Best strategy for latest WordPress Security

WordPress is currently the most popular CMS – Content Management System based on PHP and MySQL. According to wikipedia 33.6% top 10 million websites in the internet is built on WordPress. This is a huge number. WordPress has the biggest community of users, developers and hackers.

In January 2017, security auditors at Sucuri identified a vulnerability in the WordPress REST API that would allow any unauthenticated user to modify any post or page within a site running WordPress 4.7 or greater. The current WordPress version is 5.3.1

Every time WordPress releases an update – it means one or more security patches either minor or major have been fixed. So, it is very common that hackers will find out what was the problem on older version and they plan to attack on older versions. It is generally accepted that if a WordPress website is not updated to its latest version within 10 days, there is a possibility of the site get hacked. Well hacking is not that easy but affecting your website speed, up-time and server due to DDoS attacks is considered as implicit hacking. To secure your WordPress blog, forum, gallery or website it is important to follow best practice security strategy.

Following are the most recommended and proved way to keep WordPress sites secured –

#1. Back up the website first

Its important to keep a full backup of the website before making any changes like upgrading plugins, themes and WordPress.

#2. Update plugins, themes and WordPress

This is the most important step to keep a WordPress website secured. Update all plugins, themes and WordPress core. After update check if the design and functionality of the website is same as before. For WordPress 5.2.2 PHP version must be 5.6.40 or above

#3. Secure contact forms

Contact forms are most frequently targeted by the hackers and spammers. Secure all the contact forms with recaptcha.

#4. Secure WordPress login page

Secure WordPress login page with recaptcha. It is also a good practice to change the WordPress login URL. There are lots of security plugin where it can be done easily. I have used WPS Hide login.

#5. Restrict access to files and folders

Change the file permissions to 644 and Folder permissions to 755. 644 means, Administrator can read, write but can’t execute, Group and Others can read only. 755 means, Administrator can read, write and execute. Group and Others can read, execute but can’t write.

#6. Disable directory Indexing

Copy and paste the following code snippet at the beginning of the .htaccess file. This will remove directory indexing and make the server respond with a 403 forbidden message.

# Disable directory Indexing
Options -Indexes

#7. Block access to potentially sensitive files

WordPress sensitive files are commonly wp-config.php, xmlrpc.php and .htaccess. Normally, WordPress core makes .htaccess files protected by default. But other files like wp-config.php and xmlrpc.php files are not protected by WordPress by default. So, blocking hackers to get access to these files will help to reduce bot attacks because these two files are most frequent victim of DDoS. Add this following code Snippet at the bottom of the .htaccess file.

<Files xmlrpc.php>
Require all denied
<Files wp-config.php>
Require all denied

#8. Enable bot protection

Enable Web application firewall in the server. If not available in the server, then install a firewall plugin. For example: WordFence Security , Sucuri etc. Bot protection by firewall is very effective. It blocks the internet IP of the suspected visitor or the suspected website user. In such cases, make sure you make your own internet IP white listed by the firewall.

#9. Disable file editing in WordPress Dashboard

Disallow editing WordPress plugins and theme files from the dashboard. Also, it is recommended to disable “add new” and “update now” functionality of plugins, themes from WowrdPress dashboard. Add the following line of code in the .htaccess file under the database credentials block.

define(‘DISALLOW_FILE_EDIT’, true);

#10. Turn off ping backs

Linking to your own posts . Means interlinking, which is great for SEO. However with pingbacks enabled on your site, and WordPress automatically creates for your site can become annoying. These pingbacks appear in the comments section of your posts. Spammers might take advantage of this feature to spam your comment box. Add the following code snippet into theme’s functions.php file.

function no_self_ping( &$links ) {
    $home = get_option( 'home' );
    foreach ( $links as $l => $link )
        if ( 0 === strpos( $link, $home ) )
add_action( 'pre_ping', 'no_self_ping' );

#11. Forbid execution of PHP scripts in the wp-includes and wp-content/uploads directory

Change the file permissions inside the wp-includes directory to 644 and wp-content/uploads directory to 666. So that Groups and Others don’t have the write and execute permissions.

#12. Block unauthorized access to to wp-config.php

Add the following code snippet in .htaccess file if you have not already added in the previous steps.

