{"id":48553,"date":"2019-08-29T21:27:00","date_gmt":"2019-08-29T13:27:00","guid":{"rendered":"https:\/\/www.hongkiat.com\/blog\/?p=48553"},"modified":"2025-04-04T02:51:50","modified_gmt":"2025-04-03T18:51:50","slug":"wordpress-security-tips","status":"publish","type":"post","link":"https:\/\/www.hongkiat.com\/blog\/wordpress-security-tips\/","title":{"rendered":"10 Tips to Hardening WordPress Security"},"content":{"rendered":"<p>If you are running a WordPress-powered website, its security should be your primary concern. In most cases, WordPress blogs are compromised because their core files and\/or plugins are outdated; outdated files are traceable and are an open invitation to hackers.<\/p>\n<p>How do you keep your blog away from the bad guys for good? For starters, make sure you are always updated with the latest version of WordPress. But there\u2019s more. In today\u2019s post, I\u2019d like to share with you some useful plugins as well as some tips to harden your WordPress security.<\/p>\n<h2>1. Changing Default \"wp_\" Prefixes<\/h2>\n<p>Your website might be at risk from some vulnerabilities (e.g. <a target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/SQL_injection\" rel=\"noopener\">SQL Injection<\/a>) if you are using the predictable <code>wp_<\/code> prefixes in your database tables. The <a target=\"_blank\" href=\"https:\/\/digwp.com\/2010\/10\/change-database-prefix\/\" rel=\"noopener\">following tutorial<\/a> teaches you how to change them via phpMyAdmin in 5 easy steps.<\/p>\n<h2>2. Hide login error messages<\/h2>\n<p>Login error messages may give hackers an idea of whether they\u2019ve gotten the username correct or incorrect. It is wise to hide them from unauthorized login attempts.<\/p>\n<p>To hide login error messages, you can simply put the following code in functions.php:<\/p>\n<pre>add_filter( 'login_errors', '__return_false' );<\/pre>\n<h2>3. Keep wp-admin Directory Protected<\/h2>\n<p>Keeping the \"wp-admin\" folder protected adds an extra layer of protection. Whoever attempts to access files or directories under \"wp-admin\" will be prompted to log in. Protecting your \"wp-admin\" folder with a login and password can be done in several ways:<\/p>\n<ul>\n<li><strong>WordPress plugin<\/strong> \u2013 Using the WordPress <a target=\"_blank\" href=\"https:\/\/wordpress.org\/plugins\/http-auth\/\" rel=\"noopener\">HTTP Auth<\/a> plugin.<\/li>\n<li><strong>cPanel<\/strong> \u2013 If your hosting supports cPanel admin login, you can set protection easily on any folder via cPanel\u2019s <strong>Password Protect Directories <\/strong>graphical user interface. 
<a target=\"_blank\" href=\"https:\/\/www.siteground.com\/tutorials\/cpanel\/password-protected-directories\/\" rel=\"noopener\">Find out more<\/a> from this tutorial.<\/li>\n<li><strong>.htaccess + htpasswd<\/strong> \u2013 Creating a password-protected folder can also be done easily by setting the folders you want to protect inside <em>.htaccess<\/em> and the users allowed to access them inside <em>.htpasswd<\/em>. <a target=\"_blank\" href=\"https:\/\/www.wpwhitesecurity.com\/securing-wordpress-wp-admin-htaccess\/\" rel=\"noopener\">The following tutorial<\/a> shows you how to do it in 7 steps.<\/li>\n<\/ul>\n<h2>4. Maintaining Backups<\/h2>\n<p>Keeping backup copies of your entire WordPress blog is as important as keeping the site safe from hackers. If all else fails, at least you still have clean backup files to revert to. There are two types of backup practice: full backup and incremental backup.<\/p>\n<p>The \u201cfull backup\u201d includes everything within the site, both the files and the database, every time a backup is created. This method takes more space than necessary and may cause a spike in CPU and disk usage while the backup runs, so it\u2019s not recommended if your site has limited resources.<\/p>\n<p>The \u201cincremental\u201d backup, on the other hand, takes a full backup only the first time and afterwards backs up only the recently changed items, so it is more efficient. 
