Skip to main content

It is no doubt that WordPress is the most popular Content Management System (CMS) platform for most businesses, constituting more than half of all websites on the internet, and is even expected to grow by 10% over the years, according to verified statistics.

Wordpress Market Share

Unfortunately, WordPress’ popularity and open-source website creation format have attracted all sorts of cybercriminals who exploit the platform’s security vulnerabilities.

Another 2023 verified study has shown that over 13,000 websites are hacked daily. Cybercriminals won’t even stop at that; they are increasing significantly. They are expected to grow exponentially by as much as 15% over the next five years, and by 2025, cybercrime is estimated to cost the world roughly $10.5 trillion annually.

However, your website doesn’t have to be in jeopardy before you take safety precautions and measures to protect it.

In this tutorial, we cover 7 simple ways to secure your WordPress website without plugins, all by yourself, right from the comfort of your home, even if you have little or no idea about cybersecurity.

Why without Plugins you ask?

Because plugins can create further security and performance issues if they are not well-built or maintained. This is why we recommend a non-plugin solution as much as possible.

All you have to do is follow the below 7 steps, and you are good to go!

[lwptoc skipHeadingLevel=”h1,h2,h4,h5,h6″]

1. How to Disabling XML-RPC without Plugins?

XML-RPC is a protocol that allows you to remotely post to your blog using online blog clients such as Windows Live Writer or the Jetpack plugin, which uses to connect your website to

This can be an open door to hackers.

So, disabling XML-RPC is recommended and it is a very simple solution to strengthening your website’s security.

How do I do this?

Just copy and paste the below code into your website’s .htaccess file and save it.

# Disable XML-RPC requests 
<Files xmlrpc.php> 
order deny,allow
deny from all

We told you it’s simple!

2. How to disable PHP execution on WordPress?

WordPress can enable users to effortlessly upload content such as themes, plugins, images, PDF files, and videos onto their website by automatically granting “write” access to certain directories.

To be deemed as writable, a directory should be able to undergo modifications or revisions.

Enabling “write” access for specific users can enhance site usability, but it may also provide a backdoor for hackers to upload malware.

You can use the .htaccess file to avoid this issue and stop PHP execution in specific directories.

How to do this?

  1. Copy the below code.
  2. Navigate to the wp-includes folder, create a new file, and call it .htaccess.
  3. Paste the code you copied and upload it to the server.
  4. Also, navigate to the wp-content folder and open up the uploads folder to do the same in this directory.
# Disable PHP Execution
<Files *.php>
deny from all

This will increase your website’s protection and prevent malicious files from being added to these directories.

3. How to disable directory indexing and browsing on WordPress?

By using directory browsing, hackers can navigate through your website’s files and content to detect any known vulnerabilities on your site. This enables them to exploit such files and gain unauthorized access to your website.

They can:

  1. See your files and explore the directory structure of your website
  2. Copy/download content
  3. And perform any similar authorized actions

This is why it is very important to disable directory indexing and browsing on your website, and it is done with a simple, one-line code that you should copy from below and upload to the end of the .htaccess file right after the comment # END WordPress

# Disable directory indexing and browsing
Options -Indexes

4. How to restrict files and folder permissions on WordPress?

Every website comprises of intricately coded and systematically named files and directories.

And for that reason, it’s crucial to restrict access to modify, delete, or add to the files and directories that constitute your website to specific individuals.

Ensuring the safety of your WordPress website by strengthening the permissions of files and directories is a great idea and can be done effortlessly.

So, how do you do this?

  1. Open your File Manager from cPanel, or use an FTP client to access your root directory.
  2. Select the file/folder you want to manage and click the File Permissions option and set permissions according to your needs.

It is recommended to have the folders set to 755 and files 644

Please Note:  Depending on your host, your server might override some of the permissions you set, it is best to contact your server for recommendations.

File Permissions

5. How to reset the default WordPress security keys and salts?

In this section, we will strengthen the login sections of our website to avoid unauthorized access to the backend of our site.

We will reset the default WordPress security keys.

Some Manage WordPress hosting providers will do this automatically for you, but it is a good and harmless idea to do it anyway.

How to do it?

  1. Go to the WordPress Security Key URL. (Every time you refresh the page, it will generate new sets of keys.
  2. Copy all the keys
  3. Go to your FTP client and find the wp-config.php file
  4. Navigate to the section that says “Authentication Unique Keys and Salts.”
  5. Below it you will see the security keys. Replace the default keys with the new ones you just generated
  6. Save the changes and you are done.
How To Reset The Default Wordpress Security Keys And Salts?

To strengthen your login and admin section even further, please read the below tutorials:
How to protect WordPress Admin and Login sections

6. How to safely remove WordPress version numbers?

Protecting against hacking attempts by safeguarding sensitive information is crucial for strong security.

WordPress tends to reveal its version number in your website’s source code, CSS, JavaScript, and feeds.

Hackers use this information to know the version of WordPress you are using to make it easier to gain access to your website. This is extra information and is not necessary.

Some instances to demonstrate are:

WordPress, by default, shows its version number in webpage headers through the “meta generator” tag.

<meta name= “generator” content= “WordPress 4.5.2” />

RSS Feed, CSS and JavaScript


There are more examples we could name, but you get the idea!

So, how to go about removing the version numbers?

  1. Open your FTP client, go to your current theme (or child theme), and open its functions.php file.
  2. Copy the below code and paste it at the end of the functions.php file.
  3. Save it, and publish.
// remove version from head
remove_action('wp_head', 'wp_generator');

// remove version from rss
add_filter('the_generator', '__return_empty_string');

// remove version from scripts and styles
function shapeSpace_remove_version_scripts_styles($src) {
if (strpos($src, 'ver=')) {
$src = remove_query_arg('ver', $src);
return $src;
add_filter('style_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);
add_filter('script_loader_src', 'shapeSpace_remove_version_scripts_styles', 9999);

Now, let’s check if the code is working or not.

  1. Open your web page’s source code.
  2. Do a quick search of the version number, for example, type 6.1. If you do not see the version number anywhere that means the code is working and WordPress is hiding the version number.

After checking the web page, check the RSS feed.

  1. Open the RSS feed. Usually
  2. Do a search again, if you don’t see the version number then all is good!

7. How to deactivate error displaying to tighten your WordPress site security?

During website development, displaying PHP errors and warnings in the browser can be helpful.

However, this can be a security risk on a live production site and should be avoided.

In this last step, we will make sure the displaying of errors is deactivated and sensitive information about your server and setup are hidden from the public.

Revealing errors publicly on your site can potentially provide an opportunity for hackers to access sensitive information such as the full server path, function names, and other details that they can use for their advantage.

Your website will be inaccessible to the site visitors also.

By the way, the error display is turned off by WordPress as default, however, your web developer or host might have turned it on during the development or troubleshooting process and you have no clue about it.

So, double-checking is a good idea!

Here is what you do:

  1. Access your configuration file, wp-config.php
  2. Scroll down to find the three lines of code that says:
    define( ‘WP_DEBUG’, true );
    define( ‘WP_DEBUG_LOG’, true );
    define( ‘WP_DEBUG_DISPLAY’, true );
  3. Change the true to false. Your new code should look like this:
    define( ‘WP_DEBUG’, false );
    define( ‘WP_DEBUG_LOG’, false );
    define( ‘WP_DEBUG_DISPLAY’, false );

Save it and upload it to the server and you are done!

If your code is already set to false, that means everything is good and you don’t need to do anything!

Secure Wordpress From Hackers

Conclusion:  Secure Your WordPress Website Without Plugins

Cybercriminals can exploit vulnerabilities in WordPress sites through various means. Following the simple tips mentioned above can increase your site’s security and deter potential attackers. It is essential to be mindful of WordPress security basics to protect your business from cyber threats.

Many businesses have suffered because they lack awareness of WordPress security measures, allowing fraudsters to infiltrate their sites.

This post highlights the importance of implementing security measures to safeguard your WordPress site.

Skip to content