Wordpress securing your website

First thing to do is install the following backup plugin, "UpdraftPlus" and create a backup of your site.


  • Update all plugins
  • Remove unused plugins
  • Remove unused themes (leave the active one + one other)
  • Update Wordpress

Check the functionality of your site and then do another backup.

Disallow file editing

You can easily do this by adding the following code in your wp-config.php file.    

/** Disallow file edit*/
define( 'DISALLOW_FILE_EDIT', true );

Disable PHP File Execution in Certain WordPress Directories

You can do this by opening a text editor like Notepad and paste this code:

Files *.php>
deny from all

Next, you need to save this file as .htaccess
Next, you need to upload this file to /wp-includes/ and /wp-content/uploads/ folders

Edits to the root .htaccess file

Paste the following after the Wordpress section

# BEGIN security edits by BeanBox Web
# Deny access to .htaccess
<Files .htaccess>
Order allow,deny
Deny from all
# Protect the config file
<Files wp-config.php>
order allow,deny
deny from all
allow from 100.200.300.400
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 100.200.300.400
# END security edits by BeanBox Web

Add the following as the last line in the .htaccess file to disable browsing:

Options ALL -Indexes

Protect the wp-admin directory with a password

Good idea for a non membership site - you will have to enter two passwords to get to the backend (admin) of your site, but a small price to pay for the added security. I have done this in two ways, cpanel and also manually with .htaccess, both work equally as well.

Cpanel method
cpanel>Directory Privacy

Manual method
# This is the htaccess file added to wp-admin directory (change user file path and user name)
AuthName "Admins Only"
AuthUserFile /home/'your directory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user 'your_user'

You will also need to generate a password and edit the file called passwd (see path above). I use the following site and choose apache MD5


Edit the root .htaccess file whichever method you use.

# Add this as the top line of the root .htaccess to make privacy directory work

ErrorDocument 401 default