Wordpress Security


Hello friend,

What are your recommendations about keeping Wordpress and C-panel secure fully?

Greetings from Turkey :slight_smile:

Speed Up WordPress (Top 5 High Priority Tips)
  1. Use unique password everywhere. As possible as go for two factor authentication.

  2. Always keep backup so even if you get hacked, you will have chance of restoring.

  3. Don’t keep common username like admin, root, etc for the administrator

  4. Review your WordPress current users. Delete suspected users.

  5. Change wp-login.php path, additionally block wp-login.php common path via Firewall. Leave no chance to reach original login path.

  6. If you do not use WordPress App/JetPack, block xmlrpc.php, it’s also a way to remotely authenicate with username and password.

  7. Big no for using nulled theme or plugins. They lack timely updates and support. Of course, they comes with lucrative free tag, but hidden cost of getting site compromised

  8. If you are concerned about DDoS attack, keep WordPress behind a Web Firewall - Sucuri.

  9. Prevent leaking of real username of WordPress.

Someone is trying really hard to sneak into my admin dashboard
WordFence Security Plugin - Review
Common Mistakes of WordPress users

Thank you brother :slight_smile:

I will implement all of your recommendations.

I think, all of them are enough to keep my blog secure right? :slight_smile:


Following above techniques would ensure safety. However, when it comes to security, there is nothing complete than being updated with latest security news and best practices.

Updating WordPress, plugin, themes, etc are also very important. Developers work hard to fixes security issue. We should NOT ignore it.

You’re welcome!


How this is done sir?


Simple one step,

  • Go to phpMyAdmin MySQL manager > wp_users table > make changes as shared in the above screenshot.


Thanks for this sir…


How can we ensure Directory browsing is not possible by outsider?


Very simple.

  1. Please login to File Manager
  2. Go to public_html directory
  3. Make sure hidden file is also visible
  4. Create a .htaccess file with the following Apache rule.

Options -Indexes

Most good hosting does itself, because they value security. :slight_smile:

Anyone who is reading this for them…

How to check if your site is affected by open directory?

Type your site URL /wp-includes/

If it list any files, means you need to fix it.

Ideally, it should return error message 403.


Can we stop direct execution of php when wordpress is not loaded at all


now try to put any printing statement… it gets executed

lot of plugin have this to prevent direct access

// Exit if accessed directly
if( !defined( 'ABSPATH' ) ) exit;

Think of the case when plugin is badly coded and don’t have this line in each php file.


To learn more, here’s a valuable video at Lynda by Jeff Starr.

I found this resources on WordPress Security from FAQs section while I was looking for BBQ: Block Bad Queries plugin.


Hi bro :slight_smile:

I have already .htaccess file. How can I block the requests for wp-include folder, upload folder and wp-config.php file?

Thank you so much

# Disable directory browsing
Options -Indexes

# Protect wp-config.php file
<files wp-config.php>
order allow,deny
deny from all

# Protect wp-includes folder
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]


I have made all of your recommendations above without firewall. (leaking of real username of Wordpress, 2FA, backing up, blocking xmlrpc.php, changing wp-login path, hard username and password, using theme from Themeforest not nulled.)

And also I have blocked requests for wp-includes folder and wp-config.php file via .htaccess

Thank you so much bro. I’m learning Wordpress thanks to you. :slight_smile:


Did you try BBQ plugin? Is it working well?

EDIT: I asked that because when I check gulshankumar.net’s HTTP headers via https://securityheaders.com, your server is blocking the tool’s bot. How do you block that? @GulshanKumar


Im using wps plugin for changing admin link what about that?


Not yet!


It’s a good plugin. But I prefer simply hiding username first. For example, at my blog you may see everywhere author name “anonymous” but that is not actual username. It’s different which is not visible anywhere in the HTML source code, but remains inside database. I have written above steps for it.


So How do you block these types of bots?


I use UFW firewall at Server and nothing else. :slight_smile: