How to Avoid Security Breach in WordPress Website


For the lion's share of website owners, security is the least of their priorities. There is always a design tweak or a new feature that seems more pressing than hardening the site against attack.

Here is a sobering statistic from WPWhiteSecurity: more than 70% of the WordPress sites in the Alexa Top 1 Million were found to be vulnerable to attack.

WordPress plugins and themes have also repeatedly shipped with serious security flaws that attackers can use to get into a site.

That figure keeps growing, too, which makes for an Internet-wide time bomb that can go off at any time.

Do you own a WordPress website? If so, take notes: the following measures will help you secure it and keep it from falling prey to attackers.

Secure the wp-config.php

The wp-config.php file is the configuration file that holds the keys to your website: the database credentials, the authentication salts and the core settings. Anyone who can read it can connect to your database, and anyone who can change it can take over the site.

Denying web access to wp-config.php removes one easy way for an attacker to get at it. Here is how you can do it on Apache:

  1. Connect to your website using an SFTP client (plain FTP sends your password in clear text).
  2. Download the .htaccess file from your website's root directory.
  3. Open the .htaccess file, add the block below, and upload the file back:

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

The order/deny directives are Apache 2.2 syntax; on Apache 2.4 they only work while the mod_access_compat module is loaded, so on 2.4 use this form instead:

<files wp-config.php>
Require all denied
</files>

  4. Check the result: request https://your-site/wp-config.php in a browser. You should get a 403 Forbidden response, never a blank page (PHP executed the file) and never its contents (a misconfigured server handed it out as text).

Two caveats. The rule matches that exact filename only, so backup copies such as wp-config.php.bak or wp-config.php~ left in the document root are still served as plain text; delete them. And nginx ignores .htaccess entirely, so there the equivalent deny rule belongs in the server configuration.

You can also move wp-config.php one directory above the document root: WordPress looks there automatically, and a file outside the document root cannot be served by the web server at all. Moving it anywhere else requires leaving a stub wp-config.php in the original place that includes the real file. Neither trick helps against a vulnerable plugin that reads arbitrary files through PHP, since PHP itself must be able to read the file; what they stop is the web server handing the file out directly. Restrictive permissions (0640 or 0600) are what keep other accounts on a shared host from reading it.
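The rule above matches one exact filename and cannot see file permissions or stale copies, so it is worth checking the document root itself. The script below is an added example written for this article, not code from WordPress or from the original page: it audits a document root for a world-readable wp-config.php, WP_DEBUG left on, leftover copies such as wp-config.php.bak, and a missing deny rule in .htaccess. The sample roots it builds under a temporary directory are constructed test data, and the mode bits and rule patterns are the author's assumptions about a typical Apache setup.

```python
import re
import stat
import tempfile
from pathlib import Path

# Leftover copies that an exact-name <Files wp-config.php> rule does not cover:
# wp-config.php.bak, wp-config.php~, .wp-config.php.swp and the like. The
# wp-config-sample.php shipped with WordPress holds no secrets and is not matched.
BACKUP_RE = re.compile(r"^\.?wp-config\.php.+")
DEBUG_ON_RE = re.compile(r"define\(\s*['\"]WP_DEBUG['\"]\s*,\s*true\s*\)", re.I)
# Accepts either the Apache 2.2 (deny from all) or the 2.4 (Require all denied) form.
HTACCESS_RULE_RE = re.compile(
    r"<files(?:match)?\s+[^>]*wp-config[^>]*>.*?(deny from all|require all denied).*?</files(?:match)?>",
    re.I | re.S,
)


def audit_wp_config(docroot):
    """Return a list of findings for a WordPress document root; an empty list means clean."""
    docroot = Path(docroot)
    findings = []
    cfg = docroot / "wp-config.php"
    if not cfg.exists():
        # WordPress also accepts wp-config.php one directory above the install.
        cfg = docroot.parent / "wp-config.php"
    if not cfg.exists():
        return ["wp-config.php not found in the document root or its parent"]

    mode = stat.S_IMODE(cfg.stat().st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"{cfg.name} is world-readable (mode {mode:04o}); use 0640 or 0600")
    if DEBUG_ON_RE.search(cfg.read_text(errors="replace")):
        findings.append("WP_DEBUG is enabled; PHP notices can leak file paths on public pages")

    for entry in docroot.iterdir():
        if BACKUP_RE.match(entry.name):
            findings.append(f"stale copy {entry.name} sits in the document root and is served as text")

    htaccess = docroot / ".htaccess"
    if not (htaccess.exists() and HTACCESS_RULE_RE.search(htaccess.read_text(errors="replace"))):
        findings.append(".htaccess has no rule denying web access to wp-config.php")
    return findings


def build_sample(root, hardened):
    """Construct a throwaway document root (sample data for the demo, not a real site)."""
    root = Path(root)
    root.mkdir(parents=True, exist_ok=True)
    cfg = root / "wp-config.php"
    cfg.write_text(
        "<?php\ndefine('DB_PASSWORD', 'example-only');\n"
        f"define('WP_DEBUG', {'false' if hardened else 'true'});\n"
    )
    cfg.chmod(0o640 if hardened else 0o644)
    (root / "wp-config-sample.php").write_text("<?php // shipped by WordPress, no secrets\n")
    if hardened:
        (root / ".htaccess").write_text("<Files wp-config.php>\n    Require all denied\n</Files>\n")
    else:
        (root / ".htaccess").write_text("# RewriteEngine On\n")
        (root / "wp-config.php.bak").write_text("<?php // stale copy with the same secrets\n")
    return root


def demo():
    """Audit a weak and a hardened sample root; returns (weak_findings, hardened_findings)."""
    with tempfile.TemporaryDirectory() as tmp:
        weak = audit_wp_config(build_sample(Path(tmp) / "weak", hardened=False))
        fixed = audit_wp_config(build_sample(Path(tmp) / "fixed", hardened=True))
    return weak, fixed


if __name__ == "__main__":
    for label, result in zip(("weak", "hardened"), demo()):
        print(f"{label}: {result or 'no findings'}")
```

Run it against a real install with audit_wp_config("/var/www/html") after the deny rule is in place; the weak sample produces four findings and the hardened one none.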

SSL, SFTP and SSH access

SSL (Secure Sockets Layer), or in its current form TLS, encrypts the traffic between your website and a visitor's browser so that nobody on the path can read or tamper with it; in the browser this shows up as HTTPS.

SFTP (the SSH File Transfer Protocol, commonly expanded as Secure File Transfer Protocol) transfers files over an SSH connection. Use it instead of plain FTP whenever you upload to the site, because FTP sends your username, password and files in clear text.

SSH (Secure Shell) lets administrators open a command-line session on a remote server over an encrypted, authenticated connection, so the session can be neither read nor hijacked on the network.

Together these three protect everything you and your visitors exchange with the server: page content, logins and uploads.

As far as SSL is concerned, WordPress has been pushing every site toward HTTPS since 2017, and recent versions offer a one-click switch in Site Health once a certificate is in place. So if you own a WordPress website, a certificate is now a necessity rather than an option. A DV (domain-validated) certificate, which free certificate authorities such as Let's Encrypt issue, gives the same encryption as any other. An EV (extended-validation) certificate additionally vouches for your business identity, but note that the major browsers no longer show a green bar or the verified business name for EV, so the padlock looks the same either way.

If you are not yet serving the whole site over HTTPS (you should be), at least force it for the login page and the dashboard by adding the line below to wp-config.php:

define('FORCE_SSL_ADMIN', true);

FORCE_SSL_LOGIN, which older advice used, has been deprecated since WordPress 4.0 and only covered the login form; FORCE_SSL_ADMIN covers both the login and every wp-admin request. Use straight quotes: the curly quotes that word processors insert are a syntax error in PHP.

Limit Access Permissions

WordPress ships with a role and capability system (administrator, editor, author, contributor, subscriber) that you can use to restrict who reaches critical areas such as the admin dashboard.

You can keep non-administrators out of the dashboard altogether by adding the code below to your theme's functions.php file (or better, to a file in wp-content/mu-plugins, so it survives a theme switch):

add_action( 'init', 'blockusers_init' );
function blockusers_init() {
    // is_admin() is true for any request under /wp-admin/, including
    // admin-ajax.php, which front-end features call; the DOING_AJAX check
    // keeps those working for logged-in non-admins.
    if ( is_admin() && ! current_user_can( 'administrator' ) &&
         ! ( defined( 'DOING_AJAX' ) && DOING_AJAX ) ) {
        wp_safe_redirect( home_url() );
        exit; // stop here; a redirect without exit still renders the admin page
    }
}

This also locks editors and authors out of the post editor and subscribers out of their profile page, so loosen the capability check (for example, current_user_can( 'edit_posts' )) if those users need the dashboard. Alternatively, a plugin such as Adminimize or Remove Dashboard Access lets you control access to the admin panel without writing code.

Insulate admin dashboard from search bot crawling

Search engines crawl and index what your site exposes to them. A robots.txt file in the document root tells well-behaved crawlers which paths to skip, so that the admin area and other internal paths do not turn up in search results.

Keep in mind what this is and is not: robots.txt is a request that legitimate crawlers honour, not an access control. It is publicly readable, attackers and malicious bots ignore it, and a direct request to /wp-admin/ works exactly as before, so it complements the login and .htaccess controls above rather than replacing them. To keep the admin area out of the index, create a robots.txt file in the root directory containing:

User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

The Allow line is the same exception WordPress puts in the robots.txt it generates by default: front-end features call /wp-admin/admin-ajax.php, and a blanket block on /wp-admin would stop crawlers from fetching it. Be aware that blocking /wp-includes, /wp-content/plugins/ and /wp-content/themes/ also hides the CSS and JavaScript your pages need to render, which Google has warned can hurt how it indexes them; the trackback, feed and category lines are about duplicate content rather than security.
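To see what such a rule set actually does to a crawler, here is an added example, written for this article and neither WordPress code nor code from the original page. It parses robots.txt rules, applies the longest-match precedence from RFC 9309 that Google and Bing use (Python's own urllib.robotparser takes the first matching rule instead, which gets the admin-ajax.php case wrong), and compares the page's plain Disallow list with the default robots.txt WordPress generates. It is a matcher for the format, not a crawler: it shows which paths each list keeps crawlers away from and says nothing about what a direct HTTP request returns, because robots.txt never does. The rule texts are copied from the page and from WordPress's default; the sample paths are constructed.

```python
import re

# The page's Disallow list, without any Allow exception (copied from the article).
ARTICLE_RULES = """\
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*
"""

# What WordPress serves at /robots.txt when no physical file exists.
WORDPRESS_DEFAULT_RULES = """\
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
"""


def _pattern_regex(pattern):
    """'*' matches any run of characters; a trailing '$' anchors the end (RFC 9309)."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    body = ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile("^" + body + ("$" if anchored else ""))


def parse_robots(text):
    """Return {user_agent: [(is_allow, pattern), ...]} using robots.txt group semantics."""
    groups, agents, in_agent_block = {}, [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip comments
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if not in_agent_block:           # a new group starts after rule lines
                agents = []
            agents.append(value.lower())
            groups.setdefault(value.lower(), [])
            in_agent_block = True
        elif field in ("allow", "disallow"):
            in_agent_block = False
            if value:                        # an empty Disallow means "allow everything"
                for agent in agents:
                    groups[agent].append((field == "allow", value))
    return groups


def can_fetch(groups, path, agent="*"):
    """Most specific (longest) matching rule wins; on a tie, Allow wins."""
    rules = groups.get(agent.lower(), groups.get("*", []))
    best = None
    for is_allow, pattern in rules:
        if _pattern_regex(pattern).match(path):
            key = (len(pattern), is_allow)   # tuple order: length first, then Allow > Disallow
            if best is None or key > best:
                best = key
    return True if best is None else best[1]


def compare(paths):
    """For each path: (crawlable under the article's rules, crawlable under the WordPress default)."""
    article = parse_robots(ARTICLE_RULES)
    default = parse_robots(WORDPRESS_DEFAULT_RULES)
    return {p: (can_fetch(article, p), can_fetch(default, p)) for p in paths}


# Constructed sample paths a crawler would encounter on a typical site.
SAMPLE_PATHS = (
    "/wp-admin/",
    "/wp-admin/admin-ajax.php",
    "/wp-content/themes/twentytwenty/style.css",
    "/category/news/",
    "/hello-world/",
)

if __name__ == "__main__":
    for path, (article_ok, default_ok) in compare(SAMPLE_PATHS).items():
        print(f"{path:45} article={article_ok!s:5} wordpress-default={default_ok!s}")
```

Under the page's list admin-ajax.php and theme stylesheets are off limits to crawlers, while the WordPress default blocks only the dashboard itself; neither list stops anyone from requesting those paths directly.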

Update WordPress plugins and themes

WordPress offers thousands of plugins and themes that extend what it can do. Each is maintained by its own author on its own schedule, so a core update does not update them, and a fix for a flaw in a plugin only reaches you when you install that plugin's new version.

You have to apply those updates yourself or turn on automatic updates so that plugins and themes stay current. Since WordPress 5.5 every plugin and theme has an "Enable auto-updates" toggle in the dashboard, so this no longer needs a separate plugin.

But why the updates? Old versions of plugins and themes can have serious security flaws that the updates fix, and once a fix is published the flaw is public knowledge, so the window between the update appearing and attackers scanning for unpatched sites is short. Updates also bring performance improvements. Two related habits: delete plugins and themes you do not use rather than leaving them deactivated (their files are still on disk and reachable over the web), and replace plugins that have not been updated in years, since nobody will be fixing them.

Setup login controls

Brute-force attacks and similar break-ins target the login form, and not only the one at wp-login.php: xmlrpc.php accepts the same credentials and is often overlooked. The other weak point is administrators with guessable usernames (admin is the first one attackers try) and weak passwords, which hand over the dashboard and with it the whole site.

Login controls for the website and the admin dashboard can be set up with the following measures:

Minimum password strength

Enforce a minimum length and reject passwords that are easy to guess. Current guidance (NIST SP 800-63B) puts more weight on length and on checking candidates against lists of common and breached passwords than on mandatory mixes of uppercase, lowercase and special characters, so the check should at least refuse anything short, anything on such a list, and anything containing the username.

Limited login attempts

Brute-force attacks exploit the unlimited login attempts that a stock WordPress site allows. Plugins such as Limit Login Attempts lock a source out once it fails a set number of times within a window. The lockout should apply to both the client IP address and the targeted username, so that a distributed attack on one account and a single host spraying many accounts are both stopped, and it should cover xmlrpc.php as well as wp-login.php.

Dormant account controls

Accounts that have not been used for a long time are still valid credentials waiting to be guessed or reused. Set an expiry period, say three or six months, after which an account that has not logged in is deactivated until an administrator reactivates it, and remove the accounts of people who have left outright.
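The following is an added example written for this article (not a WordPress plugin and not code from the original page) that models the three controls together: a password policy check, a failed-login throttle keyed on both client address and username with a sliding window and a lockout, and a dormant-account check applied on successful login. Timestamps are passed in explicitly so the behaviour can be traced; the thresholds, the short deny list and the usernames and addresses are constructed for the demo. In a WordPress plugin the same logic would hang off the authenticate filter and the wp_login_failed and wp_login actions, with the counters kept in transients and the last-login time in user meta.

```python
import time
from collections import defaultdict

# Constructed sample of a deny list; real code would check a breached-password
# corpus such as the Pwned Passwords dataset instead of a handful of strings.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "admin", "wordpress", "letmein", "welcome1"}


def check_password_policy(password, username="", min_length=12):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in the common-password deny list")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    classes = sum(
        any(test(c) for c in password)
        for test in (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    )
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


class LoginGuard:
    """Per-IP and per-username failed-login throttle plus a dormant-account check.

    State lives in memory here; a plugin would keep the same counters in
    transients so they survive across requests (assumed thresholds below).
    """

    def __init__(self, max_attempts=5, window=900, lockout=1800, dormant_days=90):
        self.max_attempts = max_attempts
        self.window = window                  # seconds in which failures are counted
        self.lockout = lockout                # seconds a key stays locked after too many failures
        self.dormant_secs = dormant_days * 86400
        self.failures = defaultdict(list)     # key -> timestamps of recent failures
        self.locked_until = {}                # key -> time the lock expires
        self.last_login = {}                  # username -> last successful login (or creation)

    def register(self, username, now):
        """Record account creation so a never-used account ages like any other."""
        self.last_login[username] = now

    def _locked(self, key, now):
        until = self.locked_until.get(key)
        if until is not None and now < until:
            return True
        self.locked_until.pop(key, None)      # expired lock: forget it
        return False

    def _record_failure(self, key, now):
        recent = [t for t in self.failures[key] if now - t < self.window]  # sliding window
        recent.append(now)
        if len(recent) >= self.max_attempts:
            self.locked_until[key] = now + self.lockout
            self.failures.pop(key, None)
        else:
            self.failures[key] = recent

    def attempt(self, username, ip, password_ok, now=None):
        """Return 'ok', 'failed', 'locked' or 'dormant' for one login attempt."""
        now = time.time() if now is None else now
        keys = (f"ip:{ip}", f"user:{username.lower()}")
        if any(self._locked(k, now) for k in keys):
            return "locked"                   # refused even when the password is right
        if not password_ok:
            for k in keys:
                self._record_failure(k, now)
            return "failed"
        last = self.last_login.get(username)
        if last is not None and now - last > self.dormant_secs:
            return "dormant"                  # correct password, but the account must be reactivated
        self.last_login[username] = now
        for k in keys:                        # a real login clears the counters
            self.failures.pop(k, None)
        return "ok"


if __name__ == "__main__":
    guard = LoginGuard(max_attempts=3, window=600, lockout=1800)
    guard.register("admin", now=0)
    for t in (10, 20, 30, 40):                # three failures lock the fourth, correct, attempt out
        print(t, guard.attempt("admin", "203.0.113.5", password_ok=(t == 40), now=t))
    print(check_password_policy("password", "admin"))
```

The throttle keys on both the address and the account, so a correct password from a different address is still refused while the account is locked; the lock expires on its own and a successful login resets the counters.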

Summing it up

When it comes to website security, it is always better to be proactive than reactive. Remember the old adage? "A stitch in time saves nine." The same is true of WordPress websites.

These are some stitches you can make now to keep your WordPress site safe and secure.

