Hardening WordPress


In order to harden our WordPress sites, we need to follow some steps to secure differents sections of our environment,not only users and passwords, but file access/edition, spammers, redirections and more.

Let´s start by assigning the right role to each user

Setting roles to users

  • Super admins: have access to the site network administration features across all sites
  • Admins: have access to administration features within a single site
  • Editors: can publish and manage posts, not only theirs but other user´s posts
  • Authors: can manage and publish their own posts
  • Contributors: can write and manage their own post but cannot publish them
  • Subscribers: can only manage their own profile

Admins are the ones who can assign roles to users.

You can do this via WP dashboard or using a Plugin

Securing wp-config file

We have several ways to do this:

  • Securing .htaccess
  • Moving wp-config.php from public folder (public access) to another location
  • Changing file permissions

Securing .htaccess

Edit the .htaccess file and include these lines of code at the end of it:

#protecting wpconfig.php
order allow, deny
deny from all

Once done, save.

These lines will block internal access and code modifications to our wp-config.php.

Moving wp-config.php from public folder (public access) to another location

Ok, let´s start by locating our wp-config file with FTP or Cpanel, your choice. Once done let´s copy all the code and save it to a new file named config.php in the root directory, NOT within public.html

we put this code inside wp-config.php

include ('..config.php');

and within the new config.php file, the ciode that was inside wp-config.php

If we refresh the page all should go right, nothing happened to the user´s eye.

We can also use an ABSOLUTE path. To find out the path we must add a line of code within config.php

echo phpinfo();

if we refresh the page we´ll see this

Let´s find PHP variables,documentation and use the path MINUS the public_html at the end,

in my case I have /home/freelancerwriter/

so I have this code


include ('/home/freelancerwriter/config.php');

save and refresh page, it must work the same (remember to delete the echo phpinfo(); line from config.php)

 Changing file permissions for wp-config.php

The wp-config file contains all the information about base configuration AND the database connection information. We better use the appropriate file permission for this file -> 400.

With this we are sure the user has permission to ONLY read and others will not be able to access the file.

Restrict access by IP to WordPress admin

Here is how to restrict wp-admin access:

  • Step 1 – Use an FTP client like Filezilla or cPanel to access your wp site
  • Step 2 – Navigate to public_html/wp-admin/
  • Step 3 – Create a .htaccess file there
  • Step 4 – Paste the following code in this file and save it.
Order Deny, Allow
Deny from all
Allow from [Your IP]

Disable User Registration

There is a Register link on your WordPress login page. 
You can disable this Registration form to discourage access to wp-admin.
Disable user registration on your WordPress:
1 – Go to your WP dashboard ->general ->settings
2 – Uncheck ‘Anyone can register’ option 
3 – Save the changes.

Fix WordPress files and folders permissions

Ok, let´ps connect to our site via sftp or cpanel and get thios changes done

select -> public_html directory.
Set these permissions to files/folders:

All .php files644
All folders755
wp-config.php (public_html folder)400/440
index.php (public_html folder)444/644

Remeber the values for reading, writing, execute:

r: 4

w: 2

x: 1

In case you don´t know about file permissions, this article will make things clear

Change Database Prefix 

WordPress database is another target. It stores critical information/data about your sites. We can secure it by changing the DB prefix, which is always set to wp_ if we do not choose another name when creating our site.

To change WordPress DB prefix:

  • Log in to an sFTP client or cPanel to your website
  • Go to ‘public_html
  • Right-click on wp-config file and edit the default prefix ‘wp_’ ($table_prefix = ‘wp_’ to whatever you choose like $table_prefix = ‘mysite’)
  • Run an SQL command to render this prefix in all the tables (chapter below)

wp db contains 11 tables which include tables for – users data, site URLs, posts, pages, comments, etc.

Run an SQL command to render this prefix in all the tables

  • Open your database management tool like phpMyAdmin
  • Find the SQL tab
  • Run SQL queries as follows-
RENAME table `wp_commentmeta` TO `YourChoiceHere_commentmeta`;

RENAME table `wp_comments` TO `YourChoiceHere_comments`;

RENAME table `wp_links` TO `YourChoiceHere_links`;

RENAME table `wp_options` TO `YourChoiceHere_options`;

RENAME table `wp_postmeta` TO `YourChoiceHere_postmeta`;

RENAME table `wp_posts` TO `YourChoiceHere_posts`;

RENAME table `wp_terms` TO `YourChoiceHere_terms`;

RENAME table `wp_termmeta` TO `YourChoiceHere_termmeta`;

RENAME table `wp_term_relationships` TO `YourChoiceHere_term_relationships`;

RENAME table `wp_term_taxonomy` TO `YourChoiceHere_term_taxonomy`;

RENAME table `wp_usermeta` TO `YourChoiceHere_usermeta`;

RENAME table `wp_users` TO `YourChoiceHere_users`;

  • Run this SQL query to change the prefix in options table:
UPDATE `prefix_options` SET `option_name`=REPLACE(`option_name`,'wp_','YourChoiceHere_') WHERE `option_name` LIKE 'wp_%';

  • Run this SQL query to change the prefix in usermeta table:
UPDATE `prefix_usermeta` SET `meta_key`=REPLACE(`meta_key`,'wp_','YourChoiceHere_') WHERE `meta_key` LIKE 'wp_%';

You can check wpbeginner too if need more info.

