8 Tips For Improved WordPress Security (WP Security Guide Part II)

Do you know “How to secure WordPress site?”

Are you looking for some improved strategies to avoid WordPress security vulnerabilities? 

You are in the exact place to learn some advanced WordPress security techniques!

In my previous article or better say in part 1 of the WordPress Security Guide, I have listed some of the basic WordPress security tips that don’t need any advanced skills or programming expertise.

However, the thing is that with the technology evolving at a constant speed, a WordPress website is getting more vulnerable to malicious attacks from any corner of the world.

Most of the times, these are bots or malicious scripts that are distributed on the network to track down and infect any WordPress blog, they come across.

In addition to that, there are also some hardcore hackers out there, who are capable of some advanced tricks or hacks to get into your WP dashboard.

Unlike bots or malicious scripts, these hackers aim popular blogs, and their primary intention is to take control of a top earning site, sometimes for fun and most of the times for ransom.

Now, the basic security tips can help you securing WordPress from scripts or bots. However, to tackle the attacks of these hackers, you need to be extra smart and follow some advanced security tips for WordPress. 

Without further ado, let’s check out some of the pro security measures that you must implement for hardening WordPress safety!

8 Pro Tips To Avoid WordPress Security Issues 

Remember this famous line, “Desperate times need desperate measures.” And, the same applies here as well.

To prevent any sophisticated hacking attempt, you must follow some advanced WordPress security methods!

1. Change Your Login URL

The Login URL of your WordPress is the ideal gateway to your website. Just as you would need to login to your WP dashboard for executing some changes or updates, a hacker also requires the same admin access to be able to take control of your WP website.

Hence, it’s an ideal move to change the default login URL, “wp-login.php” into something else.

Well, if registrations are open on your WordPress blog, then it is still possible to track down the new login URL. So, it is advisable to remove the link to “Login Page” on your WP website, if user registrations are closed on your blog.

If you have multiple authors on your blog, who make regular contributions, then you can always share the login URL exclusively with them for advanced protection.

In this way, it will be tough for any hacker program to sneak into your WordPress website as they are designed for default WordPress settings and most importantly, it will ensure the safety of your site from malicious scripts or bot attacks.

You may use either Custom Login URL or WPS Hide Login WordPress Plugins to set a custom login URL to your WordPress blog 

If you use iThemes Security (formerly Better WP Security) WordPress plugin, you’ll be able to change the Login URL of your site with it.

2. Hide Your Username

To secure WordPress, the next important thing is to hide your WP username!

If by any chance, you can’t close registrations on your blog, there are possibilities for the hacker programs to determine your login URL.

Hence, it is highly advisable to hide your username as it will make sure that the hackers don’t have access to the right user credentials for the admin access once you have hidden your username.

How to hide Username on WordPress?

As you know, each and every post published on a WordPress blog is assigned to an author. By default, WordPress picks up the username of the author to generate an author URL such as

http://www.blogname.com/?author=1

So, to hide your username on the author URL, you must alter the settings from the database.

Step 1: Login to the cPanel of your web host.

Step 2: Go into PhpMyAdmin and select the WP database assigned to your blog.

Step 3: From the database, open the table, wp_users.

Step 4: On the wp_users table, you will find a list of users on your site. Every user has two specific columns having same values; user_login and user_nicename.

Step 5: Simply change the entry from the column “user_nicename” and enter something different than the “user_login”

Step 6: Hit “Save” button to execute the new update.

That’s it. You have successfully changed the Author URL such that nobody can trace down your username through http://www.blogname.com/?author=1

3. Change File Permissions

Now, if you have some knowledge about file permissions, then you must be aware that every file and folder on your computer or a hosting server can have permissions based on user privileges.

These user rights or file permissions require opening a folder or a file. The permits are divided into three major aspects; Read, Write and Execute.

Most of the directories on your WordPress system have 777 permissions, which allows anyone with a user access can read, write and execute those folders. 

To avoid such WordPress security issue, it is recommended to assign 755 or 750 as suggested by WordPress.org to all these folders.

Also, set the files on your WordPress to 640 or 644 and most importantly, assign the main wp-config.php file to 600.

How to change file permissions for files and folders?

There’s no rocket science involved in changing the file permissions for files and folders on your WordPress website.

However, you need to be extra cautious that you are making the right changes to the right files and folder or else you may tamper the functionality of your WordPress website completely.

Step 1: Simply use your FTP credentials to access the server hosting your WordPress website.

Step 2: Go to “public_html” folder, which is the default folder where all your web files are stored.

Step 3: Now, right-click on the desired file or folder and select “File Permissions.” A window similar to the below image would appear.

Step 4: Assign the number as recommended above under the “Numeric Value” field for the specific files and folders and click “OK.”

That’s it. You have successfully changed the file permissions and thereby added an extra layer of security on your WP website.

