9 Easy Ways to Secure your WordPress Blog or Site


Hardening a WordPress website is an important activity for keeping hackers out. In practice we cannot stop hackers entirely, but a few configuration changes help prevent their attacks. Let's dig into them.


1. Double Layered Authentication for WP-LOGIN.php

Using the htpasswd utility of the Apache web server, we can protect the wp-login.php file with a custom username and password, which is then followed by the normal WordPress authentication. This gives two levels of authentication. Use the configuration below either in the httpd.conf file of the Apache web server or in the .htaccess file located at /var/www/<domainRoot>/htdocs/.htaccess

# Protect wp-login
<Files wp-login.php>
 AuthUserFile /etc/httpd/conf/.htpasswd
 AuthName "Private access"
 AuthType Basic
 # Without a Require line the credentials are never enforced
 Require valid-user
</Files>

In the above, .htpasswd is the credentials file used for authentication, which can be created with the htpasswd utility. For details on how to use htpasswd, please follow this article – How to Protect URLs, Files & Directories with Apache htpasswd Utility


2. Restrict xmlrpc.php

Spammers or hackers use xmlrpc.php to bring your website down. It is safe to block it completely in .htaccess or in the httpd.conf file.

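# BEGIN protect xmlrpc.php
<Files xmlrpc.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied"
order allow,deny
deny from all
</Files>
# END protect xmlrpc.php

# service httpd reload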

After adding the configuration above, reload the Apache httpd server with the command shown.

3. Hide .htaccess file

If we do not prevent access to the .htaccess file, we leak our important rules and configuration to the outside world. Again in the httpd.conf file, use the lines below to block access permanently:

<Files ~ "^\.ht">
 Order allow,deny
 Deny from all
 Satisfy All
</Files>
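
As a check on the three Apache rules above, the following added example (not part of the original article) parses a configuration snippet and reports a <Files> block that is never closed, a wp-login.php block that sets AuthType Basic without a Require line, and missing deny rules for xmlrpc.php and .ht files. The function names and the WEAK sample are constructed for illustration.

```python
import re

def parse_files_sections(conf_text):
    """Return ({target: [directives]}, [unclosed targets]) for <Files> blocks."""
    sections, unclosed, current = {}, [], None
    for raw in conf_text.splitlines():
        line = " ".join(raw.split())          # trim and collapse whitespace
        if not line or line.startswith("#"):
            continue
        opened = re.match(r"<Files\s+(.+)>$", line, re.I)
        if opened:
            if current is not None:           # previous block was never closed
                unclosed.append(current)
            current = opened.group(1)
            sections[current] = []
        elif line.lower() == "</files>":
            current = None
        elif current is not None:
            sections[current].append(line.lower())
    if current is not None:
        unclosed.append(current)
    return sections, unclosed

def audit(conf_text):
    """List findings for the wp-login.php, xmlrpc.php and .ht* rules."""
    sections, unclosed = parse_files_sections(conf_text)
    findings = [f"unclosed <Files {t}> block" for t in unclosed]

    def body(name):  # directives of the first block whose target mentions name
        return next((b for t, b in sections.items() if name in t), [])
    def denied(b):
        return "deny from all" in b or "require all denied" in b

    login = body("wp-login")
    enforcing = ("require valid-user", "require user ", "require group ")
    if not (any(d.startswith("authtype basic") for d in login)
            and any(d.startswith(enforcing) for d in login)):
        findings.append("wp-login.php: Basic auth not enforced")
    if not denied(body("xmlrpc")):
        findings.append("xmlrpc.php: not denied")
    if not denied(body(".ht")):
        findings.append(".ht files: not denied")
    return findings

# Constructed sample: auth block with no Require line and no closing tag.
WEAK = """<Files wp-login.php>
AuthUserFile /etc/httpd/conf/.htpasswd
AuthType Basic
"""
print(audit(WEAK))
```

An empty list means all three rules are present, closed and enforcing; the check reads the text only and does not replace testing the URLs against the running server.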

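4. File Permission for wp-config.php

Change the file permission of wp-config.php from the Linux terminal using the command below. With this permission, only the file's owner can read and write it, so the file must be owned by the user that the web server's PHP process runs as, otherwise WordPress cannot read its own configuration.

# chmod 600 wp-config.php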


5. Avoid using common user names

Hackers specifically target weak or common usernames and passwords. Avoid usernames such as admin, and avoid equally common passwords. This applies to your htpasswd authentication credentials as well.



Derick:

Renaming the xmlrpc and then adding an empty xmlrpc.php file and .htaccess IP protection are 2 good methods as well. My host https://kickassd.com did these for me.