6 Advanced WordPress Security Tips Which No-one Will Tell You - Updated 2020
Like any other website, a site built on WordPress needs constant security checks and hardening. From a freshly installed WP site to a long-running one, anyone can become the victim of a security breach or a hacking attempt.
In this post, we'll dive into some advanced WordPress security tips and discuss WordPress security plugins that can help you secure your website and protect it from hackers.
Before we get into the more advanced stuff, let's cover some essential basic security tips for WordPress beginners. Think of this as your foundation.
Basic WordPress Security Tips to Implement for Beginners
It all starts the moment you download WordPress from WordPress.org.
Everyone knows the default values and elements of WordPress, and some might try to exploit them in different ways to gain access to your website.
Basic Steps of WordPress Security
While submitting entries on the second and third screens of the WordPress installation, avoid using "wp_" as the table prefix and "admin" as the username (admin login credential).
NOTE: If you already have "wp_" as your table prefix, you can change it by following the instructions here.
After setting up your whole website, it's recommended to regularly update the core and plugins and take regular backups.
- To enable automatic core and plugin updates, open wp-config.php and add this line:
define( 'AUTOMATIC_UPDATER_DISABLED', false );
This line re-enables automatic updates if they were previously disabled.
- It's not always mandatory to enable auto-updating of core, themes, and plugins. Often, developers tweak themes and plugins to achieve a desired look and functionality. You can find instructions here to modify the auto-update behaviour for your website.
- To enable automatic backups, browse the WordPress plugin directory and choose a backup plugin.
Hide your WordPress admin URL and other default URLs. This can help deter automated registrations and some login attempts, making it harder for bots to scan and target your site. You can read more about changing your WordPress login URL here.
Limit login attempts to stop brute-force attacks. Download a plugin like "WP Limit Login Attempts" here. Once installed, you'll typically find settings within the plugin's dashboard to configure the number of failed attempts before a lockout, the lockout duration, and sometimes whitelisting options for specific IP addresses.
To get protection from DDoS attacks, bad bots, spam, SQL injections, etc., a firewall is a must. Cloudflare (Freemium) and Sucuri are companies that provide this firewall solution along with other benefits.
Advanced WordPress Security Tips
After covering the basics of WordPress security, most owners feel a sense of safety. Unfortunately, that feeling is often just a thin veil between their perception and the bitter truth.
Hackers know their way around things and how to execute exploits to take over websites, perform unauthorized actions, or even take them down.
Before we move forward, I want to highlight the WPScan Vulnerability Database and WPScans. These are great resources for learning about the latest WordPress vulnerabilities and scanning your WordPress website for any weaknesses. Definitely check them out!
Now, let's discuss some advanced security tips for your WordPress website to make it more secure.
1. Remove WordPress Version from Website
WordPress leaves footprints in the pages it generates, and among them is the version of WordPress your website is running on, which ends up publicly visible.
Upon visiting wpvulndb.com, you'll see a list of vulnerabilities along with WordPress version numbers.
If you haven't updated your WordPress or have been waiting for the newest update, you can easily become a victim of script kiddies and automated tools programmed to search for and exploit specific WordPress versions.
The WordPress version number appears in three main areas of your website:
- Generator Meta Tag in Header
<meta name="generator" content="WordPress 4.7.1" />
- In the query string of stylesheets and scripts. If a stylesheet or script doesn't specify a version number when enqueued, the current version of WordPress is used instead.
custom.min.css?ver=4.7.1
- In RSS Feeds (Generator Tags)
<generator>http://WordPress.org/?v=4.7.1</generator>
To remove the WordPress version from these areas, add this code to your functions.php file. You can add it at the end of the file, just before the closing ?> tag if it exists, or simply at the very end.
<?php
// Remove the WordPress version from the generator meta tag in the header
remove_action( 'wp_head', 'wp_generator' );

// Strip the ?ver= query string from enqueued scripts and styles
function remove_wp_version_strings( $src ) {
    // strpos() returns false when 'ver=' is absent; compare strictly so a match at offset 0 is not lost
    if ( strpos( $src, 'ver=' ) !== false ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'remove_wp_version_strings' );
add_filter( 'style_loader_src', 'remove_wp_version_strings' );
?>
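To verify that the version really is gone after applying the snippet, here is a small checker, added for this article and not part of the original post, that scans a page's HTML and its RSS feed for the three locations listed above. The sample HTML and feed below are constructed to look like a default install before and after the fix. Note that the feed's <generator> tag is emitted separately from the wp_head action, so it is worth checking the feed output on its own.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse


class _PageScanner(HTMLParser):
    """Collects the generator meta tag and every script/stylesheet URL on a page."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.asset_urls = []

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        elif tag == "script" and a.get("src"):
            self.asset_urls.append(a["src"])
        elif tag == "link" and "stylesheet" in a.get("rel", "").lower() and a.get("href"):
            self.asset_urls.append(a["href"])


def find_version_leaks(html, feed_xml=""):
    """Return (location, evidence) pairs for each place a version number is exposed:
    the generator meta tag, ?ver= query strings on assets, and the feed's <generator> tag."""
    leaks = []
    scanner = _PageScanner()
    scanner.feed(html)
    if scanner.generator and "wordpress" in scanner.generator.lower():
        leaks.append(("generator meta tag", scanner.generator))
    for url in scanner.asset_urls:
        for ver in parse_qs(urlparse(url).query).get("ver", []):
            # A ver= value may be a plugin's own version rather than core's;
            # report it anyway so the reviewer can decide.
            filename = url.split("?")[0].rsplit("/", 1)[-1]
            leaks.append(("asset query string", filename + "?ver=" + ver))
    m = re.search(r"<generator>([^<]*)</generator>", feed_xml, re.I)
    if m and "wordpress.org" in m.group(1).lower():
        leaks.append(("feed generator tag", m.group(1)))
    return leaks


# Constructed sample pages: what a default install emits, and the same page after the fix.
HTML_BEFORE = """<html><head>
<meta name="generator" content="WordPress 4.7.1" />
<link rel="stylesheet" href="https://example.test/wp-content/themes/demo/custom.min.css?ver=4.7.1" />
<script src="https://example.test/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body></body></html>"""
FEED_BEFORE = "<rss><channel><generator>http://WordPress.org/?v=4.7.1</generator></channel></rss>"

HTML_AFTER = """<html><head>
<link rel="stylesheet" href="https://example.test/wp-content/themes/demo/custom.min.css" />
<script src="https://example.test/wp-includes/js/jquery/jquery.js"></script>
</head><body></body></html>"""
FEED_AFTER = "<rss><channel></channel></rss>"

if __name__ == "__main__":
    print("before:", find_version_leaks(HTML_BEFORE, FEED_BEFORE))
    print("after: ", find_version_leaks(HTML_AFTER, FEED_AFTER))
```

Run it against the HTML of your home page and the output of /feed/; an empty list for both means nothing is leaking. The jQuery entry in the "before" sample shows why every ver= value is reported: a reviewer has to decide whether it is the core version or a library's own.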
2. Limit XML-RPC Functionality
XML-RPC has been abused to launch DDoS attacks. Read more about this vulnerability here.
What is XML-RPC?
XML-RPC on WordPress is essentially an API. It allows developers and other services to communicate with your WordPress site.
The XML-RPC API that WordPress provides gives developers a way to build applications that can do many of the things you can do while logged into WordPress via the web interface.
Here is a full list of the WordPress API functions available to developers via XML-RPC.
You can disable XML-RPC by installing the "Disable XML-RPC" plugin or by adding these entries to your .htaccess file.
Disable XML-RPC using .htaccess.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Practically, it's not always worth disabling this functionality entirely. Commonly, this functionality is used by Jetpack, tracking pingbacks, the WordPress mobile app, and IFTTT. Disabling XML-RPC can hamper their functionality.
So, it's recommended to be selective about allowing and disallowing rather than disabling it completely.
You can selectively disable and enable XML-RPC for specific services using .htaccess or by using plugins.
Optionally Enable XML-RPC using .htaccess
# Allow specific WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
# Replace with the IP address of the service you want to allow
allow from xxx.xxx.xxx.xxx
</Files>
To Disable XML-RPC from a Plugin
To disable this service from within a plugin (or your theme's functions.php), add this line to its code:
add_filter('xmlrpc_enabled', '__return_false');
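Before choosing between blocking xmlrpc.php outright and allowlisting a few services, it helps to know who is actually calling it. The script below is an added example written for this article, not part of the post or of any plugin: it reads access-log lines, counts POSTs to xmlrpc.php per client, and flags clients whose volume crosses a threshold unless they sit in a network you have allowlisted (the same idea as the "allow from" line above). The log lines and the 192.0.2.0/24 "known service" range are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Apache/nginx "combined"-style access log line: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def xmlrpc_report(log_lines, allowed_networks=(), threshold=20):
    """Count POSTs to xmlrpc.php per client and flag clients at or above the threshold
    that are not inside an allowlisted network (the services you intend to keep)."""
    allowed = [ip_network(n) for n in allowed_networks]
    per_client = Counter()
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m or m.group("method") != "POST":
            continue
        if m.group("path").split("?")[0].endswith("/xmlrpc.php"):
            per_client[m.group("ip")] += 1
    suspicious = {
        ip: n
        for ip, n in per_client.items()
        if n >= threshold and not any(ip_address(ip) in net for net in allowed)
    }
    return {"per_client": dict(per_client), "suspicious": suspicious}


def _line(ip, method, path, status="200"):
    """Build one constructed log line in combined format."""
    return f'{ip} - - [10/Oct/2020:13:55:36 +0000] "{method} {path} HTTP/1.1" {status} 412'


# Constructed sample log (TEST-NET addresses): a burst from one unknown client,
# steady traffic from a known service inside 192.0.2.0/24, and unrelated requests.
SAMPLE_LOG = (
    [_line("203.0.113.7", "POST", "/xmlrpc.php") for _ in range(25)]
    + [_line("192.0.2.10", "POST", "/xmlrpc.php") for _ in range(30)]
    + [_line("198.51.100.4", "GET", "/index.php"),
       _line("198.51.100.4", "GET", "/xmlrpc.php", "405")]
)

if __name__ == "__main__":
    print(xmlrpc_report(SAMPLE_LOG, allowed_networks=["192.0.2.0/24"]))
```

Feed it your real log (one line per list element) and the real address ranges of the services you use; the addresses that remain in "suspicious" are the ones the deny rule should be catching, and any service that shows up there needs its range added to the allowlist rather than being blocked.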
3. Use WordPress Security Keys
Some of you might have seen these before, but with different values. They are the WordPress security keys and salts, found in the wp-config.php file.
They are a set of random strings that strengthen the protection of the information stored in a user's cookies while they are on a WordPress website.
These security keys complicate password cracking attempts, which increases your WordPress website's security.
To use these keys on your WordPress installation or change the default key set, generate a random set of keys online by visiting here. It's recommended to use WordPress's random salt key generator and avoid creating your own.
Go to your wp-config.php file, search for "AUTH_KEY" and replace the values with the newly generated key set. You can generate another set by refreshing the page.
NOTE: If your website was previously hacked and restored, or you're experiencing something fishy with your WordPress site, it's recommended to change your WordPress salt keys. This helps invalidate any potential lingering access or compromised credentials.
4. Disallow File Editing
If a user has admin access to your dashboard, they can edit any file that's part of the WordPress installation, including plugins and themes.
Disabling the built-in editor for plugins and themes therefore stops anyone who gains admin access without authorization (hackers) from modifying theme and plugin files through the dashboard.
Disabling Editing of Theme and Plugin Files in WordPress
Add the following code to your wp-config.php file.
define('DISALLOW_FILE_EDIT', true);
NOTE:
- Place this code at the end of the wp-config.php file.
- Disallow file editing once the site is complete and doesn't require any further modifications to themes and plugins. Leaving the editor enabled during development allows for quick edits, but it's a security risk once the site is stable.
5. Block Malicious URL Requests
This is a very popular hacking method: requesting URLs whose parameters are passed straight into database queries or code. Strings such as CONCAT, base64 and eval(" in a request can reveal sensitive information that is then used to gain access to, or extract data from, the website.
To block these types of URL requests, use the "BBQ: Block Bad Queries" plugin. It checks all incoming traffic and quietly blocks bad requests. The plugin is generally configured out-of-the-box to block common malicious patterns. You can find it here. While it blocks many common threats, for more granular control or to define custom block rules, you might need to explore its settings or consider more advanced firewall solutions.
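To see what a bad-query filter does before trusting a plugin's default rules, here is an added example for this article, not the BBQ plugin's code or rule set: it percent-decodes the path and query of each request (twice, so double-encoded input is inspected in its final form), matches the strings the post names (CONCAT, eval, base64 decoding) and splits a batch of requests into allowed and blocked. The sample requests are constructed.

```python
import re
from urllib.parse import unquote_plus, urlsplit

# Detection rules for the request strings the post names (CONCAT, base64, eval);
# constructed for this example, not the BBQ plugin's own rule set.
BAD_QUERY_RULES = [
    ("sql-concat", re.compile(r"\bconcat\s*\(", re.I)),
    ("php-eval", re.compile(r"\beval\s*\(", re.I)),
    ("base64-decode", re.compile(r"\bbase64_(?:en|de)code\s*\(", re.I)),
]


def decode_request(url, rounds=2):
    """Return the path and query of a request URL, percent-decoded `rounds` times
    so that double-encoded input is inspected in its final form."""
    parts = urlsplit(url)
    text = parts.path + ("?" + parts.query if parts.query else "")
    for _ in range(rounds):
        text = unquote_plus(text)
    return text


def classify_request(url):
    """Names of the rules matching a request URL; an empty list means it looks benign."""
    text = decode_request(url)
    return [name for name, rule in BAD_QUERY_RULES if rule.search(text)]


def filter_requests(urls):
    """Split a batch of request URLs into (allowed, blocked), as a blocking filter would."""
    allowed, blocked = [], []
    for url in urls:
        hits = classify_request(url)
        (blocked if hits else allowed).append((url, hits))
    return allowed, blocked


# Constructed sample requests: normal traffic plus the kinds of strings the post describes.
SAMPLE_REQUESTS = [
    "/?s=hello+world",
    "/wp-content/themes/demo/style.css?ver=4.7.1",
    "/?p=1&x=%2543ONCAT%28",          # double-encoded "CONCAT("
    "/index.php?cb=eval%28",
    "/?img=base64_decode%28",
]

if __name__ == "__main__":
    allowed, blocked = filter_requests(SAMPLE_REQUESTS)
    for url, _ in allowed:
        print("allow", url)
    for url, hits in blocked:
        print("block", url, hits)
```

The rules require the opening parenthesis rather than the bare word, so a visitor searching for "base64 tutorial" is not blocked; even so, run any custom rule set over a day of real logs first and look at what it would have blocked, because search and comment parameters are where such filters produce false positives.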
6. Hide/Protect wp-config.php and .htaccess
Hiding/protecting these files serves one specific goal: preventing unauthorized access to the wp-config.php and .htaccess files.
If anyone has remote access to these files, they can turn off security and compromise the website.
To access and edit these files, you'll typically need to use an FTP client (like FileZilla) or your web hosting provider's file manager. Navigate to your WordPress installation's root directory.
Protecting/Hiding wp-config.php in WordPress
Add this code to your .htaccess file to block unauthorized access to the wp-config.php file.
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Protecting/Hiding .htaccess in WordPress
Similarly, this code can be used to block unauthorized access to the .htaccess file.
<Files .htaccess>
order allow,deny
deny from all
</Files>
I hope this article upgrades your knowledge about advanced WordPress security tips and will help you in further securing your WordPress website.