How to Secure WordPress from Hackers

WordPress is the most popular CMS for blogs, news sites and small businesses, and it has been a top target among hackers. Follow the easy steps below to secure your WordPress site.

Most website owners do not think about security until hackers have compromised the website. There are many security tips for making a blog or website safer.

Block Plugin Updates and Installation

Plugins help with rapid application development, but they are also a key route by which websites get hacked. Many plugins are developed and available to install, but not all of them are safe.

Make sure that users of your website are not allowed to update plugins or install any new plugins. For that you can use the following code snippet. Add the snippet below to your wp-config.php file; it will disable access to new updates or installations.

Disable File Edits from the WordPress Admin

WordPress defines different user roles according to the work each user does. With some of these roles, a user who has access to your WordPress admin area also has access to all the files that are currently installed on WordPress, including all plugins and themes. With access to the files, a user can open the theme in the built-in editor and start changing the theme's HTML. They may only want to fix a spelling error or switch a CSS class in the HTML, but someone who doesn't know what they are doing can easily break the look of the site.

Disabling the editing of PHP files in your WordPress themes and plugins is one way to keep a hacker from making significant changes to your WordPress website without your permission. After gaining access to the WordPress admin, the first place a hacker will usually go is the themes and plugins.

You can stop all users from editing files in the WordPress admin area. The only way to change the files would then be to upload them through FTP.

  • Step 1: Open the wp-config.php file in the root folder through FTP.
  • Step 2: Now add the line of code below to the wp-config.php file.

Securing WordPress with the .htaccess File

There are many plug-ins that can set up .htaccess protection for you. Used in conjunction with plug-ins and regular updates, the .htaccess file will tighten up your site's security and give you that extra level of protection.

Below are some great tips for protecting some of the essentials in your WordPress install, showing how and where to add the code snippets; you don't have to use every single one, just whichever you feel would help you secure your site.

The typical WordPress .htaccess file looks similar to this:

Securing the wp-includes Directory

If you know the basics of the WordPress directory's .htaccess file, let's try a practical example of how to use it to secure the more sensitive files in your wp-includes directory with .htaccess rules. Here is the code you would put after the WordPress commented section in your .htaccess file to block access to critical files in your wp-includes directory:


If you are not familiar with .htaccess files and mod_rewrite rules, don't worry: you can simply copy and paste the above code into the .htaccess file in your main WordPress folder and you will be fine. The one rule on the fifth line above won't work for multi-site installations that need to write images, but everything else should work in almost all cases. You can comment out or delete the fifth line and you will still have tighter security for wp-includes than you had prior to adding the above code. Commenting out the fifth line does lessen security a little. If you have a multi-site WordPress installation, do that. If you only have one site, it won't be an issue.

Securing the wp-config.php File

The main file where you configure the database is wp-config.php. You can secure access to the wp-config.php file using .htaccess as well. Add the declaration below at the top of the file, before anything else, and no one will be able to access the file via FTP or otherwise:

As a further step, you can also move your wp-config.php file up one directory for tighter security. This method should be used only by those who know the implications, because it has been discussed extensively and there are many arguments both for and against moving the wp-config.php file up one directory.
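
One way to verify the settings from the sections above, as an added example that is not part of the original article: a Python check that reads the text of a site's wp-config.php and .htaccess and reports which protections are missing. It assumes the WordPress constants DISALLOW_FILE_MODS and DISALLOW_FILE_EDIT for the two wp-config.php settings and an Apache `<Files wp-config.php>` deny block for the .htaccess rule; the sample file contents are constructed.

```python
import re

def strip_comments(text, markers):
    """Drop whole-line comments so commented-out settings do not count."""
    return re.sub(r"(?m)^[ \t]*(?:%s).*$" % "|".join(markers), "", text)

def constant_is_true(wp_config, name):
    """True if wp-config.php defines the constant as the PHP literal true."""
    src = strip_comments(wp_config, ["//", "#"])
    pat = r"define\s*\(\s*['\"]%s['\"]\s*,\s*true\s*\)" % re.escape(name)
    return re.search(pat, src, flags=re.I) is not None

def htaccess_denies(htaccess, filename):
    """True if a <Files> block denies all requests (Apache 2.2 or 2.4 syntax)."""
    src = strip_comments(htaccess, ["#"])
    block = re.search(r"<Files\s+\"?%s\"?\s*>(.*?)</Files>" % re.escape(filename),
                      src, flags=re.I | re.S)
    deny = r"deny\s+from\s+all|require\s+all\s+denied"
    return bool(block and re.search(deny, block.group(1), flags=re.I))

def audit(wp_config, htaccess):
    """Return a list of missing protections; an empty list means all are set."""
    # Assumption: DISALLOW_FILE_MODS / DISALLOW_FILE_EDIT are the constants meant
    # by the article; DISALLOW_FILE_MODS also turns off the built-in file editor.
    mods_off = constant_is_true(wp_config, "DISALLOW_FILE_MODS")
    edit_off = mods_off or constant_is_true(wp_config, "DISALLOW_FILE_EDIT")
    findings = []
    if not mods_off:
        findings.append("plugin updates and installs are allowed from the admin")
    if not edit_off:
        findings.append("theme and plugin file editor is enabled")
    if not htaccess_denies(htaccess, "wp-config.php"):
        findings.append(".htaccess does not deny requests for wp-config.php")
    return findings

# Constructed sample files, not taken from a real site.
WEAK_CONFIG = ("<?php\ndefine('DB_NAME', 'example_db');\n"
               "// define('DISALLOW_FILE_EDIT', true);\n")
HARDENED_CONFIG = WEAK_CONFIG + ("define( 'DISALLOW_FILE_EDIT', true );\n"
                                 "define( 'DISALLOW_FILE_MODS', true );\n")
WEAK_HTACCESS = "# BEGIN WordPress\n# END WordPress\n"
HARDENED_HTACCESS = ("<Files wp-config.php>\nOrder allow,deny\nDeny from all\n"
                     "</Files>\n") + WEAK_HTACCESS

if __name__ == "__main__":
    for label, cfg, hta in [("weak", WEAK_CONFIG, WEAK_HTACCESS),
                            ("hardened", HARDENED_CONFIG, HARDENED_HTACCESS)]:
        print(label, audit(cfg, hta) or "no findings")
```

To check a real install, pass the contents of the site's own wp-config.php and root .htaccess to `audit()`.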
