How to Set Up WordPress Security Settings Without Plugins? When launching a WordPress-based website, one of the first tasks is to establish security measures. WordPress has become the most widely used publishing platform in recent years, which also makes it a constant target for automated attacks. WordPress developers regularly release new versions that fix security issues and improve stability, so keeping the core up to date always comes first. In this article, we will discuss security measures that need no plugins, mostly by editing the .htaccess file (which assumes your site runs on Apache, or on a server such as LiteSpeed that honours .htaccess) and, in one case, the wp-config.php file.
WordPress Security Measures
How can you ensure WordPress site security? Add the snippets below to the .htaccess file in your site root (the directory that contains wp-config.php) and, for the last step, to wp-config.php itself. You can reach these files through the cPanel File Manager or over FTP with FileZilla. Before starting, make a backup copy of both .htaccess and wp-config.php: a single typo in .htaccess takes the whole site down with a 500 error, and restoring the backup is the fastest way to recover. Note that the lines WordPress writes between “# BEGIN WordPress” and “# END WordPress” are regenerated by WordPress itself, so always place your own rules outside that block.
a. Security Setting for wp-config.php File
The wp-config.php file stores the MySQL database credentials and the authentication salts for WordPress, which makes it one of the most sensitive files in the installation. Normally the web server hands it to PHP for execution and never shows its source, but if the PHP handler is ever disabled or misconfigured, the raw file would be served as plain text. The rule below makes Apache refuse HTTP requests for wp-config.php outright: PHP can still read the file from disk, but a visitor can never download it. Add it to the .htaccess file in the site root. The rule matches the exact filename only, so editor or backup copies such as wp-config.php.bak or wp-config.php~ are not covered; never leave such copies in the web root.
# Deny all HTTP requests for wp-config.php (Apache 2.2 syntax; on Apache 2.4 without
# mod_access_compat use "Require all denied" inside the same <Files> block instead)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
b. Disable Directory Listing
This is one of the most important WordPress security measures and should not be overlooked. For example, if you enter https://example.com/wp-content/uploads/ in your browser and the server shows you a list of the files in the uploads folder (where uploaded images are stored), directory listing is enabled. A listing gives a visitor nothing useful but gives an attacker a free inventory of your files, including any forgotten backups or stray plugin directories. To prevent files and folders from being listed, add the line “Options -Indexes” to your .htaccess file. (The often-quoted “Options All -Indexes” also works, but “All” additionally switches on options such as ExecCGI and Includes that many shared hosts do not allow to be set from .htaccess, which produces a 500 error for the whole site; if that happens, fall back to plain “Options -Indexes”, and if even that fails, your host does not permit the Options directive in .htaccess and you will need to ask them to disable Indexes for you.) Once the line is in place, entering https://example.com/wp-content/uploads/ in your browser should return Apache's “403 Forbidden” page, indicating that directory listing has been disabled. Individual files under uploads remain accessible by their direct URL, as they should.
c. Disable Xmlrpc.php Service
The xmlrpc.php endpoint is WordPress's legacy remote-access API: the WordPress mobile apps, Jetpack and desktop publishing tools use it to log in and post, and it also implements pingbacks. Because a single XML-RPC request can carry many login attempts (the system.multicall method), it lets attackers brute-force passwords far faster than through the login form, and the pingback.ping method can be abused to make your server send requests to third parties. Both also drive up the server's CPU and RAM usage. Blocking xmlrpc.php has no side effects unless you rely on one of the clients above; if you use the mobile app or Jetpack, allow the addresses those clients connect from instead of blocking everything. To disable the service, add the code below to the .htaccess file after “# END WordPress”:
# Block xmlrpc.php for everyone except the optional address on the "allow from" line
# (123.123.123.123 is a placeholder; replace it with your own static IP or delete the
# line if none of your clients needs XML-RPC). With "order deny,allow" the allow lines
# take precedence over "deny from all".
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
d. Restrict wp-admin Access
This is a useful measure that restricts who can even reach the WordPress admin area. As you know, the admin panel is reached via example.com/wp-admin, the default login location for every WordPress site, which is exactly why bots hammer it. By placing the code below in a .htaccess file, you can limit the admin panel to one or more specific IP addresses. For this to work reliably you need a static IP address: if the address you listed changes, you will lock yourself out of the admin panel until you edit the file over FTP or cPanel with the new address. If you have a static IP address at home or in the office, create a new .htaccess file inside the wp-admin/ directory (not in the site root: these directives are not wrapped in a <Files> block, so they apply to the whole directory they live in, and in the root they would block the entire site) and add the following code to it:
# The four Auth* lines are left over from an older Basic-auth recipe; they are harmless
# but do nothing here, since the filtering is done by the order/deny/allow lines below.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Apache 2.2 syntax (works on 2.4 only while mod_access_compat is loaded);
# on Apache 2.4 the equivalent is one line: Require ip xx.xx.xx.xxx xx.xx.xx.xxx
order deny,allow
deny from all
allow from xx.xx.xx.xxx
allow from xx.xx.xx.xxx
Replace “xx.xx.xx.xxx” with your static IP address. You can list several addresses, one “allow from” line each; everyone else receives a 403. The addresses must be static; otherwise you will have to look up your current IP and update the file each time it changes. Two things this rule does not cover: wp-login.php sits in the site root, not in wp-admin/, so the login form itself stays reachable unless you add a matching <Files wp-login.php> block with the same deny/allow lines to the root .htaccess; and wp-admin/admin-ajax.php is called by many themes and plugins on behalf of ordinary visitors (search, contact forms, “load more” buttons), so if a front-end feature stops working, add a <Files admin-ajax.php> block that allows everyone to the wp-admin .htaccess.
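The rules from sections a to d combined into one script, as an added example that is not code from the original article: it appends a marked block to the root .htaccess and creates wp-admin/.htaccess, writing the Apache 2.4 Require syntax with the 2.2 order/allow/deny form in an IfModule fallback so the same file works on either version, and it closes the two gaps noted above (wp-login.php living in the root, and admin-ajax.php needing to stay open). The docroot path and the address 203.0.113.10 are placeholders, and the script assumes AllowOverride is enabled for the docroot and that you have a static admin IP.

```shell
#!/bin/sh
# Added example, not code from the original article. Writes the plugin-free
# .htaccess rules from sections a-d in one idempotent pass, using the Apache 2.4
# "Require" syntax with the 2.2 "order/allow/deny" form as an IfModule fallback.
# Assumes Apache with AllowOverride enabled for the docroot and a static admin IP.
# Usage: sh wp-harden.sh /home/user/public_html 203.0.113.10 [more IPs...]
# (203.0.113.10 is a documentation address; substitute your own static IP.)

# Append stdin to FILE unless MARKER is already there, so re-running never
# duplicates rules and the existing "# BEGIN/END WordPress" block is left alone.
append_once() {
    file="$1"; marker="$2"
    if [ -f "$file" ] && grep -qF -- "$marker" "$file"; then
        cat > /dev/null
        return 0
    fi
    cat >> "$file"
}

# "Deny everyone" in both Apache generations; only one branch is ever active.
deny_all() {
    cat <<'EOF'
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    order allow,deny
    deny from all
  </IfModule>
EOF
}

# "Allow only these addresses" for the IPs given as arguments.
allow_only() {
    printf '  <IfModule mod_authz_core.c>\n    Require ip %s\n  </IfModule>\n' "$*"
    printf '  <IfModule !mod_authz_core.c>\n    order deny,allow\n    deny from all\n'
    for ip in "$@"; do printf '    allow from %s\n' "$ip"; done
    printf '  </IfModule>\n'
}

wp_harden_htaccess() {
    docroot="$1"; shift
    [ "$#" -ge 1 ] || { echo "usage: wp_harden_htaccess DOCROOT IP [IP...]" >&2; return 1; }

    # Root .htaccess: wp-config.php (a), directory listing (b), xmlrpc.php (c)
    # and wp-login.php, which sits in the docroot rather than in wp-admin/, so
    # restricting wp-admin/ alone would leave the login form reachable (d).
    {
        echo "# BEGIN wp-hardening (goes after the '# END WordPress' block)"
        echo "Options -Indexes"
        echo "<Files wp-config.php>"; deny_all;        echo "</Files>"
        echo "<Files xmlrpc.php>";   deny_all;        echo "</Files>"
        echo "<Files wp-login.php>"; allow_only "$@"; echo "</Files>"
        echo "# END wp-hardening"
    } | append_once "$docroot/.htaccess" "# BEGIN wp-hardening"

    # wp-admin/.htaccess: IP-restrict the whole directory (d) but re-open
    # admin-ajax.php, which themes and plugins call on behalf of anonymous
    # visitors (search, contact forms, "load more"); locking it breaks those.
    mkdir -p "$docroot/wp-admin"
    {
        echo "# BEGIN wp-hardening"
        allow_only "$@"
        echo "<Files admin-ajax.php>"
        echo "  <IfModule mod_authz_core.c>"
        echo "    Require all granted"
        echo "  </IfModule>"
        echo "  <IfModule !mod_authz_core.c>"
        echo "    order allow,deny"
        echo "    allow from all"
        echo "  </IfModule>"
        echo "</Files>"
        echo "# END wp-hardening"
    } | append_once "$docroot/wp-admin/.htaccess" "# BEGIN wp-hardening"
}

# Run only when invoked with arguments, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    wp_harden_htaccess "$@"
fi
```

After running it, request /wp-config.php, /xmlrpc.php and /wp-content/uploads/ from an address that is not on the list and confirm each returns 403, then confirm that /wp-admin/admin-ajax.php still answers (it returns “0” to an unauthenticated GET, which is normal). If the whole site answers 500 instead, the host does not allow one of the directives in .htaccess; remove the marked block and restore the backup.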
e. Website File and Folder Permissions
When WordPress files are uploaded with the standard settings, files get permission 644 and directories get 755 (the owner can write; everyone else can only read, and directories can be traversed). Check these in FileZilla or the cPanel File Manager for the directory holding your WordPress files. Make sure that no file or directory is set to 777: that mode lets every account on the server, and any script running under any of them, write to your files, which is exactly what a malicious script on a shared host needs to plant a backdoor. wp-config.php can be tightened further to 640 or 600 when PHP runs under your own account (suPHP or a per-user PHP-FPM pool, the usual cPanel setup); with mod_php running as a shared web user, leave it at 644 or the site will fail to load. To change permissions in FileZilla, right-click the file or folder, choose “File Permissions”, and enter the numeric value.
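For sites with shell access, the same audit and repair as a script, added here as an example (not code from the original article): it lists everything that is world-writable, resets the tree to 755/644, applies a chosen mode to wp-config.php, and reports whether the result matches the layout described above. The docroot path is a placeholder; the script assumes a Unix host and, for the 640/600 option, that PHP runs as the file owner.

```shell
#!/bin/sh
# Added example, not code from the original article. Audits and repairs the
# WordPress file permissions described above from a shell account, which is
# faster and less error-prone than clicking through thousands of files in FileZilla.
# Assumes a Unix host; DOCROOT is the directory that contains wp-config.php.
# Usage: sh wp-perms.sh /home/user/public_html [CONFIG_MODE]

# Print every file or directory under DOCROOT that other users may write to
# (777, 666, 757 and friends). No output means nothing is world-writable.
wp_find_world_writable() {
    find "$1" -perm -002 -print
}

# Reset the tree to the WordPress defaults: 755 for directories, 644 for files.
# CONFIG_MODE (default 644) is applied to wp-config.php; use 640 or 600 only
# when PHP runs as the file owner (suPHP / per-user PHP-FPM), otherwise PHP
# cannot read the file and the site goes down.
wp_fix_permissions() {
    docroot="$1"; config_mode="${2:-644}"
    find "$docroot" -type d -exec chmod 755 {} +
    find "$docroot" -type f -exec chmod 644 {} +
    if [ -f "$docroot/wp-config.php" ]; then
        chmod "$config_mode" "$docroot/wp-config.php"
    fi
}

# Exit status 0 when every directory is 755 and every file except wp-config.php
# is 644, 1 otherwise. wp-config.php only has to be non-world-writable, since
# its exact mode is a deployment choice (see wp_fix_permissions).
wp_check_permissions() {
    docroot="$1"
    [ -z "$(find "$docroot" -type d ! -perm 755 -print)" ] &&
    [ -z "$(find "$docroot" -type f ! -name wp-config.php ! -perm 644 -print)" ] &&
    [ -z "$(find "$docroot" -name wp-config.php -perm -002 -print)" ]
}

# Run only when invoked with a docroot argument, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    echo "World-writable entries before repair:"
    wp_find_world_writable "$1"
    wp_fix_permissions "$1" "${2:-644}"
    if wp_check_permissions "$1"; then
        echo "Permissions OK"
    else
        echo "Permissions still wrong, inspect the output of find above" >&2
        exit 1
    fi
fi
```

Run the audit function on its own first; on a healthy site it prints nothing. If it lists files under wp-content/uploads that you did not put there, treat that as a possible compromise rather than just a permissions problem.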
f. Disable File Editing Feature
By default, the WordPress admin panel includes a file editor under Appearance (Theme File Editor) and under Plugins (Plugin File Editor) that lets an administrator edit theme and plugin PHP code in the browser. It is also the first thing an attacker reaches for after stealing or guessing an admin login, because it turns a WordPress account into arbitrary PHP execution on the server. Disabling it removes that shortcut. To do so, add the line define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php, for example right below define( 'WP_DEBUG', false ); and in any case above the comment that reads “That's all, stop editing!” (constants defined after that point are ignored). Once this is done, the theme editor under Appearance and the plugin editor under Plugins disappear from the admin panel. If you also want to stop plugins and themes from being installed, updated or deleted through the panel, define( 'DISALLOW_FILE_MODS', true ); does that, at the cost of having to run updates another way. If you need to change your theme, download the file over FTP, edit it on your computer, and upload it back.
By applying these settings without installing any plugins, you can noticeably harden your WordPress site. If you know other plugin-free WordPress security measures, please share them in the comments section.