Skip to main content

Tips to Install a Secure WordPress

All of us know that WordPress is the most common CMS and it is the easiest one ever, Now I will put here some tips to install a secure WordPress

  1. Install WordPress CMS platform Here is the link 
  2. Install these common and important Plugins
    5. for Pixel ID
    6. Google Analytics
    7. Caching :
    8. SEO:
    9. Duplicate Posts :
    10. for SMTP setting :

the Above plugins are the most important plugin you might use

Now the next step is to make your website secure as much as possible,


Some important tips

Hide Wordpress version

By default WordPress uses the Generator meta tag in the website’s html <head> section to disclose the version number, as seen in the below example:

<meta name="generator" content="WordPress 4.5.0" />

add this code to remove the version from the website and from the rss


remove_action('wp_head', 'wp_generator');

function remove_wp_version_rss() {



Hide All Meta Generators


//Remove All Meta Generators
function remove_meta_generators($html) {
    $pattern = '/<meta name(.*)=(.*)"generator"(.*)>/i';
    $html = preg_replace($pattern, '', $html);
    return $html;
function clean_meta_generators($html) {
add_action('get_header', 'clean_meta_generators', 100);
add_action('wp_footer', function(){ ob_end_flush(); }, 100);



Disallow file editing

If a user has admin access to your WordPress dashboard they can edit any files that are part of your WordPress installation. This includes all plugins and themes.

If you disallow file editing, no one will be able to modify any of the files – even if a hacker obtains admin access to your WordPress dashboard.

To make this work, add the following to the wp-config.php file (at very end of the file):

define('DISALLOW_FILE_EDIT', true);


 Disable directory listing with .htaccess

If you create a new directory as part of your website and do not put an index.html file in it, you may be surprised to find that your visitors can get a full directory listing of everything that’s in that directory.

For example, if you create a directory called “data”, you can see everything in that directory simply by typing in your browser. No password or anything is needed.

You can prevent this by adding the following line of code in your .htaccess file:

Options All -Indexes


How to Disable WP-Cron

To disable WP-Cron, add the following to your wp-config.php file, just before the line that says “That’s all, stop editing! Happy blogging.” Note: This disables it from running on page load, not when you call it directly via wp-cron.php.

define('DISABLE_WP_CRON', true);



Hide author page 

function redirect_to_home_if_author_parameter() {

	$is_author_set = get_query_var( 'author', '' );
	if ( $is_author_set != '' && !is_admin()) {
		wp_redirect( home_url(), 301 );
add_action( 'template_redirect', 'redirect_to_home_if_author_parameter' );


using htaccess

RewriteEngine On
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]


To remove the version number from scripts and styles:


function remove_version_from_style_js( $src ) {
if ( strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) )
$src = remove_query_arg( 'ver', $src );
return $src;
add_filter( 'style_loader_src', 'remove_version_from_style_js',9999);
add_filter( 'script_loader_src', 'remove_version_from_style_js',9999);


List of the directory to check in WordPress 









    Prevent SQL Injections And URL Hacking


    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^(.*)$ - [F,L]
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\:  [NC,OR]
    RewriteCond %{QUERY_STRING} http\:  [NC,OR]
    RewriteCond %{QUERY_STRING} https\:  [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
    RewriteCond %{HTTP_COOKIE} !^.*WordPress_logged_in_.*$
    RewriteRule ^(.*)$ - [F,L]


    Deny Access To Sensitive Files in WordPress

    Options All -Indexes
    <files .htaccess>
    Order allow,deny
    Deny from all
    <files readme.html>
    Order allow,deny
    Deny from all
    <files license.txt>
    Order allow,deny
    Deny from all
    <files install.php>
    Order allow,deny
    Deny from all
    <files wp-config.php>
    Order allow,deny
    Deny from all
    <files error_log>
    Order allow,deny
    Deny from all
    <files fantastico_fileslist.txt>
    Order allow,deny
    Deny from all
    <files fantversion.php>
    Order allow,deny
    Deny from all