Secure WordPress With a Few Easy Steps Without a Security Plugin

Here are a few easy steps that everyone should follow to secure a WordPress website without a security plugin.
Generally speaking, security plugins can be great, but they can sometimes lead to poor website performance. Here are my suggestions on how to reduce the chance of your site getting hacked.
1. The basics
Here are some general suggestions that anyone can follow, even without any technical knowledge. Note that it is your own responsibility to do these simple things; if your site gets hacked because you skipped one of them, you would be the only one to blame.
1.1 Always update WordPress to the latest version
Security is arguably the most important reason why you should keep your WordPress website up to date. You really do not have any excuses for not updating your WordPress version as this can be done with just a click of a button and it only takes a few seconds/minutes.
1.2 Keep an eye on your plugins
I would strongly recommend keeping the plugin count to a minimum and always keeping your plugins updated. More often than not, attackers are able to gain access via an outdated plugin. I would also suggest deleting any plugins that you are not using.
1.3 Delete any themes that you're not using
Quite often people would install a few themes and just leave them on the site disabled and outdated. This opens up a lot of vulnerabilities so I would suggest just deleting any themes that you do not use and just have your active theme installed.
2. The power of the .htaccess file
Here are some nice .htaccess rules that you could use to protect your site. It takes only a few minutes to copy and paste these rules into your .htaccess file, so I strongly suggest that you add at least some of them.
2.1 Protect your wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
2.2 Secure your wp-includes
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
2.3 Protect the .htaccess
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
2.4 Disable hotlinking
Note: Change the yourdomain.com part.
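RewriteEngine on
# Let requests with an empty referer through (direct visits, privacy tools)
RewriteCond %{HTTP_REFERER} !^$
# Let requests from your own domain through, with or without www
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourdomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]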
2.5 Disable directory listing
Options -Indexes
2.6 Disable all php files in your uploads folder
This one is a bit more specific, as you should not add it to your main .htaccess file.
Upload a file called .htaccess to the root of wp-content/uploads with the following line:
<Files *.php>
deny from all
</Files>
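The `order`/`deny` lines in 2.1, 2.3 and 2.6 are Apache 2.2 access-control syntax, which Apache 2.4 only accepts when mod_access_compat is loaded. The following is an added example, not part of the original post, that wraps the same three rules so they work on either version. It assumes the default WordPress layout, and the 2.6 section still belongs in its own file.

```apache
# Added example: version-independent form of rules 2.1, 2.3 and 2.6.
# Apache 2.4 -> "Require all denied" (mod_authz_core)
# Apache 2.2 -> "Order allow,deny" + "Deny from all"

# ---- Main .htaccess in the WordPress root ----

# 2.1 Refuse direct requests for wp-config.php
<Files "wp-config.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# 2.3 Refuse requests for .htaccess and other .hta* files
#     (same pattern as the rule in section 2.3)
<Files ~ "^.*\.([Hh][Tt][Aa])">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
        Satisfy all
    </IfModule>
</Files>

# ---- Separate file: wp-content/uploads/.htaccess ----

# 2.6 Refuse to serve any .php file from the uploads folder
<Files "*.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
```

After deploying, request `/wp-config.php`, `/.htaccess` and a test `.php` file under `/wp-content/uploads/` in a browser; each should return 403 Forbidden, while a 500 error means the server rejected a directive.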
3. Protect your wp-admin area
3.1 Use 2FA
For example, you could try using the Google authentication plugin.
3.2 Enable limit login attempts
This would protect you against brute force attacks.
3.3 Enable reCAPTCHA
Generally speaking, this would protect you against any kind of bots.
3.4 Use a complex unique password for your admin user.
Last but not least!
Conclusion
These are pretty simple steps that you could implement in less than 10 minutes, but they would enormously benefit your site's security.
Hope that this helps and if anyone has any other suggestions please feel free to reach out to me :)