How to make your WordPress page safe and secure without using plugins


Making your WordPress website totally secure should be a priority in your business, but not for that reason that it is filling it with plugins! In this article, we explain step by step how to protect your WordPress without plugins yourself, even if you are not an expert.

Attacks on the security of WordPress pages are daily and are just around the corner, although it is true that the use of security plugins helps protect your web page, they are counterproductive for your web server, overloading it and causing the loading speed of your WordPress decreases.

Making your WordPress website secure should be your priority, but not by filling it with plugins!  We explain how to protect WordPress without plugins.

Surely you know that attacking the security of a WordPress page is not a difficult thing, right? Well, the biggest excuse for those who have a WordPress page, not to use security plugins and protect their data and their users, has to do with the fact that these plugins consume a lot of web server resources and affect the loading speed of the page. What a problem!

Both the security of your WordPress website and speeding up your WordPress are two very important aspects of a website, so what can you do? You don’t have to be against a rock and a hard place! It is possible to improve WordPress security without plugins, really!

There are other ways to shield your WordPress website and keep it safe, without slowing it down or burdening your web server.

If you want to improve security in WordPress with these useful tips you will be able to obtain great results, while you can count on our services for maintenance, updating, and improvement of WordPress pages, within which we take care that your website is a secure site and protected.

We will make your website fall in love with your customers!

We will squeeze your WordPress website until you fall in love: well positioned in Google and other web search engines, safe, fast, and, above all, efficient and profitable for your company, attracting potential clients and achieving real results!

If you have any knowledge of how to keep your WordPress website secure, you know that the basics are to update your WordPress version regularly, keep your plugins and themes up to date, and get rid of anything you don’t use. These basic steps are clearly the starting point to avoiding headaches, but they are not enough! To our great regret, if it were enough there wouldn’t be so many reports of malware, phishing, man-in-the-middle (man-in-the-middle attack), and hacking, but it is the harsh reality we must face.

How to forget about security plugins in WordPress? Do you want to know how? In this article, I teach you step by step so you can do it yourself!

Basic general tips to protect your WordPress without plugins

Before I start talking about basic techniques to protect a WordPress website without plugins,  I want you to consider that the more active users you have on the website, the more code you add and the more themes and plugins you install, the more likely you are to suffer an attack and be vulnerable.

But no, you don’t have to go to the plugins yes or yes, but with a little work you will be shielding your WordPress page and getting rid of the meddlers. But let’s start with the first.

Always keep your WordPress updated

Although many people are stressed about having to update WordPress, this is necessary; each update brings with it changes and improvements for the security of the site. Therefore, ignoring such updates, or waiting too long to do them, is like putting a noose around your neck.

Keeping your WordPress updated is the beginning to improve the security of the web.

What happens is that, although WordPress is the land of a thousand wonders, it has flaws in its security, which gives free rein to hackers and intruders.

To start improving your security without plugins in WordPress, every time you see the ‘ update ‘ notification in your WordPress dashboard, do the update right away. This is the beginning to make your website an impenetrable fortress for malicious people.

By the way, if you think you might lose some data with the update, remember to back up your files first, as I indicated in another article where they explained how to update WordPress.

Plugins and themes should also be updated

The plugins (add-ons) and themes (templates or themes) that are installed in WordPress are a small secret passage through which anyone can filter, and that is why they must be kept updated, to avoid information leakage or the entry of third parties.

Clean your WordPress and get rid of what you don’t use

As I told you at the beginning of the post, another measure to protect WordPress without plugins is precise to get rid of the plugins and themes that you no longer use.

It’s not just about deactivating plugins and themes, it’s about removing them altogether!

Why have something installed that is useless? In addition, they are backdoors to attack the security of your website.

Download plugins and themes only from trusted sites

Downloading plugins and themes from untrusted sites could play tricks on you; do not give yourself this luxury no matter how attractive the theme seems or how useful that plugin may look.

The best thing is that you always go to the official plugins section, as this way you avoid falling into unknown hands or using plugins and themes that are not safe.

Configure and protect your web server directories

Configuring your webserver directories is also essential to protect your WordPress without using plugins.

As a general rule, permissions should be  644 for files and 755 for folders. Avoid 777 permissions.

Also, specially configure the wp-config.php file with 600 permissions.

Change your username to the “wp-admin” panel

By default when installing WordPress the admin username is always ‘admin’, but this makes it easier for hackers.

Keeping your default username (“admin”) will only make the hacker have to guess your password and believe me, they are very sneaky at that!

Therefore, one of the things you should do after installing WordPress is to change your username to a totally random one, combining letters with numbers, so that intruders cannot guess it.

Change your access password frequently

Changing your password frequently helps protect your WordPress website without plugins.

