How to secure WordPress without using plugin?


WordPress is a very popular CMS and that’s why it is highly targeted by hackers.

Recent updates have made it one of the most used tools for e-commerce websites, news portals and business blogs. There are many ways to protect your WordPress blog from being hacked.

We have collected some best practices that will help you secure your WordPress website:

Disable File Editing:

By default WordPress lets an administrator edit theme and plugin files through the editor in the admin panel. The line below disables that editor, so a hacker who gets into the admin side cannot open the files to change them.

define( 'DISALLOW_FILE_EDIT', true );

Protect your .htaccess file

.htaccess is an important WordPress file. It is mostly used for rewriting URLs and is found in the WordPress root directory.

Why is the .htaccess file not directly visible in the folder?

This is because of the leading dot: a file whose name starts with a dot is hidden from normal directory listings, and the same applies to .htaccess.

The code below protects the .htaccess file.

#Protect .htaccess (and any other .hta* file, such as .htpasswd)
# On Apache 2.4 without mod_access_compat, replace the order/deny lines with: Require all denied
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Protect your wp-config.php file

The config file is the most important file in WordPress. It contains our configuration details, so it is important to keep the database details safe from hackers. The code below protects the config file.

# Protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

In the config file we enter the site details shown below. Anyone who gets the file contents will easily obtain the database details: database name, DB username and DB password.

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'database_name_here' );

/** MySQL database username */
define( 'DB_USER', 'username_here' );

/** MySQL database password */
define( 'DB_PASSWORD', 'password_here' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

Protect your error_log file

It is important to keep the error output of broken code private. A hacker can easily read PHP values from the error log, so it is important to hide the site's error log.

Add the code below to the .htaccess file:

#Protect error_log
<files error_log>
order allow,deny
deny from all
</files>

We can also hide the error output using the config file. Put the line below in wp-config.php:

define( 'WP_DEBUG_DISPLAY', false );
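To check that the wp-config.php constants and the .htaccess <files> blocks described above are actually in place, here is an added Python audit script (not part of the original article). The file contents it scans are constructed samples, and it accepts both the Apache 2.2 "deny from all" and the Apache 2.4 "Require all denied" spellings.

```python
# Added example, not from the article: audit wp-config.php and .htaccess contents
# for the hardening settings above. The sample file contents below are constructed.
import re

# Constants the article sets in wp-config.php, with the value each should have.
REQUIRED_DEFINES = {"DISALLOW_FILE_EDIT": "true", "WP_DEBUG_DISPLAY": "false"}
# Files the article wraps in deny-all <files> blocks in .htaccess.
PROTECTED_FILES = [".htaccess", "wp-config.php", "error_log"]

DEFINE_RE = re.compile(r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false)\s*\)", re.I)
FILES_RE = re.compile(r"<files\s+(.*?)>(.*?)</files>", re.I | re.S)
# Apache 2.2 ("deny from all") and 2.4 ("Require all denied") ways to deny everyone.
DENY_RE = re.compile(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", re.I | re.M)

def audit_wp_config(text):
    """Return the problems found in wp-config.php contents (empty list means OK)."""
    found = {name.upper(): val.lower() for name, val in DEFINE_RE.findall(text)}
    problems = []
    for name, want in REQUIRED_DEFINES.items():
        have = found.get(name)
        if have is None:
            problems.append(f"{name} is not defined")
        elif have != want:
            problems.append(f"{name} is {have}, expected {want}")
    return problems

def audit_htaccess(text):
    """Return the protected files that have no deny-all <files> block."""
    denied = set()
    for target, body in FILES_RE.findall(text):
        if not DENY_RE.search(body):
            continue  # a <files> block that does not actually deny access
        target = target.strip()
        if target.startswith("~"):  # "<files ~ regex>" form, as in the .hta* rule
            pattern = target[1:].strip().strip('"')
            denied.update(f for f in PROTECTED_FILES if re.search(pattern, f))
        else:
            denied.add(target)
    return [f for f in PROTECTED_FILES if f not in denied]

# Constructed samples: one wrong define, and no block protecting error_log.
SAMPLE_CONFIG = "define( 'DISALLOW_FILE_EDIT', true );\ndefine('WP_DEBUG_DISPLAY', true);\n"
SAMPLE_HTACCESS = (
    '<files ~ "^.*\\.([Hh][Tt][Aa])">\norder allow,deny\ndeny from all\nsatisfy all\n</files>\n'
    "<files wp-config.php>\nRequire all denied\n</files>\n"
)

if __name__ == "__main__":
    print("wp-config.php problems:", audit_wp_config(SAMPLE_CONFIG) or "none")
    print("unprotected files:", audit_htaccess(SAMPLE_HTACCESS) or "none")
```

Run it against the real files with `audit_wp_config(open("wp-config.php").read())` and `audit_htaccess(open(".htaccess").read())` from the WordPress root.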

Protect your WordPress Website from SQL Injection

This is a widely used technique to manipulate the database. A hacker can manipulate input field data by inserting malicious code, and can then insert, update and delete data in the database.

Protect from SQL Injection

Options +FollowSymLinks
RewriteEngine On
# Reject query strings that carry <script> tags or try to overwrite GLOBALS / _REQUEST
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
# Note: these rules only filter a few query-string patterns; code must still build
# database queries with prepared statements ($wpdb->prepare) to stop SQL injection

Restrict Direct Access to Plugin and Theme PHP files

With the code below, a hacker will get a 404 page when trying to access a plugin or theme PHP file directly.

Restrict Direct Access to Plugin and Theme PHP files

RewriteEngine On
# Replace the two "exclude" paths with any plugin or theme files that must stay directly reachable
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]

Secure the wp-includes Directory

The code below protects the wp-includes folder.

Protect Include-Only files

# Place these rules above the "# BEGIN WordPress" block so WordPress does not overwrite them
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
# On Multisite remove the next rule, otherwise ms-files.php in wp-includes is blocked too
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
