11 Tips On How To Secure WordPress Without Plugins
After completing the setup of your website, it’s vital to set up its security. There are plenty of excellent security tools out there, and some are even free. Likewise, the platform itself has many built-in security features that developers audit regularly. Installing a WordPress security plugin can be very helpful in keeping your website secure; some common ones are Wordfence, Sucuri Security, and All In One WP Security & Firewall. However, you can also improve the security of your site without installing a WordPress security plugin.
In today’s article, we provide some useful tips on how to secure your WordPress site without relying on third-party plugins. Applying them can increase the security of your WordPress website remarkably. You can perform most of these best practices from the WordPress admin; the others are done from your hosting account’s cPanel or by editing a couple of configuration files.
With that in mind, here are 11 tips on how to secure WordPress without installing a plugin.
Perform updates regularly
WordPress has a core team that continuously monitors security issues and new vulnerabilities that threaten the platform and patches them. You can find these security patches and bug fixes under Dashboard > Updates in your WordPress admin menu.
Make sure to keep an eye on this and update your website regularly. Aside from WordPress core, you also need to update your themes and plugins, because their authors issue security updates as well whenever they deem it necessary.
Apply the Principle of Least Privilege
One of the most common WordPress security issues is site owners granting users far higher privileges than they need. Under the Principle of Least Privilege (PoLP), you should give each user only the permissions required to do their work on your site, and no more.
The user management system of WordPress is outstanding and comes with the following distinct roles for every user:
- Subscriber
- Contributor
- Author
- Editor
- Administrator
The only time you want to give a user admin privileges is when they really have to perform plugin updates, theme installation, settings changes, and other admin tasks. You can choose a user role from a dropdown list when adding a new user, and you can change an existing user’s role from the Users admin page.
You may also want to review the Roles and Capabilities table in the WordPress Codex if you want to further secure your site. Once you have reviewed it, decide what permissions each of your users actually needs. This is not because they are likely to abuse their roles; it is because if one of their accounts is hacked or otherwise compromised, the damage to your website will be limited.
Avoid using the default admin username provided by WordPress
You are putting your WordPress security at high risk if you continue to use the default admin username. Automated brute-force attacks often target the admin user account, and they do so in bulk: rather than aiming at a specific site, they look for sites that still use the default admin username.
However, changing your admin username is not as simple, since the platform does not let you change it directly from your admin area; you would have to change it in the database. There is an easier way, though: create a new admin user with a new username, log in with it, and delete the old admin user.
High-Level users should utilize strong passwords
It is vital for good WordPress security that high-level users use strong passwords. WordPress generates a strong password by default when new users register, but users can change it to a weaker one. So pay close attention to your editors and admins to ensure that they are using strong passwords. You may also want to advise them to use a password manager if they think they will forget complex passwords.
Get rid of unnecessary themes and plugins
A lot of site owners are guilty of not deleting themes they don’t really use or of installing too many plugins. This practice can seriously endanger WordPress security: the more themes and plugins you have, the larger your attack surface. Every time you install a new theme or plugin, you increase the risk of your site being hacked. Hence, keep only the ones you truly need.
Moreover, make sure to delete those you don’t need rather than just deactivating them. Since you can only use one theme at a time, there is no point in leaving other installed themes around. If you want better WordPress security, remove inactive ones; reinstalling them later, if necessary, is much quicker than fixing a compromised website.
Backup your site regularly
Content is the most valuable asset of anyone running a successful WordPress blog. Whenever there is an attack on your site, all your content is at risk, including your pages, posts, and media. To protect it, back up your files regularly.
There are a couple of ways to approach this. The first is to create database backups through your hosting account’s cPanel by navigating to File > Backups and downloading your SQL backup file. If something goes wrong, you can restore your entire database from that file. Some hosting plans even offer automated database backups, so consider a plan where your hosting provider handles the backup if you want your database protected.
The second and easiest option is to install UpdraftPlus. This WordPress backup, restore, and clone plugin takes care of everything for you. You can perform complete manual or scheduled backups of all your databases, files, themes, and plugins, with schedules every four, eight, or 12 hours, as well as daily, weekly, fortnightly, or monthly. Backups can be restored directly from your WordPress control panel.
Disable your plugin and theme modifications
By default, admin users can edit plugin and theme files via the WordPress admin. Although this may seem like a convenient feature, it becomes dangerous when an attacker gains access to one of their accounts.
To disable your admins’ ability to edit plugins and themes, add the line below to your wp-config.php file:
```php
define( 'DISALLOW_FILE_EDIT', true );
```
If you want to disable not only the plugin and theme editors but also prevent administrators from installing and updating plugins and themes from the WordPress admin, use the following rule instead:
```php
define( 'DISALLOW_FILE_MODS', true );
```
Remember to use only one of these constants at a time. If you still want to update plugins and themes from the WordPress admin, use DISALLOW_FILE_EDIT. If you would rather perform updates in the background via SFTP, use DISALLOW_FILE_MODS.
Do not allow unfiltered HTML
WordPress also allows editors and admins to post JavaScript code and HTML markup in comments, widgets, posts, and pages. When their accounts are compromised, this can become harmful to your site. If you want the HTML they post to be filtered, add the rule below to your wp-config.php file:
```php
define( 'DISALLOW_UNFILTERED_HTML', true );
```
With this set, the JavaScript and HTML they post is filtered rather than rendered: it appears on your site as plain text instead of executing.
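The three wp-config.php constants above are easy to get wrong: a define() that is still commented out, or both editor constants set at once. The script below is an added example, not code from the original article or from WordPress itself. It parses a wp-config.php fragment for boolean define() calls and reports which of the hardening constants are in effect. The constant names are WordPress’s own; the parsing logic, the audit_wp_config function and the sample configuration are constructed for this example and only handle simple one-line define() statements.

```python
"""Added example (not from the original article): audit a wp-config.php fragment
for DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS and DISALLOW_UNFILTERED_HTML."""
from __future__ import annotations

import re

# Matches define( 'NAME', true|false ); with any spacing or quote style.
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](?P<name>[A-Za-z_]+)['"]\s*,\s*(?P<value>true|false)\s*\)\s*;""",
    re.IGNORECASE,
)


def strip_php_comments(source: str) -> str:
    """Drop /* */ blocks and whole-line // or # comments so a commented-out define() is not counted."""
    source = re.sub(r"/\*.*?\*/", "", source, flags=re.DOTALL)
    return re.sub(r"^[ \t]*(//|#).*$", "", source, flags=re.MULTILINE)


def parse_boolean_defines(source: str) -> dict[str, bool]:
    """Map every boolean define('NAME', true|false); to its value (a later define wins)."""
    found: dict[str, bool] = {}
    for match in DEFINE_RE.finditer(strip_php_comments(source)):
        found[match.group("name").upper()] = match.group("value").lower() == "true"
    return found


def audit_wp_config(source: str) -> dict:
    """Report which hardening constants are in effect and what is still missing.

    DISALLOW_FILE_MODS is treated as covering DISALLOW_FILE_EDIT, as the article
    advises using only one of the two (hypothetical audit logic, not WordPress code).
    """
    defines = parse_boolean_defines(source)
    file_edit = defines.get("DISALLOW_FILE_EDIT", False)
    file_mods = defines.get("DISALLOW_FILE_MODS", False)
    unfiltered_blocked = defines.get("DISALLOW_UNFILTERED_HTML", False)

    findings: list[str] = []
    if not (file_edit or file_mods):
        findings.append("theme/plugin editor still enabled: set DISALLOW_FILE_EDIT or DISALLOW_FILE_MODS")
    if file_edit and file_mods:
        findings.append("DISALLOW_FILE_MODS already covers DISALLOW_FILE_EDIT; keep only one of them")
    if not unfiltered_blocked:
        findings.append("editors/admins can still post unfiltered HTML: set DISALLOW_UNFILTERED_HTML")

    return {
        "editor_disabled": file_edit or file_mods,
        "admin_updates_disabled": file_mods,
        "unfiltered_html_blocked": unfiltered_blocked,
        "findings": findings,
    }


# Constructed sample fragment, not a real site's wp-config.php.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_DEBUG', false );
// define( 'DISALLOW_FILE_MODS', true );   // commented out on purpose: must not count
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_UNFILTERED_HTML', true );
"""

if __name__ == "__main__":
    for key, value in audit_wp_config(SAMPLE_WP_CONFIG).items():
        print(f"{key}: {value}")
```

Run it against a copy of your real wp-config.php by reading the file into audit_wp_config; an empty findings list means the editor is off and unfiltered HTML is blocked, while the admin_updates_disabled flag tells you whether you chose the stricter DISALLOW_FILE_MODS route.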
Deny access to your wp-config file
Your wp-config file is reachable by URL by default, and it holds your most sensitive data, including the database name, username and password, and the authentication salts. It therefore makes sense to explicitly deny access to it.
If you don’t want anyone to reach your configuration, add this snippet to your .htaccess file:
```apache
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
```
In the default WordPress .htaccess file, the snippet above should be placed below the Rewrite rules and above the closing </IfModule> tag.
Deny access to your .htaccess file
Your .htaccess file is located in your WordPress install directory, and you can deny unauthorized access to it as well. The file holds the configuration of your Apache server for that directory, yet by default it may be reachable from the internet.
To check whether your .htaccess file is publicly available, type https://your-website-url.com/.htaccess into the URL bar of your browser. If it is accessible, you can protect your .htaccess file (and any other .hta* file) by applying the rule below:
```apache
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy all
</Files>
```
Disable directory browsing
Most WordPress users are not aware that some WordPress directories can be listed in the browser, meaning anyone can browse their contents at any time. If your directory tree is publicly browsable, you are putting your WordPress security in extreme danger, since just about any attacker can obtain sensitive details about your install from it.
To disable directory listing, add the line below to your .htaccess file:
```apache
Options -Indexes
```
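A quick way to confirm that the .htaccess rules from the last three tips are in place, in a form Apache will honor, is to lint the file. The script below is an added example and not part of the original article; audit_htaccess, its helper names and the sample .htaccess contents are constructed here. It goes slightly beyond the article in accepting both the Apache 2.2 "Deny from all" syntax shown above and the Apache 2.4 equivalent "Require all denied", which is what Apache 2.4 expects unless the mod_access_compat module is loaded.

```python
"""Added example (not from the original article): check an .htaccess file for the
wp-config.php deny rule, the .hta* deny rule and Options -Indexes."""
from __future__ import annotations

import re

# <Files ...> ... </Files> containers (non-greedy, case-insensitive, may span lines).
FILES_BLOCK_RE = re.compile(r"<Files\s+(?P<pattern>[^>]+)>(?P<body>.*?)</Files>", re.IGNORECASE | re.DOTALL)
# Apache 2.2 "Deny from all" (as in the article) or the Apache 2.4 "Require all denied".
DENY_ALL_RE = re.compile(r"^\s*(?:Deny\s+from\s+all|Require\s+all\s+denied)\s*$", re.IGNORECASE | re.MULTILINE)
OPTIONS_RE = re.compile(r"^[ \t]*Options\b(?P<opts>[^\n]*)$", re.IGNORECASE | re.MULTILINE)


def strip_comments(text: str) -> str:
    """Remove whole-line # comments such as the '# BEGIN WordPress' markers."""
    return re.sub(r"^[ \t]*#.*$", "", text, flags=re.MULTILINE)


def pattern_matches(pattern: str, filename: str) -> bool:
    """Emulate <Files> matching: a literal (optionally quoted) name, or '~ "regex"'."""
    pattern = pattern.strip()
    if pattern.startswith("~"):
        return re.search(pattern[1:].strip().strip('"'), filename) is not None
    return pattern.strip('"') == filename


def denied_by_htaccess(htaccess: str, filename: str) -> bool:
    """True if some <Files> block that matches filename denies all access.

    Simplification (constructed for this example): a later 'Allow' inside the same
    block is not modelled, only the presence of a deny-all directive.
    """
    return any(
        pattern_matches(m.group("pattern"), filename) and DENY_ALL_RE.search(m.group("body")) is not None
        for m in FILES_BLOCK_RE.finditer(strip_comments(htaccess))
    )


def directory_listing_disabled(htaccess: str) -> bool:
    """True if an Options line contains -Indexes (e.g. 'Options -Indexes +FollowSymLinks')."""
    return any(
        "-indexes" in m.group("opts").lower().split()
        for m in OPTIONS_RE.finditer(strip_comments(htaccess))
    )


def audit_htaccess(htaccess: str) -> dict:
    """Run the three checks and list what is still missing."""
    checks = {
        "wp_config_denied": denied_by_htaccess(htaccess, "wp-config.php"),
        "htaccess_denied": denied_by_htaccess(htaccess, ".htaccess"),
        "indexes_disabled": directory_listing_disabled(htaccess),
    }
    advice = {
        "wp_config_denied": "add a <Files wp-config.php> block that denies all access",
        "htaccess_denied": 'add a <Files ~ "^.*\\.([Hh][Tt][Aa])"> block that denies all access',
        "indexes_disabled": "add 'Options -Indexes'",
    }
    checks["findings"] = [advice[name] for name, ok in list(checks.items()) if not ok]
    return checks


# Constructed sample: the stock WordPress rewrite block plus the article's three rules.
HARDENED_HTACCESS = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
</IfModule>
# END WordPress
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy all
</Files>
Options -Indexes
"""

# Constructed sample: the same file before any hardening was applied.
DEFAULT_HTACCESS = HARDENED_HTACCESS.split("<Files wp-config.php>")[0] + "</IfModule>\n"

if __name__ == "__main__":
    for label, content in (("hardened", HARDENED_HTACCESS), ("default", DEFAULT_HTACCESS)):
        print(label, audit_htaccess(content))
```

Point the script at your own .htaccess by reading the file into audit_htaccess. The regex-style <Files ~ ...> pattern is matched against the bare file name, which is also how Apache applies it, so the check correctly reports .htaccess as covered by the ".hta" rule while leaving wp-config.php to its own block.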
As long as you follow the WordPress security tips and best practices listed here, securing your site will not be as hard. Keep in mind that before making any of these changes, you should back up your website first. Did you encounter any security issues with your site? Share your experience in the comment section below, along with any other helpful tips you have in mind.
Aileen Cuaresma
Aileen is a Technical and Creative writer with an extensive knowledge of WordPress and Shopify. She works with companies on building their brand and optimizing their website. She also runs a local travel agency with her family. On her free time, she loves reading books, exploring the unknown, playing with her two adorable dogs, and listening to K-pop.
Ha, nice trick to protect even the .htaccess with itself, didn’t know that, thanks! 🙂
Thanks. Some good tips. But as an administrator-level user, I don’t think it’s handy to block adding or editing plugins/themes etc.