As of 2021, more than 43% of websites are created using WordPress for 4 reasons. Reliability, security, regular updates, ease of use, and ease of use. However, most DevOps experts will state a different opinion that securing a WordPress website is a daunting task.
Generally, using plugins is the best way to secure a website besides giving added functionalities. However, using plugins make a site heavy and vulnerable at the same time. So, what if you could use 17 working tips to know how to secure a WordPress site without a plugin?
In this article, we will discuss some of the best tips to secure a website without using plugins. By the end, you will know precisely how to secure a WordPress site without a plugin.
Let’s begin.
Advantages of Securing WordPress Sites Without Plugins
The advantages of securing a WordPress site without using plugins are simple yet bring an outstandingly noticeable difference.
First, you need not think about updating any plugins frequently without using plugins. Not updating plugins removes the need for other dependencies.
Second, avoiding plugins eliminates any chance of leaving vulnerable ends on the website. Nowadays, most feature-enriched plugins perform multiple API calls from other websites to show price comparison charts, discounts, etc. Avoiding such plugins helps to protect your website from unwanted access.
Third, we all know that a lightweight website does wonders on Google SERP. If you manage to secure a website without using plugins, you can comfortably score more than 90 on Google Page Speed Rank. Of course, it will increase your ranking faster, and it will also create a load super quickly on the user’s end.
Steps of securing WordPress site without plugins
1| Avoid Using The Default Admin Username Provided By WordPress
The most common yet trivial mistake people make as a website owner is to use the default credentials given by the WordPress administrator account. The default password may be strong, but it leaves your site open for brute force attacks. For example – using passwords such as – “admin”, “test”, or “administrator” makes it very easy to gain access to your WP-Admin dashboard.

Alternate Solution
If you cannot change the default WP-Admin credentials, it’s better to create a new WordPress admin account under a separate username. Here’s how to do it:
- Go to your WP dashboard and choose Users > Add New
- Create a new user and assign a different username and password
- Set the Role as Administrator from the dropdown
- Confirm with Add New User
2| Enable SSL/HTTPS
Enabling a Secure Socket Layer (SSL) is crucial for maintaining a secure data exchange between the website and its users. A website without SSL is easy to identify since it runs on the HTTP protocol. However, installing an SSL will change the security layer to the HTTPS protocol.

To install the SSL, go to Settings > General. Then, go to Site Address (URL), give it a new name and save the new settings.

Ensuring a valid SSL Certificate is essential as the data exchange is required during login, making purchases, etc. Additionally, it also increases the impression and ranking of the site on Google SERP.
Most hosting providers offer an SSL certificate for free with the hosting plan. So, if you’ve already purchased a hosting plan, you have already received a valid SSL without paying extra money.
3| Change The Default WordPress Login URL
Most hackers target the default WordPress login page as the first step to gaining access to your site. The second step is to attempt a brute force attack on it. So, how should you change the default WordPress Login Page URL?

All WordPress login page is located on a URL like this – yourdomain.com/wp-admin. And here’s how to change it:
#Pro-Tip
Change the WP Admin login page URL to something that is easy to remember yet is unpredictable. For example – if your site is best-ukeles.com/wp-admin, you can change it to something like this best-ukeles.com/surf-buddy-home.
Alternately, you can move the login page into a separate folder so the URL becomes totally unpredictable. For example – cooldronereviews.com/bumblebee/drone-access
4| High-Level Users Should Utilize Strong Passwords
Weak passwords are the entry point of an unprecedented attack. However, as general users, we can prevent such incidents by setting up a strong password. You can create a strong password by going through the NIST Password Guideline.
It’s better to use a strong password to secure all things that link with your website which are – your admin account, email address, stripe/PayPal account, hosting account, WP admin, WP database, and everything else.
Alternate Solution
Long passwords with a good mixture of space, dots, and special characters are considered safe. Alternately you can write a 5-6 word rhyme using spaces and different combinations of letters. For example – apple and waffle goes well with bagels. To show you that it really works, here is a little test result that might surprise you:
5| Get Rid Of Unnecessary Themes And Plugins
Removing unnecessary themes and plugins from your website is like cutting out excess fat from the body. It makes the website more lightweight just like your body. Additionally, it also loads faster.