Today there are a number of options for this type of backup in WordPress, available for a fee, such as <a target=\"_blank\" href=\"https:\/\/vaultpress.com\/\" rel=\"noopener\">VaultPress<\/a> and <a target=\"_blank\" href=\"https:\/\/wptimecapsule.com\/\" rel=\"noopener\">WP Time Capsule<\/a>.<\/p>\n<p>Furthermore, we\u2019ve also previously covered a list of solutions to <a target=\"_blank\" href=\"https:\/\/www.hongkiat.com\/blog\/wordpress-database-and-files-backup-solutions-best-of\/\" rel=\"noopener\">back up your WordPress files and database<\/a>, including both <a target=\"_blank\" href=\"https:\/\/www.hongkiat.com\/blog\/wordpress-database-and-files-backup-solutions-best-of\/#plugin\" rel=\"noopener\">useful plugins<\/a> and <a target=\"_blank\" href=\"https:\/\/www.hongkiat.com\/blog\/wordpress-database-and-files-backup-solutions-best-of\/#online-storage\" rel=\"noopener\">backup services<\/a>.<\/p>\n<h2>5. Prevent Directory Browsing<\/h2>\n<p>Another big security loophole is having your directories and their files exposed and accessible to the public. Here\u2019s a simple test to check if your WordPress directories are well protected:<\/p>\n<ul>\n<li>Enter the following URL in your browser, without the quotes. \"<code>http:\/\/www.domain.com\/wp-includes\/<\/code>\"<\/li>\n<\/ul>\n<p>If it shows a blank page or redirects you back to the home page, you are safe. However, if you see a screen similar to the image below, you are not.<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/assets.hongkiat.com\/uploads\/wordpress-security-tips\/protect-directory-file-listing.jpg\" width=\"450\" height=\"275\" alt=\"protect directory\"><\/figure>\n<p>To prevent directory listing for all directories, place this code inside your <strong>.htaccess<\/strong> file.<\/p>\n<pre>\r\n# Prevent folder browsing.\r\nOptions -Indexes<\/pre>\n<p>If your site is running on nginx, you can add the following instead.<\/p>\n<pre>autoindex off;<\/pre>\n<h2>6. 
Keep WordPress Core Files & Plugins updated<\/h2>\n<p>One of the safest ways to keep your WordPress site safe is to make sure your files are always updated to the latest release. Fortunately, WordPress today comes with automatic updates turned on, so as soon as there\u2019s a security patch available, your site should be immediately updated. Just make sure that you or your developer has not turned it off.<\/p>\n<h2>7. Pick a Strong Password<\/h2>\n<p>WordPress now comes with a strong password suggestion field that looks like the one below when creating a new account or updating to a new password. It will indicate whether your password is Strong or Weak. You should definitely pick a Strong password. But the downside of having a strong password is that it\u2019s not easily memorizable. That\u2019s why I recommend using a password manager like <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.hongkiat.com\/blog\/go\/1password\">1Password<\/a> or <a target=\"_blank\" href=\"https:\/\/www.lastpass.com\/\" rel=\"noopener\">LastPass<\/a>.<\/p>\n<figure><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/assets.hongkiat.com\/uploads\/wordpress-security-tips\/wp-password-suggest.jpg\" alt=\"\" width=\"750\" height=\"480\"><\/figure>\n<h2>8. Remove Admin User<\/h2>\n<p>A typical installation of WordPress comes with a default user named \"admin\". If that\u2019s the username to your WordPress site, you are already making a hacker\u2019s life 50% easier. Using the \"admin\" user should be avoided at all times.<\/p>\n<p>A safer approach is to create a new administrator and have \"admin\" removed. 