Of course, try to create passwords that really work and have a certain level of difficulty. For example, passwords, where letters and numbers (alphanumeric) are combined, are usually the most effective and secure.


If your WordPress website has already been hacked several times and you don’t know how to create efficient passwords, use a password generator to help you with this, such as Norton Password Generator.

Encourage your users to use strong names and passwords

Not only do you have to protect your WordPress dashboard login username and password, but it is important that you make your users create completely secure usernames and passwords.

At the end of the day, not only do you want to protect yourself, but your users are the main reason why your website should be secure, right? Then persuade them to help secure the WordPress website and protect their own data as well.

Set up a two-step authentication system

security system based on two-factor authentication is a great step to increase security and protect your WordPress without using plugins.

Double authentication consists of asking you for a second password to try to access, or you are sent a code that is sent by SMS or by email.

In this way, even if an intruder finds out your main password, they will not be able to access it because they will not receive or know that second password that the WordPress system is requesting.

There are very simple and lightweight plugins, that will not load your web server or slow down your WordPress, implement two-step authentication, very easy to install and use as Google Authenticator, for example.

Set limits for WordPress login

How does a hacker guess your password? I assure you that it is not by magic, nor that they had superpowers! But they do have a lot of patience and will try to log in to your website as many times as necessary until they find your password.

To prevent a hacker from trying your password over and over again, limit login attempts on your WordPress page.

This consists of you restricting the number of times that you can try to log in from the same IP address and at a certain time.

A good plugin, very simple and that will not overload your WordPress at all, is Login LockDown.

Limit access to WordPress users

One of the main advantages of WordPress is that you can create all the users you need so that they can collaborate and carry out countless tasks on your website. Well, although this is wonderful from the point of view of content creation since it facilitates the process and optimizes it, it is very negative for security.

My basic advice is that you do not give access to too many people, but only those who really need it. In addition, once a user finishes his work on your web page, if he is not going to need it anymore, delete that user and close that “back door”.

The truth is that the more people access your website as users, the more likely your website will be compromised.

Schedule and automate backup creation

Scheduled backups are very useful to make WordPress more secure, in the face of what may happen, and there are very simple plugins with which you can schedule the creation of backups.

With the backup copies you guarantee that, if your website has been compromised, you will be able to restore the previous version of WordPress, and nothing happens!

By having a backup, all your data and that of your clients will be safe and well protected.

UpdraftPlus WordPress Backup could be a perfect plugin for scheduled backups, plus it’s very lightweight and won’t overload your server or slow down your website load.

Occasionally use a security scanner

Installing a security scanner in WordPress will help you scan your themes, files and plugins, thus analyzing if there are any viruses or malware in WordPress.

Although the plugins of this type of security scanner are “heavier” than the other plugins that I am recommending in this article, which could slow down your web page, I suggest you activate it and use it periodically, for example, fortnightly.

That is, you install it, activate it, perform a complete web scan, perform the best actions that the scanner proposes, and then when you have finished, deactivate it and delete it.

Wordfence Security is a plugin with a powerful scanner system that will help you maintain your WordPress; clean and protected. It is a heavy plugin, it is true, that is why I advise you to follow the steps indicated above.

Install an SSL certificate on your server and access via HTTPS

Enabling an SSL certificate to your WordPress will prevent the information that is shared between the browser and the web server from being altered or intervened by third parties.

By having an SSL certificate, your website will be a more secure website that is accessed by a secure connection (HTTPS).

You can find more information from another article where I explained why Google and Firefox label your website as ‘not secure’, for not having access via HTTPS.

Enables a Firewall system

Installing a Firewall, on your computer and on the webserver, is key to preventing unauthorized access and keeping your data web page protected.

There are several types of firewalls (Firewall) for your computer, so if your operating system does not come with a competitive Firewall by default, install one that also offers security against hackers and hackers. A very interesting and free one is Zone Alarm Free Firewall.

To have a Firewall system on your WordPress page, you will inevitably have to resort to a “heavy” plugin. No choice. Of all the WordPress Firewall plugins, the one I like the most because it respects the web server resources a lot and hardly slows down the web load is All In One WP Security & Firewall.

Basic WordPress security via wp-config.php and header.php

Protect WordPress without plugins via wp-config.php and header.php

Relocate wp-config.php file

The wp-config.php file, which is located in the root directory of your web server, is perhaps the most important file of your entire WordPress web page since everything related to access to your database is stored in it; contains your user information, password, and the names of your database.

That is why it is highly recommended to move it to a folder, once you install or configure WordPress, to prevent it from being located by intruders, which is key to protecting your WordPress without using plugins.

Don’t show bug reports

Error messages can be useful for intruders as they mark a route to attack your web page and even obtain information from your web server, so don’t show them!


