
How to Secure WordPress Without Plugins

by Debasis

WordPress is one of the most popular content management systems in the world, which makes it a frequent target for attackers. Plugins offer convenient security enhancements, but every plugin is additional third-party code that can itself carry vulnerabilities and must be kept up to date. This guide walks you through securing your WordPress site without any plugins, focusing instead on best practices, server configuration, and code-level tweaks.


Why Go Plugin-Free WordPress?

Pros:

  • Reduced attack surface
  • Better performance (fewer HTTP requests, lower memory usage)
  • Full control over security configurations

Cons:

  • Requires more technical knowledge
  • Some tasks are manual

Harden Your Hosting Environment

  1. Choose a Secure Hosting Provider
    • Choose a provider that offers server-side firewalls and malware scanning.
    • Enable automatic daily backups.
  2. Use the Latest PHP Version
    • Always run the most recent stable PHP version that WordPress supports; outdated PHP releases no longer receive security fixes.
  3. Configure File Permissions Properly
    • wp-config.php – 400 or 440
    • Files – 644
    • Directories – 755
  4. Disable Directory Listing
    Add this line to .htaccess:

    Options -Indexes
    
  5. Limit Access via .htaccess
    • Restrict access to wp-config.php:
      <files wp-config.php>
      order allow,deny
      deny from all
      </files>
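
As an added example (not from the original article), the following POSIX shell functions audit a WordPress tree against the permissions listed in step 3 and can apply them. It assumes GNU find (for -printf), as found on most Linux hosts, and takes the WordPress root directory as its only argument.

```shell
#!/bin/sh
# Added example, not part of the original article. Audits a WordPress tree
# against the recommended modes: wp-config.php 400 or 440, other files 644,
# directories 755. Assumes GNU find (-printf). Argument: WordPress root.

audit_wp_perms() {
    root="${1:?usage: audit_wp_perms /path/to/wordpress}"
    # wp-config.php: readable only by the owner (400) or owner and group (440)
    find "$root" -maxdepth 1 -name wp-config.php ! -perm 400 ! -perm 440 \
        -printf 'CONFIG %m %p\n'
    # every other regular file: 644 (no group/world write, nothing executable)
    find "$root" -type f ! -name wp-config.php ! -perm 644 \
        -printf 'FILE   %m %p\n'
    # every directory, including the root itself: 755
    find "$root" -type d ! -perm 755 -printf 'DIR    %m %p\n'
}

# Number of deviations; usable as a cron or CI gate (0 means compliant).
count_wp_perm_issues() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# Apply the recommended modes. Uses 440 for wp-config.php so PHP can still
# read it when the web server runs as a different user than the file owner
# but shares its group; use 400 if owner and web server user are the same.
fix_wp_perms() {
    root="${1:?usage: fix_wp_perms /path/to/wordpress}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 440 "$root/wp-config.php"
    fi
}
```

Run audit_wp_perms regularly (for example from cron) so that a deployment or a compromised upload that loosens modes is noticed rather than silently persisting.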
      

Secure wp-config.php


Use .htaccess and Server-Level Tweaks

  • Protect sensitive files (these snippets use the Apache 2.2 access-control syntax; on Apache 2.4 without mod_access_compat the equivalent of "Deny from all" is "Require all denied", and "Allow from" becomes "Require ip"):
    <files .htaccess>
    order allow,deny
    deny from all
    </files>
    
  • Block XML-RPC (often targeted by bots):
    <Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
    </Files>
    
  • Limit access to wp-admin by IP:
    <Directory /path/to/wp-admin>
    Order Deny,Allow
    Deny from all
    Allow from YOUR.IP.ADD.RESS
    </Directory>
    

Secure Your Database

  • Change the database prefix from wp_ to something unique.
  • Use a strong DB user password.
  • Limit DB user privileges to only what’s necessary.

Secure User Accounts

  • Delete or rename the default ‘admin’ user
  • Enforce strong passwords
  • Use unique usernames
  • Limit login attempts with .htaccess rules or fail2ban on the server

Regular Maintenance & Monitoring

  • Keep WordPress core, themes, and custom code updated
  • Scan your site manually or with server-side tools (e.g., ClamAV)
  • Regularly back up your database and files

Some Bonus Tips For You:

  • Use a CDN with security features (e.g., Cloudflare)
  • Set up HTTP security headers:
    Header always set X-Content-Type-Options "nosniff"
    Header always set X-XSS-Protection "1; mode=block"
    Header always set X-Frame-Options "SAMEORIGIN"
    
    Note that current browsers ignore X-XSS-Protection; it is harmless to send but no longer provides protection on its own.
  • Consider enabling 2FA through SSH or email OTP (outside of WordPress login)

Conclusion:

Security is an ongoing process, not a one-time task. By understanding the internals of WordPress and applying these non-plugin techniques, you can achieve a high level of security while maintaining performance and control.


Author: Debasis Pradhan
Freelance WordPress Security Specialist
