WordPress is one of the most popular content management systems in the world, more than 30% of all websites on the web. There are lots of themes and plugins for it and you can create any kind of internet site with it. Do you know how many websites are hacked every day? More than sixty thousand WordPress websites have been hacked. In most cases, WordPress websites are hacked due to a lack of security. Most webmasters do not know how to keep their website secure. So in this tutorial, we will share some basic tips on how to keep your WordPress website secure.
1. Choose a perfect hosting provider
Hosting service provider is the first thing to choose wisely to keep the WordPress website secure. Web hosting company works in the behind to protect your websites and data such as hosting provider continuously monitor their network, they have automated security tool to prevent large scale attacks and they also keep their server software and hardware up to date and prevent hackers from exploiting a known security vulnerability.
We recommend using a managed hosting service that is a more secure platform for websites other than general shared hosting services. Managed WordPress hosting usually comes with automatic backup, WordPress updates, advanced security configuration to protect your website, and finally, increase website performance.
2. Correct file permissions and ownership
If file permissions & ownership is incorrect, an attacker can easily read and write system files using compromised files. Which can lead to your site being hacked as well as other websites on the same server. You must ensure that all of your files should have 640 or 644 value as file permission and all directories on your website should have 750 or 755 as permission, wp-config.php should be 600.
Linux command to change file and directory permission:
Directory permission fix: Assumeing that your domain root directory is
Files permission fix: Assumeing that your domain root directory is
3. Protect system files
wp-config.php and .htaccess/nignx.conf are the most important files to keep your website secure. .htaccess/nginx.conf contain serevr rules while wp-config.php contain your WordPress database credentials. These files along other sensitive files such as git directory, readme.html files need to be protected as well to keep your website secure.
Apache server: To protect the wp-config.php, .htaccess, git directory and other sensitive files:
For Nginx server: paste in the following code into nginx.conf to protect system and sensitive files.
4. Change WP-login URL
You shouldn’t keep default WordPress login URL anyway. Default WordPress login URL is:
yoursite.com/wp-admin redirect to login page.
If you keep WordPress default login URL, a lot of botnets will try to break your administrator password daily by brute force. Identifying the administrator username is not so hard. Also if user registration is enabled for subscriber accounts, the website will get a lot of spam registrations. Please use a plugin to change the login URL. “WP better security” plugins is a good one to do that.
5. Limit login attempts
By default, WordPress grant users to try to login as many time as they want. This is one kind of vulnerability of your website because it opens brute force attacks. You can easily stop brute force by limiting the number of failed login attempts. You can use a plugin to limit the failed login attempts.
6. Filter request method
WordPress website may only need to perform two types of requests i.e. GET to retrieve data from database to serve client side request (browser request), POST to send data from client side to server. Your WordPress website will never use request methods like TRACE, TRACK. So we can just block those request methods using .htaccess on Apache
Nginx: paste this code in nginx.conf file
7. Filter suspicious query strings
WordPress websites often suffers from SQL injection hack due to badly coded plugins. If we filter suspicious query strings in URL, we can stop a lot of damage and keep the WordPress website secure in most cases. To filter suspicious query strings, just paste this code in .htaccess file on Apache server.
Nginx: Paste this code in nginx.conf
8. Remove WordPress version number
It’s very easy to find out the WordPress version that you are using. If hackers know which version of WordPress in use, it’s less complicated for them to build the ideal attack. Since each WordPress version has public changelogs that element the listing of bugs and safety patches, they can easily determine which protection holes they could take advantage of. Using this following code in theme function.php file can stop the WordPress version disclosure.
9. Disable XML-RPC in WordPress
Usually, XML-RPC use for connecting the WordPress website with web and mobile apps. It’s also favorite to hackers because they misuse this protocol and execute several commands at once to gain access website. XML-RPC can significantly enhance the brute-force attacks. If you are not using this then we recommend that disable XML-RPC using this code in .htaccess file on Apache server:
10. Disable direct PHP access
You should disable direct PHP file access in some directories to keep secure your WordPress website and harden your website security. This may prevent backdoors and web shells from being executed on these directories. Most targeted directories are uploads, plugins, and themes directories. This security setting won’t break any of your WordPress theme or plugin functionality. Add this code block in .htaccess file on Apache server to disable direct PHP execution in themes, plugins and uploads directory.
11. Disable directory browsing
Directory indexing can be used by other people to search website files, images, directory structure, and other information. While directory indexing is on, there is a high risk of being hacked as hackers may able to gather sensitive information about your website such as which plugin in use, software versions, etc.
Add this code block inside .htaccess on Apache server: Nginx
12. Disable error reporting
Error reporting is beneficial for troubleshooting and figuring out which precise plugin or subject is inflicting an error in your WordPress website. However, once the gadget reports an error, it will display your server path. This is a perfect opportunity for hackers to discover sensitive information about your WordPress website. To disable this you will need to edit wp-config.php file and add the following code.