Besides, keeping unused plugins can do more harm than good. If not maintained regularly, plugins and themes increase the risk of a potential cyber attack. If you want to remove unused plugins, here’s how to do it:
- Go to Plugins > Installed Plugins
- Select the checkbox to the left of the plugin name
- Click the Delete from under the name
- A follow-up window should appear with the plugin details. Click Delete
6| Don’t Use Nulled Themes
Nulled themes are used to refer to premium themes that have already been hacked or exploited multiple times. It may contain injected code that may tamper with user data, collect sensitive information, etc.
Nulled themes are distributed via third parties through Facebook and Telegram groups. Moreover, some of these distributors are actual hackers. It’s better to steer clear of using such themes that you cannot control, cannot update, and certainly know what codes are hidden in them.
7| Perform Updates Regularly
Regularly updating your WordPress Version is one of the best ways to stay secure. However, to improve WordPress security even further, you can update manually from the admin dashboard.
But to make your life easier, enable auto-updates to ease your workload. But, sometimes auto-updates can be incompatible with other plugins and break some parts of the website. So, it is essential to back up the site regularly.

- Go to Dashboard > Updates and check for updates manually
- Scroll to Plugins and Themes and check for updates
- Click Update Plugins if an update is available.
8| Disable File Editing
Disallowing file editing privilege is important to save your site from being destroyed even if it falls in the wrong hands. Here’s how you can disable file editing from the WordPress admin dashboard:

- Go to File Manager > Public_html > wp-config.php and open the file in a text editor like Notepad, Notepad++, VSCode, Sublime Text, etc.
- Write the following code in the editor
define ( 'FORCE_SSL_ADMIN', true );
9| Disable Your Plugin And Theme Modifications
By default, WordPress allows a website admin to edit and customize its themes. But, disabling plugins and theme modification allows the user only to manipulate them. Here is how to disable plugins and theme modification.
- Go to File Manager > Public_html > wp-config.php and open the file
- Write the following code in the editor. There are 2 commands to do this. You can choose either one but not both.
define ( 'DISALLOW_FILE_EDIT', true );
Or
define ( 'DISALLOW_FILE_MODS', true );
3. Save the wp-config.php file
If you want to keep updating your themes and plugins as an admin but stop external tampering, then use DISALLOW_FILE_EDIT.

Alternately, if you want to completely disable plugins and theme updates along with the background updates, use DISALLOW_FILE_MODS. If you use this code, then you need to update it manually each time from the FTP/SFTP.
10| Do Not Allow Unfiltered HTML
Restricting access to unfiltered HTML is important to notice if someone tries to tamper with your website. This is because WordPress allows the site admin to edit the HTML and JavaScript codes in each page, post, widget, and comment. So, if someone has gained access already, you can see what damage has been done to your site.

Here is how you can prevent hackers from posting on your site. Just write this code in the wp-config.php file and save yourself from unnecessary trouble.
define ( 'DISALLOW_UNFILTERED_HTML', true );
11| Deny Access To Your Wp-Config File & .htaccess File
The wp-config and the .htaccess files are two of the most crucial files on your website that gives all kinds of permission and imposes restrictions. Here is how you can stop external parties from getting access to your wp-config file:

- Open the .htaccess file on your website folder
- 2. Paste the following code in the editor
<files wp-config.php>
order allow,deny
deny from all
</files>
3. And to save access to all your .htaccess files, paste this code below:
<Files ~ “^.*\.([Hh][Tt][Aa])”>
Order Allow,Deny
Deny from all
Satisfy all
</Files>
12| Limit Login Attempts
WordPress offers unlimited login attempts to the site owners to access the site. But unfortunately, that privilege will definitely be misused if it falls in the wrong hands. So, a good way to secure your site is to limit the number of attempts per IP address. Alternately, a log is maintained to check the hacker’s IP and location.

