How to Secure WordPress without a plugin?

Can you secure WordPress without a plugin? The answer is yes. WordPress websites are usually secured with a security plugin, which generally costs money, since relying on a free security plugin is not enough. However, some website owners prefer to use as few WordPress plugins as possible, both to keep their site loading fast and to avoid extra security expenses. There are several WP security practices you can apply to your WordPress site to make it 100% secure from hackers and viruses.

If you own a WP-based site and don't want to pay extra for a plugin, here are the best ways to secure WordPress without a plugin.

Update your WordPress to the latest version

Updating WordPress to the latest version may sometimes seem pointless, especially when your website has no visible issues, but security is one of the most important reasons to keep your WordPress installation up to date. Updating takes little effort: one click and a few seconds' wait. You can also enable automatic updates in your WordPress installation, but this is not recommended.

Remember to back up your WordPress site before making any changes, just in case anything goes wrong during the update.

Use minimum plugins and update them frequently

When it comes to plugins, fewer is always better. Hackers most often try to get into your website through plugins. This is why you should only use recommended plugins and keep them up to date to avoid security issues. Some plugins require access to your website's database; avoid plugins of that kind.

Prevent uninvited guests with .htaccess:

You don't want anyone to reach your WordPress admin section without your permission. Locking the administration part of your website away from such users helps secure it, and the .htaccess file lets you do exactly that. This method restricts wp-admin to a static IP address, so nobody can access the admin area from any other IP.

You only need to add the following code to your .htaccess file:

# Place this in the .htaccess file inside the wp-admin/ folder so it applies to
# the whole admin area. (To protect the login page too, wrap the same lines in
# <Files wp-login.php> ... </Files> in the root .htaccess.)
# The Auth* lines set up a basic-auth realm that is never actually required;
# the access control is done by the order/deny/allow lines below.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# Apache 2.2 syntax (needs mod_access_compat on Apache 2.4): deny everyone,
# then allow only the listed addresses.
order deny,allow
deny from all
# Enabled IP address 1 (placeholder, replace with your own static IP):
allow from 203.0.113.10
# Enabled IP address 2 (placeholder, replace with your own static IP):
allow from 203.0.113.20
Replace the placeholder IP addresses with your own. You can add as many allow from lines as you need, one per IP address.
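The same lock-down written for current Apache versions, as an added example that is not part of the original post. Apache 2.4 replaced order/deny/allow with the Require directive (the old syntax only works there when mod_access_compat is loaded), so this version wraps both forms in <IfModule> checks. It also shows the two places the rules can live: the root .htaccess for wp-login.php and wp-admin/.htaccess for the admin directory. The addresses 203.0.113.10 and 198.51.100.0/24 are placeholders from the RFC 5737 documentation ranges; the admin-ajax.php exception is included because themes and plugins call that script for ordinary visitors, so blocking it by IP breaks front-end features.

```apache
# Added example (not from the original post). Two fragments: the first goes in
# the .htaccess at the WordPress root, the second in wp-admin/.htaccess.
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses (RFC 5737
# documentation ranges); replace them with your own static IP(s).

# --- root .htaccess: only the listed addresses may reach the login page ---
<Files wp-login.php>
  <IfModule mod_authz_core.c>
    # Apache 2.4: Require replaces order/deny/allow
    Require ip 203.0.113.10 198.51.100.0/24
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2 fallback, same semantics as the Require line above
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10 198.51.100.0/24
  </IfModule>
</Files>

# --- wp-admin/.htaccess: lock the whole admin directory ---
<IfModule mod_authz_core.c>
  Require ip 203.0.113.10 198.51.100.0/24
  # admin-ajax.php is called by themes and plugins for anonymous visitors,
  # so it must stay reachable; the more specific <Files> section wins.
  <Files admin-ajax.php>
    Require all granted
  </Files>
</IfModule>
<IfModule !mod_authz_core.c>
  Order deny,allow
  Deny from all
  Allow from 203.0.113.10 198.51.100.0/24
  <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
  </Files>
</IfModule>
```

Before relying on this, request /wp-login.php from an address that is not on the list and confirm you get 403 Forbidden, then check that the public site still works. If your own connection does not have a static IP, this method will lock you out whenever your address changes, so keep a way to edit .htaccess outside WordPress (SFTP or the hosting control panel).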

Disable WordPress browsing folders

Publicly listing folder contents makes it easier for a hacker to map your WordPress files. Disabling directory browsing is one of the tips security experts recommend most, and it is also one of the quickest ways to secure WordPress without a plugin. To do this, you only need to add a single line to the .htaccess file:

Anyone who then tries to browse your WordPress folders and files will get a Forbidden error.

Secure WordPress Includes folder (wp-includes):

This is one of the most important folders of a website because all of the themes, plugins and media files are hosted in it. Securing the wp-includes folder removes the opportunities hackers have to access your site's important files. You need to add the following code to the .htaccess file:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Block direct requests to the admin includes directory (F = 403 Forbidden).
RewriteRule ^wp-admin/includes/ - [F,L]
# Requests outside wp-includes/ skip the next three rules.
RewriteRule !^wp-includes/ - [S=3]
# Deny direct requests to PHP files inside wp-includes.
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

Secure wp-config.php file:

Without a doubt, wp-config.php is one of the most important files, because it contains all of your site's sensitive settings, including the database details, username and password. You can secure it without any plugin by adding the following code to the .htaccess file:

<Files wp-config.php>
# Deny web access to the file; PHP still reads it from disk.
order allow,deny
deny from all
</Files>
This ensures that no one can access the wp-config.php file over the web.

Disable external apps' access to your WordPress:

Every WordPress installation includes the xmlrpc.php file, which allows third-party services to access your WordPress site. Blocking access to this file secures your WordPress without a plugin. Only do this if you do not use any such third-party services. There are plugins that disable external application access to a WP site, but here I suggest blocking it with the .htaccess file:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Just add the above code to your .htaccess file to stop xmlrpc.php from giving third-party services access to your WP site.
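The directory-listing, wp-config.php and xmlrpc.php protections from the sections above, collected into one Apache 2.4-compatible fragment with an Apache 2.2 fallback. This is an added example, not code from the original post. It also supplies the Options -Indexes line that the directory-browsing section refers to; I assume that is the directive meant there, since it is the standard Apache way to turn off folder listings. The wp-includes rewrite rules are not repeated because mod_rewrite syntax is the same on both Apache versions.

```apache
# Added example (not from the original post): file-level protections for a
# WordPress root .htaccess, written for Apache 2.4 with Apache 2.2 fallbacks.
# Keep these rules outside the "# BEGIN WordPress" / "# END WordPress" block,
# which WordPress rewrites on its own.

# Disable directory listings: a request for a folder with no index file now
# returns 403 instead of listing its contents. Needs AllowOverride Options
# (or Options=Indexes) in the server config, which most shared hosts allow.
Options -Indexes

# wp-config.php is read by PHP from disk; it never needs to be served over HTTP.
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>

# xmlrpc.php: block only if nothing you use (remote publishing tools, or
# plugins such as Jetpack) depends on XML-RPC.
<Files xmlrpc.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
```

A syntax error in .htaccess makes Apache answer 500 for the whole site, so keep a copy of the working file and test after each change: /wp-config.php, /xmlrpc.php and a folder without an index file (such as /wp-content/uploads/) should each return 403 Forbidden, while normal pages still load.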

There are other ways to secure WordPress without a plugin too, such as using 2FA, limiting login attempts on your WP site, enabling reCAPTCHA, and using complex passwords. The methods I have described in detail above are the best and fastest ways to secure WP without a plugin.

If you are looking for a plugin-based solution, check out the 7 best WordPress security plugins, where I discuss the best security plugins.
