6 Advanced WordPress Security Tips Which No-one Will Tell You - Updated 2020

Some advanced WordPress security tips and security plugins which can help you secure your website against security breaches and hacking attempts.

Kartik Jhakal
July 01, 2020
6 min read


Like any other website, a site built on WordPress needs constant security checks and hardening. From a newly set up WP site to a long-running one, any site can become the victim of a security breach or hacking attempt.

In this post we will discuss and apply some advanced WordPress security tips and WordPress security plugins which can help you secure your website and protect it from hackers.

Before moving on to the second level of securing a WordPress website, let us first take an overview of the basic security tips that every WordPress beginner should implement.

Consider it a basic guide to WordPress security and follow it as described.

Basic WordPress security tips to implement for beginners

It begins the moment you download WordPress from the .org domain of WordPress (wordpress.org).

Everyone knows the default values and elements of a WordPress installation, and attackers try to exploit them in different ways to gain access to the website.

Basic steps of WordPress Security

1- While filling in the second and third screens of the WordPress installer, avoid using "wp_" as the table prefix and "admin" as the username (the admin login credential).

NOTE: If you already have "wp_" as the table prefix, you can change it by following the instructions here.

2- After setting up the whole website, regularly update core and plugins and take regular backups.

  • To enable automatic core and plugin updates, open wp-config.php and add the constant that enables automatic updates.
  • It is not mandatory to enable auto-updating of core, themes and plugins. Developers often tweak themes and plugins to achieve the desired look and functionality, and an automatic update would overwrite those changes. See these instructions to modify the auto-update settings for your website.
  • To enable automatic backups, go through the WordPress plugin directory and choose a backup plugin.
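The selective approach described in the bullets above, as an added example that is not part of the original article: a must-use plugin (wp-content/mu-plugins/) that leaves WordPress's own update machinery in place but only lets plugins and themes on an allowlist update themselves, so a customised theme or plugin is held back for manual review. The WP_AUTO_UPDATE_CORE constant and the auto_update_plugin / auto_update_theme filters are real WordPress settings; the allowlist contents and the s9_ function names are constructed for the example.

```php
<?php
/**
 * Plugin Name: Selective automatic updates (added example)
 *
 * Added example, not the article's code. Place this file in
 * wp-content/mu-plugins/ so it loads before ordinary plugins.
 *
 * Core updates are switched on separately in wp-config.php with:
 *     define( 'WP_AUTO_UPDATE_CORE', true );
 *
 * Do NOT define DISALLOW_FILE_MODS in wp-config.php if you rely on this:
 * that constant disables automatic updates as well as the dashboard installers.
 */

// Constructed sample allowlist: replace with the slugs of plugins and themes
// you have not modified by hand. 'akismet' and 'twentytwenty' are real slugs
// used here only as illustration.
const S9_AUTO_UPDATE_PLUGINS = [ 'akismet' ];
const S9_AUTO_UPDATE_THEMES  = [ 'twentytwenty' ];

/**
 * Decide whether a plugin may auto-update.
 *
 * @param bool|null $update WordPress's own decision so far (ignored here).
 * @param object    $item   Update object; plugin objects carry ->slug.
 */
function s9_auto_update_plugin( $update, $item ): bool {
    $slug = $item->slug ?? '';
    return in_array( $slug, S9_AUTO_UPDATE_PLUGINS, true );
}
add_filter( 'auto_update_plugin', 's9_auto_update_plugin', 10, 2 );

/**
 * Decide whether a theme may auto-update.
 *
 * @param bool|null $update WordPress's own decision so far (ignored here).
 * @param object    $item   Update object; theme objects carry ->theme (the slug).
 */
function s9_auto_update_theme( $update, $item ): bool {
    $slug = $item->theme ?? '';
    return in_array( $slug, S9_AUTO_UPDATE_THEMES, true );
}
add_filter( 'auto_update_theme', 's9_auto_update_theme', 10, 2 );
```

Everything not on the allowlist still shows up in the dashboard as an available update, so you keep the backups-first, test-then-update routine for the pieces you have customised while the untouched ones patch themselves.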

3- Hide the WordPress admin URL and other default URLs so that automated registrations and login attempts are disarmed. Read more here.

4- Limit login attempts to stop brute-force attacks. Download the plugin here.

5- To protect against DDoS attacks, bad bots, spam, SQL injection etc., a firewall is a must. Cloudflare (freemium) and Sucuri are companies providing this firewall solution along with other benefits.

Advanced WordPress Security Tips

After covering the basics of WordPress security, most owners gain a sense of security, which unfortunately is a cloud between their perception and the bitter truth.

Hackers know their way around these measures and how to exploit what is left to take over websites, perform unauthorized actions, or even take them down.

Before proceeding with this topic, I would like to shed light on the WPScan Vulnerability Database and WPScans, which are great resources for learning about the latest WordPress vulnerabilities and for scanning your own WordPress website for them. Do try them!

Now let us discuss some advanced security tips for your WordPress website to make it more secure.

1. Remove WordPress version from website

A WordPress website can be fingerprinted with the help of footprints the software leaves in the pages it generates. Among them is the version of WordPress your website is currently running, and it is publicly readable by anyone.

Upon visiting wpvulndb.com you will see a list of vulnerabilities along with the WordPress version numbers they affect.

If you haven't updated WordPress, or are waiting for the newest update, you can easily become the victim of script kiddies and automated tools which are programmed to search for and exploit specific WordPress versions.

The WordPress version number appears in three main areas of a website:

  • In the generator meta tag in the header:

    <meta name="generator" content="WordPress 4.7.1" />

  • On stylesheets and scripts, in the form of a ?ver= query string. If a stylesheet or script doesn't specify a version number when enqueued, the current version of WordPress is used instead.

  • In RSS feeds (generator tags).
To remove the WordPress version from the above three areas, add this code to your theme's functions.php file:

    /**
     * Hide WP version strings from scripts and styles
     * @return {string} $src
     * @filter script_loader_src
     * @filter style_loader_src
     */
    function social9_remove_wp_version_strings( $src ) {
        global $wp_version;
        // parse_url() returns null when there is no query string; cast it so
        // parse_str() always receives a string.
        parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
        // Only strip ?ver= when it is the WordPress version; plugin and theme
        // asset versions are left alone so browser caching keeps working.
        if ( ! empty( $query['ver'] ) && $query['ver'] === $wp_version ) {
            $src = remove_query_arg( 'ver', $src );
        }
        return $src;
    }
    add_filter( 'script_loader_src', 'social9_remove_wp_version_strings' );
    add_filter( 'style_loader_src', 'social9_remove_wp_version_strings' );

    /* Hide WP version strings from the generator meta tag (and the feed generator tag, which uses the same filter) */
    function s9bg_remove_version() {
        return '';
    }
    add_filter( 'the_generator', 's9bg_remove_version' );
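To confirm the filters actually work, here is an added example (not code from the article) of a small checker you can run over the HTML of your own site and its feed after deploying the functions.php code. It looks for the three footprints listed above and reports only ?ver= values that equal the WordPress version you pass in, so plugin and theme asset versions are not mistaken for a leak. The sample HTML and the find_wp_version_leaks() function name are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added example, not the article's code: scan page/feed markup for the three
// WordPress version footprints and report which of them still leak.

/**
 * Find WordPress version footprints in $html.
 * Returns a list of [ 'where' => string, 'version' => string ] entries.
 */
function find_wp_version_leaks( string $html, string $wp_version ): array {
    $leaks = [];

    // 1. <meta name="generator" content="WordPress x.y.z" />
    if ( preg_match_all( '/<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)["\']/i', $html, $m ) ) {
        foreach ( $m[1] as $version ) {
            $leaks[] = [ 'where' => 'generator meta tag', 'version' => $version ];
        }
    }

    // 2. ?ver= on enqueued stylesheets and scripts, parsed the same way the
    //    functions.php filter does, so only the WordPress version is flagged.
    if ( preg_match_all( '/<(?:link|script)\b[^>]*?\b(?:href|src)=["\']([^"\']+)["\']/i', $html, $m ) ) {
        foreach ( $m[1] as $url ) {
            parse_str( (string) parse_url( html_entity_decode( $url ), PHP_URL_QUERY ), $query );
            if ( isset( $query['ver'] ) && $query['ver'] === $wp_version ) {
                $leaks[] = [ 'where' => 'asset ' . $url, 'version' => $query['ver'] ];
            }
        }
    }

    // 3. <generator>https://wordpress.org/?v=x.y.z</generator> in RSS/Atom feeds
    if ( preg_match_all( '#<generator>\s*https?://wordpress\.org/\?v=([\d.]+)\s*</generator>#i', $html, $m ) ) {
        foreach ( $m[1] as $version ) {
            $leaks[] = [ 'where' => 'feed generator tag', 'version' => $version ];
        }
    }

    return $leaks;
}

// Constructed sample: page head and feed generator tag combined into one
// string, first as WordPress emits them, then as they look after the filters.
$before = <<<'HTML'
<head>
<meta name="generator" content="WordPress 4.7.1" />
<link rel="stylesheet" href="https://example.com/wp-content/themes/demo/style.css?ver=4.7.1" />
<script src="https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head>
<generator>https://wordpress.org/?v=4.7.1</generator>
HTML;

$after = str_replace(
    [ '<meta name="generator" content="WordPress 4.7.1" />', '?ver=4.7.1', '<generator>https://wordpress.org/?v=4.7.1</generator>' ],
    [ '', '', '' ],
    $before
);

foreach ( [ 'before' => $before, 'after' => $after ] as $label => $markup ) {
    $leaks = find_wp_version_leaks( $markup, '4.7.1' );
    printf( "%s hardening: %d leak(s)\n", $label, count( $leaks ) );
    foreach ( $leaks as $leak ) {
        printf( "  %s -> %s\n", $leak['where'], $leak['version'] );
    }
}
```

On the constructed input the "before" markup reports three leaks (meta tag, style.css, feed) and the jQuery script is correctly ignored because its ver=1.12.4 is not the WordPress version; the "after" markup reports none. For a real site, fetch your front page and /feed/ with curl and pass the responses to the function.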

2. Limit XML-RPC functionality

By exploiting a weakness in XML-RPC, a DDoS attack can be launched. Read more about this vulnerability here.

What is XML-RPC?

XML-RPC on WordPress is actually an API. It gives developers and other services the ability to talk to your WordPress site.

The XML-RPC API that WordPress provides gives developers a way to code applications that can do many of the things you can otherwise only do while logged in to WordPress via the web interface.

Here is a full list of the WordPress API functions available to developers via XML-RPC.

You can disable XML-RPC by installing the Disable XML-RPC plugin or by adding these entries to your .htaccess file. (The directives below use Apache 2.2 access-control syntax; on Apache 2.4 without mod_access_compat, use the equivalent Require directives.)

Disable XML-RPC using .htaccess:

    # Block WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

In practice it is often not worth disabling this functionality completely. It is commonly used by Jetpack, for tracking pingbacks, by the WordPress mobile app and by IFTTT, and disabling XML-RPC breaks them.

So it is recommended to be selective on allowing and disallowing, rather than disabling it.

You can optionally disable and enable XML-RPC for services using .htaccess or by using plugins.

Optionally enable XML-RPC using .htaccess:

    # Allow specific WordPress xmlrpc.php requests
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    # IP address of the service which you want to allow
    allow from xxx.xxx.xxx.xxx
    </Files>

To disable XML-RPC from plugin code

To disable this service from a plugin (or your theme's functions.php), add this line to the code:

    add_filter( 'xmlrpc_enabled', '__return_false' );
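One caveat a practitioner should know: the xmlrpc_enabled filter only gates the XML-RPC methods that require a login. The unauthenticated pingback.ping method, the one involved in the DDoS abuse mentioned above, stays reachable when that filter returns false. The following added example (not the article's code, nor any real plugin) is a must-use plugin that combines the two ideas from this section in PHP instead of .htaccess: authenticated methods are allowed only from an allowlisted service address, and the pingback methods are removed from the method table for everyone. The xmlrpc_enabled and xmlrpc_methods filters are real WordPress hooks; the IP address and the s9_ names are constructed placeholders.

```php
<?php
/**
 * Plugin Name: Selective XML-RPC hardening (added example)
 *
 * Added example, not the article's code. Place in wp-content/mu-plugins/.
 * Keeps XML-RPC usable for one service with a fixed address while removing
 * the pingback endpoints that need no login at all.
 */

// Constructed placeholder: the address(es) of the service you want to allow.
// A service that connects from many changing addresses (Jetpack, for example)
// cannot be allowlisted this way; leave the IP check out for it.
const S9_XMLRPC_ALLOWED_IPS = [ '203.0.113.10' ];

/**
 * Gate the authenticated XML-RPC methods on the caller's address.
 *
 * 'xmlrpc_enabled' is checked by WordPress during XML-RPC login, so it
 * affects only methods that require credentials.
 */
function s9_xmlrpc_enabled_for_ip( bool $enabled ): bool {
    // REMOTE_ADDR is the TCP peer. Behind a proxy or CDN it is the proxy's
    // address; substitute the trusted forwarded-for header your proxy sets.
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    return $enabled && in_array( $ip, S9_XMLRPC_ALLOWED_IPS, true );
}
add_filter( 'xmlrpc_enabled', 's9_xmlrpc_enabled_for_ip' );

/**
 * Remove the pingback methods from the XML-RPC method table so that
 * pingback.ping no longer exists as an endpoint, for any caller.
 */
function s9_remove_pingback_methods( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 's9_remove_pingback_methods' );
```

Removing the pingback methods also means your site stops receiving pingbacks from other blogs; that is the trade-off the "be selective" advice above is asking you to make explicitly.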

3. Use WordPress security keys

Some of you will have seen these before, with different values. They are the WordPress security (salt) keys and are found in the wp-config.php file.

They are a set of random strings that harden the cryptographic protection of the information stored in the user's cookies while they are logged in to a WordPress website.

These security keys complicate password-cracking attempts, which increases your WordPress website's security.

To use these keys on your WordPress installation, or to change the default key set, generate a random set of keys online by visiting here. It is recommended to use WordPress's random salt key generator rather than creating your own.

Open the wp-config.php file, search for "AUTH_KEY" and replace the values with the newly generated key set. You can generate another set by refreshing the page.

NOTE: If your website was previously hacked and restored, or you are experiencing something fishy with your WordPress site, then it is recommended to change your WordPress salt keys.
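The rotation recommended in the NOTE above, as an added example that is not part of the original article: a PHP script that regenerates all eight keys and salts in a wp-config.php file locally, using the system CSPRNG instead of the online generator, and reports any define() it could not find. Rotating the keys invalidates every existing login cookie, which is exactly the point after a compromise: everyone, including an attacker holding a stolen cookie, is logged out. The eight constant names are WordPress's own; the sample config text and the function names are constructed. (If you have WP-CLI, `wp config shuffle-salts` does the same job.)

```php
<?php
declare(strict_types=1);

// Added example, not the article's code: rotate the WordPress security keys
// and salts in wp-config.php text without calling the online generator.

const WP_SALT_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

/**
 * One 64-character key from a printable alphabet that contains no quote or
 * backslash, so it is safe inside the single-quoted string of a define().
 */
function generate_wp_salt( int $length = 64 ): string {
    $alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $max      = strlen( $alphabet ) - 1;
    $key      = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $key .= $alphabet[ random_int( 0, $max ) ];   // random_int() is CSPRNG-backed
    }
    return $key;
}

/**
 * Replace the value of each define('NAME', '...') for the eight keys in
 * $config and return the new text. Names that were not found are returned
 * in $missing so you can add them instead of leaving WordPress to fall back
 * to a database-stored salt.
 */
function rotate_wp_salts( string $config, array &$missing = [] ): string {
    $missing = [];
    foreach ( WP_SALT_NAMES as $name ) {
        $pattern = sprintf( "/define\\(\\s*'%s'\\s*,\\s*'[^']*'\\s*\\);/", $name );
        // A callback avoids preg_replace() treating "$1"-like fragments of the
        // new key as back-references.
        $config  = preg_replace_callback(
            $pattern,
            static fn () => sprintf( "define( '%s', '%s' );", $name, generate_wp_salt() ),
            $config,
            1,
            $count
        );
        if ( $count === 0 ) {
            $missing[] = $name;
        }
    }
    return $config;
}

// Constructed sample: the placeholder lines a fresh wp-config.php ships with.
$sample = '';
foreach ( WP_SALT_NAMES as $name ) {
    $sample .= "define('$name', 'put your unique phrase here');\n";
}

$rotated = rotate_wp_salts( $sample, $missing );
echo $rotated;
if ( $missing ) {
    echo 'Not found, add by hand: ' . implode( ', ', $missing ) . "\n";
}

// For a real file: back it up first, then
//   file_put_contents( $path, rotate_wp_salts( file_get_contents( $path ), $missing ) );
```

Run it once on a copy of wp-config.php and diff the result before replacing the live file; the only lines that should change are the eight define() lines.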

4. Disallow file editing

If a user has admin access to your dashboard, they can edit files of the WordPress installation, including plugin and theme files, from the built-in editors.

Disabling the plugin and theme editors prevents anyone who gains unauthorized admin access (a hacker) from modifying theme and plugin files through the dashboard.

Disabling editing of theme and plugin files in WordPress

Add the following line to the wp-config.php file:

    define( 'DISALLOW_FILE_EDIT', true );

  • Place this line near the end of the config file, above the line that reads "That's all, stop editing!", so it is defined before WordPress loads.
  • Disallow editing once the site is complete and no further modifications to the theme and plugins are needed.

5. Block malicious URL Requests

It is a very popular hacking method: requesting URLs with parameters that are passed straight into database queries. Parameters containing fragments like CONCAT, base64, eval() etc. can bring out sensitive information which can then be used to gain access to, or extract information from, the website.

To block such URL requests, use the BBQ: Block Bad Queries plugin, which checks all incoming traffic and quietly blocks bad requests.
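To show what "checks all incoming traffic and quietly blocks bad requests" looks like in code, here is an added example that is not the BBQ plugin's own logic: a minimal must-use plugin that URL-decodes each request and refuses it with HTTP 403 when the path or query string carries the three fragments named above. Run outside WordPress it exercises the check on constructed sample requests. The pattern list and s9_ names are constructed; status_header(), nocache_headers() and wp_die() are real WordPress functions.

```php
<?php
/**
 * Plugin Name: Minimal bad-query blocker (added example)
 *
 * Added example, not the BBQ plugin's code. Place in wp-content/mu-plugins/.
 * Keep the pattern list short and test it against your own site's real URLs:
 * an overly broad pattern blocks legitimate requests.
 */

/** Fragments that have no business in a normal WordPress request. */
const S9_BAD_QUERY_PATTERNS = [
    '/\bconcat\s*\(/i',            // SQL string building smuggled into a parameter
    '/\bbase64_(?:en|de)code\b/i', // PHP encode/decode calls smuggled into input
    '/\beval\s*\(/i',              // code-execution attempts
];

/** Return the matching pattern, or null when the request looks clean. */
function s9_find_bad_query( string $request_uri ): ?string {
    // Decode twice so %25xx double-encoding does not hide the fragment.
    $decoded = rawurldecode( rawurldecode( $request_uri ) );
    foreach ( S9_BAD_QUERY_PATTERNS as $pattern ) {
        if ( preg_match( $pattern, $decoded ) ) {
            return $pattern;
        }
    }
    return null;
}

/** Hooked early so the request is rejected before WordPress does real work. */
function s9_block_bad_queries(): void {
    $uri = $_SERVER['REQUEST_URI'] ?? '';
    if ( s9_find_bad_query( $uri ) !== null ) {
        status_header( 403 );
        nocache_headers();
        wp_die( 'Forbidden', 'Forbidden', [ 'response' => 403 ] );
    }
}

if ( function_exists( 'add_action' ) ) {
    add_action( 'plugins_loaded', 's9_block_bad_queries', 0 );
} else {
    // Running outside WordPress: exercise the check on constructed requests.
    $samples = [
        '/?p=1',                               // normal post request: clean
        '/?s=base64+encoding+tutorial',        // search for a topic: clean (no _decode)
        '/?id=CONCAT(1,2)',                    // blocked
        '/?q=%2565val%2528',                   // double-encoded eval(: blocked
    ];
    foreach ( $samples as $uri ) {
        printf( "%-40s %s\n", $uri, s9_find_bad_query( $uri ) ?? 'clean' );
    }
}
```

The second sample matters as much as the third: a blocker that matched the bare word "base64" would turn away a visitor searching your blog for a tutorial, which is why the pattern is narrowed to the function names. Log what you block for a few days before trusting the list.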

6. Hide/Protect wp-config.php and .htaccess

Hiding/protecting these files serves one goal: preventing unauthorized access to the wp-config.php and .htaccess files.

If an attacker can read or modify these files remotely, they can turn off your security settings and compromise the website.

Protecting/Hiding wp-config.php in WordPress

Add this code to the .htaccess file to block unauthorized access to the wp-config.php file:

    <Files wp-config.php>
    order allow,deny
    deny from all
    </Files>

Protecting/Hiding .htaccess in WordPress

Similarly, this code can be used to block unauthorized access to the .htaccess file (Apache's default configuration already denies files whose names start with .ht; this makes the rule explicit for your site):

    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>

I hope this article upgrades your knowledge of advanced WordPress security tips and helps you in further securing your WordPress website.

Photo by Stephen Phillips - Hostreviews.co.uk on Unsplash


Kartik Jhakal, Product Manager, Social9.com