Ok, it may seem a hard way to do it, we can always…

Change prefix with the help of a plugin

1 – Install ‘Change Table Prefix’ plugin

2 – Navigate to ‘Settings’ on your wp dashboard -> change table prefix

3 – Enter custom prefix

You´ll get something like this after clicking the button

Important note: changing prefix DO NOT stop attackers to find the new one, thay can do it with a query, but it is another way to make things difficult to attackers.

Setup Secret Keys For Strong Cipher Suite

To increase the security of your WordPress installation, you should apply secret keys. This MUST be part of the standard installation process.

Changing keys will invalidate all sessions and users will need to re-authenticate.

how you can set up secret keys:

1 – Get unique secret keys and copy them from WordPress secret key generator

2 – Access your site with an sFTP client or cPanel, and go to -> public_html directory.

3 – Open wp-config.php file and paste the keys.

4 – Save it and upload back to the server.

Check that everything work ok.

This is easy; once you copy and paste the new keys from WordPress secret key generator, the site will ask you to log in again.

Disable Directory Listing

Directory Listing or browsing is when you can browse a website’s files and folders and it displays ALL the files and directories within. This is because the web server that hosts a site can not only display web pages, but also the content of your web directories and other files because there is no index file (index.html, index.php, etc) in the directory.

When a browser sends a request to access a web page, the webserver processes that request. We can configure the webserver to prioritize which web pages to display whenever it receives the requests.

Usually, the index.html or index.php is the first file the webserver serves when receives a request. However, in the absence of an index file, the webserver displays the entire contents of the directory that was requested by the browser. This means all the files and folders inside the directory are on display!

Of course, this kind of information will give any attacker lots of insights about our site, themes, plugins, and more info that can be used against us.

To avoid this we have a simple line to add within out .htaccess:

Options -Indexes


HOW TO Secure WordPress Login Page And Admin Page

Ok, to secure the login page we should detect failed attempts, brute force attacks and so. We can even whitelist or blacklist IPs,

Regardind admin page, we´ll just rename it to another thing (no more /wp-login)

We are gonna get this done with two Plugins, you can choose whatever you like, I´ll just suggest the ones I use.

  • Loginizer – “Loginizer is a WordPress plugin which helps you fight against a brute-force attack by blocking login for the IP after it reaches maximum retries allowed. You can blacklist or whitelist IPs for login using Loginizer. You can use various other features like Two Factor Auth, reCAPTCHA, PasswordLess Login, etc. to improve the security of your website…”
  • WPS Limit Login – Limit the number of possible login attempts through the login page and by using auth cookies. WordPress by default allows unlimited login attempts either through the login page or by sending special cookies. This allows passwords (or hashes) to be cracked via brute force relatively easily. WPS Limit login limits login attempts and blocks sending further attempts to an Internet address after reaching a specified limit, making a brute force attack difficult if not impossible…”
  • Protect WP Admin – “Give extra protection to your WordPress admin by rename default WordPress admin URL i.e /wp-admin and set numbers of unsuccessful attempts. WP Protect Admin WordPress plugin will save your site from hackers and give you extra features like (change the existing user name and track user login history log) to make secure your website…”

Well, this is the end…or just the beginning of your WordPress security actions.

There are too many things to do from now on, so don´t be lazy and keep learning and moving.

Good luck!

WPScan WordPress Vulnerability Database

A really useful resource to test your sites for any WordPress Core Vulnerabilities, Plugin Vulnerabilities and Theme vulnerabilities.


Further reading

How can you mitigate WordPress Security Issues?

Invest in the right web hosting from a reputed and well-known hosting provider.

Make a habit of taking backups of your WordPress installation. A backup can be a boon in despair.

Use a strong password and use reCAPTCHA to secure important files.

Limit login attempts and use two-factor Authentication for login.

Change the WordPress Login URL and Default Username.

Define permissions for different WordPress user roles.

Change the WordPress default username.

Keep WordPress user logs updated.

Uninstall or delete unused Plugins or Themes.

Set .htaccess Rules.

Deny access to sensitive files in WordPress.

Use .htaccess to harden security.

Hide WordPress version.


Astra WordPress Firewall

15 Useful WordPress Configurations Tricks

How to secure WP-Config.php File

Commonly Hacked WordPress Files. How to Scan & Fix Infected WordPress Files?

How to fix the WordPress admin dashboard (wp-admin) hack

How to Super Secure Your WordPress Admin from Hackers – Changing Admin URL, Adding IP Restrictions & htpasswd

How to Fix WordPress File or Folder Permissions – Step by Step Procedure

How Hackers Exploited your WordPress Website in 2018

25 Best WordPress Security Practices (Updated 2021)

How to Remove WP-VCD Malware Attack in WordPress

Hide WP-includes, WP-content/uploads From Your WordPress Site – FREE Plugin & Via .htaccess

WordPress Security Issues & How Can You Fix Them – Step By Step Guide

Commonly Hacked WordPress Files. How to Scan & Fix Infected WordPress Files?

Generate Secret-keys

Leave a Reply

Your email address will not be published. Required fields are marked *