.g. /wp-includes/functions.php).

11. Allow only certain files in /wp-content

The wp-content directory contains most of the themes, plugins and media uploads. Therefore we want to set certain restrictions on that directory.

  1. Go to /wp-content and create a new .htaccess file.
  2. Set file permissions to 644.
  3. Insert the snippet into the file.
# Disable access to all file types except the following

Order deny,allow

Deny from all

<Files ~ ".(xml|css|js|jpe?g|svg|png|gif|pdf|docx|rtf|odf|zip|rar|woff|woff2|ttf|otf|map)$">

Allow from all


This snippet restricts access to all filetypes except for the mentioned ones (white list principle). You can test this snippet by creating a test file in the wp-content folder (e.g. test.ini) and try to access it in your browser.

Note: If your website requires any special filetypes (e.g. like .otf) you just need to add them in the file type regex string above.

Sometimes you need to allow specific php scripts so that your website is working. To do that just add the following:

<Files "your-file-name.php">

Allow from all


12. Restrict php file execution

Since most hackers upload their malicious code into the /wp-content/uploads directory, it makes sense to restrict any execution of php files there.

  1. Go to wp-content/uploads/ and create a .htaccess file.
  2. Set permissions to 644
  3. Insert the snippet into the file
# Deny php script execution in this directory

<FilesMatch "\.(php|php\.)$">

Order Allow,Deny

Deny from all


This script prevents execution of files e.g. bad-script.php in that directory.

To test if it’s working, just create an empty php file in that directory and try to access it via your browser.

13. Prevent Query Script Injections

Another common method of hacking a website are code injections. To prevent query script injections add the following code to your .htaccess file:

# Prevent php query script injection

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteBase /


RewriteRule ^(.*)$ - [F,L]

RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]

RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]

RewriteCond %{QUERY_STRING} tag\= [NC,OR]

RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]

RewriteCond %{QUERY_STRING} http\:  [NC,OR]

RewriteCond %{QUERY_STRING} https\:  [NC,OR]

RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]

RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]

RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]

RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*).* [NC,OR]

RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR]

RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]

RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]

RewriteCond %{QUERY_STRING} ^.*(insert|union|declare).* [NC]

RewriteCond %{HTTP_COOKIE} !^.*WordPress_logged_in_.*$

RewriteRule ^(.*)$ - [F,L]


This prevents hackers to call php files with a malicious php script code in their url that match the patterns in the snippet above (e.g. example.org/?globals=1)

14. Enforce SSL for WordPress

If you already have a SSL certificate make sure that it’s usage gets enforced. You can do that by adding the following lines to your root .htaccess:

# Enforce SSL connection

<IfModule mod_rewrite.c>

RewriteEngine On

RewriteCond %{HTTP_HOST} example.org

RewriteCond %{HTTPS} !=on

RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]


Make sure you replace example.org with your domain.

You can see if it works by typing in http://example.org and you should get redirected to https://example.org

15. Disable XML-RPC

XML-RPC (Remote Procedure Call) allows you to remotely interact with your website (e.g. with your smartphone). This allows you to use your WordPress credentials and log into any WordPress site the user has access to. So the primary risks here are Brute Force Attacks (hackers trying to guess your password with lots of trial and error) and Denial of Service via Pingback (attacker contacts a lot of WordPress sites and asks WordPress to pingback to a target url). To prevent that just add the following snippet into your root .htaccess file:

<Files xmlrpc.php>

order allow,deny

deny from all


To test if it works you can use the tool on the website https://xmlrpc.eritreo.it and the tool should result in an error.

16. Change prefix of your database tables

The standard prefix of your database tables is “wp_”. To change it you can install the plugin Defender and use the “Change default database prefix” function to fix this issue. Afterwards it’s up to you to deinstall the plugin again.

17. Disable Rest-API

The WordPress REST-API (Representational State Transfer) makes your site available as a web service and thus other applications & websites can interact with your website easily programmatically without the need to use a browser. To deny any REST calls of your WordPress website you can use the Disable REST API plugin to take care of this problem.

To test if it works, you can go to your site http://example.org/wp-json. Replace example.org with your individual WordPress domain. You should receive a 401 error “Only authenticated users can access the REST API”.

Note: some plugins may require REST-API access.

18. Disallow the default WordPress editor

Once a hacker has access to your website the first thing he will probably do is to go to the default WordPress editor and start injecting malicious code there. To prevent that just insert the following code into your /wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

19. Prevent username enumeration and block author url

When somebody enters www.example.org/?author=1 the visitor gets redirected to the author page of the person with the associated ID (1 is usually the default ID for the administrator) and then the person sees the actual username of that author. To prevent that you need to edit your root .htaccess file and add the following:

# Prevent username enumeration and block author url

RewriteEngine On

RewriteCond %{QUERY_STRING} ^author= [NC]

RewriteRule .* - [F,L]

RewriteRule ^author/ - [F,L]

This code restricts urls and queries which contain the keyword “author”.

To see if it is working, just enter www.example.org/?author=1  or www.example.org/author/admin

20. Prevent image hot linking

Image hot linking happens when another website is using an image which is hosted on your website. This typically drains broad width from your website every time when the other website is loaded.

You usually don’t want that and to prevent it you need to place the following snippet into your root .htaccess:

# Prevent image hot linking

RewriteEngine on

RewriteCond %{HTTP_REFERER} !^$

RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?(example.org|google.com|bing.com|yahoo.com|facebook.com|twitter.com) [NC]

RewriteRule \.(jpg|jpeg|png|gif)$ https://example.org/any-image-link.png [NC,R,L]

Replace example.org with your domain and replace “https://example.org/any-image-link.png” with a different image.

21. Remove WordPress Version

In order to not letting hackers know which WordPress version you are using (because it gives them hints which exploits they can use), add the following to your functions.php in your theme:


* Remove wordpress version


function remove_wp_version() {

return '';

} add_filter('the_generator', 'remove_wp_version');

You can check if your version disappeared in your source code or with https://www.wappalyzer.com/

Final thoughts

  • WordPress security is not an easy thing and it’s impossible to make your website a 100% secure, but following the steps mentioned above dramatically decrease your risk of getting hacked.
  • After installing all those WordPress security measures make sure that you click through your entire website and see if it’s still fully working!
  • Furthermore you can also use a security plugin (e.g. Wordfence) to take away some security work from you.


Leave a Reply

Your email address will not be published. Required fields are marked *

Fill out this field
Fill out this field
Please enter a valid email address.