Disabling error messages is very easy, you just have to add this code to your wp-config.php file (preferably at the beginning):

@ini_set(‘display_errors’, 0);

Create new secret keys

Installing WordPress creates four default ‘secret’ keys in your wp-config.php file.

These keys may not be as secret and, being WordPress default keys, are easier for hackers to guess. In fact, you would be surprised at the amount of time these bad guys spend trying to guess these passwords and perfecting their criminal art on the internet.

You should create new passwords and copy them into the wp-config.php file, with some password generator tools like the ones I recommended above.

Do not leave references of your WordPress theme

The less third parties know about the WordPress theme you are using, the better.

If a hacker knows what theme you are using, the easier it will be for him to detect what security problems your website may have and devise a way to attack you.

How to remove references from your WordPress theme? In the header.php file, remove the following code snippet:

<meta name=”generator” content=”WordPress” />

Advanced WordPress protection via functions.php

What is the functions.php file?

Functions.php is the WordPress theme functions file; a template that is used to establish actions, functions, register styles, define filters and add classes that will be used in other templates, etc.

With this file, you can add a bit more security to WordPress just by including some simple code snippets.

By including some code to functions.php, we cover some security issues that WordPress has by default.

What fragments can be included? A snippet to hide detailed information in WordPress, load scripts safely, and modify error messages when logging in with an invalid user or password.

Hide the version of WordPress you use

The WordPress version you are using is displayed by default in the HTML header of your web page.

Although it may seem harmless to display this information, it is known that many hackers take advantage of this information to discover security gaps and end up accessing the programming of your website. This happens because knowing what the security vulnerabilities are in each version makes it easy for them to take advantage of them.

Removing this data is very easy by adding the following code to your functions.php file:

remove_action(‘wp_head’, ‘wp_generator’);

By the way, make sure you also remove the readme.html file.

Block login error reports

I had already explained to you that error reports when you log in may not be your best ally, since they give the hacker a lot of information.

To take care of this problem you’ll need to add a code snippet that returns the error, no matter what is wrong. That is, if it is the username or if it is the password that does not match.

You can add this code in functions.php :

function one_default_error_message() {
return ‘Your data is not correct.’;
add_filter( ‘login_errors’, ‘one_default_error_message’ );

Safely load scripts

Loading scripts safely prevents any type of malicious code from being loaded on your web page when a user is browsing it.

To do this, you have to use an SSL, or security protocol, on your HTTPS page. If your WordPress uses JQuery, which is most likely, by adding the following code you can keep your scripts safe:

if (!is_admin()) {
wp_register_script(‘jquery’,(“”), false);

Hide the username of the authors

As we all know that it is easy to guess the username of an author in WordPress, then you have to hide it.

To give the hacker a fight and not reveal your username, copy this snippet into your functions.php file :

add_action(‘template_redirect’, ‘bwp_template_redirect’);
function bwp_template_redirect(){
if (is_author()) {
wp_redirect( home_url() ); exit;

WordPress security measures from the .htaccess file

WordPress security measures from the .htaccess file

What is .htaccess?

.htaccess is a configuration file used with Apache Web Server software (an open-source HTTP server) to enable or disable features of the software, such as 404 error redirects and URL rewriting, and to add extra features.

How to modify the .htaccess file?

.htaccess files have instructions on how to deal with them given various scenarios, so there are several ways to modify them; these are the most common:

  • Use a text editor and SSH (protocol for remote access to a server through a secure path)
  • Use an FTP editing mode, editing the file and then uploading it to the FTP
  • Use the cPanel file manager

Protect the .htaccess file

Since the .htaccess file fulfills so many functions and performs various actions on and from the server, it is necessary to protect it; To do this, add the following code snippet to the top of this file:

<files ~ “^.*\.([Hh][Tt][Aa])”>
order allow,deny
deny from all
satisfy all

Also, protect your wp-config.php file

Above I explained to you what the wp-config.php file is, so now you know what its importance is, so it’s time to protect it from intruders. Add the following code to this file:

<files wp-config.php>
order allow,deny
deny from all

Protect the wp-admin directory

The wp-admin directory is another target for hackers, so it should also be protected.

If you only use the same computer to enter the web with your user, restrict the login (or login screen) only to your computer and IP address.

On the other hand, if apart from you you also have authors who obviously need to log in, then you must also add their IP addresses so that they can access the /wp-admin/ folder and your wp-login.php file.

To make restrictions by IP addresses, add the following code fragment wherein, you must include the IP address from which you or your collaborators connect:

<Files wp-login.php>
order deny,allow
deny from all
allow from

Don’t forget to protect the wp-includes directory

The wp-includes directory is the one that contains all the information necessary for your WordPress to work. It is like the soul of your website, so it is the main target of spam attacks, malware, and any identity theft or phishing.

