WordPress Security Without Plugins: 6 Best Tips

Published on June 3, 2021 | Updated on July 4, 2024

Do you use a security plugin to take care of your WordPress site?, Do you understand what most of the features on security plugins do?

I am not a big fan of using security plugins so I have been investing a little bit of time figuring out what do to protect my WordPress sites.

These are my best recommendations to protect your WordPress site.

Create a Strong Username and Password

The first step is using a password manager, so you can create and use long and complex passwords.

I use Bitwarden to save all my passwords but feel free to use the one you like the most.

Password Managers have options to create complex passwords, so you can create a complex username and password for your WordPress site.

Create a complex username and then do the same thing for your password:


That would make your username and password super hard for hackers and bots to crack using brute force attacks.

According to Bitwarden’s Password Strength Testing Tool, the username and passwords shown above will take centuries to crack.

Block XML-RPC Access

The XML-RPC protocol allows multiple login attempts in a single request, so this means attackers can submit numerous login attempts in one go, bypassing standard rate-limiting measures that protect the login page.

If your site doesn’t use XML-RPC, consider disabling it altogether. This can be done using a PHP snippet.

add_filter('xmlrpc_enabled', '__return_false');

You can create a mu-plugin and forget about attacks made to the XML-RPC once and for all.

Using a mu-plugin to block access to the XML-RPC is technically speaking a security but not one that requires updates, upgrades to do its job well.

WordPress Core, Plugins and Themes

There are several things that you can do to make your site doesn’t get hacked via your theme and plugins

  1. Install and Keep the plugins that you really need.
  2. Get rid of plugins that you don’t really need.
  3. Update all plugins as soon as there is an update or wait a few days only if you are completely sure that these don’t have an active vulnerability.
  4. Keep your version of WordPress updated.
  5. Download plugins and themes directly from the developers and WordPress.org
  6. Don’t install nulled garbage.
  7. Avoid the practice of installing a plugin for every tiny thing you want to add or remove from WordPress.

Try to follow WordPress Security blogs and subscribe to their mailing lists to get news about the themes and plugins with active vulnerabilities.

Make Site Backups Regularly

Make sure that you use a hosting provider or Cloud Hosting panel that backs up your site regularly.

Cloudways does this for me. You can retain those backups for four weeks.

The frequency of the backups could be set to a minimum of one hour.

Besides this, I recommend using All in One WP Migration to make backups that you can save in a Dropbox or Google Drive account

You need to be ready to restore your site in case something bad happens to one of your sites.

Cleaning a site can be expensive and restoring can save you lots of time and money.

Don’t save backups in your WordPress installation. Those could be downloaded and used to access your database and hack your WordPress site.

Protect your Database, FTP and SSH Access

There are many hosting providers and cloud hosting panels that will do something to prevent your WordPress sites get hacked.

The Cloudways panel has the option to protect your Database, SFTP, and SSH.

If I don’t add your IP address, you won’t be able to access my database, check my WordPress Installation or access my server and run remote commands.

Create a Firewall

The last thing that you can do to ensure that your site is super safe is to create Cloudflare Firewall Rules.

You can create up to five rules to help you deal with most types of threats.

I am a bit more proactive with WordPress security but this will be enough to make sure that nobody can check for PHP files on your WordPress site.

Whitelist your IP address and your server IP address to make sure you don’t get blocked by the rules you create.

These Features aren’t Needed

These are some features that user keeps recommending and that you don’t need when you follow some of the previous recommendations.

  • You don’t need to activate two-factor authentication when no bot or person has access to your site’s login page.
  • You don’t need to have other forms of login protection when no bot or person has access to your site’s login page.
  • You don’t need a complex Firewall managed by security experts when you have all you need to build a custom one for free.


I recommend using security plugins when users don’t know sh*t about how basic WordPress security works or if users are too busy to learn about how to keep most threats at bay.

Manuel Campos

Manuel Campos

I am José Manuel. I am writing about things I know and things that I am learning about WordPress. I hope you find the content of this blog useful.






© 2024 WP SURFER • Made with Love in Costa Rica