Pro-Tip
- Find the functions.php file from the File Director > Public_html directory
- Open functions.php
- Paste this code to limit login attempts
function check_attempted_login( $user, $username, $password ) {
if ( get_transient( 'attempted_login' ) ) {
$datas = get_transient( 'attempted_login' );
if ( $datas['tried'] >= 3 ) {
$until = get_option( '_transient_timeout_' . 'attempted_login' );
$time = time_to_go( $until );
return new WP_Error( 'too_many_tried', sprintf( __( 'ERROR: You have reached authentication limit, you will be able to try again in %1$s.' ) , $time ) );
}
}
return $user;
}
add_filter( 'authenticate', 'check_attempted_login', 30, 3 );
function login_failed( $username ) {
if ( get_transient( 'attempted_login' ) ) {
$datas = get_transient( 'attempted_login' );
$datas['tried']++;
if ( $datas['tried'] <= 3 )
set_transient( 'attempted_login', $datas , 300 );
} else {
$datas = array(
'tried' => 1
);
set_transient( 'attempted_login', $datas , 300 );
}
}
add_action( 'wp_login_failed', 'login_failed', 10, 1 );
function time_to_go($timestamp)
{
// converting the mysql timestamp to php time
$periods = array(
"second",
"minute",
"hour",
"day",
"week",
"month",
"year"
);
$lengths = array(
"60",
"60",
"24",
"7",
"4.35",
"12"
);
$current_timestamp = time();
$difference = abs($current_timestamp - $timestamp);
for ($i = 0; $difference >= $lengths[$i] && $i < count($lengths) - 1; $i ++) {
$difference /= $lengths[$i];
}
$difference = round($difference);
if (isset($difference)) {
if ($difference != 1)
$periods[$i] .= "s";
$output = "$difference $periods[$i]";
return $output;
}
}
13| Disable Directory Browsing

Disabling directory listing is essential to further secure your site. Use the code below on your .htaccesss file for added security.
Options -Indexes
14| DDoS Protection (Cloudflare)
DDoS attacks are one of the most challenging attacks. But a few basic measures can ensure the stability of your WordPress sites and prevent them from DDoS attacks. Here are some steps you can take:
Disabling XML RPC
Paste the following code into your .htaccess file.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Activating WAF (Website Application Firewall)
Disabling REST API and XML RPC is an excellent way to tackle small DDoS attacks. But, to fend off large scale attacks, it is essential to activate the WAF and block suspicious requests. The WAF acts as a proxy between your website and the traffic and uses an intelligent algorithm to sort out the malicious requests and filter them.
15| Add Security Questions To WordPress Login
Ensuring further protection on your website is essential if the hacker has gained access to your website using brute force. So, adding security questions and 2FA is a crucial decision to prevent the hacker from causing further damage.
16| Backup Your Site Regularly

17| Use A Reliable & Secure Hosting Company
Ensuring further protection on your website is essential if the hacker has gained access to your website using brute force. So, adding security questions and 2FA is a crucial decision to prevent the hacker from causing further damage.
Frequently Asked Questions (FAQ)
Losing site access, losing control of the database, accessing financial transactions, etc. – are some of the many consequences you can face if your site is not secure enough.
Securing a WordPress site is possible without using security plugins. Even though you can fend off the most common attacks without using plugins, you definitely cannot fend off DDoS or other sophisticated attacks. Using a few plugins like – 2 Factor Authentication, Website Application Firewall, etc.
Some of the common WordPress security risks include brute force attacks, cross-site scripting (XSS) attacks, SQL injections, Malware injections, Exploits, DDoS attacks, etc. Over 15 million users search for WordPress security to eliminate these issues.
Final Words
At the core of WordPress website management is its security issues. So, knowing how to secure a WordPress site without a plugin is an excellent way to ensure that your site is good to fend off most attacks on its own. Above all, these tips should help you know about the bare minimum security required to secure your site from unwanted access before deciding whether to use plugins on your website.