5 Steps to Making Your WordPress More Secure

I am not sure what are exact numbers today but just a couple of years ago it was said that WordPress powered over 60 million websites with 100,000 more popping up each day. The only thing I know that this numbers didn’t decrease. WordPress is a robust, flexible, 100 percent free platform for building all types of websites – personal, e-store, magazine – anything. Because the code is available to everyone and because so many people use it, WordPress has become an attractive target for hackers.

old fashioned pc in a safeFortunately, with such a huge community, WordPress doesn’t leave any issues unresolved for very long. However, this doesn’t mean you shouldn’t educate yourself and take appropriate steps to secure your WordPress.

There are so many ways to harden your WordPress and I will admit that I am not taking an advantage of them all, but here are just a few simple steps you can do today to significantly reduce your chances of being hacked. It’s something I tried and found very easy to implement.

Before you begin back up your .htaccess file and wp-config.php file and save somewhere safe. You are going to do changes to these important files and while you probably will be fine save the original copy just in case anything went wrong. It could be as simple as deleting a character without realizing and voilà – your entire site displays server error. Don’t blame me in that case, okay? This by itself doesn’t do anything bad to your site, only good. But you might miss something without realizing or have whatever special configuration I can’t know about. Backup your files and save the copy of this post for future reference.

Deny access to wp-config.php

One of the first things you want to secure is wp-config.php It contains sensitive information such as your database username and password.

Open your .htaccess file and paste this at the very top (before anything):

<files wp-config.php>
order allow,deny
deny from all

Some suggest to exclude your own IP, but the official WordPress recommendation seems to be this particular code as mentioned here, so that’s what I am currently doing.

Protect your wp-includes.php

Following recommendations of the same source here I protect my wp-includes.php by placing this code in my .htaccess

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

Prohibit Directory Views

If you aren’t friends with your cPanel you might be not aware that your site consists of multiple folders. Unless each of this folders contains its own index.html ot index.php you (or anyone for that matter) can navigate there and see your file structure. It would look like this

This is dangerous. I used to create index.html with clever messages to hackers in each folder before, but recently I learned that you can simply add

Options -Indexes

to your .htaccess and have it fixed all at once.

Disable Theme and Plugin Editors

WordPress allows admins to edit PHP files, which might be handy when you want to edit theme files or plugins. Unfortunately this comes with its price by making your website vulnerable to hackers as it’s the first tool the attackers will typically use (according to WordPress Codex here)

You can disable the editors by adding this line to your wp-config.php

define('DISALLOW_FILE_EDIT', true);

Protect your install.php

Install.php is located in your wp-admin folder. Generally once the installation is done you don’t need it anymore but it’s still there unless you delete it of course. In some cases if your database fails this file might “assume” there is no WordPress installation on your site and load an installation wizard. This will allow anyone to create a new installation with admin account on your domain. There is a number of things you could do to protect yourself from this, including simply deleting this file. I personally chose to add this to my .htaccess

# PROTECT install.php
<Files install.php>
 Order Allow,Deny
 Deny from all
 Satisfy all

You can learn more about other solutions for install.php here.

Last but not the least, always keep your WordPress installation and all plugins and themes up to date. Install only necessary plugins and get rid of anything you don’t use. Some things can be done without plugins by working with raw code. For example, Google Analytics can be inserted right into template. Automatic database backup can be set up using cron jobs. If you have sufficient skills for this, consider doing it yourself.

Obviously, there are many more ways to secure your WordPress, but even if you implement only these simple steps you will much more secure than before.

One more security tip here »

9 Replies to “5 Steps to Making Your WordPress More Secure”

  1. Oops!
    Internal Server Error…. My entire site is down.
    I added the codes at the top of .htaccess but obviously I have done something wrong.
    I tried to delete all the codes I added but it doesn’t come back to normal.
    I have a backup in dropbox but how can I restore my htaccess???

    Thanks in advance for your help Elena… 🙂


      1. Also don’t worry, it’s something fixable and you don’t even need to restore your site’s backup, only .htaccess 🙂

  2. If you have backup copy of .htaccess it’s as simple as reuploading your old version of .htaccess (or pasting it instead of what you have there right now and saving).

    You could also mess up something in wp-config.php if you edited it. Just to eliminate any confusion. Since the post above teaches you to edit both. So if you have wp-config.php and you edited it and suspect the problem could be there you also should return to old version.

    Please let me know how you are doing 🙂

  3. Hi Elena,

    I’ve tried to simply paste the old code but I still have the same internal server error.
    Now I can’t even access wp-admin…
    What do you mean by reupload the .htaccess file? How do I do it?

    Regarding the wp-config.php, I don’t know if I could edit anything in this file as I don’t even know how to open it.
    But now I understand that I made an error:
    Instead of adding the following code in wp-config:
    define(‘DISALLOW_FILE_EDIT’, true);
    I added it in htaccess!

    So I put all the codes at the very beginning of htaccess.

    Should I go to cPanel, delete htaccess in public_html and then copy my backup there?



    1. If you had a copy of your .htaccess version before you edited it following this tutorial pasting that copy and saving right in your cPanel should work. Don’t worry about reuploading, it’s the same if you edit it directly from cPanel. I am not sure why pasting old version of .htaccess didn’t help you. Did you back it up just before doing these changes? Did you save copy of it in text editor or in something like Word? If you used something like Word it could change some characters in it.

  4. Elena, you saved me again 🙂
    Thank you soooo much!

    I have 2 backup of htaccess, 1 “normal” that I transferred directly from Filezilla to dropbox to make sure I have exactly the same file (even if I have nothing on my computer to open such a file) + 1 that I copied from WordPress to my notepad to be able to copy/paste again.

    Again, thank you so much for your help!

    Bless you!


    1. yes .htaccess is a very important file. It tells your site how to do stuff, so any mistake can mess up the whole site. Most of the times if you have backup copy you can restore your site’s functionality though. Also when you install WordPress it adds some WordPress code which is important to keep.

Comments are closed.