You can protect it with the following code snippet in your .htaccess :

<ifmodule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ – [F,L]
RewriteRule !^wp-includes/ – [S=3]
RewriteRule ^wp-includes/[^/]+\. php$ – [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php – [F,L]
RewriteRule ^wp-includes/theme-compat/ – [F,L]
</ifmodule >

Protect your error_log file

The error_log file must also be protected, since information about the errors that appear when processing requests are stored in it. Remember, bug reports can be like Hanzel and Gretel’s crumbs that guide intruders to ‘return home, or rather, to enter it!


Adding the following snippet to the code will remove those crumbs:

<files error_log>
order allow,deny
deny from all

Protect your PHP files

I’m still on the protect-and-safeguard thing, and now it’s the PHP files’ turn, so you need to make sure no one can access them directly.

To protect your PHP files, add the following snippet to your .htaccess:

RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/( .*\.php)$ – [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes /directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ – [R=404,L]

Protect your WordPress from SQL injection

SQL is a query language with which you can access the information you store in your database.

Today, SQL injection is one of the most common ways for hackers to steal your customer data, guess your passwords and even obtain financial information, you or users, so you have to make an effort to protect your Web page.

How to combat these attacks? Well, adding this code snippet to .htaccess will keep you safe:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (< |%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z ]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

Prevent them from exploring your directories

Your directories are just that, yours! They don’t have free entry for anyone to snoop on, so prevent people from browsing them by adding this code to your .htaccess :

# Disable directory browsing
Options All –Indexes

Don’t let them scan your author list

WordPress, as you know, allows you to create many users, as many as you need! Well, as users or authors and authors are created, so that they are in charge of putting content on your page, a list is created, and the more authors, the more vulnerable your website could be.

For this reason, it protects these lists of authors from any scanning that may be done, as it is a well-known practice for hackers to bet on this technique to break your security at all costs.

How to block these scans? With the following code in your .htaccess :

RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* – [F]

Protect your WordPress XMLRPC file

XMLRPC is a data transmission and structuring protocol, used by XML and HTTP. In WordPress, it serves as an interface that allows you to connect WordPress with external sites, among which there are many with dubious reputations.

Attacks on XMLRPC.php are just around the corner and are becoming more and more common, as it connects to external services, leaving a lot of leeway for intruders.

Many times, this interface is not used, so it is best to block it; with the following code you can do it:

<files xmlrpc.php>
order deny,allow
deny from all

Protect yourself from hotlinking

Another enemy of the security of your website is hotlinking; a parasitic practice that tries to steal your web resources, such as images, hosted on your web server so that third parties can display them on their own pages.

This practice not only affects the operation of your web server but also violates the security of your WordPress website. If you want to protect your WordPress without plugins you must make sure to “close that door”.

The best thing is to protect yourself from it, adding this code to not let these resources be stolen, where you must replace “” with your web domain:

RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)? [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?: //(www\.)? [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ – [NC,F,L]

When should we use a WordPress security plugin?

Before we finish, I don’t want you to be closed to this option!

Try everything I have recommended here, without using WordPress security plugins, and I am sure you will have a more secure WordPress.

However, if you want to further strengthen the security of your website, then I do recommend choosing a WordPress security plugin. Of course, first, review its characteristics well and make sure that it is really useful, and that it goes far beyond the .htaccess file because this file can already be protected and optimized yourself without the plugin!

Some good plugin options for WordPress security are WordFence Security, JetPack, BulletProof Security, and iThemes Security. Make a list with the advantages of each one and its cons, compare them to find out which one best suits your type of website, and choose the best one.

You can also contact us so that we can do all this study of your web page and help you protect your web page and, given the case and need, choose the plugin that best suits your web page.

We help you keep your WordPress always at 110%!

We take care of everything related to your WordPress website so that it offers real results to your company, without causing you inconvenience or wasting time, so you can focus completely on your business.

What do we propose?

Conclusion: Protecting WordPress goes beyond a security plugin!

I think the biggest takeaway I hope you take away from this post is that you don’t need a super security plugin to protect WordPress. Go beyond that! Well, it’s not always as easy as installing a plugin and turning around, you have to put love and spend time on it!

It may seem tedious to have to make ‘arrangements’ in the files that I have been commenting on above and add the different codes in your WordPress, but it is the most feasible and you will have optimal results.

Your website can be a perfect target for malware attacks, man-in-the-middle, and phishing right now, while you are reading me, so you better get down to work and make sure your page has a very solid defense to combat the intruders. Do you try it and tell me?

If you have found this post helpful to protect your WordPress without plugins, I invite you to share it on social networks, so that others can improve their WordPress security.

Below you will find a small form, which I invite you to fill out so that you can send us your questions and comments. We will gladly help you!

Leave A Reply

Your email address will not be published.

This site uses Akismet to reduce spam. Learn how your comment data is processed.

%d bloggers like this: