How to secure your WordPress website? | Step by Step Guide

Do you know how to design a website? Most of you probably don't. However, the web design process is not as complicated as it seems, at least not with WordPress.

With WordPress, even someone with no background in programming can design a decent website. On the surface, these websites will look rather good and will be highly functional. The only problem is that these types of websites, i.e., websites designed purely in WordPress, will severely lack performing power and have a few big holes in their security.

You can boost the performance of your website simply by choosing a web hosting company or minimizing your website homepage. However, you will need to take more serious action when it comes to security.

WordPress security threats and how to solve them?

Although WordPress is not a complete write-off when it comes to security, its default settings do leave big holes in WordPress security checklists. Here we will be talking about ten such security risks and simple ways to solve them.

Let’s get started.

1. XML-RPC issue

In simple terms, this is the aspect of WordPress that lets mobile devices and other remote clients work with your WordPress site. Here, XML acts as the encoding mechanism and HTTP serves as the transport mechanism. This makes WordPress super easy to work with, especially if you have a mobile app. XML-RPC is always open in the default WordPress settings.

The only issue with this is that you leave a big security hole if you do not have a WordPress mobile app. Hackers can easily exploit this to launch a DDoS attack on your website.

How to solve XML-RPC Issue?

The exposed XML-RPC system is a considerable risk to the security of your WordPress websites. Here, the good news is that you can quickly solve it with a simple, quick fix. All you need to do is follow these steps:

Step 1: Type your website URL
Step 2: Type xmlrpc.php after the final forward slash
Step 3: Go to your WordPress Admin Dashboard
Step 4: Click on Plugins and go to Add New.
Step 5: In the Search box type “Disable XML-RPC” and install it.


Go to your .htaccess file and paste the following code:

# Block all requests to xmlrpc.php (Apache 2.2-style access control)
<files xmlrpc.php>
order deny,allow
deny from all
</files>

Do note that the mentioned code is case-sensitive.
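To confirm the rule is working, you can look at how requests to xmlrpc.php show up in your access log. The following is an added example, not part of the original guide: it counts POST requests to xmlrpc.php per client in Apache combined-format log lines and separates requests that were served from those answered with 403. The sample log lines, the IP addresses and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# Constructed Apache combined-log lines (documentation IP ranges), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "POST /xmlrpc.php?rsd HTTP/1.1" 200 370 "-" "-"
198.51.100.20 - - [10/Mar/2024:10:00:03 +0000] "GET /xmlrpc.php HTTP/1.1" 405 42 "-" "-"
198.51.100.20 - - [10/Mar/2024:10:00:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 512 "-" "-"
192.0.2.9 - - [10/Mar/2024:11:30:00 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
192.0.2.9 - - [10/Mar/2024:11:30:01 +0000] "POST /xmlrpc.php HTTP/1.1" 403 199 "-" "-"
"""

# client IP, request method, request path, response status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "([A-Z]+) (\S+) [^"]*" (\d{3}) ')

def xmlrpc_summary(log_text, threshold=3):
    """Count POSTs to xmlrpc.php per client, split into served and blocked (403)."""
    served, blocked = Counter(), Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue                      # skip lines that are not in combined format
        ip, method, target, status = m.groups()
        path = target.split("?", 1)[0]    # ignore any query string
        if method != "POST" or not path.endswith("/xmlrpc.php"):
            continue
        (blocked if status == "403" else served)[ip] += 1
    # Clients with many served POSTs are the ones worth a closer look.
    noisy = sorted(ip for ip, n in served.items() if n >= threshold)
    return {"served": dict(served), "blocked": dict(blocked), "noisy": noisy}

if __name__ == "__main__":
    print(xmlrpc_summary(SAMPLE_LOG))
```

After the .htaccess rule is in place, every new request to xmlrpc.php should land in the "blocked" count.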

2. Directory listing issue

If you are wondering what a directory listing is, it is simply a webpage that lists all the files and directories on a web server. This means that by merely going to <website> one can see the specific files and content of each folder of your WordPress website.

From here, getting your information or misusing your website is just a few clicks away.

Similar to previous risks, the solution to the WordPress directory listing vulnerability is also simple. Add a plugin. Alternatively, add the following code at the end of your .htaccess file, and this issue will be solved.

Options -Indexes

3. Internal path disclosure

This may look similar to the directory listing, and to an untrained eye, it is. However, while directory listing only gives you information about the file and folders, an internal path disclosure exposes the entire setup of your server. From there, it is simply a matter of generating fatal errors to harm your website.

How to solve the internal path disclosure issue on WordPress?

Although this threat is quite severe, the solution is straightforward. Simply follow these steps, and the WordPress issue regarding the internal path will be easily solved.

Step 1: Enter the URL

Once you do this, you will see fatal errors such as:

Call to undefined function _deprecated_file() in /home/your-web-domain/public_html/wp-includes/rss-functions.php on line 8.

Step 2: Insert the following code into your .htaccess file

# For full path disclosure
php_flag display_errors off

Note: the code is case-sensitive.

4. Server signature

A server signature is not a threat in itself since it is simply the public identity of your web server. However, it can contain sensitive information about the website. The mentioned information can then be used to cause harm.

The solution to this issue is similar to the ones we mentioned so far. All you need to do is access the .htaccess file and insert the following code.

# START Disable server signature #
ServerSignature Off
# END Disable server signature #

5. SQL Injection

This is among those vulnerabilities that can put the website and those involved with the website at risk. The attacker interferes with the queries that the application makes to the database of the WordPress website. Once this is done, the attacker can easily access and modify all information related to the WordPress website.

How to avoid SQL injection on WordPress websites?

Since this is a severe risk, the security measures should be drastic, right? Yes, they are. However, the process to implement them is relatively simple. The steps are:
Step 1: Use a security plugin
Step 2: Use a Firewall
Step 3: Remove Unnecessary Database Functionality
Step 4: Keep core WordPress themes and plugins updated
Step 5: Encrypt Confidential Data
Step 6: Avoid pirated themes and plugins
Step 7: Improve Your Software


6. Clickjacking

This is an ingenious form of threat to a WordPress website or any website for that matter. In clickjacking, the malicious entity tricks the user into entering a different domain by disguising itself as a legit and familiar domain. The malicious entity can easily gain access to sensitive information, spread malware, or trick the user into purchasing online or transferring money into a dubious account through this method.

This seems a pretty serious threat. However, the solution is quite simple. All you need to do is locate your functions.php file and enter the following code:

function block_frames() {
    header( 'X-Frame-Options: SAMEORIGIN' ); // only pages from your own site may frame it
}
add_action( 'send_headers', 'block_frames', 10 );

Once you enter this code, update the directory, and your website should be safe from clickjacking threats.

7. WordPress version

WordPress Version in itself is not a threat to your website. After all, how can a version be a threat? The security threat comes when an attacker knows the version of WordPress you are using. If you constantly update your WordPress version, then you will face no threats.

However, suppose you are using an outdated version. In that case, any malicious entity can use the loopholes and openings in the outdated versions of WordPress and harm your website as well as steal your information.

The simplest solution to this threat is to just constantly keep your WordPress version updated. However, if you cannot do this, you can install plugins that can hide your WordPress version, such as wp hardening.
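The fixes for directory listing, internal path disclosure, server signature, clickjacking and WordPress version can all be verified from the responses your site sends back. The following is an added example, not part of the original guide: it inspects a response's headers and body for each of those leaks. The sample responses, host name and version numbers are constructed, and the patterns assume Apache's default listing and footer markup and WordPress's generator meta tag.

```python
import re

CHECKS = [  # (finding, where to look, pattern)
    ("directory-listing", "body", r"<title>Index of /"),
    ("path-disclosure", "body", r" in (?:<b>)?/[^\s<]+\.php(?:</b>)? on line "),
    ("server-signature-footer", "body", r"<address>Apache[^<]* Server at "),
    ("wordpress-version", "body", r'<meta name="generator" content="WordPress \d'),
    # ServerSignature does not change this header; ServerTokens (main config) does.
    ("server-header-version", "server", r"/\d+\.\d+"),
]

def audit_response(headers, body):
    """Return the sorted findings for one HTTP response (headers dict, body str)."""
    h = {k.lower(): v for k, v in headers.items()}
    text = {"body": body, "server": h.get("server", "")}
    found = [name for name, where, pat in CHECKS if re.search(pat, text[where], re.I)]
    # Clickjacking: neither X-Frame-Options nor a CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        found.append("no-frame-protection")
    return sorted(found)

# Constructed sample responses (hypothetical host and versions), not real captures.
LISTING = ({"Server": "Apache/2.4.58 (Ubuntu)"},
           "<html><head><title>Index of /wp-content/uploads</title></head><body>"
           "<address>Apache/2.4.58 (Ubuntu) Server at example.test Port 80</address></body></html>")
ERROR_PAGE = ({"Server": "Apache", "X-Frame-Options": "SAMEORIGIN"},
              "<b>Fatal error</b>: Call to undefined function _deprecated_file() in "
              "<b>/home/your-web-domain/public_html/wp-includes/rss-functions.php</b> on line <b>8</b>")
HOME_DEFAULT = ({"Server": "Apache"},
                '<head><meta name="generator" content="WordPress 6.4.2" /></head>')
HOME_HARDENED = ({"Server": "Apache", "X-Frame-Options": "SAMEORIGIN"},
                 "<head><title>Example</title></head>")

if __name__ == "__main__":
    for label, (hdrs, html) in [("listing", LISTING), ("error", ERROR_PAGE),
                                ("home, default", HOME_DEFAULT), ("home, hardened", HOME_HARDENED)]:
        print(label, audit_response(hdrs, html))
```

Feed it the headers and body of your own pages before and after each change; an empty list means none of these leaks were found in that response.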

8. Exposed Login URL

If you have used WordPress as a developer, you must be familiar with its admin URL. The URL goes something along the lines of <your website URL> / wp-admin.

Regardless of your website URL, the admin login URL will always be the same. The issue is that just about anyone can access your login URL. It is all about guessing the right login id and password to access your sensitive data from there.

To solve this issue, you will need to find wp-login.php from your directory and replace and rename it. The steps to do this are:

Step 1: Go to public_html from your file manager
Step 2: Search wp-login.php
Step 3: Rename it
Step 4: Open your renamed .php file
Step 5: Replace every wp-login.php with your new file name
Step 6: Click on the replace all button

Once you are done with this, you should be able to log in using the following file format
<your website URL> <renamed directory>


9. Robots.txt

Robots.txt is an integral aspect of a WordPress website that stores three primary types of information regarding your website. These three types of information are:
Allowed files and folders
Disallowed files and folders
Sitemap URL

Using robots.txt can prevent search bots from finding out the said information, i.e., disallowed files. This is not an issue. The issue comes when people see the information that you want to hide. Since this is available publicly, if you let your sensitive information be seen in this file, then it can easily become a target for malicious people.

There is no direct solution to this issue. It all comes down to your planning capabilities. You will need to plan your website in such a way that sensitive information is less frequently displayed in this file.
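One way to review what your own robots.txt gives away is shown below. This is an added example, not part of the original guide: it splits a robots.txt file into the three kinds of entries listed above and picks out Disallow lines whose paths look sensitive. The sample file, its paths and the keyword list are constructed and should be adapted to your site.

```python
import re

# Constructed robots.txt for a hypothetical site; the paths are illustrative.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /backup-2023.zip   # old export
Disallow: /private/invoices/
Sitemap: https://example.test/sitemap.xml
"""

# Hypothetical keyword list; tune it to what counts as sensitive on your site.
SENSITIVE = re.compile(r"backup|private|secret|\.sql|\.zip|\.bak|config|invoice", re.I)

def parse_robots(text):
    """Split robots.txt into allowed paths, disallowed paths and sitemap URLs."""
    out = {"allow": [], "disallow": [], "sitemap": []}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        if field.lower() in out and value:           # User-agent etc. are skipped
            out[field.lower()].append(value)
    return out

def revealing_entries(text):
    """Disallow paths that advertise a sensitive-looking location to any reader."""
    return [p for p in parse_robots(text)["disallow"] if SENSITIVE.search(p)]

if __name__ == "__main__":
    print(parse_robots(SAMPLE_ROBOTS))
    print("Review these entries:", revealing_entries(SAMPLE_ROBOTS))
```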

10. Lack of two-factor authentication

Two-factor authentication or 2FA is the system that requires two verification factors for you to log in. You can easily find this on websites/applications like Google, where you require your Google user ID and your phone to verify yourself. However, although WordPress is one of the most used website builders, it lacks this feature.

This can pose a huge security risk since, without 2FA, it is all about guessing the id and password.

Not having a default 2FA is not really an issue for WordPress since you can easily add plugins to enable this feature.


Although WordPress does have some severe security issues, the solutions to the said security issues are rather simple. As you may have seen, most of the solutions require a single line of code or a simple plugin. While there are indeed some troublesome issues, you should be able to solve them easily with adequate planning.