WordPress now powers over 27% of the websites on the internet.
With this popularity, it also draws hackers to this popular CMS.
Since the code is man made, it is not perfect. Thankfully, the WordPress core contributors are constantly releasing updates when vulnerabilities are discovered.

There is no excuse for not “Hardening” your WordPress website.
With an inexhaustible amount of information on the web, many of the articles reaffirm the basic steps that every WordPress site should have already incorporated. Everything from hiding your login page to not using Admin as your user name.

To upgrade your security, here are a few additional steps that can help harden your website. If you are not a tech person, you may need to have a designer or developer configure some of these steps.

Here we go:
Limit the number of login attempts to prevent Brute Force attacks.

Hackers are determined, they will try over and over until they crack your username and password. Don’t make it easy for them, after a certain amount of failures, block their IP address.
This can be accomplished two ways:
1) Most security plugins such as Wordfence, All In One WP Security, IThemes Security, and Sucuri offer this feature.
2) Specialized Plugins such as Limit Login Attempts, User Locker, and Login Lockdown can control the failed login attempts.

Delete Plugins that are deactivated
Take a look at your installed plugins, all those plugins that are light colored are deactivated. If you are not using them, remove them.
The more plugins you have, the more opportunity for hackers to find a vulnerability, especially if they are not updated immediately. Additionally, an excessive number of plugins can slow down your website performance.

Don’t download unauthorized premium plugins
Premium plugins involve a cost of some kind, such as a one-time payment, or annual renewal. They usually offer additional features and functionality over their free counterparts. If you search the internet, you may be able to find sites that offer a pirated version of a particular plugin for free. Please don’t be fooled, they most likely contain malware hidden inside the code.
This warning also pertains to free themes for basically the identical reason. See the post on Free Themes.

Hide the Author’s name
Normally you want to give credit to the author of a post or page.
For security reasons, you should not allow this.
The reason is that through the WordPress default, the Administrator’s name is also the author. This gives a hacker one up on you if they already know your User name. All they have to do is look at a page or post to see your name or they can type in the following after your URL:




The result displayed if author name was hidden:

forbidden - number in author name not allowed = 1

There are two techniques to hide the Author’s name;
1) Use one of these plugins: ShowHideAuthor, or WP Meta and Date Remover.
2) Add a script to functions.php file:

add_action(‘template_redirect’, ‘bwp_template_redirect’);
function bwp_template_redirect()
if (is_author())
wp_redirect( home_url() ); exit;

Note: this does apply to guest authors who write for you. You may have to leave their name within the post to give them credit.

Turn off PHP error reporting
Although this report may be helpful when debugging or troubleshooting, it could disastrous if it falls into the wrong hands. As all your server information will be made public.
To disable this featue, add this script to your wp-config.php file:




Using the .htaccess file
Unless you know how to download/upload and edit this file, I recommend that you bypass this section, because you can break your website if performed incorrectly. In any case, everyone should have a backup of this important configuration file.

Brief intro to .htaccess:

  • A hidden (.in front of the file name) configuration file.
  • Controls functionality and features for protection from spammers, hackers, and threats.
  • A few things it can do: basic redirects, lock outside access to key files, password protection, and prevent image hotlinking.

Protect the .htaccess file, add this script:

 <files ~="" "^.*\.([hh][tt][aa])"="">
order allow,deny
deny from all
satisfy all

Protect the wp-config.php file, it contains the login information for your WordPress database.
Add this script to the .htaccess file:

<files wp-config.php="">
order allow,deny
deny from all


Block directory browsing, this prevents unauthorized people from viewing your WordPress files and directories.
Add this script to the .htaccess file:

# disable directory browsing
Options All -Indexes


Block access to PHP files, this prevents hackers from viewing your plugin and theme’s PHP files:
Add this block of script to your .htaccess file:

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

These extra steps give you another level of protection for your valuable website.
The goal is to close every door that the thief may enter through.

Keep Coding
Gerald Watanabe

Share This