WordPress is the most popular content management system (CMS), with 43.2% of all websites running on its software. Unfortunately, its popularity attracts all sorts of cybercriminals who exploit the platform’s security vulnerabilities.

This doesn’t mean that WordPress has a terrible security system – security breaches can also happen due to the users’ lack of security awareness. Therefore, it’s best to apply precautionary security measures before your website becomes a hacker target.

We will discuss 22 methods to improve WordPress security and protect your site from various cyberattacks. The article will include best practices and tips – with or without WordPress plugins. Some methods are also applicable to other platforms than WordPress.

Why Do You Need to Secure a WordPress Website?

If your WordPress website gets hacked, you risk losing important data, assets, and credibility. Furthermore, these security issues can jeopardize your customers’ personal data and billing information.

The cost of cybercrime damages can reach up to $10.5 trillion per year by 2025. Surely you don’t want to become a hacker target and contribute to that.

Based on WPScan Vulnerability Database, these are some of the most common types of WordPress security vulnerabilities:

• Cross-site request forgery (CSRF) – forces the user to execute unwanted actions in a trusted web application.
• Distributed denial-of-service (DDoS) attack – incapacitates online services by flooding them with unwanted connections, thus rendering a site inaccessible.
• Authentication bypass – gives hackers access to your website’s resources without verifying their authenticity.
• SQL injection (SQLi) – forces the system to execute malicious SQL queries and manipulate data within the database.
• Cross-site scripting (XSS) – injects malicious code that turns the site into a transporter of malware.
• Local file inclusion (LFI) – forces the site into processing malicious files placed on the web server.

WordPress Security Checklist and Additional Tips

Implementing one or two WordPress security measures won’t be enough to make your WordPress website completely safe.

Download our WordPress Security Checklist to help track your progress in applying important security measures to your website. We also share some WordPress security tips to help you protect your site further.

General Best Practices to Improve Website Security

In this section, we will go over six general WordPress security tips that don’t require advanced technical knowledge and high-risk investments. Even a beginner will be able to do these simple tasks, like updating WordPress software and removing unused themes.

1. Keep Your WordPress Version Up to Date

Regularly updating your WordPress version is crucial for improving performance and maintaining security. These updates not only enhance the functionality of your site but also safeguard it against potential cyber threats.

Updating your WordPress version is one of the simplest yet most effective ways to bolster WordPress security. Surprisingly, around 50% of WordPress sites continue to operate on outdated versions, leaving them more susceptible to vulnerabilities.

To ensure that you have the latest WordPress version, simply log in to your WordPress admin area and navigate to the Dashboard → Updates section in the left menu panel. If it indicates that your version is not up to date, we strongly advise updating it promptly.

By keeping your WordPress version current, you can fortify your website’s security and enjoy the enhanced features and improvements provided by the latest updates.

Stay informed about upcoming update release dates to ensure that your site remains up to date with the latest version of WordPress.

We also strongly recommend keeping your installed themes and plugins updated. Outdated themes and plugins can potentially clash with the newly updated WordPress core software, leading to errors and increasing the risk of security vulnerabilities.

Follow these steps to remove outdated themes and plugins:

1. Access your WordPress admin panel and navigate to Dashboard → Updates.
2. Scroll down to the Plugins and Themes sections and review the list of available updates for both.
3. You have the option to update them collectively or individually.
4. Click on “Update Plugins” to update your plugins.

By regularly updating your themes and plugins, you ensure compatibility with the current version of WordPress, minimize errors, and maintain a secure website.

2. Use Secure WP-Admin Login Credentials

One of the most common errors users make is using easily guessable usernames like “admin,” “administrator,” or “test.” This significantly increases the risk of brute force attacks on your site. Attackers specifically target WordPress sites with weak passwords, making it crucial to strengthen both your username and password.

We highly recommend creating a unique and complex username and password to enhance your site’s security.

