Today I’m going to discuss advanced WordPress security best practices to help bolster your blog’s defences from more sophisticated attempts to exploit it.
This is part of a two-part series on WordPress security. The first part explains how to secure WordPress for beginners. It focuses on security steps that are relatively easy to implement.
However, I recommend even seasoned WordPress users read this too, just to make sure they’ve squared these steps away. You’d be surprised by the number of WordPress blogs I’ve seen that haven’t implemented even basic WordPress security.
Why Follow Best Practises for WordPress Security?
I won’t lecture you here… I’ve already discussed the reasons why you need to address the security of your WordPress blog.
I’ll only say this. WordPress use represents around 90% of all blogging tools used on the Web so it’s natural to assume it provides a huge target for hackers. If you don’t take steps to protect your blog, you’re taking a big risk.
None of us are ever 100% bullet-proof from hackers. But if you don’t implement any security steps your blog is target. Imagine the devastation of losing your WordPress blog because you hadn’t addressed any potential security vulnerabilities.
It doesn’t bear thinking about.
Advanced Security Best Practices for WordPress
1. Disable directory listing with .htaccess
This is a really common WordPress security issue and I’ve seen it on dozens of blogs… even some pretty-well established ones.
The problem relates to leaving your server directories visible to anyone visiting your blog. Have you ever arrived somehow at a page that looks like this:

This isn’t a problem specific to WordPress, because most hosting packages automatically reveal the contents of any directory on a server that does not contain an index.html or index.php file. Unfortunately for WordPress users, this means that the contents of many of your directories can be seen by anyone.
This is an example URL for WordPress blogs that might have this problem:
example.com/wp-content/uploads/
In this scenario you don’t need a password to access any WordPress directories or any of the files within them. It’s a security problem because:
- You might have files in these directories that hackers could exploit.
- Any valuable files you use as lead magnets, or that you sell somewhere, can be seen and downloaded by anyone.
Plugging this security hole is relatively straightforward, but you’ll have to access your server and edit the .htaccess file.
I’ve have a detailed tutorial on how to disable directory listing in WordPress, that’ll fix this vulnerability for good.
2. Disallow WordPress Admin File Editing
You’ve likely noticed you can edit your WordPress theme and plugin files through your WordPress Admin panel:

You can literally edit files residing on your server from WordPress. As such it poses a real vulnerability should anyone ever access your WordPress Admin account illicitly. A hacker would be able to inject code to your theme and / or plugins that you’d never know about.
WordPress security best practice is to disable the the function that allows you to edit these files from WordPress. It’s actually quite a simple fix.
All that’s required is to update the .wp-config file in your server’s home directory with the following line of code:
// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );
N.B. Always copy your .wp-config file before you make any changes to it in case something fouls up and you need to restore it.
3. Hide Your wp-config.php and .htaccess Files
Your .htaccess and .wp-config files are important to protect. Hiding them from nosy parkers and eliminating the potential threat as a result is wise. The good news is this is a simple WordPress security fix to implement.
All you need to do it edit both files by adding the following code to each file:
.wp-config
order allow,deny
deny from all
.htaccess
order allow,deny
deny from all
N.B. Always make copies of your files before you make any changes to them. Corrupting them might take your blog down and you’d need to be able to reinstate your backup copies.
4. Rename your WordPress Login URLs
The default installation of WordPress sets up login pages as:
- example.com/wp-admin
- example.com/wp-login.php
This is common knowledge in the hacking community. You can make it more difficult for hackers to locate your WordPress login pages by moving them somewhere else.
You do this by updating the .wp-login.php file on your server, but you might get into problems if your plugins reference this. It’s also possible that future WordPress updates will affect your wp-login.php file by modifying it. If that were to happen, your changes would be lost.
For that reason, I’d probably recommend a plugin to handle this for you. I use WPS Hide Login. It’s a free plugin and it’s worked for me, but there are others over at the WordPress plugins library.
5. Hide Your WordPress Version
Some of the security tips I’ve discussed make it difficult for hackers to ascertain details to help them break into your blog. We know they understand how WordPress code works, but different versions of WordPress have different code.
Right now, you probably have a bunch of clues hackers can use to decide how to attack you. Your WordPress version is one of them.
WordPress versions are visible in lots of places:
- Your Admin dashboard.
- Every page and post of your blog’s source code.
- Your RSS feeds.
You can conceal your WordPress version and make it harder for someone to determine the approach required to hack your blog.
Look at this example of HTML source code for where your WordPress version number appears:

Anyone can see this unless you hide it away.
You can use a security plugin to conceal your WordPress version. As an alternative, you can add code to the functions.php file in your theme’s home directory. The code you’d need to add would look something like this like this:
function sg_hide_version() {
return '';
}
add_filter('the_generator', 'sg_hide_version');
N.B. Notice I’ve used a function name related to my blog.
There is one bad thing about this method. Unless you’re using a WordPress child theme, this isn’t a recommended approach. If you don’t use a child theme, any change made to your functions.php file will be overwritten when you update you theme.
N.B. As always, make a copy of your functions.php file before you make any changes to it. Corruption in this file might break your blog and you’d need to be able to reinstate a backup copy.
6. Make Backups
Taking regular backups of all your content and databases is a recommended WordPress security best practice. It won’t prevent attacks, but it will help you to restore your blog without losing any of your hard work in the event something really nasty happens.
Backup your all your WordPress content by selecting Tools > Export from your WordPress Admin area. Then select all content to export.

Backup your database tables in your server admin panel.
7. Install a Robust WordPress Security Plugin
For simplicity, you might install security plugins that adhere to all areas of WordPress security best practices, so I’ve left this method until last.
A well-respected WordPress security plugin will likely add a whole bunch of valuable conditions on top of the ones I’ve mentioned. In the process they’ll make your blog practically impenetrable. These might include:
- Modifying your WordPress database table names.
- Strengthening databases passwords.
- Two-factor authentication for any login to prevent DDoS attacks.
- Limiting the number of failed login attempts before locking out.
- Adding security questions to areas requiring login.
- Preventing hotlinking to your media files (to prevent bandwidth theft).
- Protecting the wp-admin directory on your server.
- Disabling PHP file execution.
- Functions to force logout idle WordPress users.
- Backup scheduling.
I always try to implement my own protection manually for WordPress security best practices. However sometimes it’s just far easier to use a plugin. A reliable security plugin will do all the heavy lifting of protecting your WordPress blog, without you having to fiddle with code.
If this is your preferred route, here are some honorable mentions:
Summary
- Since WordPress is the most widely used blogging software in use, it is a huge target for hackers.
- If you take no measures to protect your blog, you are vulnerable.
- You can plug a good many security holes with manual updates to special files on your server. However, it might be safer and easier to use dedicated security plugins.
That’s all for now folks!

Do you have anything to add to the subject of WordPress security best practices? Ask a question or leave a comment below.
Paul, I’ve learned so much from this article! I’m embarrassed to say I didn’t focus on the security side of my blog enough. Of course for clients I always focus on security and for myself I just keep putting it off. This article has incredible value, thanks for saving me the time of researching this myself! This is definitely bookmarked. Cheers, James
Thanks James! There are actually many straightforward things we can all do to keep our blogs protected. Even just changing passwords regularly is doing something!