Tel.: +49 9152 408 639 4 - Mail: info (at)

Secure WordPress in 2020


Based on the CMS WordPress, more than 30% of all websites currently run on the Internet. Therefore, increased security measures apply to WordPress websites.

Securing WordPress at the webserver level:

Users can execute scripts in the uploads folder on the web server, this must be prohibited in the /wp-contents/uploads/ folder. To do this, create a file with the name “.htaccess” and insert the following lines.

Options -ExecCGI
#Block javascript except for visualcomposer (VC) plugin
RewriteEngine On
RewriteCond %{REQUEST_URI} !^.*wp-content/uploads/visualcomposer-assets/.*\.js$
RewriteRule ^(.*\.js)$ - [F,L]

# Block executables<FilesMatch "\.(php|phtml|php3|php4|php5|pl|py|jsp|asp|html|htm|shtml|sh|cgi|suspected)$">deny from all</FilesMatch>

These prohibit running JS and PHP files, except for some of Visual Composer.

You should also secure the files and folders by assigning the “755” authorization to all the folders and the “644” authorization to all the files. This can be done with an FTP client, e.g. Filezilla, easy.

Secure WordPress with plugins:

There are millions of WordPress plugins. I list the most important ones for securing WordPress here with a short description.

Wordfence Login Security

Wordfence Login Security makes 2-factor authentication easy. This allows you to set the authorization level at which a six-digit code, e.g. generated by “Authy” or the “Google Authenticator” must be entered. This creates another level of security when logging in. In the plugin you can also integrate Google’s reCaptcha, which checks whether a bot is trying to log in.

WPS Hide Login

With WPS Hide Login you can change the login URL of the WordPress installation to any URL. By default, you log into WordPress with the URL “”. But since this makes work easier for hackers, you can use WPS Hide Login to e.g. change to “”. But that won’t create 100% security either. It is therefore important to additionally secure the login with WordFence.

It is also important that plugins and themes that are not required are deleted. Only the current WordPress “Twenty Twenty” theme should remain deactivated if you use other themes. If the current theme breaks, WordPress has at least the option to use the standard WordPress theme.

Securing WordPress at the user level:

Usernames like Administrator, Admin or WP-Admin are no help when it comes to the security of the WordPress installation. I recommend that the admin user be as anonymous as possible. That’s why I use an arbitrary combination of letters and numbers as well as an unknown password. Since you should always use a password manager like Enpass anyway, I don’t have to remember these names.

Another no-go is to publish as an administrator account on the WordPress site. Creates an additional user who only has “Author” authorization. So you can safely create and publish articles and pages.


This Blog is hosted at *. The file-level security tips described here relate to the server infrastructure at


Affiliate links / advertising links
The links marked with an asterisk (*) are so-called affiliate links. If you click on such an affiliate link and buy via this link, I will receive a commission from the online shop or provider in question. The price does not change for you.

Picture: © Daniel Wenzlik

Related Posts