How to Improve WordPress Website Security Without Using Plugins

Posted on February 2nd, 2025

WordPress runs a large share of all websites, which makes it a constant target for automated attacks. Security plugins can help, but every plugin you install is extra code that has to be kept up to date, and a vulnerable plugin is one of the most common ways a WordPress site gets compromised in the first place.

To make your WordPress website more secure without plugins, you need to focus on simple but effective steps. This includes using strong passwords, keeping WordPress and themes up to date, and managing file permissions carefully.

It’s also important to back up your site regularly. Setting up a firewall, serving the site over HTTPS, and securing your database also help protect your site.

In this article, we’ll go over these simple ways to make your WordPress site safer without needing extra plugins.

How to Secure WordPress Without Using Plugins

You can improve your website’s security without relying on plugins. Many of these steps involve editing your site’s configuration files; we will walk through each one. Take a backup of any file before you change it, since a typo in wp-config.php or .htaccess takes the whole site offline.

Step 1: Disable PHP Error Reporting

PHP error messages include full file paths and, often, the name of the plugin or theme where the error occurred. That is useful while you are debugging, but by default PHP prints these messages into the page that visitors (and attackers) see.

For instance, an error message that names a plugin and its version tells an attacker exactly which entry to look up in a vulnerability database, and the file path reveals your hosting account name and directory layout.

There are two ways to turn off error display: by editing wp-config.php or through your hosting account’s control panel. In both cases errors should still be written to a log file you can read; turning display off is not the same as turning logging off.

Changing the PHP File

Here’s how to change your PHP file:

  1. Open your site’s wp-config.php file using an FTP client like FileZilla or through your hosting provider’s File Manager.
  2. Add the following snippet above the comment that begins “That’s all, stop editing!” so that it runs before WordPress loads:
error_reporting(0);
@ini_set('display_errors', 0);
  3. Save the file.

Note that WordPress’s own wp_debug_mode() function runs after wp-config.php and turns display_errors back on whenever WP_DEBUG is true, unless WP_DEBUG_DISPLAY is defined as false. Keep WP_DEBUG set to false on a production site, or define WP_DEBUG_DISPLAY as false; otherwise the snippet above is silently overridden.

Turning off PHP Error Reporting via the Control Panel

If you prefer not to edit files, you can turn off PHP error display through your hosting provider’s control panel. Here’s how to do it with hPanel:

  1. In your hPanel dashboard, go to the “Advanced” section and click on “PHP Configuration.”
  2. Under the “PHP Options” tab, uncheck the “displayErrors” option.
  3. Click “Save.”

This changes the display_errors setting for the whole hosting account, the same as editing php.ini. WordPress still overrides it with its own ini_set() call when WP_DEBUG is true, so keep WP_DEBUG off in production.

Step 2: Migrate to a More Secure Web Host

Hardening WordPress itself doesn’t help much if the server it runs on is poorly secured. Your hosting provider is responsible for the operating system, web server and PHP runtime underneath your site, so it’s important to choose one with high security standards.

If you feel your current host isn’t secure enough, it might be time to move your WordPress site to a safer platform. Here’s what to keep in mind when looking for a secure web host:

  • Hosting Type: On shared hosting, many customers’ sites run on the same server, so your security also depends on how well the host isolates accounts from each other (separate PHP users per account, no world-readable home directories). A VPS or dedicated server gives you your own operating system instance, at the cost of having to patch it yourself.
  • Security: A reliable hosting provider actively monitors its network for unusual activity and regularly updates its servers. They should also provide strong protection against cyberattacks.
  • Features: No matter the hosting type, your provider should offer automatic backups and tools to prevent malware. If something goes wrong, you’ll be able to restore your site.
  • Support: Choose a host with 24/7 customer support and knowledgeable staff. They can help protect your site and resolve any technical or security issues.

Step 3: Turn File Editing Off

WordPress has a built-in theme and plugin editor in the dashboard that lets an administrator edit PHP files from the browser. If an attacker obtains an administrator account (through a weak or phished password, for example), this editor lets them write arbitrary PHP onto the server without needing any further exploit.

Because of this, you should turn the feature off. To disable file editing, add this line to wp-config.php above the comment that begins “That’s all, stop editing!”:

define( 'DISALLOW_FILE_EDIT', true );

If you want to turn the feature back on, just remove the line from wp-config.php using an FTP client or your hosting provider’s File Manager. A stricter related setting, DISALLOW_FILE_MODS, also blocks installing and updating plugins and themes from the dashboard; it suits sites that deploy code from version control, but it also stops one-click updates, so use it only if you update another way.
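
A way to check that the wp-config.php settings from Steps 1 and 3 are actually in force, as an added Python example rather than code from the original article: it reads wp-config.php source, pulls out the define() and ini_set() calls, and reports the weak settings, taking into account that WordPress’s wp_debug_mode() turns error display back on when WP_DEBUG is true unless WP_DEBUG_DISPLAY is false. The two config strings (database name example_db and all) are constructed samples, and the parser is a deliberately simple regex, not a PHP parser.

```python
import re

# Heuristic parser for the two wp-config.php idioms the audit cares about:
#   define( 'NAME', value );   and   @ini_set( 'name', value );
# It is not a PHP parser: it drops whole-line comments so a commented-out
# define( 'WP_DEBUG', true ) is not mistaken for an active one, and nothing more.
_DEFINE_RE = re.compile(r"""define\s*\(\s*['"](\w+)['"]\s*,\s*([^)]+?)\s*\)""", re.I)
_INI_SET_RE = re.compile(r"""ini_set\s*\(\s*['"]([\w.]+)['"]\s*,\s*([^)]+?)\s*\)""", re.I)
_COMMENT_LINE_RE = re.compile(r"^\s*(//|#|/\*|\*)")


def _php_truthy(literal: str) -> bool:
    """Loose PHP truthiness for the literals seen in wp-config: false, 0, '' and null are off."""
    value = literal.strip().strip("'\"").lower()
    return value not in ("false", "0", "", "null")


def parse_wp_config(src: str) -> dict:
    """Return {'defines': {NAME: literal}, 'ini': {name: literal}} from wp-config.php source."""
    active = "\n".join(line for line in src.splitlines() if not _COMMENT_LINE_RE.match(line))
    return {
        "defines": {m.group(1).upper(): m.group(2) for m in _DEFINE_RE.finditer(active)},
        "ini": {m.group(1).lower(): m.group(2) for m in _INI_SET_RE.finditer(active)},
    }


def audit_wp_config(src: str) -> list:
    """Findings for Step 1 (error display) and Step 3 (file editor); an empty list means both pass."""
    cfg = parse_wp_config(src)
    defines, ini = cfg["defines"], cfg["ini"]
    findings = []
    # wp_debug_mode() runs after wp-config.php is loaded. With WP_DEBUG true it calls
    # ini_set('display_errors', 1) unless WP_DEBUG_DISPLAY is false (its default is true),
    # so a bare ini_set('display_errors', 0) in wp-config.php is silently undone.
    if _php_truthy(defines.get("WP_DEBUG", "false")) and _php_truthy(defines.get("WP_DEBUG_DISPLAY", "true")):
        findings.append("WP_DEBUG is on without WP_DEBUG_DISPLAY=false: PHP errors are shown to visitors")
    if _php_truthy(ini.get("display_errors", "0")):
        findings.append("ini_set('display_errors') enables error display")
    if not _php_truthy(defines.get("DISALLOW_FILE_EDIT", "false")):
        findings.append("DISALLOW_FILE_EDIT is not true: the dashboard theme/plugin editor is available")
    return findings


# Constructed samples, not taken from a real site.
WEAK_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_DEBUG', true );
// define( 'DISALLOW_FILE_EDIT', true );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
"""

# Errors are logged to wp-content/debug.log but never displayed. debug.log sits inside
# the web root, so deny HTTP requests for it the same way wp-config.php is protected.
HARDENED_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', false );
define( 'WP_DEBUG_LOG', true );
@ini_set( 'display_errors', 0 );
define( 'DISALLOW_FILE_EDIT', true );
$table_prefix = 'wp_';
/* That's all, stop editing! Happy publishing. */
"""

if __name__ == "__main__":
    for name, src in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wp_config(src) or "ok")
```

Run it against a copy of your own wp-config.php to confirm nothing is overriding the snippet; the hardened sample shows the combination that keeps logging on while display stays off.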

Step 4: Restrict Access Using the .htaccess File

On Apache (and LiteSpeed) servers, the .htaccess file holds the rewrite rules WordPress needs for pretty permalinks. Without it, most of your pages return 404 Not Found errors. Nginx ignores .htaccess entirely, so on Nginx hosting the rules below have to go into the server configuration instead; ask your host if you’re unsure which web server you are on.

In addition, the .htaccess file can block certain IP addresses, limit access to just one IP, and prevent PHP execution in specific folders. Below, we’ll explain how to use .htaccess to improve your WordPress security.

Disabling PHP Execution in Certain Folders

Attackers who find a file-upload weakness in a plugin, or who have already gained a foothold, commonly drop a PHP web shell into wp-content/uploads. This folder should only ever hold media files, so there is no legitimate reason for the web server to execute PHP from it.

To protect your WordPress site, disable PHP execution in this folder by adding a new .htaccess file in the /wp-content/uploads/ folder with these rules (the pattern also covers the .phtml and .phar extensions, which Apache’s PHP handler normally treats as PHP):

<FilesMatch "\.(php[0-9]?|phtml|phar)$">
  Order allow,deny
  Deny from all
</FilesMatch>

On Apache 2.4 the modern equivalent is Require all denied; the Order/Deny form still works there as long as mod_access_compat is loaded, which is the default on most hosts. Two caveats: this blocks direct requests for the files, not execution, so a script that is included by other PHP code would still run; and because the uploads folder is writable by the web server, an attacker who can write there can also overwrite this .htaccess. If you control the server configuration, put the same rule in the virtual host instead, where an upload cannot touch it.

Protecting the wp-config.php File

The wp-config.php file, found in the root directory, holds your database credentials and the authentication salts. If the PHP handler is ever misconfigured (during a PHP version change, for example), the web server may serve the file as plain text, so it is worth refusing HTTP requests for it outright.

Add these rules to the .htaccess file in the site root (not the one in the uploads folder):

<Files wp-config.php>
  Order allow,deny
  Deny from all
</Files>

On Apache 2.4, Require all denied does the same job. Keep in mind that this only stops requests from the outside; it does nothing against code already running on the server, which is what the file permissions in Step 9 are for.
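
The uploads-folder check as an added Python example, not part of the original article: it walks wp-content/uploads looking for anything a PHP handler might execute, including double extensions like avatar.php.jpg and the .phtml/.phar variants, and verifies that the uploads .htaccess contains a deny rule scoped to PHP files. The sample directory tree is constructed in a temporary folder with harmless placeholder content, and write_uploads_htaccess() writes a rule in both the Apache 2.2 and 2.4 forms.

```python
import os
import re
import tempfile

# Suffixes Apache's PHP handler configuration commonly maps to PHP (Debian's default
# matches \.ph(ar|p|tml)$; legacy AddHandler setups also run .php3-.php8). Every dotted
# part after the base name is checked, so avatar.php.jpg is caught too: with AddHandler
# it executes, and with the modern FilesMatch handler it is still a sign of an attack.
_PHP_SUFFIX_RE = re.compile(r"^(php[0-9]?|phtml|phar)$", re.IGNORECASE)

# Rules in both forms so the file works on Apache 2.2 and 2.4.
UPLOADS_HTACCESS = """# Deny direct requests for anything PHP-like below wp-content/uploads.
<FilesMatch "\\.(php[0-9]?|phtml|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
"""


def is_php_like(filename: str) -> bool:
    """True if any extension in the name is one a PHP handler may execute."""
    parts = filename.split(".")
    return any(_PHP_SUFFIX_RE.match(part) for part in parts[1:])


def find_php_in_uploads(uploads_dir: str) -> list:
    """Relative paths of PHP-like files anywhere under the uploads directory, sorted."""
    hits = []
    for root, _dirs, files in os.walk(uploads_dir):
        for name in files:
            if is_php_like(name):
                hits.append(os.path.relpath(os.path.join(root, name), uploads_dir))
    return sorted(hits)


def uploads_htaccess_blocks_php(uploads_dir: str) -> bool:
    """True if uploads/.htaccess has a <Files>/<FilesMatch> block naming php plus a deny rule."""
    path = os.path.join(uploads_dir, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    scoped_to_php = re.search(r"<files(?:match)?\s+[^>]*php", text, re.IGNORECASE) is not None
    denies = re.search(r"^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$", text,
                       re.IGNORECASE | re.MULTILINE) is not None
    return scoped_to_php and denies


def write_uploads_htaccess(uploads_dir: str) -> str:
    """Write the deny rules into uploads/.htaccess and return the path."""
    path = os.path.join(uploads_dir, ".htaccess")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(UPLOADS_HTACCESS)
    return path


def build_sample_uploads() -> str:
    """Constructed sample tree in a temp dir: one image plus three files a scanner should flag.
    The PHP files hold a harmless placeholder, not an actual web shell."""
    base = tempfile.mkdtemp(prefix="wp-uploads-")
    os.makedirs(os.path.join(base, "2025", "02"))
    samples = {
        "2025/02/photo.jpg": b"\xff\xd8\xff",
        "2025/02/shell.php": b"<?php echo 'placeholder';",
        "2025/02/avatar.php.jpg": b"<?php echo 'placeholder';",
        "2025/02/notes.phtml": b"<?php echo 'placeholder';",
    }
    for rel, body in samples.items():
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(body)
    return base


if __name__ == "__main__":
    uploads = build_sample_uploads()
    print("PHP-like files:", find_php_in_uploads(uploads))
    print("protected before:", uploads_htaccess_blocks_php(uploads))
    write_uploads_htaccess(uploads)
    print("protected after:", uploads_htaccess_blocks_php(uploads))
```

Point find_php_in_uploads() at your real uploads directory from a cron job; any hit there is worth investigating, because WordPress never writes PHP files to that folder itself.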

Step 5: Change the Default WordPress Database Prefix

The WordPress database holds everything from posts to password hashes, which makes it the prize in most attacks. SQL injection is the usual way in: a plugin or theme builds a query from user input without escaping it, so an attacker can add their own SQL to the query and read or modify tables they should never see.

Many automated attack scripts hard-code the default table names (wp_users, wp_options and so on). Changing the default “wp_” prefix makes those scripts fail, which is worthwhile, but be clear about what it does not do: an attacker with a working injection can list your table names from information_schema in one query, so the prefix is an obstacle, not a fix. The real defence is keeping plugins updated and removing ones that are no longer maintained.

Here are the two parts of changing the prefix. Back up the database first, because a mismatch between the prefix in wp-config.php and the actual table names leaves the site unable to load.

Changing Table Prefix

  1. From your hPanel dashboard, go to the File Manager and open the wp-config.php file. Alternatively, you can use an FTP client to access the file.
  2. Look for the $table_prefix value in the code.
  3. Change the default WordPress database prefix wp_ to something new. WordPress only accepts letters, numbers and underscores here; use a mix of letters and numbers and keep a trailing underscore so the names stay readable (for example wp_1secure1_).
  4. Click “Save & Close.”
  5. Next, go back to the hPanel dashboard, find the Databases section, and click on phpMyAdmin.
  6. Open your site’s database by clicking “Enter phpMyAdmin.”
  7. If you have more than one database, check the wp-config.php file for the database name. Look for this section of code:
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'MySQL Database' );
  8. Scroll to the bottom and click “Check all.”
  9. From the “With selected” drop-down menu, choose the “Replace table prefix” option.
  10. Enter the current prefix and your new one, then click “Continue.”

Updating Prefix Values in the Tables

Some rows inside the tables also carry the prefix in their names: the options table has an option called wp_user_roles, and the usermeta table has wp_capabilities and wp_user_level for every user, plus keys added by plugins. WordPress looks these up using the prefix from wp-config.php, so until they are renamed nobody can log in. phpMyAdmin’s “Replace table prefix” renames the tables only; these values you have to update by hand.

Use the following query to find all values with the old prefix:

SELECT * FROM `wp_1secure1_tablename` WHERE `field_name` LIKE 'wp\_%'

In this code, wp_1secure1_tablename is the name of the table you want to search (wp_1secure1_options or wp_1secure1_usermeta), and field_name is the column where the prefixed values live: option_name in the options table, meta_key in the usermeta table. The backslash matters: in a LIKE pattern, _ matches any single character, so 'wp_%' would also match names like wpseo_title. Escaping it as wp\_ makes it a literal underscore, and anchoring the pattern at the start avoids matching values that merely contain “wp” somewhere in the middle.

Here’s how you can manually change the prefix value:

  1. From the phpMyAdmin dashboard, go to the table that has the prefix you want to change. For example, open wp_1secure1_usermeta.
  2. Next, click on the SQL tab in the top menu.
  3. In the SQL query editor, enter the code above to filter values with the wp_ prefix, and click Go. Be sure to update the code with your actual table and field names.
  4. The results will show up. Click the Edit button next to the field you want to change.
  5. Update the prefix value and click Go. Repeat steps 4 and 5 for all the filtered values.
  6. Repeat this process from step 1 for the other tables in the database to change all values with the wp_ prefix.
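
The complete prefix change as SQL produced by an added Python example, not code from the article: a single RENAME TABLE statement for all tables, which MySQL performs atomically, followed by the UPDATE statements for the prefixed keys in options and usermeta, with the underscore escaped in the LIKE pattern so it is matched literally. The prefixes wp_ and wp_1secure1_ are the article’s examples; run the output in phpMyAdmin’s SQL tab after updating $table_prefix in wp-config.php.

```python
import re

_PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")  # the only characters WordPress accepts in $table_prefix

# Tables whose rows carry the prefix inside a column (keys WordPress reads by prefix).
PREFIXED_COLUMNS = (("options", "option_name"), ("usermeta", "meta_key"))


def _literal(value: str) -> str:
    """Quote a MySQL string literal (backslashes and quotes escaped)."""
    return "'" + value.replace("\\", "\\\\").replace("'", "''") + "'"


def _like_prefix(prefix: str) -> str:
    """LIKE pattern for 'starts with prefix'; _ and % are escaped so they match literally."""
    escaped = prefix.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    return "'" + escaped + "%'"


def find_prefixed_rows_sql(table: str, column: str, old_prefix: str) -> str:
    """The article's search query with the underscore escaped: run this to review rows first."""
    return f"SELECT * FROM `{table}` WHERE `{column}` LIKE {_like_prefix(old_prefix)};"


def prefix_change_sql(old: str, new: str, tables: list) -> list:
    """Statements to rename every old+table to new+table and fix the prefixed keys afterwards.

    `tables` holds bare table names such as 'options'. The RENAME is one statement so MySQL
    applies it atomically; the UPDATEs keep the part of each key after the old prefix.
    """
    if not (_PREFIX_RE.match(old) and _PREFIX_RE.match(new)) or old == new:
        raise ValueError("prefixes must contain only letters, digits and underscores, and differ")
    if not tables:
        raise ValueError("no tables given")
    renames = ", ".join(f"`{old}{t}` TO `{new}{t}`" for t in tables)
    statements = [f"RENAME TABLE {renames};"]
    for table, column in PREFIXED_COLUMNS:
        if table in tables:
            statements.append(
                f"UPDATE `{new}{table}` SET `{column}` = CONCAT({_literal(new)}, "
                f"SUBSTRING(`{column}`, {len(old) + 1})) WHERE `{column}` LIKE {_like_prefix(old)};"
            )
    return statements


# Core tables of a single-site install; add plugin tables from SHOW TABLES LIKE 'wp\_%'.
CORE_TABLES = ["commentmeta", "comments", "links", "options", "postmeta", "posts",
               "termmeta", "terms", "term_relationships", "term_taxonomy", "usermeta", "users"]

if __name__ == "__main__":
    for stmt in prefix_change_sql("wp_", "wp_1secure1_", CORE_TABLES):
        print(stmt)
```

SUBSTRING is 1-based in MySQL, so dropping a three-character prefix means starting at position 4; the generator computes that from the old prefix rather than hard-coding it.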

Step 6: Disable XML-RPC

XML-RPC is a legacy WordPress remote-access interface (the xmlrpc.php file in the site root). It was used by the older WordPress mobile apps, by the Jetpack plugin, and for trackbacks and pingbacks between blogs; the mobile apps and most other clients now use the REST API instead.

However, XML-RPC has some well-known security problems. Its system.multicall method lets a single HTTP request carry hundreds of login attempts (via wp.getUsersBlogs), so per-request rate limits and login-attempt counters at the web server see one request where hundreds of passwords were tried.

The pingback.ping method can also be abused for distributed denial-of-service. An attacker sends pingback requests to thousands of WordPress sites, each naming the victim’s URL as the “source” page; every one of those sites then fetches the victim’s page to verify the link, so the victim is flooded by traffic from legitimate servers and your site becomes one of the unwitting reflectors.

To check whether XML-RPC is enabled, open yourwebsite.com/xmlrpc.php in a browser. An enabled endpoint answers “XML-RPC server accepts POST requests only.”; a 403 or 404 means it is blocked. Online XML-RPC validation services perform the same check.

You can turn off XML-RPC either by using a plugin or doing it manually.

Disabling XML-RPC Manually

You can stop all XML-RPC requests at the web server, before PHP even runs. To do this, find the .htaccess file in your root directory and add the following code:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
  Order deny,allow
  Deny from all
  Allow from 203.0.113.5
</Files>

Replace 203.0.113.5 (a placeholder from the documentation address range) with the IP address that should still be allowed to use XML-RPC, or simply remove the Allow line to block all access. The main reason to keep an allow-list is Jetpack, which connects to your site over XML-RPC from WordPress.com’s servers; check Jetpack’s documentation for the address ranges it publishes. On Apache 2.4 the equivalent is Require all denied with a Require ip line for each allowed address. WordPress also has an xmlrpc_enabled filter for turning XML-RPC off in PHP, but that filter only disables the methods that require a login; pingbacks are still processed, so the web-server block above is the more complete option.
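
A direct check of what the endpoint offers, as an added Python example rather than the article’s code: build the system.listMethods request, parse the reply, and flag the methods behind the two abuses described above. The response bodies below are constructed samples; probe() performs the real request against a base URL you supply and is the only part that needs network access.

```python
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Methods behind the two abuses discussed above, keyed by the name listMethods returns.
RISKY_METHODS = {
    "system.multicall": "bundles many calls in one request: hundreds of logins per HTTP request",
    "wp.getUsersBlogs": "the cheap credential check brute-force scripts pair with multicall",
    "pingback.ping": "makes this server fetch any URL an attacker names (DDoS reflection)",
}

LIST_METHODS_REQUEST = (
    b'<?xml version="1.0"?><methodCall><methodName>system.listMethods</methodName>'
    b"<params></params></methodCall>"
)


def parse_list_methods(body: bytes) -> list:
    """Method names from a system.listMethods reply; [] for a fault, non-XML or an HTML error page."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return []
    if root.tag != "methodResponse" or root.find("fault") is not None:
        return []
    return [el.text for el in root.iter("string") if el.text]


def risky_methods(methods: list) -> dict:
    """Subset of `methods` that matter for brute force and pingback abuse, with the reason."""
    return {m: RISKY_METHODS[m] for m in methods if m in RISKY_METHODS}


def endpoint_enabled(status: int, body: bytes) -> bool:
    """Interpret a reply from xmlrpc.php: an enabled site answers a GET with 405 and the text
    'XML-RPC server accepts POST requests only.', and a POST with a 200 methodResponse.
    A 403/404 (or anything else) means requests are blocked before WordPress sees them."""
    if status == 200 and b"<methodResponse>" in body:
        return True
    return status == 405 and b"accepts POST requests only" in body


def probe(base_url: str, timeout: float = 10.0) -> dict:
    """Live check (needs network): POST listMethods to base_url/xmlrpc.php and assess it."""
    req = urllib.request.Request(base_url.rstrip("/") + "/xmlrpc.php",
                                 data=LIST_METHODS_REQUEST, headers={"Content-Type": "text/xml"})
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            status, body = resp.status, resp.read()
    except urllib.error.HTTPError as err:  # 403/404/405 arrive here; the body is still readable
        status, body = err.code, err.read()
    methods = parse_list_methods(body)
    return {"enabled": endpoint_enabled(status, body), "status": status,
            "methods": methods, "risky": risky_methods(methods)}


# Constructed sample replies (not captured from a real site).
SAMPLE_ENABLED_REPLY = b"""<?xml version="1.0" encoding="UTF-8"?>
<methodResponse><params><param><value><array><data>
<value><string>system.multicall</string></value>
<value><string>system.listMethods</string></value>
<value><string>pingback.ping</string></value>
<value><string>wp.getUsersBlogs</string></value>
<value><string>wp.getPosts</string></value>
</data></array></value></param></params></methodResponse>"""

SAMPLE_BLOCKED_REPLY = b"<html><body><h1>403 Forbidden</h1></body></html>"

if __name__ == "__main__":
    methods = parse_list_methods(SAMPLE_ENABLED_REPLY)
    print(len(methods), "methods; risky:", risky_methods(methods))
    print("blocked reply counts as enabled?", endpoint_enabled(403, SAMPLE_BLOCKED_REPLY))
```

After adding the .htaccess block, probe("https://yourwebsite.com") should report enabled: False with a 403; if it still lists methods, the rule is not being applied (check AllowOverride or whether the host runs Nginx).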

Step 7: Hide the WordPress Version

Attackers have an easier time if they know which version of WordPress you’re running: the version number lets them pick an exploit for a known weakness in that release instead of guessing. Hiding it raises the cost of automated scanning, but it is not a substitute for updating, since a scanner can also fingerprint the version from the files WordPress ships.

WordPress prints its version in several places: a generator meta tag in the page head, the generator element in RSS feeds, the ?ver= query string on the core scripts and stylesheets it loads, and the readme.html file in the site root. The snippet below handles the first two. You can also delete readme.html (it comes back with every core update, so repeat this after updating).

The steps below use the WordPress Theme Editor. If you followed Step 3 and set DISALLOW_FILE_EDIT, that editor is gone, so edit the file over FTP instead. Either way, put the code in a child theme’s functions.php rather than the parent theme’s, because a theme update overwrites functions.php and removes your change.

  1. From your WordPress dashboard, go to Appearance → Theme Editor.
  2. Select your current theme and open the functions.php file.
  3. To remove the version number from the header and RSS feeds, add the following code to the functions.php file:
function dartcreations_remove_version() {
    return '';
}
add_filter('the_generator', 'dartcreations_remove_version');
  4. To remove the WordPress version number from the meta tag, add this line:
remove_action('wp_head', 'wp_generator');
  5. Click Update File to save your changes.
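
A check for the places the version leaks, as an added Python example (not from the article): it scans the home page, the feed and readme.html for the generator meta tag, the feed generator element, ?ver= query strings on core assets, and the readme’s version line. The responses are constructed samples of a default and a hardened site; in practice you would fetch the three paths with curl or urllib and pass the bodies in.

```python
import re
from collections import Counter

# Four places a stock WordPress install prints its version.
GENERATOR_META = re.compile(r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s*([\d.]+)""", re.I)
FEED_GENERATOR = re.compile(r"<generator>https?://wordpress\.org/\?v=([\d.]+)</generator>", re.I)
CORE_ASSET_VER = re.compile(r"""/wp-(?:includes|admin)/[^"'\s>]*\?ver=([\d.]+)""", re.I)
README_VERSION = re.compile(r"<br\s*/?>\s*Version\s+([\d.]+)", re.I)


def version_leaks(responses: dict) -> dict:
    """responses maps a path ('/', '/feed/', '/readme.html') to (status, body).
    Returns {source: set of version strings} for every source that leaked something."""
    leaks = {}

    def record(source, versions):
        if versions:
            leaks.setdefault(source, set()).update(versions)

    status, body = responses.get("/", (404, ""))
    if status == 200:
        record("meta generator", GENERATOR_META.findall(body))
        # Core assets registered without an explicit version get the WordPress version
        # as ?ver=; bundled libraries (jQuery, for example) carry their own number, so
        # treat the values as candidates rather than a single answer.
        record("core asset ?ver=", CORE_ASSET_VER.findall(body))
    status, body = responses.get("/feed/", (404, ""))
    if status == 200:
        record("feed generator", FEED_GENERATOR.findall(body))
    status, body = responses.get("/readme.html", (404, ""))
    if status == 200:
        record("readme.html", README_VERSION.findall(body))
    return leaks


def likely_version(leaks: dict) -> str:
    """The version string reported by the most sources, or '' if nothing leaked."""
    votes = Counter(v for versions in leaks.values() for v in versions)
    return votes.most_common(1)[0][0] if votes else ""


# Constructed samples, not fetched from a real site: a default install and a hardened one.
DEFAULT_SITE = {
    "/": (200, """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<script src="/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
<script src="/wp-includes/js/wp-embed.min.js?ver=6.4.2"></script>
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=1.0" />
</head><body></body></html>"""),
    "/feed/": (200, """<rss version="2.0"><channel><title>Example</title>
<generator>https://wordpress.org/?v=6.4.2</generator></channel></rss>"""),
    "/readme.html": (200, """<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 6.4.2</h1>"""),
}

HARDENED_SITE = {
    "/": (200, """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="/wp-includes/js/wp-embed.min.js"></script>
<link rel="stylesheet" href="/wp-content/themes/example/style.css?ver=1.0" />
</head><body></body></html>"""),
    "/feed/": (200, """<rss version="2.0"><channel><title>Example</title></channel></rss>"""),
    "/readme.html": (404, "Not Found"),
}

if __name__ == "__main__":
    for name, site in (("default", DEFAULT_SITE), ("hardened", HARDENED_SITE)):
        found = version_leaks(site)
        print(name, found, "likely:", likely_version(found) or "none")
```

Stripping ?ver= from core assets is done in PHP with the script_loader_src and style_loader_src filters; if you do that, keep some other cache-busting scheme, since the query string is what makes browsers fetch new files after an update.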

Step 8: Block Hotlinking

Hotlinking happens when another site embeds your files, usually images, directly from your server instead of hosting a copy. Every time someone views that page, your server delivers the image, which costs bandwidth and can slow down your website.

To get a rough idea of whether your images are being hotlinked, type this into Google Images, replacing “yourwebsite.com” with your own domain:

inurl:yourwebsite.com -site:yourwebsite.com

Your web server’s access log is the more reliable source: successful image requests whose Referer header points at a domain other than yours are hotlinks.

To stop hotlinking, you can add mod_rewrite rules to .htaccess that refuse image requests carrying a foreign Referer, use a CDN that offers hotlink protection, or change settings in your control panel. Whichever you use, allow requests with an empty Referer, because some browsers and privacy tools strip the header and you don’t want to block direct visitors.
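
Checking the access log for hotlinks and generating the blocking rules, as an added Python example (not from the article): it parses Apache/Nginx combined-format log lines, counts successful image requests by foreign referring host, and emits mod_rewrite rules that refuse such requests while still allowing an empty Referer. The log lines and the domain example.com are constructed samples.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Apache/Nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"'
)
IMAGE_RE = re.compile(r"\.(jpe?g|png|gif|webp|svg)(\?|$)", re.I)


def referer_host(referer: str):
    """Hostname from a Referer value, or None when the header was absent ('-' or empty)."""
    if referer in ("", "-"):
        return None
    host = urlsplit(referer).hostname
    return host.lower() if host else None


def is_own_host(host: str, own_domain: str) -> bool:
    return host == own_domain or host.endswith("." + own_domain)


def hotlink_report(lines, own_domain: str) -> Counter:
    """Count successful image requests per foreign referring host.

    Requests with no Referer are skipped on purpose: direct visits and privacy
    browsers look the same, and blocking them would block real visitors."""
    counts = Counter()
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["status"] != "200" or not IMAGE_RE.search(m["path"]):
            continue
        host = referer_host(m["referer"])
        if host is None or is_own_host(host, own_domain):
            continue
        counts[host] += 1
    return counts


def hotlink_htaccess(own_domain: str) -> str:
    """mod_rewrite rules for the site-root .htaccess: refuse image requests whose Referer
    is present and not this domain (or a subdomain). Referer is sent by the visitor's
    browser and can be faked, so treat this as a nuisance filter, not a guarantee."""
    dom = own_domain.replace(".", r"\.")
    return (
        "RewriteEngine On\n"
        "RewriteCond %{HTTP_REFERER} !^$\n"
        f"RewriteCond %{{HTTP_REFERER}} !^https?://([^/]+\\.)?{dom}(/|$) [NC]\n"
        "RewriteRule \\.(jpe?g|png|gif|webp|svg)$ - [NC,F,L]\n"
    )


# Constructed sample log lines; example.com stands in for your own domain.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Feb/2025:10:00:01 +0000] "GET /wp-content/uploads/2025/02/photo.jpg HTTP/1.1" 200 48213 "https://forum.example.net/thread/12" "Mozilla/5.0"',
    '203.0.113.8 - - [02/Feb/2025:10:00:02 +0000] "GET /wp-content/uploads/2025/02/photo.jpg HTTP/1.1" 200 48213 "https://forum.example.net/thread/12" "Mozilla/5.0"',
    '198.51.100.4 - - [02/Feb/2025:10:00:03 +0000] "GET /wp-content/uploads/2025/02/photo.jpg HTTP/1.1" 200 48213 "https://www.example.com/gallery/" "Mozilla/5.0"',
    '198.51.100.5 - - [02/Feb/2025:10:00:04 +0000] "GET /wp-content/uploads/2025/02/photo.jpg HTTP/1.1" 200 48213 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Feb/2025:10:00:05 +0000] "GET /about/ HTTP/1.1" 200 9120 "https://forum.example.net/thread/12" "Mozilla/5.0"',
    '203.0.113.9 - - [02/Feb/2025:10:00:06 +0000] "GET /wp-content/uploads/2025/02/logo.png HTTP/1.1" 403 199 "https://spam.example.org/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(hotlink_report(SAMPLE_LOG, "example.com"))
    print(hotlink_htaccess("example.com"))
```

Only forum.example.net is counted: the www.example.com request is your own site, the “-” request has no Referer, /about/ is not an image, and the 403 was already refused.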

Step 9: Manage File Permissions

File permissions control which system users can read, write, or execute each of your WordPress files and folders. Getting them right limits what an attacker can do after breaking into another account on the same server, and keeps secrets such as the database credentials out of other users’ reach.

You can manage file and folder permissions through your web host’s File Manager, an FTP client, or the command line.

The usual baseline is 755 for directories, 644 for files, and 600 or 640 for wp-config.php where the PHP process runs as the file’s owner (or a member of its group); nothing should ever be 777. Hosts set reasonable defaults, but you should double-check them, especially after a migration or a restore from backup. For the wp-admin folder and the wp-config.php file in particular, make sure only the owner has permission to write to them.
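
An audit and fix for the permission baseline above, as an added Python example (not from the article): it reports anything writable by group or others and a world-readable wp-config.php, then applies 755/644/640. The sample site is constructed in a temporary directory; the 640 for wp-config.php assumes PHP runs as the file’s owner or its group, as the comment in the code explains.

```python
import os
import stat
import tempfile

# Baseline used here: directories 755, files 644, wp-config.php 640. The 640 assumes the
# PHP process runs as the file's owner or a member of its group (per-site PHP-FPM pools,
# suEXEC). Where PHP runs as an unrelated user (classic mod_php as www-data with files
# owned by your account), wp-config.php must stay 644 or the site cannot read it.
DIR_MODE, FILE_MODE, CONFIG_MODE = 0o755, 0o644, 0o640


def _mode(path: str) -> int:
    return stat.S_IMODE(os.lstat(path).st_mode)


def _walk(root: str):
    """Yield (path, is_dir) for root and everything below it, skipping symlinks."""
    yield root, True
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path, True
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                yield path, False


def audit_permissions(root: str) -> list:
    """Findings: anything writable by group or others, and a wp-config.php readable by everyone."""
    findings = []
    for path, _is_dir in _walk(root):
        mode = _mode(path)
        rel = os.path.relpath(path, root)
        if mode & 0o022:
            findings.append(f"{rel}: writable by group/others ({mode:o})")
        if os.path.basename(path) == "wp-config.php" and mode & 0o004:
            findings.append(f"{rel}: wp-config.php readable by everyone ({mode:o})")
    return sorted(findings)


def fix_permissions(root: str) -> int:
    """Apply the baseline; returns how many entries were changed."""
    changed = 0
    for path, is_dir in _walk(root):
        if is_dir:
            target = DIR_MODE
        elif os.path.basename(path) == "wp-config.php":
            target = CONFIG_MODE
        else:
            target = FILE_MODE
        if _mode(path) != target:
            os.chmod(path, target)
            changed += 1
    return changed


def build_sample_site() -> str:
    """Constructed sample install in a temp dir with two typical mistakes:
    a 777 uploads folder and a world-readable wp-config.php."""
    root = tempfile.mkdtemp(prefix="wp-site-")
    os.chmod(root, 0o755)
    for rel, mode in (("wp-admin", 0o755), ("wp-content", 0o755), ("wp-content/uploads", 0o777)):
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), mode)
    for rel, mode in (("index.php", 0o644), ("wp-config.php", 0o644),
                      ("wp-content/uploads/photo.jpg", 0o664)):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("")
        os.chmod(os.path.join(root, rel), mode)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for line in audit_permissions(site):
        print(line)
    print("changed:", fix_permissions(site), "remaining:", audit_permissions(site))
```

Run audit_permissions() against your real document root first and read the findings before calling fix_permissions(); ownership (which user and group own the files) is a separate question the script does not touch.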

Why Do You Need to Secure a WordPress Website?

If your WordPress site is hacked, you could lose valuable data, assets, and your reputation. These security problems can also put your customers’ personal and billing information at risk.

The cost of cybercrime could reach up to $10.5 trillion annually by 2025, and you certainly don’t want to be a part of that.

According to the WPScan Vulnerability Database, here are some of the most common security issues with WordPress:

  • Cross-site request forgery (CSRF): A logged-in user’s browser is tricked into sending a request (such as a settings change) that the site accepts as the user’s own action.
  • Distributed denial-of-service (DDoS) attack: This overloads a site with traffic, making it unavailable.
  • Authentication bypass: Hackers gain access to your site without proper verification.
  • SQL injection (SQLi): User input ends up inside a database query, so the attacker can read or alter the database.
  • Cross-site scripting (XSS): Attacker-controlled script is injected into pages and runs in visitors’ browsers; against an administrator it can take over the account.
  • Local file inclusion (LFI): The site is made to include a file from its own filesystem, exposing configuration or running content the attacker uploaded.

We suggest checking out our other article to learn how to spot and fix a hacked WordPress site, which can help you reduce data and financial losses.

Conclusion

To sum up, it’s definitely possible to improve your WordPress site’s security without using plugins, and it’s important to do so to lower potential risks.

To make your WordPress site more secure, start by keeping WordPress and themes updated, using strong passwords, and ensuring your database is safe. It’s also important to disable XML-RPC and protect key files like wp-config.php.

Make sure to handle your file permissions properly, back up your site often, and select a trustworthy hosting provider. These straightforward actions can protect your site from possible dangers. By taking these steps, you’ll strengthen your site against hackers and keep it safe and reliable.
