How to Secure a WordPress Website Without External Plugins and Code

Securing your WordPress website without relying on plugins or custom code involves leveraging built-in features, configuring your hosting environment correctly, and adopting good security practices. Here’s how you can do it:

1. Use a Strong Admin Username and Password

• Avoid using default usernames like “admin.”
• Create a password that combines uppercase, lowercase, numbers, and symbols.
• Use a password manager to securely store and manage your passwords.

2. Enable Two-Factor Authentication (2FA)

• Many hosting providers or login managers offer built-in 2FA support.
• Add a secondary authentication step, like a mobile app or email OTP.

3. Update WordPress Core and Themes Regularly

• Always keep WordPress, themes, and plugins updated to patch vulnerabilities.
• Enable automatic updates for minor core updates in your WordPress dashboard.

4. Set Proper File and Directory Permissions

• Limit file permissions to prevent unauthorized changes.
  • Files: 644 permissions
  • Directories: 755 permissions
• Ensure the wp-config.php file is set to 400 or 440 to prevent unauthorized access.

5. Disable Directory Browsing

• Ensure your server blocks directory browsing to prevent hackers from listing your website files.
• In your hosting control panel, configure file permission settings to disable directory access.

6. Use HTTPS

• Install an SSL certificate to encrypt data between your site and users.
• Most hosting providers offer free SSL certificates (e.g., Let’s Encrypt).

7. Restrict Access to the Admin Panel

• Limit access to the /wp-admin and /wp-login.php pages using IP whitelisting.
• Many hosting providers offer firewall rules that can block unwanted access.

8. Limit Login Attempts

• Avoid brute-force attacks by limiting the number of login attempts.
• Configure server-level rules to block repeated failed login attempts.

9. Disable XML-RPC

• XML-RPC is often exploited by attackers for brute-force attacks.
• Disable XML-RPC via your hosting control panel or by renaming the xmlrpc.php file.

10. Monitor User Roles and Permissions

• Assign users the minimum role required for their tasks.
• Regularly audit user accounts and remove inactive or unauthorized accounts.

11. Backup Your Website Regularly

• Schedule backups through your hosting provider or by manually downloading your site files and database.
• Store backups securely on an external drive or cloud service.

12. Use a Secure Hosting Provider

• Choose a hosting provider with a strong focus on security features, such as firewalls, malware scanning, and DDoS protection.

13. Disable File Editing in the WordPress Dashboard

• Prevent users from editing theme and plugin files directly from the WordPress admin area by disabling file editing in the settings:
  • Open the wp-config.php file.
  • Add:
    php

    define('DISALLOW_FILE_EDIT', true);


14. Log Out Idle Users

• Implement idle session timeouts to log out inactive users and prevent unauthorized access.

15. Monitor Activity and Logs

• Use your hosting provider’s log monitoring tools to track login attempts, file changes, and suspicious activity.