Alternatively, you can follow these steps to create a new WordPress administrator account with a different username:

1. Access your WordPress Dashboard and go to Users → Add New.
2. Create a new user and assign it the Administrator role.
3. Generate a strong password by incorporating numbers, symbols, uppercase and lowercase letters. We advise using a password that is longer than 12 characters, as longer passwords are significantly more challenging to crack.
4. Once you have entered the details, click the “Add New User” button to finalize the process.

By implementing a strong and distinctive username and password combination, you significantly reduce the risk of unauthorized access to your WordPress site, enhancing its overall security.

If you need help generating a strong password, use online tools like LastPass and 1Password. You can also use their password management services to store strong passwords safely. That way, you don’t have to memorize them.

After creating a new WordPress admin username, you’ll need to delete your old admin username. Here are the steps to do so:

1. Log in with your newly created WordPress user credentials.
2. Navigate to Users → All Users.

3. Select the old admin account that you want to delete. Change the Bulk Actions dropdown menu to Delete, and click Apply.

To keep your site safe, it’s also important to check the network before logging in. If you’re unknowingly connected to a Hotspot Honeypot, a network operated by hackers, you risk leaking login credentials to the operators.

Even public networks such as a school library’s WiFi may not be as secure as it appears. Hackers can intercept your connection and steal unencrypted data, including login credentials.

For that reason, we recommend using a VPN when you connect to a public network. It provides a layer of encryption to the connection, making it harder to intercept data and protecting your online activities.

3. Configure Safelists and Blocklists for the Admin Page

To enhance the security of your login page and protect it from unauthorized access and brute force attacks, it is recommended to set up safelists and blocklists. This can be achieved by utilizing a web application firewall (WAF) service like Cloudflare or Sucuri.

When using Cloudflare, you can configure a zone lockdown rule that specifies the URLs you want to lock down and the IP range that is permitted to access those URLs. This ensures that only IP addresses within the specified range can access the designated URLs, preventing unauthorized access.

Similarly, Sucuri offers a feature called URL path blacklist. By adding your login page URL to the blocklist, you can restrict access to it. Additionally, you can safelist authorized IP addresses to allow access to the login page.

Alternatively, you can restrict access to your login page by configuring your site’s .htaccess file. Access the file by navigating to your site’s root directory.

Important: It is highly recommended to create a backup of the existing .htaccess file before making any changes. This allows for easy restoration in case of any issues.

To restrict access to wp-login.php from all locations except a specific IP address, you can add the following rule to your .htaccess file:

Block IPs for login (Apache 2.2)

<files /wp-login.php> order deny,allow allow from MYIP allow from MYIP2 deny from all </files>

Block IPs for login (Apache 2.4)

<Files “wp-login.php”> Require all denied </Files>

Ensure that this rule is placed after the “# BEGIN WordPress” and “# END WordPress” statements in your .htaccess file.

By implementing these safelist and blocklist configurations, you strengthen the security of your WordPress login page and restrict access to authorized users, mitigating potential risks from malicious login attempts

This rule applies even if you don’t have a static IP, since you can restrict logins to your ISP common range.

You can also use this rule to restrict other authenticated URLs, such as /wp-admin.

4. Choose Reliable WordPress Themes

It is crucial to avoid using nulled WordPress themes, which are unauthorized versions of premium themes. Although these themes are often offered at discounted prices, they come with significant security risks.

Nulled themes are typically distributed by hackers who have tampered with the original premium theme by inserting malicious code, including malware and spam links. Additionally, these themes can serve as entry points for other exploitations that can jeopardize the security of your WordPress site.

Since nulled themes are obtained illegally, users do not receive any support from the original developers. Consequently, if issues arise with your site, you will need to troubleshoot and secure your WordPress site on your own.

To safeguard your website and minimize the risk of being targeted by hackers, it is advisable to select WordPress themes from the official repository or trusted developers. Alternatively, you can explore third-party themes available on reputable theme marketplaces like ThemeForest, which offer a wide range of premium themes.

