How to Secure WordPress Site Without Plugin: 18 Effective Tips

Michal Kaczor



Last Updated on February 23, 2024

Security matters not only in our physical environment but also in the virtual one. We usually secure our property: we have a security entrance door to the apartment, an alarm in the car, a camera on the property, etc. People often underestimate security in the virtual world and think they are not in danger, but the opposite is true. In today’s world, it is essential to take care of the security of your website. Of course, this also applies to WordPress. Understanding the basics of WordPress security and taking proactive measures to protect your site doesn’t always require additional software, a principle that’s especially important if you’re looking to streamline your site’s performance by minimizing plugin use.

The following article will show you some simple procedures for protecting WordPress without using plugins that could unnecessarily burden this content management system. They cover the hosting provider’s environment and the configuration of WordPress, as well as the settings of user accounts and data transfer processes. Strengthening these areas can give you a significant edge against common vulnerabilities, helping your site, visitors, and data remain safe from malicious threats. Regular maintenance, monitoring, and advanced security tips and tricks will help protect your WordPress site against potential breaches.

  • Protecting your WordPress site can be effectively managed through precise configurations and regular maintenance.
  • Strengthening user account security and hosting environments adds robust layers of defense against attacks.
  • Reliable security practices require vigilant monitoring and adapting to the evolving landscape of cyber threats.

18 Essential Steps for Securing a WordPress Site Without a Plugin

There are a lot of different plugins in WordPress today. However, not every user wants to use a plugin for everything in WordPress. The more plugins are active in WordPress, the more its performance decreases, increasing the security risk. The following 18 steps, which we will discuss in detail in the article, can be implemented without a plugin. Let’s go.

  1. Evaluate Current Security Measures
  2. Know Common WordPress Vulnerabilities
  3. Choose a Secure Web Host
  4. Manage Hosting cPanel Security
  5. Secure the wp-config.php File
  6. Have Correct File Permissions and Ownership
  7. Enforce Strong Passwords
  8. Implement Two-Factor Authentication
  9. Limit Login Attempts
  10. Install a Web Application Firewall
  11. Disallow File Editing from the Dashboard
  12. Change the Database Table Prefix
  13. Implement SSL Certificates
  14. Secure FTP access
  15. Schedule Regular Backups
  16. Monitor for Malware and Security Issues
  17. Block XML-RPC and .htaccess File Access
  18. Adjust the Login URL

Understanding WordPress Security Basics

Securing your WordPress site is crucial to protecting against hackers’ relentless attempts to exploit security vulnerabilities. Overlooking key security measures can lead to severe security breaches, compromising your website’s integrity and users’ trust. The security of (not only) WordPress falls into the field of cyber security, which has been on the rise in recent years precisely because attempts to break into systems or steal various items in the online space are increasing. Therefore, it is good to remember that website security should be your priority whether you run a website on WordPress or another system.


Evaluate Current Security Measures

Before diving into new security tactics, you must assess your current WordPress security posture. You must ensure that your administrative credentials are robust—employ complex usernames and passwords that defy simple guessing or automated brute-force attacks. Use tools like security plugins or auditing services to scan for any existing security vulnerabilities. A regular backup routine is imperative to restore your site if any security breaches occur.

Common WordPress Vulnerabilities

WordPress’s popularity makes it a common target for hackers, leading to a need for constant vigilance against security vulnerabilities. Some of the most prevalent threats include SQL injection, where hackers manipulate your website’s database, and Cross-Site Scripting (XSS), which allows attackers to inject malicious scripts. Other concerns include file inclusion exploits and brute-force attacks, which aim to guess your login details. Keeping WordPress, along with themes and plugins, updated is your first line of defense, closing off known vulnerabilities that hackers could otherwise exploit.

Securing the Hosting Environment

When setting up a WordPress site, the security of your hosting environment is foundational. Selecting a quality host and ensuring the control panel is locked down can significantly reduce your exposure to attacks.

Choosing a Secure Web Host

While numerous web hosting options are available, Hostinger has distinguished itself as a secure and quality option for hosting WordPress sites. When looking for a secure web host, you should ensure they offer features like SSL certification, regular security updates, and 24/7 support. Hostinger provides these essentials and advanced security measures, such as BitNinja’s all-in-one protection, safeguarding your website from cyber threats.

Managing Hosting Control Panel Security

The hosting control panel is a critical access point to your WordPress site. It’s essential to use strong, unique passwords and, where possible, enable two-factor authentication (2FA) for an added layer of security. With Hostinger, you can manage these settings directly from the control panel, ensuring access to your site’s backend requires more than a password. It’s also a good practice to regularly update these security settings and monitor login attempts to detect any suspicious activity early on.

Implementing Secure WordPress Configurations

In securing your WordPress site, focusing on the wp-config.php file and ensuring correct file permissions and ownership are fundamental steps. These measures are crucial in safeguarding your website’s core and keeping potential intruders at bay.

Securing the wp-config.php File

The wp-config.php file is the heart of your WordPress site’s security, housing sensitive information like database credentials and secret keys. To protect it, move the file to a non-web-accessible area if your hosting environment allows it. Moreover, setting the file permissions to 600 (chmod 600) ensures that only the file’s owner, which should be the account your web server runs PHP as, can read and write the file, thus preventing unauthorized access.

Correct File Permissions and Ownership

File permissions dictate which actions different users can perform on the files in your WordPress installation. Your files should be set to chmod 644 and directories to chmod 755, with the wp-config.php file as an exception, as noted earlier. This guarantees that regular website visitors cannot modify or execute your files. Ensure correct ownership of the files, typically your web server user, to avoid giving broad permissions to multiple users, which can lead to security vulnerabilities.
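The baseline above (directories 755, files 644, wp-config.php 600) can be audited and applied from a shell. This is an added example, not part of the original article; the function names are hypothetical, and it assumes PHP runs as the owner of the files.

```sh
#!/bin/sh
# Added example, not from the article. Pass the directory that holds
# wp-config.php. Baseline: directories 755, files 644, wp-config.php 600.
# Assumption: PHP runs as the file owner; otherwise 600 leaves the site
# unable to read its own configuration.

# Print every path that deviates from the baseline (empty output = clean).
audit_wp_perms() {
    root=${1%/}
    find "$root" -type d ! -perm 755 -print
    find "$root" -type f ! -path "$root/wp-config.php" ! -perm 644 -print
    find "$root/wp-config.php" -type f ! -perm 600 -print
}

# Print files and directories that any local user may write to.
world_writable() {
    find "${1%/}" \( -type f -o -type d \) -perm -0002 -print
}

# Apply the baseline. find does not follow symlinks by default, so a link
# planted under uploads/ cannot steer chmod to a file outside the tree.
fix_wp_perms() {
    root=${1%/}
    if [ ! -f "$root/wp-config.php" ]; then
        echo "refusing: no wp-config.php in $root" >&2
        return 1
    fi
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -path "$root/wp-config.php" -exec chmod 644 {} +
    chmod 600 "$root/wp-config.php"
}
```

Run `audit_wp_perms` first and read its output before calling `fix_wp_perms`, since some hosts deliberately use different modes for cache or upload directories.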

Strengthening User Account Security

Ensuring the safety of user accounts on your WordPress site is paramount. Robust passwords and two-factor authentication are your first defense against unauthorized access.

Enforce Strong Passwords

To fortify your user account security, mandating strong passwords is essential. A strong password should be a complex mixture of letters, numbers, and special characters, making it difficult for attackers to guess. WordPress provides a strength meter, which can be helpful to encourage users to create better passwords.

  • Criteria for Strong Passwords:
    • Minimum of 12 characters
    • Includes uppercase and lowercase letters
    • Contains numbers and symbols
    • No common phrases or easily guessable strings


  • Regularly prompt users to update their passwords.
  • Do not allow common passwords like “123456” or “password.”

Implement Two-Factor Authentication

Adding two-factor authentication (2FA) to your site adds a layer of security. When this feature is enabled, users must provide two different types of information before accessing their account.

  • 2FA Methods:
    • Something they know: a password or PIN
    • Something they have: a smartphone or authentication app
    • Something they are: fingerprint or facial recognition

By implementing 2FA, an attacker still needs the second factor to breach the account even if a password is compromised.


  • Use an app like Google Authenticator or Authy for time-based one-time passwords (TOTP).
  • Encourage users to protect all accounts with 2FA, not just their WordPress account.

Protecting Against Brute Force and DDoS Attacks

Safeguarding your WordPress site demands a strategic approach against common threats like brute force and DDoS attacks. Understanding and applying robust security measures can prevent unauthorized access and service interruptions.

Limit Login Attempts

You should restrict the number of login attempts from a single IP address to protect against brute-force attacks. This measure thwarts attackers attempting to guess your password through continuous trial and error. Consider these steps:

  • Identify the typical number of failed logins a legitimate user might have.
  • Set an attempt limit that locks the user out after repeated failures.
  • Increase the lockout time after each failed series of attempts.

This step does not eliminate the threat of an attack but can significantly reduce the risk.
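To pick the attempt limit from real data, count failed logins per address in the web server's access log and see which addresses a given limit would lock out. The following is an added example, not part of the original article: the log lines are constructed, the function names are hypothetical, and it assumes a failed login answers the POST to wp-login.php with status 200 while a successful one redirects with 302. The doubling lockout with a cap is one possible way to "increase the lockout time".

```sh
#!/bin/sh
# Added example, not from the article. Log lines are constructed, in the
# Apache/nginx "combined" format, with documentation-range addresses.
sample_log() {
cat <<'EOF'
203.0.113.7 - - [10/Feb/2024:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Feb/2024:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Feb/2024:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "curl/8.0"
203.0.113.7 - - [10/Feb/2024:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "curl/8.0"
198.51.100.20 - - [10/Feb/2024:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 4800 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Feb/2024:10:05:09 +0000] "POST /wp-login.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Feb/2024:10:05:21 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

# Read a log on stdin, print "count ip" for failed logins, highest first.
# Assumption: failed login = POST answered with 200 (form shown again).
failed_logins() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
         END { for (ip in n) print n[ip], ip }' | sort -rn
}

# Addresses that reach LIMIT failures and would be locked out.
over_limit() {
    failed_logins | awk -v limit="$1" '$1 >= limit { print $2 }'
}

# Minutes of lockout for the Nth lockout in a row of one address:
# BASE doubled each time, never above CAP (a choice of this example).
lockout_minutes() {
    base=$1 series=$2 cap=$3
    m=$base i=1
    while [ "$i" -lt "$series" ] && [ "$m" -lt "$cap" ]; do
        m=$((m * 2)); i=$((i + 1))
    done
    if [ "$m" -gt "$cap" ]; then m=$cap; fi
    echo "$m"
}

sample_log | failed_logins
```

In the sample, the visitor who mistyped a password once stays well under a limit of 3, while the address that failed four times in four seconds is the one that gets locked out.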

Install a Web Application Firewall

A Web Application Firewall (WAF) is crucial for safeguarding your website against various online threats, including DDoS attacks. A WAF can:

  • Act as a gatekeeper, analyzing incoming traffic to your site and blocking malicious requests.
  • Look at the number of requests sent from a single source over time to differentiate regular traffic from DDoS attacks.

You can start with free options such as Cloudflare, which offers a basic level of protection. For more advanced security coverage, consider premium services offering enhanced features and support. Implementing a WAF is a proactive step toward continuous website availability and security.

Enhancing File and Database Security

To secure your WordPress site, it’s imperative to focus on measures safeguarding your files and database, as they are central to its integrity and functionality.

Disallow File Editing from the Dashboard

WordPress allows you to edit your theme and plugin files directly from the admin dashboard by default. Although convenient, this feature can be a security risk. If unauthorized users gain access to your WordPress dashboard, they could inject malicious code into your site. To prevent this, add the following line to your wp-config.php file:

define('DISALLOW_FILE_EDIT', true);

This will disable the ability to edit files from the dashboard, thus fortifying your site’s defenses against unwanted intrusions.

Changing the Database Table Prefix

WordPress uses a default table prefix (wp_) for all tables in your database. Since this is common knowledge, it can be an easy target for attackers attempting to manipulate your database through SQL injection attacks. Change the table prefix to something unique to deter such threats.

Here’s how you do it:

  1. Back up your database before making any changes.
  2. Open your wp-config.php file and locate the $table_prefix line.
  3. Change the default wp_ prefix to a new value that is obscure and hard to guess.

    $table_prefix  = 'mynewprefix_'; 
  4. Renaming existing database tables needs to be done carefully, ideally by executing SQL queries or using a specialized plugin specifically for this task, and only if you’re comfortable and knowledgeable doing so without a plugin.

These modifications significantly impact your site’s security posture and ensure your data remains locked.
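For step 4, the SQL can be generated rather than typed by hand. This is an added example, not part of the original article: `prefix_rename_sql` is a hypothetical helper and `x7k_` a constructed prefix. Besides the table renames it emits the two updates that are easy to miss, because WordPress core stores the roles option (`wp_user_roles`) and per-user keys such as `wp_capabilities` under names that include the prefix.

```sh
#!/bin/sh
# Added example, not from the article. Emits SQL for a prefix change and
# executes nothing. Table names arrive on stdin, one per line (for
# instance the output of SHOW TABLES).
prefix_rename_sql() {
    old=$1 new=$2
    # Prefixes may only hold letters, digits and underscores; rejecting
    # anything else also keeps the generated SQL free of injection.
    for p in "$old" "$new"; do
        case $p in
            ''|*[!A-Za-z0-9_]*) echo "invalid prefix: $p" >&2; return 1 ;;
        esac
    done
    like=$(printf '%s' "$old" | sed 's/_/\\_/g')   # "_" is a LIKE wildcard
    while IFS= read -r t; do
        case $t in
            *[!A-Za-z0-9_]*) echo "skipping odd table name: $t" >&2 ;;
            "$old"*)
                rest=${t#"$old"}
                printf 'RENAME TABLE `%s` TO `%s%s`;\n' "$t" "$new" "$rest" ;;
        esac
    done
    # Prefixed keys live inside two tables; if they keep the old prefix,
    # users lose their roles and cannot reach the dashboard.
    printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
        "$new" "$new" "$old"
    # Renames every usermeta key that starts with the old prefix.
    printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
        "$new" "$new" $(( ${#old} + 1 )) "$like"
}

# Constructed table list for demonstration.
printf 'wp_posts\nwp_options\nwp_usermeta\n' | prefix_rename_sql wp_ x7k_
```

Review the generated statements, run them against a backed-up database, and change `$table_prefix` in wp-config.php at the same time so the site never looks for tables under the wrong name.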

Ensuring Secure Data Transmission

When you manage a WordPress site, it’s crucial to secure data transmission. Ensuring that your data is transmitted safely helps protect both your site and your users’ information from interception or misuse.

Implement SSL Certificates

SSL (Secure Sockets Layer) is the standard security technology for creating an encrypted link between a web server and a browser; current servers negotiate its successor, TLS, although the certificates are still commonly called SSL certificates. This secure link ensures that all data transmitted remains private and intact. You must obtain and install an SSL certificate for your website to benefit from this secure protocol. Once activated, SSL changes the HTTP protocol to HTTPS, where the ‘S’ stands for ‘secure,’ and your site visitors will notice a padlock icon next to your URL, indicating that it’s safe to use.

Secure FTP Access

FTP (File Transfer Protocol), used for transferring files to and from your WordPress site, can be vulnerable if not properly secured. You should always use SFTP (SSH File Transfer Protocol) or FTPS (FTP over SSL), which add a layer of encryption to your file transfers. This means your login credentials and the transferred files are encrypted, significantly reducing the risk of them being intercepted. To enable SFTP or FTPS, you must configure your server appropriately and use an FTP client that supports these secure protocols.

Regular Maintenance and Monitoring Activities

To ensure the integrity and safety of your WordPress site, regular maintenance and the consistent monitoring of potential threats are imperative. These preemptive actions can save you from future headaches and keep your website running smoothly.

Schedule Regular Backups

You should prioritize scheduling regular backups of your entire WordPress site, including your database and all website files. Set up a weekly or bi-weekly schedule—depending on the frequency of your content updates—to ensure that you always have a recent version of your site to revert to in the case of a crash or data loss.

  • Back up your database separately and often, as it contains vital content and user information.
  • Securely store your backups in multiple locations, such as cloud storage services or external drives.

Monitor for Malware and Security Issues

Malware and security issues can compromise your site’s health and user trust. Perform regular scans for malware and keep abreast of any security vulnerabilities.

  • Utilize website security monitoring tools to detect suspicious activity or unauthorized changes to your site’s files.
  • In the case of identifying a security issue, address it promptly to prevent any exploitation.

Regularly monitoring your site ensures you stay one step ahead of potential threats. These activities are fundamental to the longevity and reliability of your WordPress site.

Advanced Security Tips and Tricks

In this section, you’ll learn how to strengthen your WordPress site’s defenses by tweaking advanced settings. Focusing on specific areas, such as XML-RPC functionality and access to the .htaccess file, can greatly enhance your website security. Adjusting your login URL is an effective measure against brute-force attacks.

Block XML-RPC and .htaccess File Access

XML-RPC is a feature that enables remote connections to your site. While useful for specific functions, it can be exploited in attacks. To block XML-RPC, add the following code to your .htaccess file:

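# Deny every request to xmlrpc.php.
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use: Require all denied
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>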

This denies every request to xmlrpc.php, so no XML-RPC function can be reached remotely, including by legitimate clients that rely on it. Additionally, securing the .htaccess file itself is crucial. Limit file access by inserting:

# Deny requests for any file whose name contains ".hta" (any letter case)
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

This prevents external access to any .htaccess file, along with any other file whose name contains .hta in any letter case.

Adjusting the Login URL

Changing your login URL can deter automated bots and hackers from finding your login page. Instead of wp-login.php, you might opt for something like my_new_login. To do this without a plugin, add the following code to your .htaccess file:

RewriteEngine On
RewriteRule ^my_new_login$ wp-login.php

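Remember to replace my_new_login with the actual URL slug you wish to use. This simple change can thwart a significant number of unauthorized login attempts. Keep in mind that the rule only adds an alias: wp-login.php still answers at its original address unless access to it is restricted separately.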

Frequently Asked Questions