WordPress security plugins and tricks

WordPress is one of the most secure content management systems, but it becomes vulnerable when webmasters start installing plugins that have security holes.

In this article, we are going to show you how you can shield your WordPress.

We are going to show you two ways to do it:

  • In a manual way, only recommended for more advanced users.
  • With a single plugin, a more advanced option, but one that consumes more resources and space.

Before going into these two different ways to protect WordPress, we are going to give you some basic tips that any user should follow to avoid being cannon fodder for hackers.

Basic security recommendations for WordPress

1) Delete the admin user that has identifier number 1

If you have not understood this point, do not worry, we will explain it to you.

One of the worst security mistakes that a person who has a WordPress can make is to use the name “Admin” as a username.

If in the WordPress installer you put “Admin” as the username, the identifier (id) number 1 will be assigned by default.

If your id=1 is Admin, hackers can get into your WordPress “easily”.

Our recommendation: enter the username “Admin” in the WordPress installer so that it is the one assigned id=1. Then, once inside the WordPress dashboard, create a new user that will be the definitive one.

We recommend a compound name, for example: Marta Casas. Next, grant that user admin permissions.

Then you log out and re-enter your WordPress, but this time with your new username (Marta Casas). Next, you go to the “Users” section of your WordPress and delete the Admin user.

With just this simple action, your WordPress is much less vulnerable than the rest of the websites you can see on the Internet.

You will have a compound username with an identifier that is not the number 1.

2) Make a strong password for your WordPress user.

A strong password is:

  • Long.
  • Includes letters and numbers.
  • Includes special characters.

The WordPress password generator itself provides very strong passwords. You can generate one, write it down and save the changes.


WordPress security tips for advanced users

Working on WordPress security begins even before installing the files of this CMS (content management system).

1) Customize the wp-config.php file

WordPress has many files that are necessary for the proper functioning of a website. One of these files is wp-config.php, one of the most important to configure so that everything works well.

This file contains the password and the other settings needed to connect to the database. It also has certain security settings that we can edit to make our WordPress more secure.

Javier Casares is an expert WordPress system administrator, creator of the website.

His website offers a wp-config.php template that contains everything necessary to make our WordPress more secure and lighter in its use of resources.

You just have to copy it over the one that comes by default in the WordPress installation. The only things you have to customize are the name, username and password of the database.

Every time you reload his website, a different wp-config is generated that incorporates, among other things:

– A custom Database table prefix.

In WordPress, all database table prefixes start with “wp_” by default, and hackers know that.

In your wp-config that prefix is, for example, ‘wp0muul6_’. Obviously it is not always the same: every time you reload his website, it gives you a different prefix.

– Long security keys.

WordPress has a security system called SALT.

These are random values that WordPress uses to secure sensitive credentials, such as the data needed to keep your session logged in.

By default, wp-config.php always carries the phrase “put your random phrase here” in the SALTs.

The problem is that 98% of people do not modify that sentence.

The wp-config generated by Javier Casares’ website offers you a long string of numbers and characters in those SALTs.

– Disables automatic WordPress Core updates.

Large WordPress updates are always delicate because they can generate incompatibilities with any plugin that we have installed.

It’s best to do those updates by hand, i.e. click the update button ourselves when we are in the dashboard.

2) Disable xmlrpc.php

Many hackers have used this WordPress file to break into the installation and modify files at will.

This file exposes an API that connects your WordPress to other applications. It is rarely used beyond receiving pingbacks and trackbacks, i.e. the notifications you get when someone links to one of your posts.

However, it is a malware gateway and the cause of many DDoS attacks that slow down your WordPress. It’s not worth keeping active.

To deactivate it, rename it in the WordPress file system. We can reach the files installed on our hosting with FileZilla, an FTP client.


In this case, what we have done is add the number 1 to the file name. That alone deactivates it, but it is not enough.

Next, we have to edit the wp-config.php file (we already told you that this file was very important) and add the following code at the end of it:

add_filter( 'xmlrpc_enabled', '__return_false' );

To finish, we must make a modification in the functions.php file and add the following code at the end of it:

add_filter( 'xmlrpc_methods', function( $methods ) {
    // Drop the method that receives pingbacks so the endpoint no longer accepts them.
    unset( $methods['pingback.ping'] );
    return $methods;
} );

Remember to make a backup of your WordPress before editing these files.
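As an added check that is not part of the original article (nor of Javier Casares’ generator), the script below audits a wp-config.php for the weak defaults covered in the wp-config and xmlrpc.php sections above: the default “wp_” prefix, placeholder or short SALTs, automatic core updates left on, and a missing xmlrpc_enabled filter. The constants WP_AUTO_UPDATE_CORE and AUTOMATIC_UPDATER_DISABLED are standard WordPress settings not named in the article; the 32-character minimum and the two sample files are assumptions.

```python
import re

# The eight secret constants WordPress keeps in wp-config.php (the "SALTs").
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
MIN_SALT_LEN = 32  # assumed threshold; the WordPress generator emits 64-character values

def _defines(text):
    """Map CONSTANT -> value for every define('X', 'str'|true|false) in the file text."""
    pattern = r"define\(\s*['\"](\w+)['\"]\s*,\s*(?:['\"]([^'\"]*)['\"]|(true|false))\s*\)"
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in re.finditer(pattern, text)}

def audit_wp_config(text):
    """Return the list of weak defaults found in a wp-config.php; empty means none."""
    findings, defs = [], _defines(text)
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", text)
    if (m.group(1) if m else "wp_") == "wp_":
        findings.append("table prefix is the default 'wp_'")
    for key in SALT_KEYS:
        val = defs.get(key)
        if val is None or re.fullmatch(r"put your \w+ phrase here", val):
            findings.append(f"{key} is missing or still the placeholder")
        elif len(val) < MIN_SALT_LEN:
            findings.append(f"{key} is shorter than {MIN_SALT_LEN} characters")
    # Either standard constant switches off automatic core updates.
    if defs.get("WP_AUTO_UPDATE_CORE") != "false" and defs.get("AUTOMATIC_UPDATER_DISABLED") != "true":
        findings.append("automatic core updates are not disabled")
    if not re.search(r"add_filter\(\s*['\"]xmlrpc_enabled['\"]\s*,\s*['\"]__return_false['\"]", text):
        findings.append("xmlrpc_enabled filter not set to __return_false")
    return findings

# Constructed stock-style wp-config.php (not from any real site): every weakness present.
STOCK = "<?php\n" + "".join(
    f"define( '{k}', 'put your random phrase here' );\n" for k in SALT_KEYS
) + "$table_prefix = 'wp_';\nrequire_once ABSPATH . 'wp-settings.php';\n"
# Constructed hardened file: 64-character stand-in salts (a real file would use the
# generator's random values), custom prefix, updates off, XML-RPC filter added.
HARDENED = "<?php\n" + "".join(
    f"define( '{k}', '{k[:2].lower() * 32}' );\n" for k in SALT_KEYS
) + ("define( 'WP_AUTO_UPDATE_CORE', false );\n"
     "$table_prefix = 'wp0muul6_';\n"
     "require_once ABSPATH . 'wp-settings.php';\n"
     "add_filter( 'xmlrpc_enabled', '__return_false' );\n")

if __name__ == "__main__":
    for name, cfg in (("stock", STOCK), ("hardened", HARDENED)):
        print(name, audit_wp_config(cfg) or "no findings")
```

Point it at a real file with `audit_wp_config(open("wp-config.php").read())`; an empty list means none of the four weaknesses discussed above were found.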

3) Change the default settings in WordPress comments.

Now that we have disabled pingbacks and trackbacks, there is no point in keeping them active in our WordPress comment settings, so let’s disable them there too.


Additional security plugins to these manual configurations

Having made these manual configurations, we would only need to add two very simple and lightweight plugins to finish shielding our WordPress:

Plugin Limit Login Attempts Reloaded

You can download this plugin here. What it does is limit the number of login attempts to our WordPress to protect us from brute force attacks.

One of the most common attacks on WordPress is trying to access the administrator by guessing the password.

Thousands of requests are made to the database because thousands of password combinations are being checked, which slows down our WordPress.

Plugin WPS Hide Login

You can download it here. This plugin allows you to customize the access url to our WordPress, which by default is

Once installed, you can go to “Settings” – “Permalinks” and set whatever path you want.

It is better that the path consists of two words to strengthen security.

Install the best security plugin for non-advanced users


For those users who are not able to carry out all the actions that we have mentioned above, there is a plugin called iThemes Security that you can download here.

This plugin makes all the recommendations we have discussed and adds some extra security features.

This plugin protects you from brute force attacks, allows you to change the database table prefix, disable xmlrpc.php, change the SALTs, customize the access URL and much more.

The downside is that it consumes more resources and space in your WordPress installation, so we recommend doing the manual actions.

However, it is a very complete and optimized plugin. Highly recommended for those people who do not want to complicate their lives and want to have their WordPress installation more secure.

Wordfence: the alternative security plugin to iThemes Security


This is another security plugin that has many installs and you can download it here.

I don’t like this so much because it makes the Database tables quite dirty, but it perfectly fulfills its function.

However, I find the iThemes Security plugin more complete, lighter and better optimized.

After reading this article, you already know some of the most important tricks to protect your blog from possible attacks. At Doowebs, the web development company in Valencia we take care of protecting your blog with the most advanced tricks.