The Ultimate Guide to WordPress Security Part 3 of 3

by Cerys O’Brien

This is the third of a three-part series on WordPress security we started Tuesday.


Disable Directory Indexing And Browsing

Just like a phone book directory, Directory Browning allows you to place your website into a listing. The idea was to make finding your website easier. However, following in the phone book directory’s footsteps, the process has become outdated and has even allowed criminals to find vulnerabilities to exploit.

Hackers can use the listing, which is usually unprotected, as a gateway to your sensitive company information. Seeing as search engines do the same job as listings but better, we recommend turning off your indexing to stop hackers from gaining access.

To do this you should be looking for the .htaccess file first. You can find it in your file manager. Add this code to the end of the file name:

Options -Indexes

Then simply save and reupload the file. There are very few reasons to keep your directory running, so if you know how to disable it, we highly recommend doing so.

Disable XML-RPC in WordPress

Ever since the 3.5 version had been updated, WordPress has included XML-RPC as default. It was included to help the open-source web host transmit data while still using the secure HTTPS system. WordPress couldn’t do this on its own due to the open-source nature of the website.

This allowed website owners to put their sites on mobile devices, and access the admin areas remotely. However, there is a drawback to this system. All of the password security we have implemented above would be ignored when switching from PC to mobile.

If a hacker tried to put through 1,000 passwords to find the correct one and hack your website, they would be blocked after 5 or so due to your limited login plugin. With XML-RPC, a hacker can split the attempts through different devices to produce fewer blocks. This makes your password security less secure.

To disable XML-RPC use the below code, and copy it into the .htaccess file:

# Block WordPress xmlrpc.php requests

<Files xmlrpc.php>

order deny,allow

deny from all

allow from


Change WordPress Database Prefix

When thinking about your security, you have to make everything as hard for a hacker as possible. One way that a hacker can confirm what web host you are using or where your table name is, is through the wp_ prefix on your database.

We should warn you that attempting to change your prefix can be difficult. Doing so incorrectly can cause your website to crash. Only attempt the change if you have strong coding skills.

Move Your Wp-Config.Php File If Possible

Some people believe that moving your wp.config.php file to a new location doesn’t give you a lot of security benefits and could introduce new issues if done incorrectly. Because of this, we will only lightly touch on the subject, so knowledgeable readers can be reminded of the process and new coders aren’t encouraged to try something they might not succeed in.

If you move the wp.config.php file to your directory and above your WordPress installation, you will be creating a root outside of the web-root folder.

This will make the folder harder to find and you can block everyone but you from viewing the contents. To do this create a 400 or 440 permission limitation. You can also use this coding to create limited access:

<files wp-config.php>

order allow,deny

deny from all


Hide Your WordPress Version Number

The latest version of WordPress will always have the most up-to-date security systems and protections. Since the 3.7 updates were released, all further updates have occurred automatically. This means that you do not need to re-download the software to get the newest version.

If you are unsure if you have the newest version, install WordPress using their official website and not through any other means.

No matter which version you are using, you shouldn’t allow it to be displayed. This is because any information you freely give out can be used to figure out how to hack you.

To do this, download the plugin Sucuri. Once active go to “Security” and then “Settings”. Switch to the Hardening tab. There you will see an option to “Remove WordPress Version”.

Although most criminals will assume you are using the newest version, they cannot be sure unless you put that information out there. Users with the most information freely available will be the most profitable target in the eyes of a criminal. So hiding this information will put you lower down the list.


Limit Your Vulnerabilities

There will always be vulnerabilities in your website, you cannot consider every possible thought a criminal might use to take down your website. All you can do is limit the vulnerabilities and create safety barriers if the worst does happen.

Here are a few areas you should watch over every couple of months to make sure no new vulnerabilities show up.


We have already talked about security in-depth, but if you notice any issues with your security, you should report them as soon as possible. WordPress as a Security FAQ webpage to help you talk to developers, understand the issue, and see if there are any legal issues to be brought up too.

Web Server Vulnerability

Every piece of software your server is using should be monitored. Vulnerabilities can come out of nowhere, so make sure every connection is stable and you are using the most up-to-date versions of each plugin and software.

Ideally, you should ask your web host what type of security precautions they use and how to best utilize these methods. This could be paring specific software together, avoiding software, or tracking vulnerabilities using the same pattern as the web host. Having these conversations now can prevent a bad situation later.

Network Vulnerabilities

Both the network which WordPress uses and the network that you use should be trusted. You cannot control which network WordPress uses, but you can control your own. Although it might seem fun to run your website in the local cafe, such an open network can allow criminals to slide into your network connection and access your unencrypted information.

You should only be using trusted networks with reliable strength and active encryptions to protect you and your users.

Database Vulnerabilities

This issue is for people who have multiple websites or blogs and are using the same server. To make sure your connection and information are secure, you should keep each database separate. This means having different users for each one. This way if someone manages to hack your system, they only have access to one website and not all of them.



Starting with the basic level of security you need to make sure that your passwords and login page are protected against potential threats. Using our checklist above, you can go through each suggestion and tick off when you have completed it to make your website safe.

If you are a capable coder, you can attempt the advanced security measures too. Granted most of them are simply disabling features, but seeing as those features are defaults in WordPress, you cannot simply click a toggle button to remove them. Be sure before you try.


About the Author:

I am a cybersecurity and IT instructor, cybersecurity analyst, pen-tester, trainer, and speaker. I am an owner of the WyzCo Group Inc. In addition to consulting on security products and services, I also conduct security audits, compliance audits, vulnerability assessments and penetration tests. I also teach Cybersecurity Awareness Training classes. I work as an information technology and cybersecurity instructor for several training and certification organizations. I have worked in corporate, military, government, and workforce development training environments I am a frequent speaker at professional conferences such as the Minnesota Bloggers Conference, Secure360 Security Conference in 2016, 2017, 2018, 2019, the (ISC)2 World Congress 2016, and the ISSA International Conference 2017, and many local community organizations, including Chambers of Commerce, SCORE, and several school districts. I have been blogging on cybersecurity since 2006 at

Add a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.