10 Little-Known, Super Effective Tips to Secure Your WordPress Blog

Getting a blog hacked and losing years upon years of blogging work overnight is a sad reality that people actually have gone through. In fact, research shows that 37,000 websites are hacked every day, and with WordPress powering approximately 25.4% of all websites, you can be sure that a good deal of WordPress blogs are hacked every day.

WordPress security is an entirely different ballgame; once you own a WordPress blog, tips like having a username that is difficult to guess and a password that is as hard as rock is no longer sufficient. A single buggy theme, the wrong plugin, or an incorrectly protected file can result in your blog being hacked overnight.

Whether you’re inexperienced with WordPress, or you’ve been using the platform since its existence, this article has 10 practical and supper effective ways to secure your WordPress blog that anybody can implement. You won’t find most of these tips in popular "how to secure your blog" articles, but they could very well save your blog one day!

1. Disable the WordPress Theme & Plugin Editor

WordPress has a handy feature that give site owners more flexibility by allowing them to customize and edit their themes and plugins right from the WordPress dashboard, but this feature has been the undoing of most blogs.

With this feature, a slight error can crash your site and lock you out of your own website. Hackers can easily insert malicious code into your theme to give them backdoor access to your site, or even take over your site completely, by gaining control of an account that has enough privileges to use the theme and plugin editor.

You can protect yourself by disabling the plugin and theme editor, making it impossible to modify your themes and plugins without FTP access.

Do this by adding the following code to your wp-config.php file:

define( 'DISALLOW_FILE_EDIT', true );

2. Enable Two-Factor Authentication

Two-factor authentication is quickly becoming one of the most reliable ways to protect your online accounts, and most reliable websites will insist that their users enable it.

While WordPress does not necessarily have two-factor authentication built into it, you can enable two-factor authentication on your blog by installing the following plugins:

3. Limit Logins Based on Number of Failed Attempts

There are many ways hackers try to gain access to your blog, and one of the most common techniques used is a bruteforce attack: a hacker tries a combination of usernames and passwords, over and over again, until he/she is able to successfully access your blog.

By default, WordPress isn’t protected against this attack. By installing plugins that limit logins after a certain number of failed attempts from a particular IP, you can make it much more difficult for hackers to gain access to your blog.

The Jetpack Protect Module plugin can also protect you from bruteforce attacks.

4. Regularly Scan Your Blog

Theme files, plugins, links, and other seemingly harmless elements can be used to gain access to your blog. Don’t wait until your website is fully infected before you take measures. Instead, install security scanning plugins to regularly scan your website and notify you if your files changes.

A good example of a security scanning plugin is Wordfence. Besides giving you the option to manually/automatically scan your WordPress blog, it also instantly notifies you when suspicious activity is going on your blog.

It also sends information about potentially malicious comments, and it compares your theme and plugin files with the WordPress repository to let you know if your version of a plugin or theme has been modified and can potentially serve as a backdoor for hackers to your site.

Other security plugins that can help you scan your blog for malware and exploits are:

5. Change Your Host

While this sounds like simplistic advice, it actually has a lot of weight. Research shows that 41% of hacked WordPress websites were hacked through security vulnerability on their hosting platform. This is much more than from other sources, including having a weak password.

Your host can play a major role in whether you will be hacked or not; make sure you only go for reliable web hosts that have stood the test of time and that comply with industry best practices.

6. Hide Your WordPress Version Number

By default, WordPress displays your WordPress version number; this makes it easy for WordPress to keep track of how many WordPress blogs are active worldwide. However, this can also be a huge source of problem; hackers and bots can scan the web for blogs using a WordPress version number with a known vulnerability, making you an easy target.

You can easily solve this problem by hiding your WordPress version number. To hide your WordPress version number, simply add the following code to your functions.php file:

add_filter( 'the_generator', '__return_null' );

7. Disable PHP Error Reports

When a plugin or theme isn’t working well on your WordPress blog, PHP error reports can help by showing you a message that reveals the cause of the error. However, in this advantage lies a disadvantage: when PHP error is being reported, it includes the full server path of the error, revealing information that hackers can use against you.

You can protect yourself by disabling PHP error reporting. Simply add the following code to your wp-config.php file:

  @ini_set(‘display_errors', 0);

8. Work on Your WordPress File Permissions

When it comes to preventing your WordPress site from security exploits, it is essential to ensure that you have the right file permissions. This makes it difficult for a hacker to manipulate plugins, themes, or files on your server to take over your website.

Make sure that WordPress folder permissions are set to 755 or 750; file permissions are set to 640 or 644; and that wp-config.php permission is set to 600.

9. Ensure Regular Backups

Even big websites with a team of security experts and consultants get hacked, and while following best practices can make your website stronger than 99.9% of websites, things can still break.

The best security you have against WordPress hack attacks is a good backup; make sure you’re making backups of your site on a regular basis – if possible, daily. This way, if your website is hacked you have your files in place and can restore things immediately.

Here are some of the best WordPress backup plugins:

10. Limit Access to Your Login Page

When push comes to shove, you just might have to take some drastic action. A very reliable way to protect your blog from hack attempts is by entirely blocking access to your wp-admin and wp-login.php page.

This is only recommended if you use one IP address that doesn’t change (you don’t want to lock yourself out of your blog!). You can still use this option if you use more than one IP address but keep track of those addresses.

To limit access to your login page, add the following code to your .htaccess file:

  <IfModule mod_rewrite.c>
  RewriteEngine on
  RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
  RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
  RewriteCond %{REMOTE_ADDR} !^Your IP address 1$
  RewriteCond %{REMOTE_ADDR} !^ Your IP address 2$
  RewriteCond %{REMOTE_ADDR} !^ Your IP address 3$
  RewriteCond %{REMOTE_ADDR} !^ Your IP address 4$
  RewriteCond %{REMOTE_ADDR} !^ Your IP address 5$
  RewriteRule ^(.*)$ - [R=403,L]

Be sure to edit Your IP address 1 through to Your IP address 5 with the different IP addresses you want to give access to; you can simply add or remove a line to allow or prevent more IPs from accessing your site.


Of course, you shouldn’t ignore basic security tips like not using a predictable username, having a strong password, updating your WordPress installation regularly, etc. However, the above are some little-known, often-ignored security tips that can make your WordPress blog just a bit more secure.

Editor’s note: This guest post is written for Hongkiat.com by John Stevens. John is a WordPress and hosting expert. He is the founder and CEO of HostingFacts.com, a portal where he reviews and rates web hosts based on performance.