By opting for reliable themes from trusted sources, you can ensure the security and stability of your WordPress site while benefiting from ongoing support and updates from the theme developers.

5. Install SSL Certificate

Ensure Secure Data Transfer with SSL

To enhance the security of your WordPress website and protect the data exchanged between your site and its visitors, it’s essential to implement Secure Sockets Layer (SSL), a data transfer protocol that encrypts sensitive information. SSL makes it significantly more challenging for attackers to intercept and steal important data.

Additionally, SSL certificates provide SEO benefits by positively impacting your WordPress site’s search engine rankings and attracting more visitors.

Identifying websites with SSL certificates is easy as they use HTTPS instead of HTTP in their URLs.

Most hosting companies include SSL certificates as part of their hosting plans. For instance, Hostinger offers a free Let’s Encrypt SSL certificate with all its hosting packages.

Once you have obtained an SSL certificate for your hosting account, you need to activate it on your WordPress website.

Plugins such as Really Simple SSL or SSL Insecure Content Fixer can assist you in handling the technical aspects and activating SSL with just a few clicks. The premium version of Really Simple SSL even allows you to enable HTTP Strict Transport Security headers, ensuring that your site is accessed exclusively via HTTPS.

After activating SSL, remember to update your site’s URL from HTTP to HTTPS. Simply navigate to Settings → General and modify the Site Address (URL) field accordingly.

By implementing SSL and transitioning to HTTPS, you fortify the security of your WordPress website, instilling trust in your visitors and contributing to improved search engine performance.

6. Remove Unused WordPress Plugins and Themes

Keeping unused plugins and themes on the site can be harmful, especially if the plugins and themes haven’t been updated. Outdated plugins and themes increase the risk of cyberattacks as hackers can use them to gain access to your site.

Follow these steps to delete an unused WordPress plugin:

1. Navigate to Plugins → Installed Plugins.
2. You’ll see the list of all installed plugins. Click Delete under the plugin’s name.

Note that the delete button will only be available after deactivating the plugin.

Meanwhile, here are the steps to delete an unused theme:

1. From your WordPress admin dashboard, go to Appearance → Themes.
2. Click on the theme you want to delete.
3. A pop-up window will appear, showing the theme details. Click the Delete button on the bottom-right corner.

How to Utilize WordPress Security Plugins

The next method to improve WordPress security is by using WordPress plugins.

It’s a convenient way to protect your website, but remember not to install all of these plugins at once without further consideration since too many plugins can slow down your site.

First, identify your needs to choose the most effective plugins for your website.

1. Enable Two-Factor Authentication for WP-Admin

Activate two-factor authentication (2FA)to reinforce the login process on your WordPress website. This authentication method adds a second layer of WordPress security to the login page, as it requires you to input a unique code to complete the login process.

The code is available only to you via a text message or a third-party authentication app.

To apply 2FA on your WordPress site, install a login security plugin like Wordfence Login Security. Additionally, you’ll need to install a third-party authentication app such as Google Authenticator on your mobile phone.

Expert Tip

If you’re not sure which two-factor authentication plugin to use, choose the most frequently updated and reviewed one.

Dominykas V.

Cyber Security Specialist

Once you have installed the plugin and the authentication app, follow these steps to enable two-factor authentication:

1. Go to the plugin page on your WordPress admin. If you’re using Wordfence Login Security, navigate to the Login Security menu on the left menu panel.
2. Open the Two-Factor Authentication tab.

3. Use the app on your mobile phone to scan the QR code or enter the activation key.
4. Enter the code generated on your mobile phone app to the available field under the recovery codes section.
5. Click the ACTIVATE button to complete the setup.

Also, download the provided recovery codes in case you lose access to the device that contains the authentication app.

2. Back Up WordPress Regularly

Regularly creating a WordPress site backup is an important mitigation task because it will help you recover your site after incidents, such as cyberattacks or physical damage to the data center. The backup file should include your entire WordPress installation files, like your database and the WordPress core files.

