Security Methods for WordPress, Prevent Hacking your Website (Part 2)

Security Methods for WordPress, Prevent Hacking your Website (Part 2)
Last updated on

In part 2 of series “Security methods for WordPress, prevent hacking your website” (20 WP security tips), we will continue with 10 security methods. They will help you prevent hacking website (avoid being attacked) or losing control of the website.

If you don’t know how to do or encounter difficulties or get some problems when processing don’t hesitate to contact us for help.

Explore more: Security Methods for WordPress, Prevent Hacking your Website (Part 1)

11. Two-Factor Authentication for your website

Nowadays two factor authentication is widely applied for such primary accounts as Google, Facebook or bank account. Are you looking for a way to secure your WordPress login page with two-factor authentication method?

Once setting two-factor authentication for WordPress, though your password is hacked by the hacker, it is still a challenge to log in because it requires your mobile phone to go through one more layer of authentication.

You can set the two factor authentication for your website with the plugin: Google Authenticator

12. Using SSL

HTTPS Website - Oh I Will Blog

When your website uses SSL (https) then all of your data will be encoded before being transferred through Internet (safe data when being transferred from server to user’s browsers). This data format after being encoded becomes safer, since nobody else can use it except for us.

Furthermore using SSL also helps your website SEO better, helping you ran higher on Google keyword searches.

There are many hosting providers providing free SSL at the moment. We can install and use SSL after a few simple steps.

13. Don’t use null Theme and Plugin (Themes, Plugins premium that are shared online)

Null products that we are mentioning are paid products such as paid plugins or paid themes, which are publicly and widely shared and the websites specializing in sharing WordPress Themes and Plugins.

It is important to know that using shared paid produces like that seriously violates copyright and also directly leads to malicious codes. The majority of null themes, plugins on the internet have malicious codes and they can illegal exploit your hosting resources, add hidden blacklink or even worse,your website is down.

You can buy WordPress Themes and Plugins from MyThemShop, it’s very reliable and too cheap.

14. Turn off File Editing function

As you know, for WordPress, you can directly edit files when you log in your administration panel. Despite being convenient, it can cause damages. You can cause errors when editing and cannot backup what you have done.

If hackers gain the rights to access you administration panel, the first thing they think of is File Editors in order to interfere website’s files. You should entirely turn off this function after installation to secure your WordPress files more. It can be turned off by editing wp-config.php by adding the following command:

define('DISALLOW_FILE_EDIT', true);

15. Disable directory browsing with .htaccess

Disable directory browsing with htaccess

For example if you want to display the plugins you installed you can check out by going to:   in your browser. Thus makes it easy for website to have information easily revealed and gotten attacked.

You can prevent this by adding the following code to .htaccess file:

Options All –Indexes

16. Remove WordPress version

Delete WordPress version info

Certainly finding out what WordPress version you are using helps hackers to find the weaknesses more easily and they have more time to learn how to attack. When we delete the WordPress version we’re using it would be different the spoilers. They don’t know what version of WordPress you’re using, which causes more difficulties for them to attack.

In order to do this, you can add the following code to functions.php file as following:

remove_action('wp_head', 'wp_generator');

17. Disable XML-RPC

Since 3.5 version XML-RPC function is defaultly activated to help connect your WordPress with mobile applications specifically for WordPress. For example, to post an article from a far distance.

However, hackers can take advantage of XML-RPC to execute attacks via brute-force to continuously log in the admin panel.

This is the reason why shouldn’t use XML-RPC. Deactivate it to make it safer.

To do this, we can add this code to .htaccess file:

<Files xmlrpc.php>
order deny,allow
deny from all

Or you can add this code to the file of functions.php

add_filter('xmlrpc_enabled', '__return_false');

18. Use secured plugins like Sucuri Security or iThemes Security

Sucuri Security is created by, which is one of the top website security companies in the world. Sucuri Security is perfect for paid customers and is considered good for free customers. If your budget is low then the free version already secures your website very well.

Seucri Security plugin

With Sucuri Security you can use security functions:

  • Failed Login Password Collector: collect data of failed logins
  • User Comment Monitor: collect comment data, prevent spamming comments
  • Audit Log Statistics: collect data of file editing history
  • Firewall

With Ithemes Security you can set up security:

  • Write to File: This option allows other plugins automatically add content to wp-config.php and .htaccess, you are recommended to choose it to install other functions of  iThemes Security or auto cache plugins.
  • Notification Email: your email address receives notifications concerning iThemes Security, you can add various emails separated by a line
  • Host Lockout Message: a message to notify errors for failure of logins due to IP lock
  • Log Type: record activity log of plugin. It is recommended to choose Database Only.
  • Allow Data Tracking: allowing iThemes to collect your usage datas to be analysed

19. Update Operating System, Browsers, FTP Client you are using

This is not noticed by many people. Securing your website starts by guaranteeing the safety of your computer.

If your computer, browser, FTP Client you’re using to access server, hosting or admin panel are not updated (or Operating System (OS) doesn’t contain good Antivirus software) then they are likely to be affected by virus, malware or vulnerability. Your computer or website can be attacked for information or other purposes.

Therefore, the most important is to follow the very primary security principles

  • Constantly update OS, browsers, FTP Client…
  • Install antivirus software on your computer and usually scanning.
  • Don’t log in your website via public WiFi or computer.

20. Back up your website often

This doesn’t lower the possibility of WordPress being attacked but instead it helps lower the damaging degree after the attack. If you backup your data often then after being attacked and losing database you can still restore the website by restoring the backup data.

Furthermore, this method helps you restore your blog after editing your database.

You can make use of such plugins as WP Complete Backup, BackupBuddy to back up your website.


Post a Comment

Please keep in mind that all comments are read and moderation.
Your email address WILL NOT be published. Please DO NOT use keywords in the Real Name field. Thank you !

Get $100 Free from Vultr to accelerate your website and application Register a Domain Name on Namesilo