14 Easy Ways To Make Your WordPress Website More Secure
  1. Move wp-config.php up one directory

    If your host allows you to access non-public directories on your server above your WordPress directory, simply move the wp-config.php file up one directory. WordPress has built-in this feature so it won’t break your site when you do so. If for some reason it does, just move it back. This way it will be a lot harder for hackers to find and/or access your wp-config.php file, which is very important because your wp-config.php file contains your database credentials.

  2. Make it so failed logins are ambigious

    By default failed login attempts to WordPress will tell you whether your username or your password is wrong. This gives hackers more helpful information than you want them to have. Add the following lines of PHP code to your WordPress theme’s functions.php file so it simply returns “Wrong username or password.” instead:

    function wrong_login() {
      return 'Wrong username or password.';
    add_filter('login_errors', 'wrong_login');
  3. Make your admin username anything other than “admin”

    “admin” is the default admin username for WordPress and hackers take full advantage of this. So if you currently have an admin user with the username “admin”, simply delete or rename the username for this user. Avoid any obvious alternatives (e.g. “administrator”).

  4. Disable the WordPress file editor

    If you don’t use the WordPress file editor, it’s a good idea to disable it. If you’d like to do so, simply add the following line of PHP code to your WordPress theme’s functions.php file:

    define('DISALLOW_FILE_EDIT', true);
  5. Delete or rename readme.html

    The WordPress readme.html file also contains the WordPress version in it, so simply delete it or rename it.

  6. Delete or rename install.php

    The install.php file located in the /wp-admin/ folder isn’t needed after you’ve done the initial WordPress installation. Hackers may be able to exploit this if you leave it as is, so simply delete or rename the install.php file.

  7. Delete or rename upgrade.php

    The upgrade.php file is in the same situation as the install.php file, which is also located in the /wp-admin/ folder, so delete or rename the upgrade.php file as well.

  8. Remove WordPress version from page meta data

    If you see the following when you look at your WordPress website’s source code:

    <meta name="generator" content="WordPress 4.4.1" />

    You can remove this by adding the following lines of PHP code to your WordPress theme’s functions.php file:

    function remove_version() {
      return '';
    add_filter('the_generator', 'remove_version');
  9. Delete user with ID “1”

    Having an admin user with ID “1” on your WordPress website can aid hackers in rare situations. If you want to be extra safe, simply create a new admin user and then delete the first user created on your WordPress website.

  10. Disable the “Anyone can register” option

    If you don’t need anyone to be able to register, it’s best to make sure this option is disabled in the WordPress Dashboard under Settings > General.

  11. Avoid using the default database prefix “wp_”

    This can be rather tedious to change after you’ve already installed your website, but just make sure to avoid it when you install new WordPress websites in the future. Using an alternative, custom prefix is best (e.g. “w0rd_”).

  12. Ensure WordPress debug mode is disabled

    Not only does debug mode slow down your WordPress website, but it confuses visitors and provides potentially valuable information to potential hackers as well. In order to make sure debug mode is turned off, simply edit your wp-config.php file, look for the following line and make sure it’s set to false:

    define('WP_DEBUG', false);

    Do the same for WordPress JavaScript debug mode by ensuring the following line is set to false:

    define('SCRIPT_DEBUG', false);
  13. Delete unused WordPress themes & plugins

    If you don’t use it, lose it. Leaving these files around simply provides for more opportunities for hackers.

  14. Make sure everything is up-to-date

    Last but not least, of course make sure everything is as up-to-date as possible at all times (i.e. WordPress core, WordPress plugins & WordPress themes)! Services such as ManageWP and InfiniteWP make this easy to do, even if you manage multiple WordPress websites.


  1. This article about WordPress security is more timely as ever since hacking events have been escalating exponentially. #2 is a suggestion I occasionally see though rarely implemented by plugins and other security-related articles. It makes complete sense: why give a hacker a clue as to what they are doing wrong. Can you please suggest a way to implement #2 in a WP Multisite? Does it have to be added to every sites’ functions.php?

  2. I would make a new file called globalfunctions.php or something like that and then just include it in the functions.php file for all your WP Multisite websites. This way, at least next time you need to make a global change to all your WP Multisite websites you would only need to edit one file =)

    Sorry I don’t know of a better way.

  3. Hi Andy,
    Thanks for the great advice to protect WordPress Blog from hacking attempts or virus. All steps are really important and latest techniques to protect a WP blog.


Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.