With WordPress, backing up a site can be done using a plugin like All-in-One WP Migration. Follow these steps to create a backup file with this plugin:

1. Install and activate the plugin.
2. Navigate to the All-in-One WP Migration menu at the left menu panel.
3. Select Backups.
4. Click Create Backup.

5. Once the backup is created, it will appear in a list on the Backups page.

6. Download and save the backup to the storage. To do so, go to All-in-One WP Migration → Export.
7. Click the EXPORT TO drop-down menu, select File. This will generate a backup for your site.

8. Once the process is complete, click the download link and save your site backup to designated safe storage, preferably not a location on the same server as your website. This is because backups stored on your web server are publicly accessible, making it vulnerable to cyberattacks.

In case of an incident, you can restore your WordPress site using All-in-One WP Migration’s importing tool.

Hostinger users can also create backups without a WordPress plugin by using the hPanel’s backup feature.

Expert Tip

I wouldn’t recommend storing website backups on a personal computer. Instead, use storage applications like Google Drive. But if you decide to do so, the best way would be to store it in at least three locations, such as your computer, a USB flash drive, and an external storage like Dropbox.

Mantas S.

Site Availability Engineer

3. Limit Login Attempts

WordPress allows its users to make an unlimited number of login attempts on the site. Unfortunately, hackers can brute force their way to your WordPress admin area by using various password combinations until they find the right one.

Thus, you should limit login attempts to prevent such attacks on the website. Limiting failed attempts also helps monitor any suspicious activities on your site.

Most users only need a single try or a few failed attempts, so you should be suspicious of any questionable IP addresses that reach the attempt limit.

One way to limit the login attempts in order to increase WordPress security is by using a plugin. There are many great options available, such as:

• Limit Login Attempts Reloaded – configures the number of failed attempts for specific IP addresses, adds users to the safelist or blocks them entirely, and informs website users about the remaining lockout time.
• Loginizer – offers login security features such as 2FA, reCAPTCHA, and login challenge questions.
• Limit Attempts by BestWebSoft – automatically blocks IP addresses that reach the login attempt limit and adds them to a deny list.

One of the risks of implementing this WordPress security measure is getting a legitimate user locked out of WordPress admin. However, you shouldn’t be worried about that, as there are many ways to recover locked-out WordPress accounts.

4. Change the WordPress Login Page URL

To take a step further to protect your website from brute force attacks, consider changing the login page’s URL.

All WordPress websites have the same default login URL – yourdomain.com/wp-admin. Using the default login URL makes it easy for hackers to target your login page.

Plugins like WPS Hide Login and Change wp-admin Login enable custom login URL settings.

If you use the WPS Hide Login plugin, here are the steps to change your WordPress login page URL:

1. On your dashboard, go to Settings → WPS Hide Login.
2. Fill in the Login URL field with your custom login URL.
3. Click the Save Changes button to finish the process.

5. Log Idle Users Out Automatically

Many users forget to log out of the website and leave their sessions running. Hence, letting someone else who will use the same device access their user accounts and potentially exploit confidential data. This especially applies to users who use public computers in internet cafes or public libraries.

Therefore, it’s crucial to configure your WordPress website to log inactive users out automatically. Most banking sites use this technique to prevent unauthorized visitors from accessing their sites, ensuring that their client’s data is safe.

Using a WordPress security plugin like Inactive Logout is one of the easiest ways to log out idle user accounts automatically. Aside from terminating idle users, this plugin can also send a custom message to alert idle users that their website session will end soon.

6. Monitor User Activity

Identify any unwanted or malicious actions that put your website in danger by tracking activities in your admin area.

We recommend this method for those who have multiple users or authors accessing their WordPress website. That’s because users may change settings that they should not, like altering themes or configuring plugins.

By monitoring their activities, you will know who is responsible for those unwanted changes and if an unauthorized person has breached your WordPress website.