Require all denied

#13. Disable scripts concatenation for WordPress admin panel

Add the following line of code in the wp-config.php file. You may place it before or after the database credentials block. I prefer add it before.

 define('CONCATENATE_SCRIPTS', false );

#14. Enable hotlink protection

Hotlink protection restrict unauthorized uses of your website images such as jpg, png, gif etc. This can be achieved from cpanel or .htaccess.

  • If you have cPanel access, most of the time it is just one click to enable “Hotlink protection”.
    • In regular cPanel, there is an option called “Hotlink protection”. Click to enable it.
    • In Plesk control panel it can be found under security check > Enable hotlink protection.
  • Recommended and this is always my favorite to add rules in .htaccess. This is how you will do it from the .htaccess file.

Add the following code snippet at the bottom in the .htaccess file. In the following code snippet, I have authorized,,, and my other wp blog for hot-linking image files. google, facebook and these 3 lines are optional. You can add many more like this.

# Start Prevent image hotlinking
RewriteCond %{HTTP_REFERER} !^$ 
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC] 
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC] 
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC] 
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC] 
RewriteRule \.(jpg|jpeg|png|gif)$ - [F] 
# End Prevent image hotlinking

#15. Block author scans

A popular technique used by hackers to gain unauthorized access to websites is called ‘Brute Force’. Using this technique, hackers use software designed to scan a website for vulnerabilities and gain access by exploiting any of them. One most common entry point that these brute force bots try to exploit is by running an author scans. Simply add this code snippet on your .htaccess file to block author scans.

# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans 

#16. Change default administrator’s username

WordPress creates a default username called “admin” during a new WordPress installation. Often Hackers try to login with this username. Most users change this username during first time installation. If you see that username on site’s user list remove it. Here is how to do it –

  • Create a new user with administrative privileges
  • log out and sign in with newly created user
  • Then remove the admin user. [ Transfer the ownership of post and pages to the new user]

#17. Configure security keys

It is a next level WordPress security measure. By changing WordPress security keys and Salts, you can make your WordPress website more secured. Keys can be changed from the wp-config.php file. This is how to do it –

  • Open wp-config.php file in a text editor such as atom, sublime, notepad++ etc.
  • Scroll down to find the security keys block. Normally this block is just under the database credentials.
  • Replace the random value of each keys with a completely new values. Recommended length for the random value is 60+ characters.
  • Save the wp-config.php file. Done.

#18. Change default database table prefix

WordPress uses a database table prefix by default ” wp_”. 99.99% time a secured WordPress website must have changed this to a different and complex prefix. A complex database prefix helps a lot to prevent SQL injection. SQL injection is very dangerous and its very common.

There are many ways to change WordPress database prefix. It can be done through control panel, manually by modifying wp-config.php and database table names or by using a simple plugin. I recommend you to use a plugin for that. I have used “Change Table Prefix” plugin. There are few more similar plugins. You can try any of those.

#19. Prevent Cross site scripting attacks

Implementing HTTP security headers are an important way to keep your site and your visitors safe from attacks and hackers. Simply add the following code snippet in the .htaccess file-

#Security Headers - X-XSS-Protection
<IfModule mod_headers.c>
  Header set X-XSS-Protection "1; mode=block"

#20. Enable X-Content-Type-Options matching

This code snippet will match the served file extension in the browser with the server file extension of the file. The X-Content-Type-Options header is used to protect against MIME sniffing vulnerabilities.

#Security Headers - X-Content-Type: nosniff
<IfModule mod_headers.c>
  Header set X-Content-Type-Options nosniff

#21. Set .htaccess file permission and wp-config.php file permission specially

Set .htaccess permission to 444 (r– r– r–) and wp-config.php permission to 400 (r– — —)

#22. Enable Web Application Firewall (WAF)

Many servers has this function by default. Some servers has different mod_security rules. Which are very useful. If your server doesn’t have WAF then you can achieve it via installing a WordPress security plugin like WordFence. I use it.


Security is important for all websites in the internet. A non-secured site is vulnerable to all sorts of attacks like Cross scripting, SQL injection, Hot linking, Spamming and server issues. To protect your website reputation and server health, it is recommended for all those who has website.

Leave a Reply