Face Your Fear

In the life everyone is doing struggle and no one known where you have to face your fear. So, it’s no mean that you stop doing struggle in your life or finish the life.

10 Ways to Secure WordPress Websites


Unfortunately website are liable to suffer from security risks and so any networks to which web servers are connected. Setting aside risks created by hackers or misuse of network resources, your web server and the site it hosts present your most serious sources of security risk. Website security plays an important role for anyone who has website presence. We have many following methods to secure the WordPress sites.

Modify login errors

When you type wrong username or password, it will give very detailed error message telling you exactly whether your username is wrong or password. This is a great hint for hackers but fortunately we can disable the login errors by following code:

function your custom error(){
return 'Anything you will write here will become new error messages';
add_filter( 'login_errors', 'your custom error' )

Never use admin as an username

First don’t use admin as an username, if you have then make it as subscriber. Subscriber has less privileges i.e can’t delete or add post and pages.

Enable 2-factor authentication

This is highly recommended. If someone gets hold of your WordPress login details, they will still need your mobile phone to get into your WordPress dashboard.

Unlike Dropbox or Google, 2-step authentication isn’t part of WordPress but you can always use the Authy plugin to enable 2-factor authentication.

Stop WordPress from guessing URLs

WordPress has habit of guessing URLs. If an user request macwill.in/con URL but if that page doesn’t exist, WordPress may redirect that user to macwill.in/contact because the URLs have some common words.

By following code you can stop wordpress to stop guessing URLs.

add_filter('redirect_canonical', 'stop_wordpress_guess_url');
function stop_wordpress_guess_url($url) {
if (is_404()) {
return false;
} return $url;


Disable file editing when you logged in

WordPress has the strange functionality, that user who logged in can edit files. This becomes easy for hacker that, he can write malicious code in it and destroy your whole website. By following code you can stop editor from back end.


Not allow users to install plugins, themes or doing updates

Not allow a user to edit plugin/theme files will only provide one level of security. However, this does not prevent the hacker from adding a new plugin or theme. Once the Admin Panel is compromised, the hacker can also install a rogue theme or a rogue plugin. If you do not install plugins on a regular basis, we suggest, that you disable this option altogether. This can be done by using the option:


Limit the login attempts

Sometimes user tries to login in your account by commonly username and password, or uses script to break your password. Then you must limit your login attempts. Limit login attempts is a plugin in that if user tries wrong login details for more than specific time, then login process must be locked out for specific time and you will get email with client IP, then you can BAN that IP address.

Disallow wp-config file

In WordPress wp-config is sensitive file. It is a best practice that disallow wp-config from back end.

 <files wp-config.php>
   order allow,deny
   deny from all

Securing with htaccess file

Apache uses ht access to prevent unauthorized access to certain parts of the site. Since wp-config.php should never be accessed directly by anybody, and since it contains the critical database details, we should block it from ht access file too. This can be done by adding the following lines to your htaccess file:

order allow,deny
Deny from can use multiple IP) or
deny from all (Block all IP)

Change database prefix ($table_prefix)

The WordPress database consists of many tables to store posts, links, comments, users etc. Now these tables by default have standard names like wp_users, wp_options, wp_posts etc. Now a hacker knows that your user details are stored in the table wp_users, and will try and exploit this. We can however prevent the hacker from guessing the name of the table. To do this, while installing WordPress, we need to change the setting for $table_prefix. In your wp-config file there will be a line:
$table_prefix  = ‘wp_';
You need to change it to something random like
$table_prefix  = ‘macwill_';
This will cause the tables in the database to become macwill_users, macwill_posts etc, in turn making it harder for the hacker to guess.

- Web Developer @Macwill

Also on Macwill blog