Keeping your WordPress site safe is essential, especially with cyberattacks and data breaches becoming more common. While many users rely on security plugins to protect their websites, it is entirely possible—and often more efficient—to secure your WordPress site manually. This approach reduces the number of installed plugins, making your site faster and less vulnerable to plugin-related security flaws.
Manual security methods give you better control over your website’s safety. They allow you to tighten your defenses at the server, file, and user levels without relying on third-party tools that might go outdated or unsupported. Whether you are a site owner or a developer, learning how to harden your WordPress site manually is a powerful step toward complete control over your website’s security.
7 Steps To Secure Your WordPress Website From Attack
1. Keep WordPress Core, Themes, and Files Updated:
One of the easiest and most important ways to secure your site is by keeping everything updated. Hackers often exploit vulnerabilities in outdated WordPress versions, themes, and plugins. Regular updates patch these security holes and reduce your site’s risk exposure.
Even without plugins, you can manually log into your WordPress dashboard and check for updates under Dashboard > Updates. For developers, enabling automatic updates through the wp-config.php file is also possible, ensuring your site stays protected with the latest releases.
2. Use Strong Passwords and Change Default Usernames:
Many successful hacks start with weak login credentials. Always use strong, unique passwords for all accounts—admin, FTP, hosting, and database. Avoid common words and include a mix of uppercase letters, lowercase letters, numbers, and symbols.
Additionally, never use “admin” as your username. This is the first guess for hackers trying to brute-force your site. You can create a new admin account with a different username and then delete the original “admin” account to avoid unnecessary risk.
3. Protect Your wp-config.php and .htaccess Files:
Your wp-config.php file contains sensitive data like database login credentials. Securing this file can block unauthorized access. You can move this file one directory above your root directory—WordPress can still access it, but hackers can’t through the web browser.
The .htaccess file allows for additional protective rules. You can add lines of code to deny access to specific files or restrict access based on IP address. These server-level controls are powerful and don’t rely on external plugins.
4. Disable File Editing in the WordPress Dashboard:
WordPress allows you to edit theme and plugin files directly from the dashboard as part of its default settings. While convenient, it is also a major security risk if someone gains access to your admin panel.
To disable file editing, add the following line to your wp-config.php file:
define( ‘DISALLOW_FILE_EDIT’, true );
This small tweak adds a strong layer of defense, preventing anyone from injecting malicious code via the editor.
5. Limit Login Attempts and Hide wp-login.php:
WordPress doesn’t limit login attempts by default, making it easy for attackers to try password combinations repeatedly. To manually address this, you can configure your web server (Apache or NGINX) to rate-limit login attempts or block IPs after a certain number of failed attempts.
You can also rename or hide your login page URL from wp-login.php to something custom by editing your .htaccess or functions.php file. This reduces the chance of automated bots targeting your login page.
6. Enforce HTTPS and SSL Encryption:
SSL certificates encrypt data sent between your site and its visitors, making it harder for hackers to intercept sensitive information. Most hosting providers now offer free SSL certificates through Let’s Encrypt.
Once installed, you should enforce HTTPS across your entire site by updating your .htaccess file to redirect all traffic from HTTP to HTTPS. It is also a good idea to update your WordPress and site address URLs in Settings > General to reflect the secure version.
7. Regular Backups and File Permissions:
Even with strong security, no website is immune to attacks. Regular backups ensure that you can restore your site quickly in case of compromise. Although there are plugin options for backups, you can also do it manually via cPanel, FTP, or using a cron job to automate the process.
Set correct file and directory permissions to prevent unauthorized modifications. A secure setup typically uses 755 for folders and 644 for files. You can update permissions using FTP clients like FileZilla or via the command line.
Conclusion
Securing your WordPress site without plugins might seem intimidating at first, but it offers tighter control and reduces your reliance on third-party tools. By manually enforcing these best practices—such as hiding login pages, restricting file access, and using secure credentials—you eliminate common entry points for hackers.
While plugins can add convenience, they are not always necessary, especially if you understand your hosting environment and know how to make strategic changes yourself. Manual security strengthens your website’s core and keeps it fast, lightweight, and less vulnerable to plugin-based threats.
If you want a clean, fast, and secure WordPress experience, take the time to apply these changes. Your future self—and your visitors—will thank you for it. Ready to lock down your site like a pro? Then apply this guide!
