Plugin Security

Security is not an absolute, it’s a continuous process and should be managed as such. Security is about risk reduction, not risk elimination, and risk will never be zero. It’s about employing the appropriate security controls that best help address the risks and threats as they pertain to your website.

To improve the security, please follow the below steps.

Stay updated

Update theme and plugins, to turn on automatic update.

https://codex.wordpress.org/Configuring_Automatic_Background_Updates

Delete the default ‘admin’ user.

Delete the admin user and create new users with admin rights.

Delete the default post and page.

Delete the default post and page.

Change Comments Settings

Change the comments settings under Settings => Discussion

Comments Setting

Remove Unwanted themes / plugins

Delete any unwanted themes and plugins.

File / Directory Permission

Change all files permission to 644 and directories permission to 755.


find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;


find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

.HTACCESS Control


ServerSignature Off
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress


# Secure .htaccess
<files .htaccess>
order allow,deny
deny from all
</files>

Secure wp-config.php


<files wp-config.php>
order allow,deny
deny from all
</files>

Disable File Editing in wp-config.php


# Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);

For more information please check below link
https://codex.wordpress.org/Hardening_WordPress