The easiest way to track user activity is by using a WordPress plugin, such as:

• WP Activity Log – monitors changes on multiple website areas, including posts, pages, themes, and plugins. It also logs newly added files, deleted files, and modifications to any file.
• Activity Log – monitors various activities on your WordPress admin panel and lets you set rules for email notifications.
• Simple History – in addition to recording activity log on WordPress admin, it supports multiple third-party plugins like Jetpack, WP Crontrol, and Beaver Builder, recording all activity related to them.

7. Check for Malware

The AV-TEST Institute registers over 450,000 new malware and potentially unwanted applications (PUA) every day. Some malware even have a polymorphic nature, meaning they can modify themselves to avoid security detection.

Thus, it’s crucial to regularly scan your WordPress site for malware since attackers always develop new types of threats.

Fortunately, many great WordPress hack scanner plugins can scan malware and improve WordPress security.

Our experts recommend these security plugins to install on your site:

• Wordfence – a popular WordPress security plugin with real-time malware signature updates and alert notifications that inform if another site has blocklisted yours for suspicious activity.
• BulletProof Security – helps secure your WordPress website with an idle session logout feature, hidden plugin folders that aren’t visible in the WordPress plugins section, and database backup and restoration tools.
• Sucuri Security – one of the best security plugins on the market, offering various SSL certificates, remote malware scanning, and post-hack security action features.

Expert Tip

If your WordPress website is infected with malware, follow these key points:
1. Be sure to always have your wp-admin area accessible, perform a scan, and get rid of the malware.
2. Make sure that your plugins, themes, and WordPress core software are up to date.
3. Check for vulnerabilities in your database to see if your plugins or themes are listed there as a risk.

Mantas S.

Read Also:  How to Fix “cURL Error 28” on WordPress Websites

Site Availability Engineer

How to Secure WordPress Without Using Plugins

It’s also possible to enhance your website security without using plugins. Most of these tasks will involve tweaking your site’s code, but no need to worry – we’ll show you how to do it step by step.

1. Disable PHP Error Reporting

The PHP error reporting displays the full information about your website’s paths and file structure, making it a great feature for monitoring your site’s PHP scripts.

However, showing your website’s vulnerabilities on the backend is a serious WordPress security flaw.

For example, if it displays a specific plugin on which the error message has appeared, cybercriminals could use that plugin’s vulnerabilities.

There are two ways to disable PHP error reporting – via the PHP file or your hosting account’s control panel.

Modifying the PHP File

Follow these steps to modify your PHP file:

1. Open your site’s wp-config.php file using an FTP client such as FileZilla or your hosting provider’s File Manager.
2. Add the following code snippet to the file. Make sure to add it before any other PHP directive.

error_reporting(0);
@ini_set(‘display_errors’, 0);

3. Click Save to apply the change.

Changing PHP Settings Using the Control Panel

If you don’t want to code, disable the PHP error reporting via your hosting provider’s control panel. Here’s how to do so via hPanel:

1. From your hPanel dashboard, navigate to the Advanced section. Then, click PHP Configuration.
2. Go to the PHP Options tab, uncheck the displayErrors option.

3. Click Save.

2. Migrate to a More Secure Web Host

Multiple WordPress security measures won’t matter much if the hosting environment is prone to cyberattacks. Your hosting provider should guarantee a safe space for all your website data and files on their server, so it’s critical to choose the one that has an excellent security level.

If you think your current web hosting company is not secure enough, it’s time to migrate your WordPress website to a new hosting platform. Here’s what you need to consider when searching for a secure web host:

• Type of web hosting – shared and WordPress hosting types tend to be more vulnerable to cyberattacks than other types of hosting due to resource sharing. Select a web host that also offers VPS or dedicated hosting to isolate your resources.
• Security – a good hosting provider monitors its network for suspicious activity and periodically updates its server software and hardware. They also need to have server security and protection against all types of cyberattacks.
• Features –regardless of the hosting type, having automatic backups and security tools for preventing malware is a must-have feature to safeguard your WordPress site. In the worst-case scenario, you will be able to use it to restore a compromised website.
• Support – choosing a hosting company with a 24/7 support team with excellent technical knowledge is essential. They will help you protect your data and tackle any technical and safety problems that may occur.