And here\u2019s how you do it:<\/p>\n<ol>\n<li>Log in to the WordPress admin panel<\/li>\n<li>Go to <strong>Users<\/strong> -&gt; <strong>Add New<\/strong><\/li>\n<li>Add a new user with the <strong>Administrator<\/strong> role; make sure you use a strong password.<\/li>\n<li>Log out of WordPress, then log back in with your new admin user.<\/li>\n<li>Go to <strong>Users<\/strong><\/li>\n<li>Remove the \"admin\" user<\/li>\n<li>If \"admin\" has posts, remember to attribute all posts and links back to the new user.<\/li>\n<\/ol>\n<h2>9. Disable XMLRPC<\/h2>\n<p><a target=\"_blank\" href=\"https:\/\/codex.wordpress.org\/XML-RPC_Support\" rel=\"noopener\">XMLRPC in WordPress<\/a> is a common entry point for attacks. So it\u2019s always a good idea to disable it when your site does not require XMLRPC. In case it\u2019s needed, you can restrict the XMLRPC endpoint to certain IPs, for example:<\/p>\n<h3>Apache<\/h3>\n<pre>&lt;Files xmlrpc.php&gt;\n  order deny,allow\n  allow from 192.0.64.0\/18\n  deny from all\n&lt;\/Files&gt;<\/pre>\n<h3>Nginx<\/h3>\n<pre>\r\nlocation = \/xmlrpc.php {\r\n  allow 192.0.64.0\/18;\r\n  deny all;\r\n  access_log off;\r\n}\r\n<\/pre>\n<h2>10. Add HTTP Security Headers<\/h2>\n<p>Adding HTTP security headers adds an extra security layer to your site, which helps to mitigate certain attacks. The headers instruct the browser to behave in the way set in the headers. For example, the <code>X-Frame-Options<\/code> header lets you control whether your site can be embedded within an iframe. 
Other headers you can add include: <code>X-XSS-Protection<\/code>, <code>Strict-Transport-Security<\/code>, <code>X-Content-Type-Options<\/code>, <code>Content-Security-Policy<\/code>, and <code>Referrer-Policy<\/code>.<\/p>\n<h3>Apache<\/h3>\n<pre>\r\nHeader always append X-Frame-Options DENY\r\nHeader set X-XSS-Protection \"1; mode=block\"\r\nHeader set Strict-Transport-Security \"max-age=31536000; includeSubDomains; preload\"\r\nHeader set X-Content-Type-Options nosniff\r\nHeader set Content-Security-Policy \"default-src 'self';\"\r\nHeader set Referrer-Policy \"no-referrer\"\r\n<\/pre>\n<h3>Nginx<\/h3>\n<pre>\r\nadd_header X-XSS-Protection \"1; mode=block\";\r\nadd_header Strict-Transport-Security 'max-age=31536000; includeSubDomains; preload';\r\nadd_header X-Frame-Options \"DENY\";\r\nadd_header X-Content-Type-Options nosniff;\r\nadd_header Content-Security-Policy \"default-src 'self';\";\r\nadd_header Referrer-Policy same-origin;\r\n<\/pre>\n<p>To add these headers, you might need to reach out to the hosting company where your site is hosted.<\/p>\n<h2>Bonus: Subscribe to WPVulnDB<\/h2>\n<p>Last but not least, you might want to stay on top of the latest exposed vulnerabilities in WordPress Core, Plugins, and Themes by subscribing to <a target=\"_blank\" href=\"https:\/\/wpvulndb.com\" rel=\"noopener\">WPVulnDB<\/a>. It describes the type of vulnerability, what it is, which version is affected, and whether it\u2019s already fixed.<\/p>\n<p>If you find that one of the plugins you\u2019re using is on the report, you should take immediate action to mitigate it and update the plugin <strong>immediately<\/strong> when the fix is available.<\/p>","protected":false},"excerpt":{"rendered":"<p>If you are running a WordPress-powered website, its security should be your primary concern. In most cases, WordPress blogs are compromised because their core files and\/or plugins are outdated; outdated files are traceable and are an open invitation to hackers. 
How do you keep your blog away from the bad guys for good? For starters, make&hellip;<\/p>\n","protected":false},"author":113,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[49],"tags":[4663,4601,3325,252],"topic":[],"class_list":["entry-content","is-maxi"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO Premium plugin v22.8 (Yoast SEO v27.6) - https:\/\/yoast.com\/product\/yoast-seo-premium-wordpress\/ -->\n<title>10 Tips to Hardening WordPress Security - Hongkiat<\/title>\n<meta name=\"description\" content=\"If you are running a WordPress-powered website, its security should be your primary concern. In most cases, WordPress blogs are compromised because their\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.hongkiat.com\/blog\/wordpress-security-tips\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"10 Tips to Hardening WordPress Security\" \/>\n<meta property=\"og:description\" content=\"If you are running a WordPress-powered website, its security should be your primary concern. 
