Last updated on November 30, 2018 by J M Mubasshir Rahman

10 WordPress Security Tips for DIY Users

WordPress security tips for DIY users

In my previous post we shown a comparison of security plugins. I am trying to post everything for DIY user of wordpress. So that you can learn wordpress security and you don’t need to hire a wordpress security expert and save your money. With that phase today we will discuss about 10 WordPress Security Tips for DIY users. So lets get started.

Top 10 WordPress Security Tips for DIY users:

  • Change the Default “admin” username
  • Disable File Editing
  • Disable PHP File Execution
  • Limit Login Attempts
  • Change WordPress Database Prefix
  • Password Protect WP-Admin and Login
  • Disable Directory Indexing and Browsing
  • Disable XML-RPC in WordPress
  • Automatically log out Idle Users
  • Add Security Questions to WordPress Login

Change the Default “admin” username

Once upon a time every webmaster used “admin” username for their dashboard. So it is easy to guess the username for a malicious hacker and harm your website. So, you need to change your default “admin” username. There is 3 ways to change WordPress Admin Username

  • Manually change the default admin username in WordPress
  • Via Plugin
  • Using PHPmyAdmin

Manually change the default admin username in WordPress

This a very easy and effective method to change username in wordpress. To complete this method follow these steps:

  • Log into your Dashboard. On the left-hand menu, hover to Users and choose Add New.

Add new users

  • Fill in all required information. You should give it a harder-to-remember username (that’s our purpose). In the Role drop-down menu, choose Administrator so that this new user has the right as an admin. Then hit Add New User.

Save new user

  • Hover to the top right of the page to log out.

Log out of admin account

  • Now log in again to your Dashboard but by new user account.

Log in with new user account

  • Choose to view All Users in Users section. Hover to the default admin and click on Delete.

Delete the default admin

  • To save all the contents you have previously created with the old admin account, tick on Attribute all content to. And from the drop-down menu choose the new admin username.Finally, Confirm Deletion.

Confirm the deletion

Disable File Editing in WordPress

WordPress has a default theme and plugin editor within it’s dashboard. If it is in wrong hand it could be dangerous. So you need to disable this feature of wordpress. To do this:

  • Open up your wp-config.php file in a text editor.
  • Anywhere above the line in that add the line

define( 'DISALLOW_FILE_EDIT', true );

  • Save the file.Check your WordPress dashboard, you should no longer see (even on an Administrator account), the links at “Appearance > Editor” and “Plugins > Editor”.

Limit Login Attempts on WordPress

If you do not enable this your website can be hacked by brute force method. So you need to Limit Login Attempts on WordPress. There is several plugins what does this. You can find Best WordPress Security Plugins in this article.

Change WordPress Database Prefix

As you already know wordpress is a very secured and flexible content management system. Though you need a hard security for your website. So that no hacker can bypass your security. WordPress default table prefix is: “WP_” what is common. So you need to change this. There is two method for changing this:



  • Open your wp-config.php.
  • find $table_prefix = ‘wp_’;.
  • And replace the “wp_” with your own prefix. Such as: “wp1234_”.
  • Hit save and continue to install


Before you begin Create a backup of your wordpress website. Now proceed:

  • Open your wp-config.php.
  • find $table_prefix = ‘wp_’;.
  • And replace the “wp_” with your own prefix. Such as: “wp1234_”.
  • Hit save
  • Open phpMyAdmin and select your desired Database.
  • Now one way to do that is to rename each table manually.
  • To make things faster, here’s a list of SQL commands that you can run to rename all 12 of the default WordPress tables:
RENAME table `wp_commentmeta` TO `wp_ a1b2c3d4_commentmeta`;
RENAME table `wp_comments` TO `wp_ a1b2c3d4_comments`;
RENAME table `wp_links` TO `wp_ a1b2c3d4_links`;
RENAME table `wp_options` TO `wp_ a1b2c3d4_options`;
RENAME table `wp_postmeta` TO `wp_ a1b2c3d4_postmeta`;
RENAME table `wp_posts` TO `wp_ a1b2c3d4_posts`;
RENAME table `wp_terms` TO `wp_ a1b2c3d4_terms`;
RENAME table `wp_termmeta` TO `wp_ a1b2c3d4_termmeta`;
RENAME table `wp_term_relationships` TO `wp_ a1b2c3d4_term_relationships`;
RENAME table `wp_term_taxonomy` TO `wp_ a1b2c3d4_term_taxonomy`;
RENAME table `wp_usermeta` TO `wp_ a1b2c3d4_usermeta`;
RENAME table `wp_users` TO `wp_ a1b2c3d4_users`;
SELECT * FROM `wp_ a1b2c3d4_options` WHERE `option_name` LIKE '%wp_%'
SELECT * FROM `wp_ a1b2c3d4_usermeta` WHERE `meta_key` LIKE ‘%wp_%’

This will change prefix of your website.

Password Protect Your WordPress Admin (wp-admin) Directory

This can be done in two methods. Such as:

  • Direct From Cpanel
  • Manually with help of .htaccess

Create A Password Protected Directory Directly From cPanel

  • Login to your cpanel
  • Navigate to security section
  • Click on Directory Password.
  • Type your password and save.

Create A Password Protected Directory – cPanel

Create A Password Protected Directory Manually

  • Login to cpanel or ftp
  • Create a file with dot (.) such as: “.wpadmin”.

Create .wpadmin file in cpanel

This will create file under /home/<username>/public_html/wp-admin/.wpadmin location.

  • Go to link.
  • Enter Username and Password
  • You will see username and password combination like this: wperrfix:$apr1$QX7hS6Zh$otGcsnk/LnjvzK3SGWnaC1

password protect wordpress login and admin page

  • Now open .wpadmin and paste the username and password combination.
  • Now create a .htaccess file in wp-admin directory. And paste these lines in the .htaccess:
ErrorDocument 401 “Sorry. Unauthorized Access. You are not allowed to access /wp-admin/ page.”
ErrorDocument 403 “Forbidden”
<FilesMatch “wp-login.php”>
AuthName “Authorized Only”
AuthType Basic
AuthUserFile /home/username/public_html/wp-admin/.wpadmin
require validuser
And that’s it.

Disable Directory Indexing and Browsing

Some WordPress folders like wp-content or wp-includes contain sensitive data. As you know, the wp-content folder contains your themes, plugins and media uploads. Anyone can simply surf through those media files and hackers can find potential exploits. So that's why you need to disable directory indexing and Browsing. To do this:
  • Open your .htaccess and Paste the line:
Options All -Indexes

Disable XML-RPC in WordPress

The XMLRPC allows remote connection to WordPress. So you need the xml-rpc for your wordpress website for so many advance works. But if you don’t need this you need to disable this. This can be done using a plugin or manually using .htaccess. I am showing you the .htaccess method. Cause it is manual and it is effective. You can find so many plugins but you won’t find .htaccess method. To do this add these lines into your .htaccess:

# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from

Automatically log out Idle Users In WordPress

You need to log out automatically idle users. Otherwise malicious users can use session hijacking and hack your website. To do this you need to add a plugin idle users logout plugin or you can use any of the best wordpress security plugins.

Add Security Questions to WordPress Login

  • Install a plugin WP Security Question .
  • Navigate to Settings » Security Questions
  • Type your security questions and done.

securityquestions 2

  • Check your wp-login.php page

Login Question


This was a very long post. With this post you will understand and learn a lot of things about wordpress security. This will help if you are newbie to wordpress security or if you are a DIY(Do It Yourself) user. If you are not DIY user you can simply use our contact us  and message us if you need any wordpress maintenance service or wordpress security service.

Keep Learning