Hostinger’s WordPress hosting offers the essential resources and features needed to protect your WordPress website, such as a web application firewall and a malware scanner like Monarx. We also provide virtual private servers and cloud hosting service if you prefer to keep resources isolated.

3. Turn File Editing Off

WordPress has a built-in file editor that makes editing WordPress PHP files easy. However, this feature can become a problem if hackers gain control of it.

For this reason, some WordPress users prefer to deactivate this feature. Add the following line of code to the wp-config.php file to disable file editing:

define( 'DISALLOW_FILE_EDIT', true );

If you want to re-enable this feature on your WordPress site, simply remove the previous code from wp-config.php using an FTP client or your hosting provider’s File Manager.

4. Restrict Access Using the .htaccess File

The .htaccess file ensures that WordPress links work properly. Without this file declaring the correct rules, you will get many 404 Not Found errors on your site.

Furthermore, .htaccess can block access from specific IPs, restrict access to only one IP, and disable PHP execution on particular folders. Below we’ll show you how to use .htaccess to harden your WordPress security.

Disabling PHP Execution in Specific Folders

Hackers often upload backdoor scripts to the Uploads folder. By default, this folder only hosts uploaded media files, so it shouldn’t contain any PHP files.

To secure your WordPress site, disable the PHP execution in the folder by creating a new .htaccess file in /wp-content/uploads/ with these rules:

<Files *.php>
deny from all
</Files>

Protecting the wp-config.php File

The wp-config.php file in the root directory contains WordPress core settings and MySQL database details. Thus, the file is usually a hacker’s primary target.

Protect this file and keep WordPress secure by implementing these .htaccess rules:

<files wp-config.php>
order allow,deny
deny from all
</files>

5. Change the Default WordPress Database Prefix

WordPress database holds and stores all crucial information required for your site to function. Therefore, hackers often target the database with SQL injection attacks. This technique injects harmful code into the database and can bypass WordPress security measures and retrieve the database content.

Over 50% of cyberattacks consist of SQL injection, making it one of the biggest threats. Hackers execute this attack because many users forget to change the default database prefix wp_.

Let’s take a look at two methods that you can implement to protect your WordPress database from SQL injection attacks.

Changing Table Prefix

1. From your hPanel dashboard, navigate to the File Manager and open the wp-config.php file. Alternatively, use an FTP client to access the file.
2. Look for the $table_prefix value within the code.

3. Replace the default WordPress database prefix wp_ with a new one. Use a combination of letters and numbers to create a unique prefix for the website.

4. Click Save & Close.
5. Moving back to the hPanel dashboard, go to the Databases section and click phpMyAdmin. Then, open the site’s database by clicking Enter phpMyAdmin.

6. If you have multiple databases, find the database’s name in the wp-config.php file. Look for the following block of code:

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'MySQL Database' );

7. Scroll down to the bottom and click on the Check all button.

8. Click on the With selected: drop-down menu and select the Replace table prefix option.

9. Enter the current prefix along with a new one, and select Continue.

Updating Prefix Values in the Tables

Depending on the number of WordPress plugins installed on your site, you may need to update some values in the database manually. Do this by running separate SQL queries on tables that are likely to have values with the wp_ prefix– these include the options and usermeta tables.

Use the code below to filter all values that contain the following prefix:

SELECT * FROM `wp_1secure1_tablename` WHERE `field_name` LIKE '%wp_%'

wp_1secure1_tablename contains the table name in which you want to perform the query. Meanwhile, field_name represents the name of the field/column where values with wp_ prefix most likely appear.

Here’s how to manually change the prefix value:

1. From the phpMyAdmin dashboard, navigate to a table with the prefix value that you want to update. For example, open wp_1secure1_usermeta.

