WordPress Security without Plugins

In this post you will find information that will help you protect your WordPress sites without using a security plugin.

Before I start giving you recommendations, I would like to tell you that I don’t have any security in any of my WordPress sites.

These are practical recommendations to make your WordPress sites more secure.

Strong Username and Password

The first step is using a password manager so you can use long and complex passwords. I use LastPass to save all my passwords.

LastPass has an option to create complex passwords, so you can create a complex username and password for your WordPress site.

Create the username using this tool and then create your password.

In this way you can have a super strong username and password, which would be super hard for a hacker to crack using brute-force attacks.

Plugins and Themes

There are several things that you can do to make sure your site doesn’t get hacked via your theme and plugins:

  1. Keep the plugins that you really need in your WordPress installation.
  2. Get rid of plugins that you don’t really need.
  3. Make sure that the plugins you use are regularly updated.
  4. Update all plugins as soon as there is an update, or wait a few days afterwards if you are completely sure that they don’t have an active vulnerability.
  5. Keep your version of WordPress updated.
  6. Download plugins and themes directly from the developers and WordPress.org.

Try to follow WordPress security blogs and subscribe to their mailing lists to get news about active themes and plugins with vulnerabilities.


Make sure that you use a hosting provider or cloud hosting panel that backs up your site regularly.

Cloudways does this for me. You can retain those backups for four weeks. The frequency can be set to as little as one hour or to every seven days.

Besides this, I recommend using All in One WP Migration to make backups that you can save in a Dropbox account.

You need to be ready to restore your site in case something bad happens. Cleaning a site can be expensive, and restoring can save you time and money.

Don’t save backups in your WordPress installation. Those could be downloaded and used to access your database.
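One way to check an existing site for this problem, as an added example that is not part of the original post: the script walks a WordPress web root and lists files that look like backups. The suffix list, the function names and the sample file tree are assumptions constructed for the demo; `.wpress` is the archive format All in One WP Migration writes.

```python
import os
import tempfile

# Suffixes that usually indicate a site or database backup (assumed list).
# ".wpress" is the archive format written by All in One WP Migration.
BACKUP_SUFFIXES = (".wpress", ".sql", ".sql.gz", ".zip", ".tar", ".tar.gz", ".tgz", ".bak")


def find_backups_in_webroot(webroot):
    """Return sorted paths (relative to webroot) of backup-like files."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(webroot):
        for name in filenames:
            # Case-insensitive match so "dump.SQL.gz" is caught as well.
            if name.lower().endswith(BACKUP_SUFFIXES):
                full = os.path.join(dirpath, name)
                hits.append(os.path.relpath(full, webroot).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_site(root):
    """Constructed sample tree: a tiny fake WordPress install for the demo."""
    files = [
        "index.php",
        "wp-config.php",
        "wp-content/themes/demo/style.css",
        "wp-content/ai1wm-backups/example-site-20240101.wpress",
        "wp-content/uploads/db-dump.SQL.gz",
        "old-site.zip",
    ]
    for rel in files:
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as fh:
            fh.write("placeholder")


def demo():
    """Build the sample site in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_site(root)
        return find_backups_in_webroot(root)


if __name__ == "__main__":
    for rel in demo():
        print("backup inside web root:", rel)
```

On a real server, call `find_backups_in_webroot()` with the site's document root and review each hit by hand, since a `.zip` in the uploads folder may be a legitimate download rather than a backup.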

Protect your Database, FTP and SSH

There are many hosting providers and cloud hosting panels that will do something to prevent your WordPress sites from getting hacked.

The Cloudways panel has the option to protect your Database, SFTP and SSH.

If I don’t add your IP address, you won’t be able to access my database, check my WordPress Installation or access my server and run remote commands.

Protect PHP Files with Cloudflare

The last thing that you can do to ensure that your site is super safe is to create Cloudflare Firewall Rules.

I am a bit more proactive with WordPress security but this will be enough to make sure that nobody can check for PHP files in your WordPress site.

Whitelist your IP address to make sure you don’t get blocked. Just go to tool and add the IP addresses you want to whitelist.

A great deal of files that your visitors don’t need are blocked.


Up to this point, you have a strong password; updated plugins, themes and software; and off-site backups. Your connection to the database, your WordPress installation and the ability to execute remote commands are limited to your IP address.

You have reliable hosting, and your PHP files have been protected, including the login page and xmlrpc.php.

You have a pretty secure website.


About Jose Manuel

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find this blog useful.