Secure Your WordPress Website Without Using Plugins

Learn how to secure your WordPress website without using costly plugins. Discover easy tips for securing wp-includes, wp-config.php, and disabling file editing.

When it comes to securing your WordPress website, there are a plethora of plugins available that can do the job. However, some of these plugins can be costly and may slow down your site’s performance.

In this blog post, we’ll be sharing a few easy things you can do to keep your website safe without using plugins.

1. Securing wp-includes

One way to add an extra layer of protection to your website is by blocking scripts that are not intended to be accessed by users. This can be done by using mod_rewrite in the .htaccess file.

It’s important to note that to ensure the code is not overwritten by WordPress, you should place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file.

Here’s an example of the code you can use:

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress

It’s worth noting that this method may not work well on Multisite, as the RewriteRule ^wp-includes/[^/]+.php$ - [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work, but it will offer less security.

2. Securing wp-config.php

Another way to increase the security of your website is by moving the wp-config.php file to the directory above your WordPress install. This means for a site installed in the root of your webspace, you can store wp-config.php outside the web-root folder.

However, some experts suggest that moving the file may have minimal security benefits and if not done carefully, may introduce vulnerabilities. To be on the safe side, make sure that only you (and the web server) can read this file (it generally means a 400 or 440 permission).

If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for it:

<files wp-config.php>
order allow,deny
deny from all

3. Disable File Editing

The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if they are able to login, since it allows code execution. To prevent this, you can add the following line in your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

This will disable editing from the Dashboard and may stop some attacks, but it will not prevent an attacker from uploading malicious files.

In conclusion, securing your WordPress website doesn’t have to be complicated or expensive. By following the simple tips outlined in this post, you can keep your website safe without using plugins. Remember to always keep your website and its components up-to-date to stay ahead of potential security threats.

Sharing is caring.
Ramer Ian
Ramer Ian

A full-time WordPress Developer and Graphic Designer creating successful websites that are fast, easy to use, and built with best practices.

Articles: 25

Leave a Reply

Your email address will not be published. Required fields are marked *