6 Advanced WordPress Security Tips Which No-one Will Tell You - Updated 2020

David Kim

AI Engineer

June 1, 2020 6 min read

Like any other website, a WordPress site needs constant security checks and hardening. From a newly set up WP site to a long-running one, any site can become the victim of a security breach or hacking attempt.

In this post, we will discuss and apply some advanced WordPress security tips and WordPress security plugins that can help you secure your website and protect it from hackers.

Before digging down to the second level of securing a WordPress website, let us first take an overview of the basic security tips which every WordPress beginner should implement.

You can consider it a basic guide to WordPress security and should follow it as described.

Basic WordPress security Tips to implement for beginners

It begins the moment you download WordPress from WordPress.org.

Everyone knows the default values and elements of a WordPress installation and can try to exploit them in different ways to gain access to the website.

Basic steps of WordPress Security

1- While filling in the second and third screens of the WordPress installer, avoid using “wp_” as the table prefix and “admin” as the username (the admin login credential).

NOTE: In case you already have “wp_” as the table prefix, you can change it by following the instructions here.

2- After setting up the whole website, it is recommended to regularly update core and plugins and take regular backups.

  • To enable automatic core and plugin updates, open wp-config.php and add this line:

define( 'AUTOMATIC_UPDATER_DISABLED', false );

  • It is not mandatory to enable auto updating of core, themes and plugins. Developers often tweak themes and plugins to achieve the desired look and functionality, and an automatic update can overwrite those changes. See these instructions to configure automatic updates for your website.
  • To enable automatic backups, go through the WordPress plugin directory and choose a backup plugin.

3- Hide the WordPress admin URL and other default URLs so that automated registration and login attempts are disarmed. Read more here.

4- Limit login attempts to stop brute force attacks. Download the plugin here.

5- To protect against DDoS attacks, bad bots, spam, SQL injection etc., a firewall is a must. Cloudflare (freemium) and Sucuri are companies providing this firewall solution along with other benefits.

Advanced WordPress Security Tips

After covering the basics of WordPress security, most owners feel secure; unfortunately, that feeling is a fog between their perception and the bitter truth.

Attackers know their way around WordPress and how to exploit it to take over websites, perform unauthorized actions, or even take them down.

Before proceeding further, I would like to shed light on the WPScan Vulnerability Database and WPScans, which are great resources for learning about the latest WordPress vulnerabilities and for scanning your WordPress website for them. Do try them!

Now let us discuss some advanced security tips for your WordPress website and make it more secure.

1. Remove WordPress version from website

WordPress leaves footprints in the pages it generates that identify a site as WordPress, and they also reveal which WordPress version the site is currently running. This information is publicly accessible to anyone.

Upon visiting wpvulndb.com you will see a list of vulnerabilities indexed by WordPress version number.

In case you haven’t updated your WordPress or have been waiting for the newest update, you can easily become the victim of script kiddies and automated tools which are programmed to search for and exploit specific WordPress versions.

The WordPress version number appears in three main areas of a website:

  • Generator meta tag in the header
  • Stylesheets and scripts, as the ver query argument. If a stylesheet or script doesn’t specify a version number when enqueued, the current WordPress version is used instead:

custom.min.css?ver=4.7.1

  • RSS feeds (generator tags):

http://WordPress.org/?v=4.7.1

To remove the WordPress version from the above three areas, add this code to your theme’s functions.php file:
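An added example of such functions.php code (not the post’s own snippet). It goes a step beyond the three areas above by stripping the ver argument only when it equals the core version, so assets that set their own version keep their cache busting; function names prefixed example_ are this example’s own.

```php
<?php
// Added example (not the post's own snippet): removes the WordPress version
// from the three places listed above. Place it in the active theme's
// functions.php. Function names prefixed "example_" are this example's own.

// Areas 1 and 3: the generator meta tag in <head> and the <generator> element
// in RSS/Atom feeds both come from the_generator, so blanking it covers both.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Area 2: strip the ?ver= argument from enqueued stylesheets and scripts, but
// only when it equals the core version. Assets that set their own version keep
// it, so cache busting for themes and plugins keeps working.
function example_strip_core_version_query( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( empty( $query ) ) {
        return $src;
    }
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src',  'example_strip_core_version_query', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_version_query', 9999 );
```

Hiding the version only removes the footprint; keeping core updated is what actually closes the vulnerabilities listed on wpvulndb.com.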

2. Limit XML-RPC functionality

By abusing XML-RPC, attackers can initiate DDoS attacks. Read more about this vulnerability here.

What is XML-RPC?

XML-RPC on WordPress is actually an API. It gives developers and other services the ability to talk to your WordPress site.

The XML-RPC API that WordPress provides gives developers a way to write applications that can do many of the things you can do while logged into WordPress via the web interface.

Here is the full list of WordPress API functions available to developers via XML-RPC.

You can disable XML-RPC by installing the Disable XML-RPC plugin or by adding these entries to your .htaccess file.

Disable XML-RPC using .htaccess

# Block WordPress xmlrpc.php requests
# (Apache 2.4 equivalent of the two access lines: Require all denied)
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>

In practice, disabling this functionality entirely is often not worth it. Jetpack, pingback tracking, the WordPress mobile app and IFTTT all rely on XML-RPC, and disabling it breaks them.

So it is recommended to be selective about what you allow and disallow, rather than disabling it outright.

You can optionally disable and enable XML-RPC for services using .htaccess or by using plugins.

Optionally enable XML-RPC using .htaccess

# Allow specific WordPress xmlrpc.php requests
# Replace xxx.xxx.xxx.xxx with the IP address of the service you want to allow
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xxx.xxx.xxx.xxx
</Files>

To disable XML-RPC from plugin code

To disable this service from within a plugin, add this line to the plugin’s code.

add_filter('xmlrpc_enabled', '__return_false');
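The selective approach recommended above, as an added example (not the post’s own code): XML-RPC stays available for Jetpack and the mobile app, but the pingback and multicall methods that are most often abused are removed and the endpoint is no longer advertised. Names prefixed example_ are this example’s own.

```php
<?php
// Added example (not the post's own code): instead of turning XML-RPC off,
// keep it available for Jetpack and the mobile app but remove the methods
// most often abused, and stop advertising the endpoint. Works from a plugin
// or functions.php; names prefixed "example_" are this example's own.

function example_trim_xmlrpc_methods( $methods ) {
    // pingback.ping lets a third party make this site fetch a URL of their
    // choosing, which is what reflected DDoS attacks via XML-RPC rely on.
    unset( $methods['pingback.ping'] );
    unset( $methods['pingback.extensions.getPingbacks'] );
    // system.multicall bundles many calls into one request and is used to
    // amplify credential-guessing attempts against the login-backed methods.
    unset( $methods['system.multicall'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_trim_xmlrpc_methods' );

// Stop sending the X-Pingback header, which points scanners at xmlrpc.php.
function example_remove_pingback_header( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_remove_pingback_header' );
```

After activating it, confirm with your own clients (Jetpack, the mobile app) that they still connect, since they use the remaining wp.* and blogger.* methods.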

3. Use WordPress security keys

Some of you have seen these before, but with different values. They are the WordPress security salt keys and are found in the wp-config.php file.

They are a set of random strings that strengthen the protection of information stored in the user’s cookies while they are on a WordPress website.

These security keys complicate password cracking attempts, which increases the WordPress website’s security.

To use these keys on your WordPress installation or change default key set, generate a random set of keys online by visiting here. It is recommended to use WordPress’s random salt key generator and avoid creating your own.

Go to the wp-config.php file, search for “AUTH_KEY” and replace the values with the newly generated key set. You can generate another set by refreshing the page.

NOTE: If your website was previously hacked and restored, or you are experiencing something fishy with your WordPress site, then it is recommended to change your WordPress salt keys.

4. Disallow file editing

If a user has admin access to your dashboard, they can edit any file that is part of the WordPress installation, including plugins and themes.

Disabling the plugin and theme editors therefore prevents an unauthorized user (hacker) who gains dashboard access from modifying theme and plugin files through them.

Disabling editing of theme and plugin files in WordPress

Add the following code to wp-config.php file.

define('DISALLOW_FILE_EDIT', true);

NOTE:

  • Place this code at the end of the config file.
  • Add it once the site is complete and no further modifications to theme and plugin files are needed.

5. Block malicious URL Requests

A very popular hacking method is to request URLs with certain parameters that are passed straight through to database queries. Fragments like CONCAT, base64 and eval( in a request can bring out sensitive information, which can then be used to gain access or extract data from the website.

To block such URL requests, use the BBQ: Block Bad Queries plugin, which checks all incoming traffic and quietly blocks bad requests.
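What a check like this looks like, as an added example (not the post’s own code and not the BBQ plugin’s): a minimal must-use plugin that rejects requests whose query string carries the fragments named above. The file location is assumed, and names prefixed example_ are this example’s own.

```php
<?php
// Added example (not the post's own code and not the BBQ plugin's): a minimal
// must-use plugin that rejects requests whose query string carries the
// fragments the post names (CONCAT, base64, eval). Assumed location:
// wp-content/mu-plugins/example-block-bad-queries.php.

function example_query_looks_malicious( $query_string ) {
    // Decode first so %28 / %20 encoded variants do not slip past the patterns.
    $decoded  = rawurldecode( $query_string );
    $patterns = array(
        '/\bconcat\s*\(/i',       // SQL string building used in injection probes
        '/base64_(en|de)code/i',  // encoded payload helpers
        '/\beval\s*\(/i',         // code execution attempts
    );
    foreach ( $patterns as $pattern ) {
        if ( preg_match( $pattern, $decoded ) ) {
            return true;
        }
    }
    return false;
}

function example_block_bad_queries() {
    $query = isset( $_SERVER['QUERY_STRING'] ) ? $_SERVER['QUERY_STRING'] : '';
    if ( example_query_looks_malicious( $query ) ) {
        status_header( 403 );
        nocache_headers();
        exit;
    }
}
add_action( 'init', 'example_block_bad_queries', 1 );
```

A pattern list this short will occasionally match legitimate content (a post that discusses eval(), for instance), so log matches before you rely on it to block.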

6. Hide/Protect wp-config.php and .htaccess

Hiding/protecting these files serves one goal: preventing unauthorized access to wp-config.php and .htaccess.

If anyone has remote access to these files, they can turn off security and compromise the website.

Protecting/Hiding wp-config.php in WordPress

Add this code to the .htaccess file to block unauthorized access to the wp-config.php file.

<Files wp-config.php>
order allow,deny
deny from all
</Files>

Protecting/Hiding .htaccess in WordPress

Similarly, this code can be used to block unauthorized access to the .htaccess file.

<Files .htaccess>
order allow,deny
deny from all
</Files>

I hope this article upgrades your knowledge about advanced WordPress security tips and will help you in further securing your WordPress website.


Full-stack developer building AI-powered social media tools that generate platform-specific content at scale. Expert in machine learning and natural language processing.
