Advanced WordPress Security Tips

Advanced WordPress Security Tips


WordPress is a content management system used by millions of sites around the world. WordPress with its huge user base is an ideal choice for hackers. In this blog we will share the advanced WordPress security tips to avoid all sorts of malicious attacks from internet hackers. My experience as a WordPress admin has helped me to understand  the importance of securing the WordPress sites.

In this blog, we will share some simple, intermediate and advanced levels of security guidelines in WordPress.


Disable HTTP TRACE Method

The HTTP TRACE method is a default functionality of the Apache-powered web servers used for the purpose of debugging.

There is a security attack technique called Cross Site Tracing (XST) which when used together with another attack mechanism called Cross Site Scripting (XSS), exploits the systems that have HTTP TRACE functionality.

You can disable the HTTP TRACE Method by placing the following code in the root .htaccess file:

Restrict Admin Access By IP

This is a simple but useful tip to provide extra security to your WordPress site. Only those IP addresses that can be allowed access are provided to the Admin. This restricts any outside access. Open the .htaccess file and place the below code.

Replace xx.xx.xx.xx with your own IP address.

Restrict File Access

It is important to give access to files for some restricted IP only. This requires modifying your .htaccess file so that your WordPress configuration and login files are protected from hacking. Find the .htaccess file in the root directory of your installation and place the below statements into the file and save it.

The above code prevents people from browsing files in your directory structure, hacking into your configuration files, or modifying your .htaccess file.

Remove header outputs from WordPress

WordPress can frequently add quite a lot of output in your header with reference to various services. The below code shows how we can remove a lot of this output.

A Word of Warning: This can break some functionality if you are not careful. For example, if you are using RSS feeds then you may want to comment that line out.

Add the following code to your themes functions.php file:

Password Protection to Your Admin Area

It is always better to protect the wp-admin directory with additional password protection. Whoever tries to access the directory will need to provide an extra password to open the page.

We can use the following three techniques to execute this:

  • Simple – You can install the AskApache Password Protect WordPress plugin to provide additional password.
  • Intermediate – You can log into your cPanel and use the Password Protected Directories to protect any folder you want with ease.
  • Hard – This technique is usually preferred by those who have knowledge about the directory files. You can create .htaccess and .htpasswd inside the directory you want to protect.

Strong Password Protection

It is really an off beam idea among many WordPress users that simple passwords like “1234” or “password” is enough to keep them safe from the hackers, but in fact these type of passwords can be hacked within a few seconds.

To tackle this, try to create a password comprising of all combinations of alphabets, numbers, special symbols so that it becomes difficult for hackers to crack these passwords.

One can use the following tools to create strong and also easy to remember passwords – There are also some password strength checkers available to check how strong your current password is. For example,

Disable file editing via the Dashboard

In a default WordPress installation, you can navigate to Appearance > Editor and edit any of your theme files right in the Dashboard.

But, if a hacker manages to gain access to your admin panel, he can also edit your files easily and execute whatever code he wants to. So, it’s a good idea to disable the Editor in the Dashboard by adding the following to your wp-config.php file:

Disable Directory Browsing

Someone who knows the directory structure of a WordPress installation may cause some damage if he knows what plug-ins you are using. Use the following code to disable Directory browsing.

Regular Backups for WordPress Site

The need for taking regular and systematic backups is essential because in spite of extensive security measures, there can be at least one loophole left for hackers to compromise the security of your WordPress. For that, you need to create and maintain a backup plan for your site.

In WordPress, there are plugins like BackupBuddy or Backwpup  available to take automated backups of your entire site with ease. These plugins also have the capability to store the backups in a cloud storage like the DropBox for added security.


These Advanced Security Tips for WordPress are very useful and essential to protect the website from all sorts of malicious attacks from internet hackers.

4492 Views 1 Views Today