8 More Great Free Ways To Secure WordPress Websites

Updated on By

In one of the previous articles we brought you 10 great free ways to protect your WordPress websites. We have listed the best ways to prevent attackers from trying to harm or take control of your website. Considering that we constantly have to work on bolstering the security of our websites, in today’s articles we bring you another 8 great free ways to secure WordPress websites.

1. Enable URL Lockdown

This is a great way to disable access to an entire website or just a URL. As you can guess, we want to block access to our wp-admin URL – we block access to the login page.

To accomplish this task you will need to use one of the popular firewall services such as Cloudflare. Within that service you can specify a specific IP range that can access the specified URL on your website. Any other IP address will be blocked and unable to access.

It is important to note that you can block access by country or related to the visitor’s geographic location.

If you don’t want to spend money on popular services like Cloudflare or Sucuri, then you can restrict access to wp-login.php by adding a rule to your .htaccess file. This way you can allow access to the login page from only one IP address.

8 Great Free Ways To Secure WordPress Websites

As you can see in the image above, access to all other IP addresses is prohibited except for the ones I have listed and which are hidden for obvious reasons.

If you are going to implement this protection, don’t forget to backup the .htaccess file because even the smallest error can bring your website into a non-functional state.

2.Delete themes and plugins that are not in use

Yes, you read that right. Even products you don’t use can be helpful to attackers and threaten your website. Even if you don’t use them these files are still on your server and may contain bugs that hackers will use to gain access.

That is why it is very important that you regularly delete themes and plugins that are not in use.

Open your admin dashboard, click on “Plugins” and delete all those that are not in use. It is important to note that you must deactivate each plugin before deleting it.

The same applies to themes, when you open “Themes” click on “Details” and then on “Delete” to leave only the currently used theme.

Besides having a large number of plugins is a security issue, this will also slow down your website so you should delete them to free up your server’s resources.

If you have installed a very large number of plugins, whether for production or for testing purposes, and you don’t have time to delete them one by one, you can always install a plugin for bulk uninstall. You have many quality and free ones inside the WordPress repository.

3.Monitor your users

If you have many users accessing your website such as administrators and authors then it would be best to monitor their activity. This is especially important for website owners who have not clearly defined user roles and disabled certain users from doing some actions such as plugin or theme configuration.

One of the best ways to monitor user activity is to install a plugin called WP Activity Log. You can find this excellent plugin in the WordPress repository, it monitors changes on your website including changes on posts, themes, plugins and pages. Absolutely all changes such as deleting files, adding new files or modifying existing ones will be recorded.

This plugin has an excellent dashboard that will provide information in real time about who made a change to the website files or if an unauthorized person gained access to your website. In addition to tracking changes to WordPress files, you will also receive information about changes to the user account such as password and email change, display name, role changes, users activity such as login, logout, failed logins. There is also a commercial version that is much more powerful and provides the ability to monitor more things.

4.Turn Off file editing

Every attack on the website happens in the way that hackers write certain content inside our WordPress files. This is especially pronounced if someone gains access to your website using an administrator account. Within WordPress, there is a file editor that can be used to edit any file very easily. To prevent the content of your WordPress files from being changed, you will need to edit the wp-config.php file.

Open the wp-config.php file located in the root of your WordPress installation and add the code from the image:

8 More Great Free Ways To Secure WordPress Websites

In this way you have prevented files from being edited. If you don’t want to manually enter the code or edit the wp-config.php file, then you can install one of the free plugins for this purpose.

5.Change DB prefix

When you install WordPress, you have the option to choose a database prefix, and the default is “wp_.” You should never have a default database prefix because attackers know and use this information to locate files and perform SQL injection attacks.

Therefore, it is best to use a combination of letters and numbers as a database prefix, for example “my12_db3_.”

Changing the database prefix is ​​a very easy task if you have just started installing a WordPress website, however if you have a website that is in production then you have to be very careful.

There are two ways to change database prefix. The first and much more difficult way is to manually change the database prefix within your phpMyAdmin panel, and then execute a SQL query so that the new prefix is ​​replicated to all database entries.

If you are not experienced in working with databases, we advise you not to do this task on your own.

Another and much simpler way is to install some of the plugins for this purpose. One of the best is Brozme DB Prefix & Tools Addons plugin which will complete this task in just a few clicks.

This plugin does not have any configuration options. All you have to do is enter the new DB prefix and click the button, everything else will be completed in a few minutes.

It is very important that you make a backup of the complete database before this change, because you never know what could go wrong.

6.Frequent password changes

This is a task that you would have to implement on your WordPress sites. Regardless of whether your users are administrators or regular users you must force them to change their password after a certain time.

One of the good plugins for this purpose is the WP Force Password WordPress plugin.

8 More Great Free Ways To Secure WordPress Websites

You can set password reset days and choose which user roles must change their password in a certain period of time.

This is a great plugin that does not have many options for configuration, and you can set it to add password reset days, select user roles that must change the password, you can enable or disable changing the password for any user individually, you can send a reminder via e-mail to each user that the password should be changed. Since it is a free plugin you should give it a try.

7.Scan WordPress files periodically

One of the very important things that very few administrators do is scanning WordPress files for malware and malicious code. Although many good hosting providers offer a scan of your website for free, it is necessary to run a scan from time to time to make sure that our files are in order and that there is no code that could damage the operation of our websites.

One of the best plugins for this purpose is Jetpack Protect by Automattic.

This excellent plugin will scan the entire website for vulnerabilities and inform you immediately.

It works in such a way that it scans your WordPress website every day and reports to you which WordPress version is installed and whether it has any vulnerabilities, it reports on plugins and their vulnerabilities, also scans themes and reports if they have any vulnerabilities. This is an excellent plugin that is also suitable for absolute beginners. No configuration is required other than installation and activation. You will find that the Wordfence plugin also has a great scanner tool for alerting you if anything is suspicious with your WordPress website.

8.Strong database password

Using a strong database password is very important. If you left the default database password that was offered to you during the installation of WordPress CMS, then you should not have any problems. It is a random password that is long enough and is a combination of numbers, letters and special characters.

This password is impossible to guess. However, if you entered the database password arbitrarily and did not make sure that it was strong, then you must act. There are several ways to change the password, and we will list the easiest one.

If your hosting has cPanel, log in and select phpMyAdmin. Click on your database and change the database password. However, after that the website will not be functional yet. You must go to the root of your website, edit the wp-config.php file and enter a new password inside it.

After you have entered the new password in wp-config.php, the “error establishing database connection” error will no longer appear and your website will be operational.


Although WordPress is a very secure CMS, there is always a way to increase the level of security to further protect your WordPress website. In this article we have described another 8 great free ways to secure your website. We hope you find these tips useful and that you will successfully defend yourself against potential attacks.

See another 10 Great Free Ways To Secure WordPress Websites


Share This Post:
Disclosure: This page contains external affiliate links that may result in us receiving a commission if you choose to purchase mentioned product. The opinions on this page are our own and we don't receive additional bonus for positive reviews.