Secure WordPress site without using any plugin

WordPress security is like equipping your army with new and upgraded weapons so that it does not get defeated. It is all about bolstering the border gates and putting lookouts on every watch tower. But that picture does not tell you what actually goes into improving site security, so this post goes through the concrete steps.

Hello WordPress developer. Today I'm going to show you how to secure your WordPress site without using any plugin. There are many ways a site gets hacked, so I have divided this tutorial into several parts; please go through every part and take the steps it describes. Let's begin.

1. The placeholder index.php files (and directory listing)

WordPress ships an almost empty index.php in folders such as wp-content/, wp-content/plugins/ and wp-content/themes/. You will see advice to delete them; do not. The root index.php and wp-admin/index.php are the files that actually run the site and the dashboard, and the placeholders in the content folders exist for one reason only: if the web server has directory indexing switched on, a request for /wp-content/plugins/ returns a blank page instead of a listing of every installed plugin (and its version). The whole content of each placeholder is

<?php
// Silence is golden.

There is nothing in it to exploit, and deleting it does not make the site harder to attack; it only removes that fallback. What the placeholders do not give you is a guarantee, because any folder that was not created by WordPress (a custom uploads location, a backup folder, a folder a plugin adds) has no such file and can be browsed. So turn listing off at the server instead of relying on the placeholders. On Apache, add this line to the root .htaccess file (the host must allow the Options directive in .htaccess, i.e. AllowOverride must include Options):

Options -Indexes

On nginx, listing is already off unless someone has set autoindex on.

2. File Permissions

One of the most important parts is giving the correct permissions to files and folders. The rule of thumb is directories 0755 and files 0644: the owner can write, the web server (if it runs as a different user) can only read, and nobody else can write anything. The table lists the paths that need special care.

 #   Name                  Path                                                  Recommended permissions
 1   Root directory        /path/to/your/wordpress/install/                      0755
 2   wp-includes/          /path/to/your/wordpress/install/wp-includes           0755
 3   .htaccess             /path/to/your/wordpress/install/.htaccess             0644
 4   wp-admin/index.php    /path/to/your/wordpress/install/wp-admin/index.php    0644
 5   wp-admin/js/          /path/to/your/wordpress/install/wp-admin/js/          0755
 6   wp-content/themes/    /path/to/your/wordpress/install/wp-content/themes     0755
 7   wp-content/plugins/   /path/to/your/wordpress/install/wp-content/plugins    0755
 8   wp-admin/             /path/to/your/wordpress/install/wp-admin              0755
 9   wp-content/           /path/to/your/wordpress/install/wp-content            0755
10   wp-config.php         /path/to/your/wordpress/install/wp-config.php         0644 (see note)

Note on wp-config.php: 0644 is the safe default, but it is readable by every account on the machine. If PHP runs as the same user that owns the files (a PHP-FPM pool, suPHP), tighten it to 0600; if PHP runs as a separate web server user (classic mod_php as www-data), use 0640 with the web server's group. Ownership matters as much as the mode: the PHP process must be able to write to wp-content/uploads (and to wp-content for updates) and should not be able to write anywhere else, and no mode protects you from a compromise of the PHP process itself, since it can modify anything it owns.
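To apply that table to a whole install and to catch drift afterwards (a deploy that ran as root, a plugin that chmods its own folder), the following shell script is an added example and not code from the original post. It assumes the layout described in the note above, where the deploy user owns the tree and PHP runs as that user, so wp-config.php goes to 0600; the function names apply_wp_perms and audit_wp_perms are hypothetical.

```shell
#!/bin/sh
# wp-perms.sh: apply the permission table above and audit a tree for drift.
# Added example, not code from the original post. Assumes the deploy user owns
# the files and PHP runs as that same user (PHP-FPM pool or suPHP), which is
# why wp-config.php can be tightened to 0600. Under mod_php running as www-data
# with a different owner, use 0640 with the web server's group instead, and
# give wp-content/uploads group write so media uploads keep working.
set -eu

# Directories 0755, files 0644, wp-config.php 0600. Stripping +x from files is
# deliberate: PHP never needs it, and it removes one way for a dropped script
# to be run.
apply_wp_perms() {
    root=$1
    find "$root" -type d -exec chmod 0755 {} +
    find "$root" -type f -exec chmod 0644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 0600 "$root/wp-config.php"
    fi
}

# Report anything that drifted from the rule. Returns 1 if something is
# wrong so it can be wired into a cron job or a deploy check.
audit_wp_perms() {
    root=$1
    status=0
    loose=$(find "$root" \( -perm -g+w -o -perm -o+w \) -print)
    if [ -n "$loose" ]; then
        printf 'group/world-writable:\n%s\n' "$loose"
        status=1
    fi
    execs=$(find "$root" -type f -perm -u+x -print)
    if [ -n "$execs" ]; then
        printf 'executable files (PHP does not need +x):\n%s\n' "$execs"
        status=1
    fi
    if [ -f "$root/wp-config.php" ] \
       && [ -n "$(find "$root/wp-config.php" -perm -o+r -print)" ]; then
        echo 'wp-config.php is world-readable'
        status=1
    fi
    return "$status"
}

# Usage: sh wp-perms.sh apply|audit /path/to/your/wordpress/install
case "${1:-}" in
    apply) apply_wp_perms "$2" ;;
    audit) audit_wp_perms "$2" && echo 'permissions look sane' ;;
esac
```

Run the audit from cron and alert on a non-zero exit; the first time you run apply on an existing site, check afterwards that media uploads still work, because that is where the "PHP runs as a different user" case shows up.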

You can also add the following block to your root .htaccess file. It refuses direct requests for the include-only files under wp-admin/includes/ and wp-includes/, which are only ever meant to be loaded by other PHP files, never fetched by a browser:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# BEGIN WordPress

Put the block above the # BEGIN WordPress marker, because WordPress rewrites everything between # BEGIN WordPress and # END WordPress whenever you save permalink settings. The [S=3] rule skips the next three rules for any request that is not under wp-includes/, so those three apply only there. Do not use this block on a multisite install: blocking wp-includes/[^/]+\.php$ also blocks ms-files.php, which older multisite setups use to serve uploaded files.

3. Disable PHP file editing via the dashboard

Clients often edit a theme file in the dashboard editor by mistake and save it; if the code is broken, the site goes down. Worse, an attacker who gets into the admin panel can use the same editor to add malicious code to theme or plugin files, and because nothing visible changes you get no clue that the files were edited. So it is best practice to disable the editor. The documented place for the constant is wp-config.php, above the line that reads /* That's all, stop editing! ... */; putting it in a theme's functions.php only works for as long as that theme stays active, and conflicts if wp-config.php ever defines it too. Add this line:

// Disable the theme and plugin file editors in the dashboard
define('DISALLOW_FILE_EDIT', true);

This removes the editors and the edit_themes and edit_plugins capabilities. It does not stop plugin and theme installation or updates (that is a separate constant, DISALLOW_FILE_MODS, which would also block the updates in section 7).

4. Securing wp-config.php

wp-config.php is one of the most important files: it holds the database credentials and the site configuration, so it must be kept out of reach of the browser. Normally a direct request for it just executes the PHP and returns an empty page, but if PHP handling ever breaks (a misconfigured handler, a server that starts serving .php as plain text) the raw file, credentials included, would be sent to whoever asked. Add the following to the root .htaccess file so Apache refuses the request outright:

<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>

Apache 2.4 uses Require; the Order/Deny form is the 2.2 syntax, and the IfModule test picks whichever the server understands. Note that the rule matches the exact file name only: backup copies such as wp-config.php.bak or wp-config.php~ left behind by editors are plain text to the web server and are not covered, so never leave them inside the web root.

5. Don't use the "admin" username

It has been found that in about 12% of hacked WordPress sites the login was still the default Administrator username, admin (WordPress has no "Super Administrator" role on a single site; "Super Admin" exists only on multisite). A guessable username hands the attacker half of the credential pair before they start. So after development, and before the site goes live, give the administrator account a strong, unpredictable username. WordPress does not let you edit a login name from the profile screen: create a new Administrator account, log in as it, then delete the old admin user and reassign its posts to the new one. Bear in mind that the login name is still discoverable (the /?author=1 redirect and the /wp-json/wp/v2/users endpoint expose it), so this removes the easy guess rather than hiding the account; the password in the next section is what actually stops the login.
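A practitioner would want to confirm from the outside that sections 1, 2, 4 and 5 actually took effect. The following shell script is an added example, not code from the post: it probes the include-only files and wp-config.php for a 403, looks for a directory listing under uploads, and shows what the author redirect and the REST users endpoint reveal. It assumes curl is installed and that the first user id is 1 (the id the installing admin normally gets); probe and the helper names are hypothetical.

```shell
#!/bin/sh
# wp-probe.sh: black-box check of the hardening from sections 1, 2, 4 and 5.
# Added example; not code from the original post. Assumes curl and that the
# installing admin is user id 1.
set -eu

# --- pure helpers (no network) -------------------------------------------

# A direct request for an include-only file or wp-config.php should be
# refused by the rewrite/Files rules: 403 (or a 404) is what we want.
direct_access_blocked() {
    case "$1" in 403|404) return 0 ;; *) return 1 ;; esac
}

# Apache and nginx autoindex pages both carry an "Index of" title.
is_dir_listing() {
    printf '%s' "$1" | grep -qi '<title>Index of'
}

# /?author=1 normally redirects to /author/<login>/, leaking the login name.
author_from_location() {
    printf '%s' "$1" | sed -n 's#.*/author/\([^/]*\)/*.*#\1#p'
}

# /wp-json/wp/v2/users lists each user's "slug", which by default is the login.
slugs_from_users_json() {
    printf '%s' "$1" | grep -o '"slug":"[^"]*"' | sed 's/"slug":"\(.*\)"/\1/'
}

# --- network probe -------------------------------------------------------

probe() {
    base=${1%/}
    rc=0
    for path in wp-config.php wp-includes/version.php \
                wp-admin/includes/file.php wp-includes/theme-compat/footer.php; do
        code=$(curl -s -o /dev/null -w '%{http_code}' "$base/$path")
        if direct_access_blocked "$code"; then
            echo "ok       $path -> $code"
        else
            echo "EXPOSED  $path -> $code (direct access not blocked)"; rc=1
        fi
    done

    body=$(curl -s "$base/wp-content/uploads/")
    if is_dir_listing "$body"; then
        echo "EXPOSED  wp-content/uploads/ shows a directory listing"; rc=1
    else
        echo "ok       wp-content/uploads/ is not listable"
    fi

    loc=$(curl -s -o /dev/null -w '%{redirect_url}' "$base/?author=1")
    login=$(author_from_location "$loc")
    if [ -n "$login" ]; then
        echo "INFO     ?author=1 reveals login '$login'"
    fi

    users=$(slugs_from_users_json "$(curl -s "$base/wp-json/wp/v2/users")")
    if [ -n "$users" ]; then
        echo 'INFO     REST API lists user slugs:'
        echo "$users" | sed 's/^/           /'
    fi
    return "$rc"
}

# Usage: sh wp-probe.sh https://example.com
if [ -n "${1:-}" ]; then probe "$1"; fi
```

The two INFO lines are not failures; they are there so you stop assuming a renamed admin account is secret and size the password accordingly.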

6. Strengthen the password

The same statistics apply here. Developers work on several projects at once and find it hard to remember a separate password for each, so they fall back on a common password, or the same username and password everywhere. Since version 4.3 WordPress has had a built-in strong password generator and strength meter on the user screen; take advantage of it, give the admin a strong and unique password, and keep it in a password manager rather than reusing it across sites.


7. Update all the things

Always update WordPress as soon as a release arrives and never ignore an update: releases fix security issues and change internals, which makes it harder for an attacker or malicious code to affect your site. The same goes for themes and plugins; update them whenever an update exists. Since version 3.7 minor core releases (the security point releases) install themselves automatically unless that has been disabled, so leave that on. Take a database backup before a major update and, where you have one, test it on a staging copy first.
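As a worked example of this step (added here, not from the original post): a WP-CLI routine that reports what is outdated, backs up the database, updates core, plugins and themes, and verifies the core checksums afterwards. WP-CLI is a command-line tool, not a plugin. It assumes wp is on the PATH, that WP_ROOT points at the install, and that BACKUP_DIR is outside the web root (a dump inside it would itself be downloadable); version_lt is a hypothetical helper that compares dotted versions numerically, because a plain string comparison thinks 6.4.10 is older than 6.4.2.

```shell
#!/bin/sh
# wp-update.sh: "update all the things" with WP-CLI, backup first, verify after.
# Added example, not from the original post. Assumes WP-CLI is installed as
# `wp`; nothing here uses a plugin.
set -eu

# Numeric dotted-version comparison: returns 0 when $1 < $2.
# A pre-release suffix such as "-RC1" is ignored for the comparison.
version_lt() {
    a=$1 b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ai=${a%%.*}; bi=${b%%.*}
        ai=${ai%%-*}; bi=${bi%%-*}
        case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
        case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
        if [ "${ai:-0}" -lt "${bi:-0}" ]; then
            return 0
        elif [ "${ai:-0}" -gt "${bi:-0}" ]; then
            return 1
        fi
    done
    return 1
}

main() {
    cd "${WP_ROOT:-.}"
    backup_dir=${BACKUP_DIR:-$HOME/wp-backups}
    mkdir -p "$backup_dir"

    installed=$(wp core version)
    # check-update prints a CSV table (version,update_type,package_url) when
    # an update exists and a one-line "Success:" message when it does not.
    latest=$(wp core check-update --format=csv | awk -F, 'NR==2 {print $1}')
    if [ -n "$latest" ] && version_lt "$installed" "$latest"; then
        echo "core: $installed -> $latest available"
    else
        echo "core: $installed is current"
    fi
    echo 'plugins with updates:'
    wp plugin list --update=available --fields=name,version,update_version
    echo 'themes with updates:'
    wp theme list --update=available --fields=name,version,update_version

    # Back up the database before touching anything; a failed update is far
    # easier to unwind with a dump in hand. Never write the dump into the
    # web root.
    wp db export "$backup_dir/wp-$(date +%Y%m%d-%H%M%S).sql"

    wp core update
    wp core update-db
    wp plugin update --all
    wp theme update --all

    # Confirm core files match the official checksums for the installed
    # version: any modified core file, accidental or injected, is reported.
    wp core verify-checksums
}

# Usage: WP_ROOT=/var/www/html BACKUP_DIR=/var/backups/wp sh wp-update.sh --run
if [ "${1:-}" = "--run" ]; then main; fi
```

Run it on staging first; wp core verify-checksums at the end is also the quickest way to confirm that nobody has edited a core file, which ties this step back to section 3.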

What do you do to secure your WordPress sites? Did I miss anything you think is vital? Feel free to sound off in the comments below. In the meantime I'll come back with a second edition of this.

Raunak Gupta

I'm Raunak Gupta, a seasoned software developer with over 9 years of experience in a wide range of programming languages, frameworks, and tools. I started my journey as a WordPress & CakePHP developer in 2014, diving deep into the world of OOPs, Request handling, and SEO. Along the way, I crafted numerous dazzling WooCommerce stores, tamed payment gateways, optimized for full filament functionality, and achieved ultra-low latency for lightning-fast load times. My expertise extends to BI tools, website builders, DevOps, and team leadership. I like to help upcoming developers, so I share my experience through this blog and by assisting fellow developers on Stack Overflow, where I've earned a stellar reputation with over 10k+ points of recognition.



  1. I’ve changed the prefix on new WP install for a while now as it is a quick change but I never bothered doing it on existing sites until I started using Defender recently. While it’s not all that important, every little bit helps.
