WordPress security tricks to secure Websites

WordPress is the king of open-source CMS. It is effortless to customize and easy to get a Website up and running. As we all know that WordPress has some security vulnerability if we do not follow the security standards.

Chances of getting hacked

A WordPress site gets hacked for many reasons. Following are some reasons with percentage.

  • Hosting 41%
  • Themes 29%
  • Plugins 22%
  • Weak Passwords 8%
About 83% of WordPress sites are hacked for not being updated to the latest WordPress version. There are 30,000 Websites are hacked every day. On Average, one Website is hacked every 5 seconds

Disable execution of PHP code inside wp-content

We can disable the execution of PHP files inside wp-content directory using .htaccess file. We can use the following code to achieve that:

<Files *.php>
deny from all

From WordPress admin disable theme file editor

There are some wp-config settings that help us secure WordPress. The file edit option inside the theme in the admin panel is vulnerable. This file edit has the ability to execute server-side PHP code in it. We can disable is using the following settings:

define( ‘DISALLOW_FILE_EDIT’, true );

Restrict access of wp-config.php file

In the WordPress eco-system, the wp-config file plays a vital role in many settings. Especially the DB settings. We should try to restrict the access of wp-config file. We can do it using .htaccess file. Add the following code inside .htaccess file.

<files wp-config.php>
order allow,deny
deny from all

FORCE_SSL_ADMIN for wp-admin

We should try to force all the requests to use HTTPS to make WordPress more secure. We can force the wp-admin to use HTTPS at the webserver level. The same thing can be achieved using wp-config settings like below:

define(‘FORCE_SSL_ADMIN’, true);

File and directory permission

The file permission needs to be properly set otherwise many damages can happen. If the world has the execute permission to all WordPress files or folders that will be vulnerable.

Following is the correct file and folder permission of the WordPress file system.

For Directories:
find /private/var/www/html/wp/testwp/ -type d -exec chmod 755 {} \;
For Files:
find /private/var/www/html/wp/testwp/ -type f -exec chmod 644 {} \

What are the correct file permissions for WordPress site?

Restricting Database User Privileges

MySQL database user only needs data read and data write privileges to the MySQL database; SELECT, INSERT, UPDATE and DELETE.

Therefore any other database structure and administration privileges, such as DROP, ALTER, and GRANT can be revoked. By revoking such privileges you are also improving the containment policies.