When I first installed WordPress, I was just excited to get my blog online.
A few clicks, a theme, and boom — I had a live site.
What I didn’t realize was:
WordPress out of the box is like an open house.
Everyone’s invited — including bots, brute force scripts, and shady crawlers.
After a couple of weird traffic spikes and a login attempt from somewhere I’d never even heard of, I knew I had to lock things down.
Here’s how I hardened my WordPress install — step by step — without breaking themes, plugins, or my sanity.
Step 1 — Change the Login URL
The default login URL (/wp-login.php or /wp-admin) is basically a red carpet for bots.
I used a plugin called WPS Hide Login to change it to something less obvious — something like:
/my-secret-panel
No more random login attempts. It was quiet from day one.
Step 2 — Disable XML-RPC
Unless you’re using Jetpack or a mobile app, XML-RPC is useless. And it’s a known security hole.
I disabled it completely:
add_filter('xmlrpc_enabled', '__return_false');
Or, with Nginx:
location = /xmlrpc.php {
    deny all;
}
Peace of mind = +1.
Step 3 — Install a Security Plugin (But Just One)
I didn’t want to bloat my site with 50 overlapping plugins. I chose Wordfence because it offers:
- Real-time traffic logging
- Login attempt limits
- File change alerts
- Basic firewall
It’s like having a security camera on your front porch.
Step 4 — Disable File Editing from the Admin Panel
If anyone ever gets access to your WordPress dashboard, they shouldn’t be able to modify themes or plugins directly.
I added this to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
One line. Big win.
Step 5 — Backup and Auto-Update
Security is nothing if you can’t roll back.
- I use UpdraftPlus to automate daily backups to Google Drive.
- I enabled auto-updates for minor WordPress versions and plugins.
If something breaks, I’m never more than 24 hours behind.
Bonus — Set Proper File Permissions
I SSH’d into my server and ran:
find /var/www/html -type d -exec chmod 755 {} \;
find /var/www/html -type f -exec chmod 644 {} \;
No more random 777 folders.
No more “world-writable” nightmares.
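As an added example (not code from the original post), here is a small POSIX shell script that checks a WordPress document root for the two file-level items above: it lists world-writable paths, applies the 755/644 baseline from the Bonus step, and confirms wp-config.php carries the DISALLOW_FILE_EDIT line from Step 4. It assumes the document root path is passed as the first argument.

```shell
#!/bin/sh
# Added example: audit helpers for a WordPress document root.
# Assumption: the document root (e.g. /var/www/html) is given as $1.

# Print every file or directory under the docroot whose "others" write
# bit is set (catches 777, 666, 757, ...). Returns 0 if nothing was found,
# 1 if at least one world-writable path exists.
find_world_writable() {
    docroot="$1"
    # -perm -002 is the portable way to say "others may write".
    hits=$(find "$docroot" \( -type d -o -type f \) -perm -002 2>/dev/null)
    if [ -n "$hits" ]; then
        printf '%s\n' "$hits"
        return 1
    fi
    return 0
}

# Apply the baseline from the post: 755 on directories, 644 on files.
fix_permissions() {
    docroot="$1"
    find "$docroot" -type d -exec chmod 755 {} \;
    find "$docroot" -type f -exec chmod 644 {} \;
}

# Return 0 if wp-config.php defines DISALLOW_FILE_EDIT as true, 1 otherwise.
# The pattern tolerates extra spaces, either quote style, and TRUE/true.
file_edit_disabled() {
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*[Tt][Rr][Uu][Ee][[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# Stand-alone use: report, then fix, then report again.
if [ "$#" -ge 1 ]; then
    echo "World-writable paths before fix:"
    find_world_writable "$1" || true
    fix_permissions "$1"
    find_world_writable "$1" >/dev/null && echo "No world-writable paths remain."
    file_edit_disabled "$1" && echo "DISALLOW_FILE_EDIT is set." \
        || echo "DISALLOW_FILE_EDIT is NOT set in $1/wp-config.php"
fi
```

Run it as the user that owns the WordPress files; if a plugin later needs write access to a specific directory (uploads, cache), re-run the audit afterwards to see exactly what changed.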
Final Thought
Securing WordPress doesn’t have to be complicated.
It just needs a little attention — and the willingness to not trust defaults.
Once I locked down the basics, my site ran smoother, stayed cleaner, and I stopped waking up to “unauthorized login attempt” emails.
If you’re running WordPress and haven’t done any of this yet — start today. Your future self (and server logs) will thank you.