10 Ways to Secure Your WordPress Site Without Plugins

WordPress is one of the most popular website platforms, but it is also a common target for hackers. Many users rely on security plugins, but you can protect your site manually without them. In this guide, we’ll cover 10 effective ways to secure your WordPress site without using plugins.

Why WordPress Security Matters

As the most widely used CMS, WordPress attracts hackers looking for vulnerabilities. If your site isn’t properly secured, you risk data breaches, malware infections, and even loss of search engine rankings. Google blacklists thousands of sites every day due to security issues, affecting their online presence and business reputation. Implementing WordPress security best practices is crucial for maintaining a secure WordPress website and protecting your sensitive data.

1. Limit Login Attempts with .htaccess

Brute-force attacks occur when hackers try multiple password combinations to gain access to your site. You can prevent repeated login attempts by adding rate-limiting rules to your .htaccess file:

RewriteEngine on
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .wp-login.php*
RewriteCond %{REMOTE_ADDR} !^Your.IP.Address$
RewriteRule .* - [F,L]

2. Disable XML-RPC

The xmlrpc.php file is often targeted for brute-force and DDoS attacks. You can disable it by adding the following line to your .htaccess file:

<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>

Alternatively, you can add this to your functions.php file:

add_filter('xmlrpc_enabled', '__return_false');

Disabling XML-RPC enhances your WordPress security and helps prevent attacks targeting this file.

3. Change the Default Login URL

Hackers and bots commonly target the /wp-admin login page. Changing the login URL adds an extra layer of security. You can manually change it by adding the following to your functions.php file:

function custom_login_url() {
return '/my-custom-login'; // Change this to your desired login URL
}
add_filter('login_url', 'custom_login_url');

Using a custom WordPress login URL makes it harder for hackers to locate your admin panel.

4. Set Proper File Permissions

Incorrect file permissions can give hackers access to sensitive files. Ensure the correct file permissions are set:

• Directories: 755
• Files: 644

This prevents unauthorized users from modifying files or gaining control of your site. Ensuring secure WordPress file permissions reduces the risk of security breaches.

5. Protect wp-config.php

Your wp-config.php file contains sensitive database credentials. Secure it by adding this to your .htaccess file:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

This prevents direct access to the file, keeping your site’s configuration safe. Hiding wp-config.php from attackers is a critical step in WordPress security.

6. Disable Directory Indexing

Directory indexing allows attackers to see the files in your directories, increasing the risk of exploits. To disable it, add this line to your .htaccess file:

Options -Indexes

This simple tweak stops hackers from browsing your site’s files, improving WordPress security without plugins.

7. Force HTTPS

HTTPS encrypts data transmission between your website and users, making it harder for attackers to intercept sensitive information. Add the following to your .htaccess file to force HTTPS:

RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]

This ensures that all connections to your site are encrypted and secure. Enabling HTTPS on WordPress improves security and is also a ranking factor in Google’s search algorithm.

8. Hide WordPress Version

Displaying your WordPress version can help hackers find vulnerabilities. Hide it by adding this line to your functions.php file:

remove_action('wp_head', 'wp_generator');

This prevents your WordPress version from appearing in your site’s source code, reducing exposure to exploits targeting specific versions. Hiding the WordPress version number is a small but effective security measure.

9. Secure wp-admin Access

Restrict access to your wp-admin dashboard by allowing only specific IP addresses. Add this code to your .htaccess file:

<Files wp-admin>
order deny,allow
deny from all
allow from YOUR_IP_ADDRESS
</Files>

Replace YOUR_IP_ADDRESS with your actual IP to ensure that only you can access the admin area. Limiting WordPress admin access by IP significantly reduces the risk of unauthorized logins.

10. Backup Your Database Regularly

No security measure is foolproof, so regular backups are crucial. Schedule database backups manually using phpMyAdmin or a cron job to ensure you always have a recent copy of your site’s data. Also, test your backups periodically to ensure they work when needed. Performing regular WordPress backups ensures quick recovery in case of an attack.

Additional WordPress Security Tips

• Keep your WordPress core, themes, and plugins updated.
• Use strong passwords and enable two-factor authentication (2FA) for admin users.
• Regularly check your server logs for suspicious activity.
• Scan your website for malware using online tools.Remove unused WordPress themes and plugins to reduce potential vulnerabilities.

Conclusion

Website security isn’t a one-time task. Regularly check your server logs, update your software, and review your settings to stay ahead of potential threats. Implementing these steps will significantly enhance your WordPress security without relying on plugins.

By following these WordPress security best practices, you can protect your website from hackers and ensure a safe online experience for your visitors.

Have you tried any of these steps? Let me know what works for you or if you have other tips!