WordPress by far is the most popular and easy way to make a website. This market dominance puts WordPress in the spotlight of attackers.

Are WordPress Websites less Secure?

To answer this question, we need to look into the actual cause of hacking.

Data shows, most WordPress websites get hacked due to certain loopholes that can be fixed easily. Some of them are using insecure passwords, using outdated code.

If we follow the security guidelines, we can prevent hackers from breaching our websites.

Dos and Don’ts

Choose a Secure Hosting Service

The Server where a website is hosted is the first & most important point to consider. It is always better to invest in secure hosting with up-to-date software and all the required security features than compromising with attackers later.

Companies like Kinsta, WP-Engine & Dreamhost offer all the things required to make your website secure & prevent attacks.

Check if File Permissions are Correct

  • All files should have permission 644 or 640, except wp-config.php having permissions set to 440 or 400.
  • All folder permissions must be 755 or 750.
  • No folders, at any cost should have permissions 777.

Disable Directory Listing

Directory listing is active by default, in most cases. Directory contents should not be visible publicly for security reasons. To do that, Just paste the code below in the htaccess file –

Options -Indexes

Use Two Factor Authentication

One of the most common factors for a website being attacked is compromised login credentials. Use strong credentials that are not common.

For example, most WordPress websites have the same username “admin”, we should avoid this.

And after all, we shall use SMS or email-based two-factor authentication for logging into the dashboard.

Hide WordPress Version in Page source

By default, the WordPress version appears in the source of your website. The lesser your website configuration is visible, the more secure it becomes. So we should hide the WordPress version from the source by adding the following code in functions.php-

/* Function to hide WordPress version in Page Source */
function wp_hide_version() {
return '';
add_filter('the_generator', 'wp_hide_version');

Disable file editor in dashboard

The file editor is basically for advanced users if code editing is required. Most of the time, you don’t need it at all. So it’s better to disable the file editor in the WordPress dashboard. Just add the below code to the wp-config.php file –

define('DISALLOW_FILE_EDIT', true);

Disable File Execution in Uploads Folder

If someone, by hook or crook is able to upload some harmful file to our website, we should block the file to execute just by pasting the code below to the htaccess file-

# Block executables
<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$">
    deny from all


As we know, no website is 100% secure, but we can ensure safety to a better extent just by following certain guidelines as mentioned above.

Securing a website is not a one-time task, It’s a process that needs to be done frequently.

Reference links

You May Also Like