The Designer’s Guide: How to Secure a WordPress Website

WordPress has become the world’s most popular CMS. Because it is so widely used, there is all the more reason to improve WordPress security if you run your site on it. Most people understand how to secure the page itself, but if you are not also restricting access to important files and folders, you are still at risk. To do this you will not be making any changes to WordPress itself, but rather adjusting how WordPress runs on a server and how much access users have to its files.

Step 1: Limiting access to wp-includes folder

WordPress sites are made up of a series of files and folders, each with its own unique URL, which means that if someone typed in the right URL they could access or change sensitive files that run your site. One of the most common targets for this kind of hacking is the wp-includes folder, so we will add some extra code to the server configuration file to strengthen security and prevent these kinds of threats. When we are done, anyone attempting to access these files is redirected back.

To begin, open the .htaccess file for your site. You can do this in any text editor; it does not matter which, since all we are doing is adding a small snippet of code to the file. You will see that the file already contains code generated by WordPress. In one of the early lines you will find a line that says # BEGIN WordPress. Directly above this line, we will add the extra lines of code, which will strengthen the site’s defenses by restricting access to the wp-includes folder.

# Blocking web access to the wp-includes folder
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Afterwards, you just need to re-upload the file to the server and you’re done. While the changes here seem minor, they can greatly affect your site’s defenses. Since many of the advanced features of WordPress are located inside the wp-includes folder, it is a major target for hackers. With these changes in place, when users attempt to access this folder, they will instead be automatically redirected to the front page of your site.

Step 2: Protecting wp-config.php

Our next step to strengthen WordPress security is to restrict access to the wp-config.php file. When you first created your WordPress site, you had to create a database name, username, password, and table prefix, which are stored in the wp-config.php file. The reason you need to protect this file is that it contains the information WordPress needs to talk to the database and, ultimately, control your site.

To protect your wp-config.php file, you only need a few simple steps. First, open the .htaccess file again. Next, copy the snippet of code below and paste it into the .htaccess file just as we did in step 1.

# Blocking web access to the wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>

Finally, save and re-upload the file.

Step 3: Defending the .htaccess file itself

As you can see from steps 1 and 2, the .htaccess file can be instrumental in protecting your WordPress site from malicious outside threats. That is why in this step we will protect the .htaccess file itself, preventing hackers from removing the protections we have already put in place.

To do this, open the .htaccess file again. Next, insert the code below into the existing code.

# Securing .htaccess file
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>

Step 4: Removing file editor access

For the final step, we will deny hackers access to one of the most destructive tools they could get their hands on: the Editor inside the WordPress dashboard. It lets you edit your theme files, which is useful but can be dangerous. If a person other than yourself were to gain access to it, they could change your code and break your site.

In this step we will remove the Editor from the WordPress dashboard. Rather than accessing the files through WordPress, I recommend that you access them through an FTP client such as FileZilla, which is better for site integrity.

To do this, first open the wp-config.php file. Once it is open, go to the end of the code, where you will find the text “That's all, stop editing! Happy blogging.”. Just before this text, add the code below to remove file editing from WordPress.

define('DISALLOW_FILE_EDIT', true);

Once you have added the code, save the file and re-upload it to the server. Now your WordPress site is safe from anyone accessing your site and attempting to manipulate the code.
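A check for this step, added here as an example and not part of the original article: it confirms that wp-config.php carries an active DISALLOW_FILE_EDIT define set to true, placed before WordPress is loaded. The function names and sample file are constructed, and treating the wp-settings.php require as the end of the editable area is an assumption.

```python
import re

# PHP strings are kept and comments are blanked, so a commented-out
# define() is not mistaken for an active one.
_TOKEN = re.compile(
    r"'(?:\\.|[^'\\])*'|\"(?:\\.|[^\"\\])*\"|/\*.*?\*/|(?://|#)[^\n]*",
    re.DOTALL,
)
_DEFINE = re.compile(
    r"\bdefine\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,([^)]*)\)")
# Assumption: the line that loads WordPress follows the "stop editing" text.
_SETTINGS = re.compile(r"\brequire(?:_once)?\b[^;]*wp-settings\.php")

def strip_comments(php_source):
    """Replace comments with spaces of equal length (offsets stay valid)."""
    def blank(match):
        text = match.group(0)
        return text if text[0] in "'\"" else " " * len(text)
    return _TOKEN.sub(blank, php_source)

def check_file_edit_lock(php_source):
    """Return "ok", "missing", "not-true" or "misplaced"."""
    code = strip_comments(php_source)
    define = _DEFINE.search(code)
    if define is None:
        return "missing"
    value = define.group(1).strip().strip("'\"").lower()
    if value not in ("true", "1"):
        return "not-true"
    settings = _SETTINGS.search(code)
    if settings and define.start() > settings.start():
        return "misplaced"  # added after the point the step prescribes
    return "ok"

# Constructed sample file: one commented-out define, one active define.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');
// define('DISALLOW_FILE_EDIT', true);
define( 'DISALLOW_FILE_EDIT', true );
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
"""

if __name__ == "__main__":
    print(check_file_edit_lock(SAMPLE_CONFIG))
```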


If you follow these steps, your site should be much more secure. By reducing the amount of access hackers have to the files critical to running your site, you have increased your WordPress site’s overall security.

Sunny Chawla is a Marketing Manager at AIS Technolabs – a Web-design and Development Company. Helping global businesses with unique and engaging tools for their business. He would love to share thoughts on WordPress website development, web design and mobile app development.