There are a few reasons why WordPress is the most popular website building tool out there. For starters, it’s easy to use and it integrates really well with outreach and email marketing tools.

In some ways, though, WordPress is a victim of its own success. Its off-the-shelf websites are easy to set up and configure, but that also means that there are millions of websites out there that are structured in exactly the same way.

This makes it easy for hackers to get into your site because they already know where everything is, and what everything is called.

Thankfully, there are some easy ways to significantly improve the security of your WordPress site, and today we’ll go through a few of them.

The basics

Before we get to the technical stuff, though, you should do some basic things. You also shouldn’t rely on this guide alone to protect your site: Check out our guide to cybersecurity for small business owners, and our guide to security for eCommerce retailers to make sure that the other systems you use are also secure.

The basic steps to securing a WordPress website are these:

Advanced WordPress security

After going through these basic steps, you’ll definitely be more secure. But don’t stop there. Here are some more advanced techniques to avoid becoming the victim of cybercrime.

1. Hide your WordPress version number

By default, your WordPress site will display its version number in a few key places. That’s a problem because there are resources out there that will tell hackers what the vulnerabilities are for each version: just check if you don’t believe me. 

The version number appears in three places: in the <meta> tag in the header of your pages, on stylesheets and scripts, and in RSS feeds. 

To disable this, add this code to the functions.php file:

* Hide WP version strings from scripts and styles
 * @return {string} $src
 * @filter script_loader_src
 * @filter style_loader_src
function social9_remove_wp_version_strings( $src ) {
     global $wp_version;
     parse_str(parse_url($src, PHP_URL_QUERY), $query);
     if ( !empty($query['ver']) && $query['ver'] === $wp_version ) {
          $src = remove_query_arg('ver', $src);
     return $src;
add_filter( 'script_loader_src', 'social9_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'social9_remove_wp_version_strings' );
/* Hide WP version strings from generator meta tag */
function s9bg_remove_version() {
return '';
add_filter('the_generator', 's9bg_remove_version');

2. Limit XML-RPC functions

XML-RPC is an API for WordPress that gives developers the ability to directly interact with your WordPress site. Unfortunately, this service is also the source of plenty of vulnerabilities, which you can read about here.

It is possible to completely disable XML-RPC functionality. You can do this by adding ‘deny from all’ to your .htaccess file. But in reality, this will severely limit the functionality of your site.

The best solution for most people is to get the Disable XML-RPC plugin, which will allow you to configure the service so that only certain connections are allowed.

3. Change the default security keys

If you take a look at your wp-config.php file, you’ll see a list of security keys (under AUTH_KEY, etc.). These are a set of random variables that your site uses to encrypt information, and they make password cracking much more difficult.

It’s a good idea, though, to change out your default security keys for newly generated ones. You can generate a random set of keys online. Then you should go to wp-config.php file, search for “AUTH_KEY” and replace the values with newly generated key set.

This is particularly important if you have recently been the victim of a hack, because it’s likely that your attacker already knows the default key values you had before.

4. Turn off file editing

If someone gets access to your admin credentials, which is the most common form of hack for WordPress sites, they will be able to edit any file that is part of your WordPress install. That includes plugins, themes, and all of your content.

You can protect content that you don’t need to edit anymore with just a single line of code. 

Add the following code to the end of the wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

You can delete this code out when you need to edit your site, and put it back in when you are done.

5. Block malicious URLs

A common way of hacking WordPress sites is to send a request from a suspicious URL. Certain types of queries, like CONCAT, base64, and eval(“) can return sensitive data to an attacker.

Blocking these requests requires, in practice, a plugin. You can get the BBQ: Block Bad Queries plugin, for instance, which checks all incoming traffic and quietly blocks bad requests.

6. Block access to key files

Your wp-config and .htaccess files are the most critical files on your WordPress site. If anyone gets access to your site, they can turn off all your security measures and compromise your whole site. 

You can turn off editing access to these files, though. Add this code to your .htaccess file to block unauthorized access to wp-config.php file:

<Files wp-config.php>
order allow,deny
deny from all

And then you can add this code to turn off access for the  .htaccess file:

<Files .htaccess>
order allow,deny
deny from all

A final word

These tips will significantly improve security on your WordPress website, and should help you to avoid becoming a victim of cybercrime.

Don’t stop there, though. Your WordPress site is only one of the systems that you need to protect, so make sure that everything is secured equally. And there’s no need to reinvent the wheel. A good way to get started is to check out what smart companies are doing when it comes to security, and follow their lead.