How to Secure WordPress Website from Hackers Free

Are you looking for a quick guide to securing your WordPress website for free, without paid plugins?

Here you go – our WordPress security checklist for your WordPress website, blog, or online store.

WordPress Security Guide

1. Choose Secure WordPress Hosting

A WordPress website on insecure hosting is more likely to be compromised.

So it is important to host on secure web hosting with features like a malware scanner, web application firewall, CloudLinux OS, CageFS account isolation, proactive server monitoring, network firewall, and rebootless secure kernel.

Rank   Hosting       Cheapest Plan   Free Domain   Discount Link
#1     ChemiCloud    $2.95 /month                  Get Started »
#2     HostArmada    $2.49 /month                  Get Started »
#3     A2 Hosting    $1.95 /month                  Get Started »
#4     Hostinger     $2.99 /month                  Get Started »

Learn more about web hosting & find the right hosting provider from these Best Web Hosting providers.

2. Change The Database Table Prefix

We recommend changing the default wp_ database table prefix. Attack scripts that assume the default table names are less effective against a custom prefix; this is defence in depth, not a fix for the underlying injection flaw.

During a manual installation, the prefix can be set in the installer's Table Prefix field.

On an existing WordPress website it can be changed in two ways:

Method 1: Edit the line below in wp-config.php and rename all tables in phpMyAdmin to match the new prefix. Also update the rows whose names embed the prefix, otherwise administrators lose their roles: the option_name wp_user_roles in the options table, and the meta_key values wp_capabilities and wp_user_level in the usermeta table.

Example:

$table_prefix = 'newsite_wp_';

Method 2: If you are uncomfortable with the above method, install the Brozzme DB Prefix & Tools Addons plugin to change the WordPress table prefix easily.

3. Change WordPress Admin Login URL

Brute-force attacks against WordPress are common, and automated tools target the default wp-login.php address. Changing the default URL makes it much harder for them to find your admin login page (this hides the page rather than hardening it, so keep strong admin passwords as well).

The default WordPress admin login URL can be changed by installing the WPS Hide Login plugin.

Go to Plugins >> Add New, search for “WPS Hide Login” and install it. Alternatively, download the plugin from the above URL and use Upload Plugin.

4. Prevent Access To Sensitive Files And Directories

a) Protect sensitive files and directories by adding the lines below at the beginning of the main .htaccess file in the website root directory (for example, public_html)

# Deny Directory Listing
Options -Indexes

# Block Access to Htaccess
# Order/Deny is Apache 2.2 syntax; Apache 2.4 still honours it through mod_access_compat,
# and the native 2.4 equivalent is "Require all denied"
<files .htaccess>
Order allow,deny
Deny from all
</files>

# Block Access to wp-config
<files wp-config.php>
Order allow,deny
Deny from all
</files>

# Block Access to xml-rpc
# Note: this also cuts off Jetpack and other XML-RPC clients such as older publishing apps
<files xmlrpc.php>
Order allow,deny
Deny from all
</files>

b) Block install files by creating a .htaccess file in the wp-admin directory with the below code

# Block Install Files
<files install.php>
Order allow,deny
Deny from all
</files>
<files setup-config.php>
Order allow,deny
Deny from all
</files>

c) Block PHP use in Directories. Create a .htaccess file in wp-content >> uploads, wp-content >> plugins and wp-content >> themes directories with the below code

# Block PHP in Directories
<Files *.php>
deny from all
</Files>

Important: If you have configured LiteSpeed Cache for your WordPress website then also add the below lines in the .htaccess file under wp-content >> plugins directory alone.

<Files "guest.vary.php">
allow from all
</Files>

5. Hide PHP Warnings and Notices

Error reports can reveal website details to attackers, such as the database name, PHP version, and directory paths, which puts your website at risk.

Add the code below to wp-config.php to disable error display for your website. It is PHP code, so it belongs in wp-config.php (as in steps 6 and 7) rather than in .htaccess, where it would break the site.

# Disable Error Reporting
# Keep WP_DEBUG set to false on a live site as well
error_reporting( 0 );
ini_set( 'display_errors', 0 );

6. Disable Admin Panel File Editing

To disable the file editor in the WordPress admin panel, add the following line to wp-config.php below the line /* Add any custom values between this line and the “stop editing” line. */

define( 'DISALLOW_FILE_EDIT', true );

7. Force HTTPS For Sensitive URLs

It is essential to force HTTPS for URLs that carry sensitive information (the login and admin pages) to avoid man-in-the-middle attacks, so that credentials and session cookies travel encrypted between browser and server.

Add the code below to the wp-config.php file, below the line /* Add any custom values between this line and the “stop editing” line. */

// FORCE_SSL_LOGIN is deprecated since WordPress 4.0; FORCE_SSL_ADMIN covers the login page too
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

8. Add HTTP Security Headers

Improve your website security by adding HTTP security headers to the main .htaccess file in the website root directory

# HTTP Security Headers (need mod_headers; the IfModule guard avoids a 500 error if it is absent)
<IfModule mod_headers.c>
# Legacy browser XSS filter; current browsers ignore it, so the CSP below is what matters
Header always set X-Xss-Protection "1; mode=block"
Header always set X-Frame-Options "SAMEORIGIN"
# Starter policy: 'unsafe-inline' and 'unsafe-eval' keep themes working but give little
# protection against injected scripts; tighten it once you know which sources the site needs
Header always set Content-Security-Policy "default-src https: data: 'unsafe-inline' 'unsafe-eval'"
Header always set X-Content-Type-Options "nosniff"
Header set Referrer-Policy "strict-origin-when-cross-origin"
# Only add HSTS once every subdomain is served over HTTPS; browsers remember it for max-age seconds
Header always set Strict-Transport-Security "max-age=31536000; includeSubDomains"
Header unset X-Powered-By
# Replace yourdomain.com with your site; inner quotes must be escaped inside the Apache string
Header set Permissions-Policy "geolocation=(self \"https://yourdomain.com\"), microphone=()"
</IfModule>
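An added check, not from the original post: a small Python audit that takes a site's response headers (here a constructed sample built from the step 8 set, plus a leaked X-Powered-By) and flags headers that are missing or too permissive, including the 'unsafe-inline'/'unsafe-eval' allowances in the starter CSP above. The function names, fetch_headers and the sample values are the example's own.

```python
import re
import urllib.request

# Constructed sample: the header set from step 8 as a server would return it, plus an
# X-Powered-By line to show what "Header unset X-Powered-By" is meant to remove.
SAMPLE_HEADERS = {
    "X-Xss-Protection": "1; mode=block",
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src https: data: 'unsafe-inline' 'unsafe-eval'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Powered-By": "PHP/8.1.2",
}

ONE_YEAR = 31536000

def audit_headers(headers):
    """Return a list of findings for a response-header mapping (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name in ("x-frame-options", "x-content-type-options", "referrer-policy"):
        if name not in h:
            findings.append(f"missing {name}")
    csp = h.get("content-security-policy")
    if csp is None:
        findings.append("missing content-security-policy")
    else:
        for weak in ("'unsafe-inline'", "'unsafe-eval'"):
            if weak in csp:
                findings.append(f"csp allows {weak}: little protection against injected scripts")
    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing strict-transport-security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < ONE_YEAR:
            findings.append("hsts max-age below one year")
    if "x-powered-by" in h:
        findings.append("x-powered-by reveals the PHP version: unset it")
    if h.get("x-xss-protection", "").startswith("1"):
        findings.append("x-xss-protection is deprecated and ignored by current browsers")
    return findings

def fetch_headers(url):
    """Fetch live response headers with a HEAD request (needs network; the sample above does not)."""
    req = urllib.request.Request(url, method="HEAD")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return dict(resp.headers.items())
```

Run audit_headers(fetch_headers("https://yourdomain.com/")) against the live site after editing .htaccess; an empty list means every header in the checklist is present and none of the flagged weaknesses remain.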

9. Allow POST Requests Only From Authorized Sources

Prevent unauthorized remote POST submissions to your website by adding the following code to the main .htaccess file in the website root directory

## Allow POST Requests Only from Authorized URLs
## The Referer header is supplied by the client, so this filters careless spam bots rather
## than a deliberate attacker. Requests that carry no Referer at all (WP-Cron's self-request,
## webhook callbacks, some API clients) are blocked too: test the site after adding it.
<IfModule mod_rewrite.c>
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{HTTP_REFERER} !(.*)yourdomain\.com(.*) [NC]
## Uncomment below Line if you have Integrated Payment Gateway
#RewriteCond %{HTTP_REFERER} !(.*)paymentgatewaydomain\.com(.*) [NC]
## Uncomment below Line if you have Configured Cloudflare
#RewriteCond %{HTTP_REFERER} !(.*)cloudflare\.com(.*) [NC]
## Uncomment below Line if you have Configured Quic.Cloud
#RewriteCond %{HTTP_REFERER} !(.*)quic\.cloud(.*) [NC]
RewriteRule .* - [F,L]
</IfModule>

Note: Add this code at the end of the .htaccess file. If you have trouble obtaining a QUIC.cloud domain key after adding it, skip this WordPress security step.

10. Hide WordPress Version

Hiding the WordPress version from the page source is strongly suggested, so that attackers cannot as easily pick known vulnerabilities for your exact version and try them against your site.

The WordPress version can be hidden from the page source by adding the code below to your theme's functions.php file

// Remove WordPress Version from View Source
// Empties the <meta name="generator"> tag and the generator element in feeds
function wpversion_remove_version() {
  return '';
}
add_filter('the_generator', 'wpversion_remove_version');

Alternatively, you can use the Code Snippets plugin to do this instead of editing the functions.php file
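Added example, not part of the original post: a Python check run over a constructed page source that shows what the the_generator filter hides and what it does not, since core assets under /wp-includes/ still expose the version through their ?ver= query string. The sample HTML, regexes and function names are the example's own.

```python
import re

# Constructed sample of page source. Step 10's filter removes only the <meta> generator tag;
# core assets enqueued without their own version still carry ?ver=<WordPress version>.
SAMPLE_HTML = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 6.4.3" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dist/block-library/style.min.css?ver=6.4.3" />
<script src="https://example.com/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="https://example.com/wp-includes/js/dist/hooks.min.js?ver=6.4.3"></script>
</head><body></body></html>"""

GENERATOR_RE = re.compile(r'<meta\s+name="generator"\s+content="WordPress\s+([\d.]+)', re.I)
GENERATOR_TAG_RE = re.compile(r'<meta\s+name="generator"[^>]*>\s*', re.I)
CORE_ASSET_RE = re.compile(r'/wp-includes/[^"\'\s]+?\?ver=([\d.]+)', re.I)

def find_version_leaks(html):
    """Return {"generator": version or None, "asset_versions": {ver: count}}.

    The ?ver value repeated across many /wp-includes/ assets is the core version;
    bundled libraries (jQuery in the sample) carry their own version numbers.
    """
    m = GENERATOR_RE.search(html)
    counts = {}
    for ver in CORE_ASSET_RE.findall(html):
        counts[ver] = counts.get(ver, 0) + 1
    return {"generator": m.group(1) if m else None, "asset_versions": counts}

def likely_core_version(leaks):
    """Best guess of the core version from a leaks report, or None if nothing is exposed."""
    if leaks["generator"]:
        return leaks["generator"]
    if leaks["asset_versions"]:
        return max(leaks["asset_versions"], key=leaks["asset_versions"].get)
    return None

def strip_generator(html):
    """Simulate the effect of step 10's the_generator filter on the page source."""
    return GENERATOR_TAG_RE.sub("", html)

if __name__ == "__main__":
    before = find_version_leaks(SAMPLE_HTML)
    after = find_version_leaks(strip_generator(SAMPLE_HTML))
    print("before filter:", likely_core_version(before), before)
    print("after filter: ", likely_core_version(after), after)
```

To remove the version from core asset URLs as well, filter script_loader_src and style_loader_src in addition to the_generator; readme.html (step 16) states the version too.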

11. Disable REST API

Add this snippet to the Code Snippets plugin to restrict the REST API to logged-in administrators

/* Show REST API only for Admins */
/* Note: front-end features that call the REST API anonymously (some contact-form plugins
   submit through it) will stop working; test them after enabling this snippet. */
add_filter( 'rest_authentication_errors', function( $result ) {
  // An earlier check already produced a result (true or a WP_Error); keep it.
  if ( ! empty( $result ) ) {
    return $result;
  }
  if ( ! is_user_logged_in() ) {
    return new WP_Error( 'rest_not_logged_in', 'You are not currently logged in.', array( 'status' => 401 ) );
  }
  // manage_options is the capability that only administrators hold by default.
  if ( ! current_user_can( 'manage_options' ) ) {
    return new WP_Error( 'rest_not_admin', 'You are not an administrator.', array( 'status' => 403 ) );
  }
  return $result;
});

12. Turn On Auto Updates For WordPress

Keeping your WordPress website up to date is important: most hacked WordPress sites run a WordPress version with known vulnerabilities, or outdated plugins or themes.

To enable auto updates for WordPress core, add the line below to wp-config.php (it is a PHP define like those in steps 6 and 7, so it cannot go in .htaccess)

define( 'WP_AUTO_UPDATE_CORE', true );

To enable Auto Updates for WordPress Plugins and themes add the below code in the functions.php file of your theme or use the Code Snippets plugin

// Enable Auto Updates for Plugins and Themes
add_filter('auto_update_plugin', '__return_true' );
add_filter('auto_update_theme', '__return_true' );

13. Use Only Themes And Plugins From Trusted Providers

About 60% of WordPress website hacks are due to the use of vulnerable themes and plugins. So it is highly recommended to use themes and plugins only from official and reputable websites. You can check the reputation of a website with factors like reviews, comments, downloads, last updates, etc.

14. Enable Captcha For Forms

If your Website forms are not protected with Captcha then it is vulnerable to automated spam submissions which may lead to the suspension of your hosting account as most web hosting providers nowadays have enforced strict policies on spam in any form. You can use Google reCAPTCHA with WPForms and ContactForm7 to enable captcha protection for your Web forms.

15. Disable Trackbacks & Pingbacks

Disable trackbacks and pingbacks feature and avoid spammers from getting a backlink from your WordPress website. To disable this, navigate to Settings >> Discussion and Uncheck the option “Allow link notifications from other blogs (pingbacks and trackbacks)”. This will disable trackbacks and pingbacks for the entire site.

16. Delete The Readme.html File

It is not that important, but we do recommend deleting readme.html from the website’s root directory, since it states the installed WordPress version.
