Skip to main content

Top 10 WordPress Security Tips (for advanced users)

By November 1, 2017July 20th, 2022No Comments

Last week I’ve provided some ways for WordPress beginners to secure their site. If you count yourself to the pro users, join me in exploring more advanced WordPress security options.

It goes without saying that before you attempt to edit the files mentioned below, you should always backup your site. The backup will act as your safety net. If something goes wrong, you can always switch out the affected files and try again.

1. Disable the Editor

Unless you or one of your team members frequently uses the theme editor, I’d recommend disabling it. The reason behind this is that every WordPress user account that has access to the editor poses a security risk, in case their account gets hacked.

To disable the editor, you will need to make a small code change to the wp-config.php configuration file:

2. Secure your WordPress Configuration File

Your website’s wp-config.php file is one of the most important files, besides the .htaccess file. The configuration file includes all your confidential database information and is generated during the installation process. Without it, your WordPress site won’t work and you will get the ‘error establishing database connection‘ error.

Securing this file is an important step in protecting your site. To protect it, add the following code snippet to your .htaccess file:

3. Protect your .htaccess and .wp-config.php files

To protect access to your .htaccess file, configuration file, error logs, and many more, you can list them in this snippet of code, which you add to your .htaccess file:

4. Disable php error reports

Normally, error reports seem pretty great for helping your site stay secure, until they become a security risk of course. When a plugin doesn’t execute as it should, an error report is created and sent, revealing your full server path. A feast for hackers. To ensure that this information is not readily available, you will need to add a little code snippet to your wp-config.php file:

5. Limit access to certain IP addresses

If you have a static IP address and don’t plan to access your site from public wifi, you can allow access to wp-admin from your IP addresses by listing them out. Each IP you would like to give access to your site, goes onto a new line.

Simply add the following code into .htaccess:

6. Hide your author username

There are plugins that can do this for you, but as we discussed in the previous post, it’s best to avoid plugins whenever you can. Here is the DIY way of hiding your author name. The code goes into your functions.php file:

7. Hide your directory

Any user who comes to your site can easily see all files in your directory by pointing their browser to

A hacker can now easily locate a file of interest and target it. By adding a simple line to your .htaccess file, you can disable your directory:

8. Change the "admin" username

Prior to WordPress version 3, the default username for WordPress was “admin.” If this is your username, I would strongly recommend changing it. I’ve dug out a great article with simple steps of how to change this to secure your site.

9. Hide your WordPress version

Online security is always evolving as security vulnerabilities are being found and updated. A serious hacker likely knows the security flaws of previous WordPress sites and how those can be exploited. One security measure, besides always updating to the newest WordPress version, is to hide your WordPress version number, which by default is always shown.

Add the following code to your functions.php file:

10. Delete old website files

If you kept old website files on your server (often labeled with “old_”) you’re inviting trouble, so this bears repeating. These old website files can be compromised by hackers, especially if their WordPress theme and plugins and not updated (and why would they if the site is not live).

Hackers could call the files even though these themes or plugins are inactive and gain access to your server. Outdated files are always a security risk (on your active site as well as inactive websites) and hackers know the security vulnerabilities of these outdated versions.

Do yourself a favour and delete all files you no longer need. You can back them up to your hard drive (or an external drive) before you delete them if you really can’t let them go.

With all these steps implemented, you’ve now increased your WordPress security immensely. Website security is an evolving field, though. Stay updated on the newest developments and continue to educate yourself on how to keep your site safe from intruders.