2. Navigate to the SQL tab at the top menu bar.

3. Enter the code above in the SQL query editor to filter the values containing wp_, and click Go. Be sure to modify the information according to your actual table and field names.

4. The filter results will appear. Click the Edit button next to the targeted field.

5. Change the prefix value, and click Go. Perform steps 4 and 5 to all filtered values.

6. Repeat from step 1 for the rest of the tables within the database to update all values withthe wp_ prefix.

6. Disable XML-RPC

XML-RPC is a WordPress feature for accessing and publishing content via mobile devices, enabling trackbacks and pingbacks, and using the Jetpack plugin on your WordPress website.

However, XML-RPC has some weaknesses that hackers can exploit. The feature lets them make multiple login attempts without being detected by the security software, making your site prone to brute force attacks.

Hackers can also take advantage of the XML-RPC pingback function to perform DDoS attacks. It allows attackers to send pingbacks to thousands of websites at once, which can crash the targeted sites.

To determine whether XML-RPC is enabled, run your site through an XML-RPC validation service and see whether you receive a success message. This means that the XML-RPC function is running.

You can disable the XML-RPC function either by using a plugin or manually.

Disabling XML-RPC Using a Plugin

Using a plugin is the faster and simpler way to block the XML-RPC feature on your website. We recommend using the Disable XML-RPC Pingback plugin. It will automatically turn off some of the XML-RPC functionalities, preventing hackers from performing attacks using this WordPress security flaw.

Disabling XML-RPC Manually

Another way to stop all incoming XML-RPC requests is by doing it manually. Locate the .htaccess file in your root directory and paste the following code snippet:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
 deny from all
 allow from 000.00.000.000
</Files>

To allow XML-RPC to access a particular IP, replace the 000.00.000.000 with the IP address or delete the code line altogether.

7. Hide the WordPress Version

Hackers can break into your site easier if they know which version of WordPress you’re running. They can use that version’s vulnerabilities to attack your site, especially if it’s an older WordPress version.

Luckily, it’s possible to hide the information from your site using the WordPress Theme Editor. Follow the steps to do so:

1. From your WordPress dashboard, navigate to Appearance → Theme Editor.
2. Choose your current theme and select the functions.php file.

3. To remove the version number from the header and RSS feeds, paste the following code to the functions.php file:

function dartcreations_remove_version() {
return '';
} add_filter('the_generator', 'dartcreations_remove_version');

4. WordPress generator meta tag also displays the WordPress version number. Add this line to get rid of it:

remove_action('wp_head', 'wp_generator');

5. Click Update File to save the changes.

8. Block Hotlinking

Hotlinking is the term used when someone displays your website’s asset, usually a picture, on their website. Every time people visit a website with hotlinks to your content, it uses up your web server resources, slowing down your site.

To see if your content was hotlinked, type the following query in Google Images, replacing yourwebsite.com with your domain name:

inurl:yourwebsite.com -site:yourwebsite.com

To prevent hotlinking, use an FTP client, a WordPress security plugin, a CDN, or edit the control panel’s settings.

9. Manage File Permissions

Prevent hackers from gaining access to your admin account by determining which users can read, write, or execute your WordPress files or folders.

You can use your web host’s File Manager, FTP client, or via command line to manage file and folder permissions.

Generally, permissions are set by default, which may vary depending on different files or folders. Specifically for the wp-admin folder and wp-config file, make sure only to allow the Owner to write it.

Conclusion

Cyberattacks may come in different forms, from malware injection to DDoS attacks. WordPress websites, in particular, are common targets for hackers due to the CMS’s popularity. Therefore, WordPress website owners must know how to secure their sites.

However, securing a WordPress site is not a one-time task. You need to continuously reassess it since cyberattacks are ever-evolving. The risk will always be there, but you can apply WordPress security measures to reduce those risks.

We hope this article has helped you understand the importance of WordPress security measures and how to implement them.

Feel free to leave a comment if you have any questions or more WordPress security tips.

How do I Improve WordPress Security FAQ