In most cases, WordPress blogs are compromised because their\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.hongkiat.com\/blog\/wordpress-security-tips\/\" \/>\n<meta property=\"og:site_name\" content=\"Hongkiat\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/hongkiatcom\" \/>\n<meta property=\"article:published_time\" content=\"2019-08-29T13:27:00+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2025-04-03T18:51:50+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/assets.hongkiat.com\/uploads\/wordpress-security-tips\/protect-directory-file-listing.jpg\" \/>\n<meta name=\"author\" content=\"Thoriq Firdaus\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@tfirdaus\" \/>\n<meta name=\"twitter:site\" content=\"@hongkiat\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Thoriq Firdaus\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/\"},\"author\":{\"name\":\"Thoriq Firdaus\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#\\\/schema\\\/person\\\/e7948c7a175d211496331e4b6ce55807\"},\"headline\":\"10 Tips to Hardening WordPress Security\",\"datePublished\":\"2019-08-29T13:27:00+00:00\",\"dateModified\":\"2025-04-03T18:51:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/\"},\"wordCount\":1089,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/assets.hongkiat.com\\\/uploads\\\/wordpress-security-tips\\\/protect-directory-file-listing.jpg\",\"keywords\":[\"ad-divi\",\"Security and Privacy\",\"WordPress Security\",\"WordPress Tips\"],\"articleSection\":[\"WordPress\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/\",\"url\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/\",\"name\":\"10 Tips to Hardening WordPress Security - 
Hongkiat\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/assets.hongkiat.com\\\/uploads\\\/wordpress-security-tips\\\/protect-directory-file-listing.jpg\",\"datePublished\":\"2019-08-29T13:27:00+00:00\",\"dateModified\":\"2025-04-03T18:51:50+00:00\",\"description\":\"If you are running a WordPress-powered website, its security should be your primary concern. In most cases, WordPress blogs are compromised because their\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/#primaryimage\",\"url\":\"https:\\\/\\\/assets.hongkiat.com\\\/uploads\\\/wordpress-security-tips\\\/protect-directory-file-listing.jpg\",\"contentUrl\":\"https:\\\/\\\/assets.hongkiat.com\\\/uploads\\\/wordpress-security-tips\\\/protect-directory-file-listing.jpg\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wordpress-security-tips\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"10 Tips to Hardening WordPress Security\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/\",\"name\":\"Hongkiat\",\"description\":\"Tech and Design 
Tips\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#organization\",\"name\":\"Hongkiat.com\",\"url\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wp-content\\\/uploads\\\/hkdc-logo-rect-yoast.jpg\",\"contentUrl\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/wp-content\\\/uploads\\\/hkdc-logo-rect-yoast.jpg\",\"width\":1200,\"height\":799,\"caption\":\"Hongkiat.com\"},\"image\":{\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/www.facebook.com\\\/hongkiatcom\",\"https:\\\/\\\/x.com\\\/hongkiat\",\"https:\\\/\\\/www.pinterest.com\\\/hongkiat\\\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/#\\\/schema\\\/person\\\/e7948c7a175d211496331e4b6ce55807\",\"name\":\"Thoriq Firdaus\",\"description\":\"Thoriq is a writer for Hongkiat.com with a passion for web design and development. He is the author of Responsive Web Design by Examples, where he covered his best approaches in developing responsive websites quickly with a framework.\",\"sameAs\":[\"https:\\\/\\\/thoriq.com\",\"https:\\\/\\\/x.com\\\/tfirdaus\"],\"jobTitle\":\"Web Developer\",\"url\":\"https:\\\/\\\/www.hongkiat.com\\\/blog\\\/author\\\/thoriq\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. 
-->","jetpack_featured_media_url":"https:\/\/","jetpack_shortlink":"https:\/\/wp.me\/p4uxU-cD7","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/posts\/48553","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/users\/113"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/comments?post=48553"}],"version-history":[{"count":3,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/posts\/48553\/revisions"}],"predecessor-version":[{"id":73744,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/posts\/48553\/revisions\/73744"}],"wp:attachment":[{"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/media?parent=48553"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/categories?post=48553"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/tags?post=48553"},{"taxonomy":"topic","embeddable":true,"href":"https:\/\/www.hongkiat.com\/blog\/wp-json\/wp\/v2\/topic?post=48553"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}