5 Tips to Harden Your WordPress Website (no security plugin)

According to the latest statistics, more than 835 million websites today are powered by WordPress. Each year, WordPress is downloaded over 2 million times, indicating that its popularity is continuously increasing.

Due to its widespread use, WordPress has also become a favorite target for hackers with malicious intentions. Therefore, if your website is built on WordPress, you need to secure it before an intruder finds a way to access your data.

Is WordPress Secure?

WordPress has a reputation for being vulnerable to security attacks, but this isn’t entirely true.

One of the reasons WordPress enjoys immense popularity is its ability to be highly customized through configurations, plugins, themes, and more. While WordPress’s core system is secure by default, the way users modify and extend it can significantly affect its security. The risks mainly come from insecure custom coding, plugins and poor authentication practices.

With proper precautions, WordPress can be made secure for most use cases.

What is Security Hardening for WordPress?

Security Hardening is like giving your WordPress site a digital shield and some smart tactics to protect itself from any unwanted intruders or hackers.

Imagine your WordPress site is a house. Just like you’d put locks on the doors, maybe some security cameras around, and teach your family members not to open the door to strangers, WordPress Hardening does something similar for your website.

It involves a bunch of steps to tighten up security, like making sure all your digital doors (like login pages) are super secure with strong passwords, keeping all your website’s parts (themes and plugins) updated so there are no weak spots, and setting up measures to watch out for and block any suspicious activities. So, it’s all about making your website’s defenses as strong as possible to keep the bad guys out.

Let’s dive into some straightforward yet crucial strategies to fortify your WordPress site’s defenses without relying on any plugins.

1. Use SSL (Secure Sockets Layer):

The first and foremost step you can take to make your site connections secure for your visitors is to use an SSL certificate.

SSL (Secure Sockets Layer) is a protocol that encrypts data transfer between a user’s browser and a website for security.

Sensitive user information like payments or logins can be intercepted without SSL. So it’s essential for sites collecting this data to use SSL certificates. These certificates are validated by authorities and denoted by “HTTPS” and a padlock icon in the browser. This verifies the site’s identity and encrypts data.

SSL is recommended for any website, but critically important for ecommerce, membership sites, or anywhere users log in. Most payment providers also require SSL. Beyond security, SSL boosts your brand’s credibility and trust. Google recommends SSL-enabled sites, which may benefit search rankings. If a site doesn’t use SSL, browsers like Chrome will mark it as “not secure” – a negative signal to users.

Previously, SSL certificates involved fees of $50-$200 annually. This deterred some small sites. But free authorities like Let’s Encrypt have made SSL universally accessible and vital for all websites today.

Siteground, Dreamhost and Hostinger are some of the popular WordPress hosting providers which include free SSL certificates on all shared hosting plans, removing the installation hassle.

2. Change Your “admin” Username:

WordPress sites using “admin” or common variants like “test” or “Administrator” as the username are highly vulnerable to cyber attacks. When installing WordPress, it suggests “admin” as the default admin username. This makes it the most widespread across WordPress sites.

Hackers typically target “admin” in brute force attacks that rapidly guess password combinations. Once a hacker has the username, cracking a weak password is trivial. This grants them access to compromise your site.

To harden security, any admin account using “admin” or an easy to guess username based on your firstname or domain name should be deleted.

Create a new administrator account with a strong, unpredictable username.

This simple step significantly reduces the risk of hackers exploiting this common vulnerability. Unique usernames make brute force attacks far more difficult, adding critical protection.

3. Use Strong Passwords:

Using simple, weak passwords is an extremely common yet hazardous security mistake made by many website owners. Research shows over 80% of data breaches are due to compromised passwords, costing millions annually. Easily guessed passwords like “admin123” or “password123” take seconds for attackers to brute force and gain access.

Here is a useful tool for testing the strength of your password and assessing its vulnerability to online attacks.

Strong passwords are crucial first-line website defense. Ensure that your passwords are 10+ characters, with a combination of numbers, symbols, and uppercase letters. The more diverse and complex the password is, the longer it would take an attacker to guess your password and gain access into your account.

You should also avoid reusing passwords across sites. If a password is compromised once then it can jeopardizes all other accounts. To avoid such situation, you can use a password manager like 1password.com or lastpass.com to securely create and store unique complex passwords for all your sites and services.

With strong, distinct passwords and a password manager, you can significantly reduce the risk of your accounts being breached.

4. Hide wp-admin Login URL:

Hackers can pretty easily figure out if your website is run on WordPress just by looking at the page source. Once they know it’s WordPress, finding the login page is a piece of cake because the usual login page address is your website’s name followed by /wp-login.php.

If you type in /wp-admin instead, it just sends you over to the same login page.

We’ve already talked about the importance of having strong usernames and passwords to keep your site safe. But what if you could also hide the very door that hackers use to try getting into your site? This could really throw off most hackers, and many might just give up on their first attempts.

5. Disable XML-RPC in WordPress:

XML-RPC is a core WordPress feature that allows other programs to connect to your website. It has been enabled by default since WordPress 3.5 to support backward compatibility for old sites.

Developers use XML-RPC to build mobile apps and services that can publish and manage WordPress sites remotely. For example, mobile apps require XML-RPC to allow you to update your site from your phone. Services like Zapier also rely on it to integrate with WordPress.

Unfortunately, XML-RPC acts like a backdoor entry that can be misused by hackers to send brute force login credentials to gain access to your site. It can also be exploited for DDoS attacks by overloading your site with fake comments (pingbacks).

You can manually disable XML-RPC in WordPress by using the following filter hook:

add_filter( 'xmlrpc_enabled', '__return_false' );

You can add this code to your theme’s functions.php file or by using a code snippet plugin (recommended), like WPCode or CodeSnippets.

After adding the hook, you can verify that XML-RPC is disabled by simply visiting the URL http://yourdomain.com/xmlrpc.php in your browser. Make sure you replace ‘yourdomain.com’ with your own website’s domain name.

If XML-RPC is disabled, you should see the following error message:

Forbidden: You don’t have permission to access this resource.

Final Thoughts

To summarize, this article covered some basic WordPress hardening techniques that are easy to implement for most users. Simply by enforcing strong passwords, using SSL, and staying up-to-date, you can significantly improve your site’s security posture.

For more advanced protection, there are additional steps you can take like two-factor authentication, activity logging, limiting login attempts, and using a web application firewall. Many managed WordPress hosts like WPEngine, Flywheel and Cloudways also provide built-in security features.

Ultimately, hardening WordPress is an ongoing process. As threats evolve, it’s important to continually evaluate and strengthen your defenses. While the methods here focus on essential first steps, you can continue building robust security layers over time.

If you are looking for advanced security then there is no substitute for a security plugin. You can explore this list of the best security plugins, which incorporate many of the above suggestions as their core features.