Simple Guideline to WordPress Site Security

Protect wp-includes folder

WordPress sites are composed of a number of files and folders, each with its own URL. That means anyone who types in the right URL can request files that were never meant to be opened in a browser, including the PHP scripts in the wp-includes folder, which implements much of WordPress core. Requesting those scripts directly does nothing useful for a visitor, but it is a common first move for attackers probing a site, so they are among the first targets. The easiest countermeasure is to add a few lines to the web server's configuration file so that such direct requests are refused with a 403 Forbidden response instead of being executed.

First of all, open the .htaccess file in the root of your WordPress install in any text editor. As we are only adding a short snippet, any editor will do. You will see the block that WordPress generated for its permalinks. Find the line which reads # BEGIN WordPress and paste the following code above it. These directives are for Apache with mod_rewrite enabled, and they only take effect if the server's AllowOverride setting permits them, which is the case on most shared WordPress hosts; on nginx the equivalent rules go into the server configuration instead.

# Blocking web access to the wp-includes folder
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Nothing under wp-admin/includes/ is meant to be requested directly
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests that are not for wp-includes/ skip the next three rules
RewriteRule !^wp-includes/ - [S=3]
# Refuse the PHP files at the top level of wp-includes/ (on a Multisite
# install that still serves uploads through ms-files.php, omit this line)
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

All that's left is to upload the updated .htaccess file to your server. From now on, direct requests for PHP files in wp-includes get a 403 Forbidden response instead of being executed, while WordPress itself still loads them internally, so the site keeps working. The scripts and stylesheets under wp-includes that pages need are not affected, because the rules only match .php files. If a plugin stops working after this change, it is requesting one of those PHP files directly, and the rule that matches it is the place to look.
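To see exactly which requests the rules above refuse, here is a small Python model of how mod_rewrite walks this rule list. It is an added example, not code from the guide or from WordPress: it implements only the `!`, F, L and S=n semantics the snippet relies on, and runs a constructed set of request paths through them.

```python
import re

# The five RewriteRule lines from the snippet above, as (pattern, flags) pairs.
# In a per-directory .htaccess with "RewriteBase /", mod_rewrite matches the
# pattern against the request path with the leading slash removed.
WP_INCLUDES_RULES = [
    (r"^wp-admin/includes/", "F,L"),
    (r"!^wp-includes/", "S=3"),
    (r"^wp-includes/[^/]+\.php$", "F,L"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", "F,L"),
    (r"^wp-includes/theme-compat/", "F,L"),
]


def evaluate(request_path, rules=WP_INCLUDES_RULES):
    """Return the HTTP status these rules would produce for request_path.

    Models only what the snippet uses: a leading '!' negates the pattern,
    'F' answers 403 Forbidden (and implies the end of processing), and
    'S=n' skips the next n rules when the pattern matches. RewriteRule
    patterns are not implicitly anchored, hence re.search. Anything that
    is not forbidden is treated as a normal 200 response.
    """
    path = request_path.lstrip("/")
    i = 0
    while i < len(rules):
        pattern, flagstr = rules[i]
        flags = flagstr.split(",")
        negated = pattern.startswith("!")
        regex = pattern[1:] if negated else pattern
        matched = bool(re.search(regex, path))
        if negated:
            matched = not matched
        if not matched:
            i += 1
            continue
        if "F" in flags:
            return 403
        skip = sum(int(f[2:]) for f in flags if f.startswith("S="))
        i += 1 + skip
    return 200


def classify(paths, rules=WP_INCLUDES_RULES):
    """Map each path to its status so a whole list can be reviewed at once."""
    return {p: evaluate(p, rules) for p in paths}


# Constructed sample requests: what an attacker probes, plus what a normal
# page load needs (scripts and styles under wp-includes/ must stay reachable).
SAMPLE_REQUESTS = [
    "/wp-includes/version.php",
    "/wp-includes/wp-db.php",
    "/wp-includes/js/tinymce/langs/en.php",
    "/wp-includes/theme-compat/header.php",
    "/wp-admin/includes/file.php",
    "/wp-includes/js/jquery/jquery.min.js",
    "/wp-includes/css/dist/block-library/style.min.css",
    "/wp-content/plugins/example/example.php",
    "/index.php",
    "/WP-INCLUDES/version.php",  # no [NC] flag, so the match is case-sensitive
]

if __name__ == "__main__":
    for path, status in classify(SAMPLE_REQUESTS).items():
        print(f"{status}  {path}")
```

The last sample request is the caveat worth remembering: the patterns carry no [NC] flag, so an upper-case spelling of wp-includes sails past the negated rule and is never refused. On Linux with a case-sensitive filesystem that request simply does not exist, but on a Windows or default macOS host it would execute the file, and there the rules want [NC] added.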

Limit access to wp-config.php

Next in turn is the wp-config.php file, which holds your database name, username, password and table prefix (along with the authentication keys and salts) that were set when you first built the site. WordPress uses this information to talk to the database, so whoever can read it effectively controls your site. Normally PHP executes the file and sends nothing to the browser, but a misconfigured or temporarily broken PHP handler will serve it as plain text, which is why refusing web access to it outright is essential.

To deny web access to the file, open .htaccess again, add the snippet below, and don't forget to re-upload it to your server. The order/deny directives are Apache 2.2 syntax; on Apache 2.4 they still work as long as mod_access_compat is loaded, and the native 2.4 form is Require all denied. Note that the match is on the exact filename, so stray copies such as wp-config.php.bak or wp-config.php~ are not covered and should never be left in the web root.

# Blocking web access to the wp-config.php file
<files wp-config.php>
# Apache 2.2 syntax (still honoured on 2.4 via mod_access_compat)
order allow,deny
deny from all
</files>

Secure the .htaccess file

The previous steps show that the .htaccess file is itself crucial to protecting your WordPress site: anyone who can fetch it learns exactly which rules are in place, and which files you consider sensitive. Apache's stock configuration already refuses to serve files whose names begin with .ht, but not every host keeps that setting, so it does no harm to restate it here.

Once again, open the .htaccess file and add the following lines of code.

# Securing .htaccess file
# Matches any filename containing ".hta" (case-insensitive), e.g. .htaccess
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

This minor modification stops the file from being read over the web. Two caveats: the pattern only matches names containing .hta, so .htaccess is covered but .htpasswd is not (Apache's own default <Files ".ht*"> rule covers both), and these directives do nothing to prevent the file from being modified; that is a matter of file ownership and permissions on the server, so make sure .htaccess is owned by your account and not writable by other users.
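Once the wp-includes rules, the wp-config.php block and the .htaccess block are uploaded, the quickest way to confirm they took effect is to request the protected paths and look at the status codes. The script below is an added example, not part of the original guide: it probes each path the guide protects and reports any that do not return 403, plus one ordinary asset that must still return 200 so an over-broad rule is caught as well. The base URL is whatever you pass on the command line; `check_hardening` takes an injectable fetcher so the reporting logic can also be exercised against a constructed result table without a server.

```python
import sys
import urllib.error
import urllib.request

# Paths the three .htaccess blocks in this guide must refuse with 403 ...
EXPECT_403 = [
    "/wp-config.php",                        # <files wp-config.php> block
    "/.htaccess",                            # <files ~ "^.*\.([Hh][Tt][Aa])"> block
    "/wp-includes/version.php",              # top-level wp-includes PHP rule
    "/wp-includes/js/tinymce/langs/en.php",  # tinymce langs rule
    "/wp-admin/includes/file.php",           # wp-admin/includes rule
]
# ... and one path that must still be served, so an over-broad rule is noticed.
EXPECT_200 = [
    "/wp-includes/js/jquery/jquery.min.js",
]


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report 3xx responses as-is; a redirect to the home page is not a block."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_status(url, timeout=10):
    """GET url and return the HTTP status code; 4xx/5xx and 3xx are returned, not raised."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "wp-hardening-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_hardening(base_url, fetch_status=http_status):
    """Probe every path and return {path: (status, expected, ok)}.

    fetch_status is injectable (any callable from URL to status code) so the
    logic can be tested offline against a constructed table of responses.
    """
    base = base_url.rstrip("/")
    results = {}
    for path in EXPECT_403:
        status = fetch_status(base + path)
        results[path] = (status, 403, status == 403)
    for path in EXPECT_200:
        status = fetch_status(base + path)
        results[path] = (status, 200, status == 200)
    return results


def all_ok(results):
    """True only if every probe returned the status the rules should produce."""
    return all(ok for _, _, ok in results.values())


if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_hardening.py https://example.com")
    report = check_hardening(sys.argv[1])
    for path, (status, expected, ok) in report.items():
        print(f"{'OK  ' if ok else 'FAIL'} {status} (want {expected}) {path}")
    sys.exit(0 if all_ok(report) else 1)
```

Read the failures literally: a 200 on wp-config.php means the <files> block is not being honoured (usually AllowOverride is off, or the edited .htaccess never reached the server), and a 301 or 302 means the request was redirected rather than refused, which is not what these rules do. Run it only against a site you administer.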

Prevent file editor access

Finally, the most significant risk: the theme and plugin Editor inside the WordPress dashboard. It is meant to let an administrator edit theme files in the browser, but anyone who obtains an administrator login, through a stolen, guessed or reused password, can use it to write arbitrary PHP into your site and take it over. The obvious way out is to remove the Editor from the dashboard altogether and make code changes from your own machine instead. For that we recommend SFTP with a client such as FileZilla rather than plain FTP, which sends your credentials in clear text.

First of all, open the wp-config.php file and scroll down to the line that reads “That’s all, stop editing! Happy blogging.” Paste the code below directly above it in order to remove the file editing option from WordPress.

// Remove the theme and plugin Editor from the dashboard
define('DISALLOW_FILE_EDIT', true);

Upload the edited file to the server and breathe a little easier: the dashboard can no longer be used to rewrite your theme or plugin code. If you also want to stop plugins and themes from being installed or updated through the dashboard, the DISALLOW_FILE_MODS constant goes one step further, at the cost of having to do updates over SFTP or WP-CLI. Follow this simple guidance to raise your WordPress site's security by limiting outside access to the files that are crucial for running it.


With almost 25% of websites running on WordPress, it remains the world's most popular CMS, and its growing popularity makes securing your site all the more worthwhile if you have chosen WP. Most webmasters know the basic rules of making the pages themselves secure, but a site is still exposed if its sensitive files and folders can be reached directly. The steps above do not modify WordPress itself; they change how the web server serves WP's files and which of them visitors can reach.