4. Disallow Access To WordPress Files or Folders 

You can also secure your WordPress website from sneaky people, who would use the explorer tool to browse through your files and folders unnecessarily. Hence, it is advisable to prevent them from browsing your folders.

Simply add the following line to your .htaccess file to restrict everyone from browsing your important folders:

Options -Indexes

Now, you have successfully disabled the directory browsing of your WordPress site.

For this to work on your themes and plugins folder, you need to ensure that both these folders contain a blank index.php file within the directory.

5. Disallow WordPress Folders Index Using Robots.txt

Robots.txt is a default file on your server that works as a guide for all kinds of crawling bots. These bots would be restricted once they are disallowed from crawling any files and folders mentioned on the Robots.txt.

Mainly used for SEO purpose, to let Google and other search engines crawl relevant pages on the website while ignoring other unnecessary files or folders irrelevant to search engine rankings.

However, a robots.txt can also make sure that crawling scripts or bots, other than search engines, are entirely restricted from crawling into sensitive items such as themes or plugins folders on your WordPress website.

User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/


These settings will ensure that none of the bots can enter through “wp-admin”, “wp-includes” or “wp-content/plugins” and “wp-content/themes” folders and access important data about your website.

6. Remove Password Reset Option In WordPress Login

Eliminating the password reset option is one of the best advanced security tips for WordPress and let me tell you why and how!

What would have happened if your email (Associated with WordPress) gets hacked? The Cyberpunk may try to reset your WordPress password after knowing your username or email. 

To prevent this illegal happening and harden WordPress reliability, you may remove the password reset option in WordPress login. 

Step 1: Go to cPanel > File Manager

Step 2: Under Public_html folder, find wp-content > themes > your theme

Step 3: Click on your theme directory, you will be able to see the several files on your right side in table format.

Step 4: Navigate to functions.php file, right click the file to get the “Edit” option.

Step 5: Now, add the below codes to take out the “Password Reset Option” in WordPress login

function disable_password_reset() { return false; }
add_filter ( 'allow_password_reset', 'disable_password_reset' );


Now, if someone tries to reset your WP admin password, they will be getting the below message

If you forgot your password, don’t worry!

Just log in to cPanel and remove the codes that you have added in the functions.php file and get the new password. 

7. Disable Email As Username

WordPress 4.5 has arrived last month with a new feature “Login Using Email“. You can log in using to your WordPress site through the email address linked to the user account.

Hence, despite the fact that you have changed your username, if someone tracks down your email address, they can still use the same for logging in.

Therefore, it is advisable to disable the email option as username and strengthen the security of your WordPress blog.

Last year, I have read a WP tutorial post where they have added the email login option in the WordPress login by adding the following codes in functions.php 

remove_filter(‘authenticate’, ‘wp_authenticate_username_password’, 20);

I have modified the same codes like below

remove_filter('authenticate', 'wp_authenticate_email_password', 20);

And it is working!

Yes, if anyone finds out the email associated with your WordPress account and try to login with it, then they will get the invalid username error 😀

8. Move/Hide wp-config.php File

Do you know that the cracker can easily locate the wp-config.php file that contains the essential settings like Username, Password, MSQL database and so on? If anything goes wrong with the PHP, then they can view the wp-config.php file directly on the browser. 

So, securing WordPress is more important and it’s better to move this file to another folder just above the installation of WordPress. Before moving the wp-config.php file, make sure that you have installed WordPress in the public_html directory of your site. Don’t try if it is in a subfolder. 

For Example: If you have WP installation files in home/yourblog/public_html/, you may move the wp-config.php file to home/yourblog. If this file is not in the root folder, WordPress will look for this file in other directories. So, you don’t need to bother. 

However, you can also stop accessing the wp-config.php file by the adding the following codes at the top of the .htaccess file and avoid the common WordPress security issues. 

<files wp-config.php>
order allow,deny
deny from all
</files>

Final Words On Hardening WordPress Security

Well, as you go deeper into WordPress, there are new vulnerabilities as well as solutions to contain these vulnerabilities to ensure WordPress security. However, the fact is that most of the times, the solutions are determined only after the vulnerabilities are exploited by several evil forces on the web.

Despite that, the most beautiful feature of WordPress is that the whole community is thriving hard to provide the excellent features and resources for the WP users to safeguard their website from any attacks or security threats.

Hence, it is always recommended by the experts to keep up with the new WordPress updates to keep your website or blog safe and secure all the time. There are no guarantees that your WordPress site is 100% safe from any malware attacks.

There are chances that some way or the other, your site is hacked or compromised. Schedule regular backups of your WordPress website daily to prevent any loss of data even if you lose access to your website owing to some malware attack.

I hope that you have learned some advanced WordPress security tips through this post. What is your opinion about the malware & hackers attacks and the methods that we need to implement for hardening WordPress security? 

Do you follow the basic WordPress security strategies to preserve your precious data? Did I miss to mention any other improved method in securing WordPress? Share your valuable viewpoints in the comment section.