WordPress Security 101: Tips & Tricks


1. Disable XML-RPC in WordPress

XML-RPC allows you to post to your WordPress blog from popular weblog clients like Windows Live Writer. It is also needed by the WordPress mobile app and by connections to services like IFTTT.

Disable WordPress XML-RPC with .htaccess

# Block WordPress xmlrpc.php requests
# The directives must sit inside a <Files xmlrpc.php> section; on their own
# they would deny access to the whole site, not just xmlrpc.php.
<Files xmlrpc.php>
order deny,allow
deny from all
# Optional: replace 123.123.123.123 with an address that still needs XML-RPC
allow from 123.123.123.123
</Files>


2. Disable PHP Execution in Certain WordPress Directories

Create a blank file in a text editor. Call it .htaccess and paste the following code in there:

# Deny all web access to any file ending in .php in this directory
<Files *.php>
deny from all
</Files>

Now upload this file into these folders:
1. /wp-content/uploads/
2. /wp-includes/

Code Explanation: This rule matches every file ending in .php in that directory and denies all HTTP access to it, so PHP placed there cannot be executed through the web server.


3. Disable File Editing

You can easily do this by adding the following code in your wp-config.php file.

// Disallow file edit
define( 'DISALLOW_FILE_EDIT', true );


4. Limit Login Attempts

Use this plugin: Login LockDown
Better option: use a WP security plugin such as iThemes Security (formerly Better WP Security).


5. Disable Directory Indexing and Browsing

Locate the .htaccess file in your website’s root directory. Then add the following line at the end of the .htaccess file:

Options -Indexes


6. Install Security Plugins

1. iThemes Security (formerly Better WP Security)
2. Wordfence Security – Firewall & Malware Scan
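The file-based steps above (1, 2, 3 and 5) can be verified after the fact with a small audit script. The following is an added example, not code from the post; it assumes a standard WordPress layout under the document root passed as its argument, an Apache server that reads .htaccess files, and a hypothetical function name wp_harden_audit.

```shell
# Added audit helper (hypothetical, not part of the post): inspect a WordPress
# document root and report whether each file-based hardening step is present.
# It reads files only: it cannot tell whether Apache honours .htaccess
# (AllowOverride) or whether a plugin is installed and active.
# check_file_has FILE PATTERN: true if FILE exists and matches the extended,
# case-insensitive regex PATTERN (Apache directives are case-insensitive).
check_file_has() {
  [ -f "$1" ] && grep -Eiq "$2" "$1"
}
# Accept the legacy form used in the post ("deny from all", which needs
# mod_access_compat on Apache 2.4) and the 2.4 form ("Require all denied").
DENY_ALL='(deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)'
# wp_harden_audit DOCROOT: prints one PASS/FAIL line per check and returns
# the number of failed checks (0 = everything the post asks for is present).
wp_harden_audit() {
  root="$1"; failed=0
  report() { echo "$1 $2"; [ "$1" = PASS ] || failed=$((failed + 1)); }
  # 1. xmlrpc.php wrapped in a <Files> section that denies access
  if check_file_has "$root/.htaccess" '<Files[[:space:]]+"?xmlrpc\.php"?>' &&
     check_file_has "$root/.htaccess" "$DENY_ALL"; then
    report PASS "xmlrpc.php blocked in .htaccess"
  else
    report FAIL "no <Files xmlrpc.php> deny block in .htaccess"
  fi
  # 2. PHP execution denied in the two directories named in the post
  for d in wp-content/uploads wp-includes; do
    if check_file_has "$root/$d/.htaccess" '<Files[[:space:]]+\*\.php>' &&
       check_file_has "$root/$d/.htaccess" "$DENY_ALL"; then
      report PASS "PHP execution denied in $d"
    else
      report FAIL "$d/.htaccess does not deny *.php"
    fi
  done
  # 3. Theme and plugin editor disabled (anchored so a commented-out line fails)
  if check_file_has "$root/wp-config.php" \
     "^[[:space:]]*define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)"; then
    report PASS "DISALLOW_FILE_EDIT is true"
  else
    report FAIL "DISALLOW_FILE_EDIT not set to true in wp-config.php"
  fi
  # 5. Directory listings disabled (Options -Indexes in the root .htaccess)
  if check_file_has "$root/.htaccess" '^[[:space:]]*Options[[:space:]].*-Indexes'; then
    report PASS "directory indexing disabled"
  else
    report FAIL "Options -Indexes missing from .htaccess"
  fi
  return "$failed"
}
```

Run it as `wp_harden_audit /var/www/html`; a non-zero exit status is the count of steps still missing, so it can gate a deployment script.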


Nahid Mahamud

Web Developer | Graphic Designer | WordPress & Woo-commerce Expert