
7 advanced WordPress security practices.

These advanced WordPress security practices will help you secure your website even more after you’ve taken the basic, minimum-security measures to protect it.

WordPress is one of the most commonly attacked CMSs, primarily because it’s the most popular worldwide. As a result, website owners should constantly update website components and take other security measures.

Apply these seven advanced WordPress security practices to stay protected.

Block image hotlinking


Image “hotlinking” means embedding an image into a webpage by linking its original URL, which points to the server hosting it. It works like this: Website A embeds an image from Website B, so every time a visitor to Website A loads that image, it’s Website B’s server that’s using bandwidth and computing resources to provide it.

This means Website B’s server is using resources to provide an image without receiving traffic, which is terrible etiquette, increases hosting costs for Website B’s owners, and may open Website A’s users to security breaches if the link’s contents are ever changed to something malicious.

Depending on the web server software you’re using, here’s what you need to do.

In Apache servers

If your site is hosted on an Apache server, you need to edit or create the .htaccess file to include the following snippet:

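RewriteEngine on
# Allow requests that send no Referer header (direct visits, privacy tools)
RewriteCond %{HTTP_REFERER} !^$
# Allow your own site and the listed search engines.
# Keep the backslash before each dot when you substitute your domain.
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?google\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?bing\.com(/|$) [NC]
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yahoo\.com(/|$) [NC]
# Any other referrer requesting an image gets 403 Forbidden
RewriteRule \.(jpg|jpeg|png|gif|svg)$ - [NC,F]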

Where it says “yourdomain.com,” substitute it with your domain name. 

This rule set tells your server the following: “if you are serving a .gif, .png, .jpeg, .jpg, or .svg file, only serve it when the request has no referrer or comes from one of these domains: Google, Bing, Yahoo, and my own website’s domain. If the referring domain is not one of these, return a 403 error.”

Popular search engines are allowed because they direct traffic to you rather than leeching off your server’s bandwidth.

In Nginx servers

If your site is hosted on an Nginx server, open your configuration file and add the following snippet:

location ~* \.(gif|png|jpe?g|svg)$ {
     # "none" = no Referer header; "blocked" = Referer stripped by a proxy or firewall
     valid_referers none blocked ~\.google\. ~\.bing\. ~\.yahoo\. yourdomain.com *.yourdomain.com;
     if ($invalid_referer) {
        return 403;
     }
}

Where it says “yourdomain.com,” substitute it with your domain name.

Disable XML-RPC

XML-RPC is a protocol that allows the WordPress core installation to communicate with other systems. It uses HTTP as the transport mechanism and XML for encoding. XML-RPC is necessary to use the WordPress app from your Android or iOS smartphone, which allows you to manage your website on the go. 

While useful, this protocol has known security vulnerabilities that may open your site to denial-of-service attacks and more. If you’re willing to sacrifice managing your website from your phone, you can protect it more by disabling the XML-RPC feature.

The fastest way to disable it is by installing the “Disable XML-RPC-API” plugin, which will immediately block it.

Filter user input


Filtering user input is essential to preventing attacks that rely on injecting code into a website through user input fields like comments, searches, and forms. Attackers can introduce commands and malicious scripts into these fields if the proper security checks aren’t in place.

Common attacks that take advantage of this vulnerability include cross-site scripting (XSS) and SQL injection attacks. Some of the measures you can take to prevent malicious inputs include the following:

  • Prepared statements: probably the best way to prevent SQL injection attacks. Prepared statements ensure that SQL code is sent to the database server and parsed separately from data, making it harder or impossible for a hacker to inject malicious SQL code. 
  • Stored procedures: a sequence of instructions that can be stored in the database for later reuse. They’re often created to handle sequences of queries frequently applied to the database’s model, executing them whenever necessary. Also great at preventing malicious SQL injections.
  • Allowlisting or whitelisting input: creating large lists of allowed input. Any user input is compared to this list and if it doesn’t match, it is discarded.
  • Escaping user input: a technique to prevent user input from being interpreted as code instead of a text string. Generally, it involves adding an escape character right before any character in the user-provided data that would otherwise have a special meaning.

There are many methods to apply input filtering, and some will be more useful than others in specific cases. There are so many that covering them all is beyond the scope of this article. Still, it’s something to remember if you want to avoid input field injection attacks.
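The measures listed above can be combined in one WordPress handler. The following is an added example, not code from the original article; the function name, the shortcode name and the query parameters (q, orderby, limit) are assumptions chosen for illustration.

```php
<?php
// Added example: hypothetical search shortcode for functions.php or a small plugin.
function example_safe_post_search() {
    global $wpdb;

    // Normalise raw input: remove the slashes WordPress adds, strip tags and control characters.
    $term  = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $order = isset( $_GET['orderby'] ) ? sanitize_key( wp_unslash( $_GET['orderby'] ) ) : 'date';
    $limit = isset( $_GET['limit'] ) ? absint( $_GET['limit'] ) : 10;

    // Allowlist: column names cannot be bound as values, so map the input to known columns
    // and fall back to a safe default for anything that is not on the list.
    $columns = array( 'date' => 'post_date', 'title' => 'post_title' );
    $column  = isset( $columns[ $order ] ) ? $columns[ $order ] : 'post_date';
    $limit   = max( 1, min( $limit, 50 ) );

    // Prepared statement: values go through placeholders and are never concatenated into SQL.
    // esc_like() escapes % and _ so the search term matches literally inside LIKE.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_type = 'post' AND post_title LIKE %s
         ORDER BY {$column} DESC LIMIT %d",
        $like,
        $limit
    );
    $rows = $wpdb->get_results( $sql );

    // Escape on output so any markup in the term or in stored titles is shown as text.
    $html = '<p>Results for: ' . esc_html( $term ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $html .= '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '">'
            . esc_html( $row->post_title ) . '</a></li>';
    }
    return $html . '</ul>';
}
add_shortcode( 'example_safe_search', 'example_safe_post_search' );
```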

Change your database table’s prefix.

Your site’s database contains information about usernames, passwords, comments, and other elements of your website. Its default prefix is “wp_”. If you leave the default value, your site may be vulnerable to attacks since attackers may try that prefix first. Secure your site by changing it to a less predictable one.

The easiest way to change your database’s prefix is to use the “Brozzme DB Prefix & Tools Addons” plugin. Remember to back up your site before making any changes.

The process goes like this:

  • Once installed, hover your cursor over the Brozzme button on your dashboard’s left-side panel and choose DB Prefix.
  • On the following page, you’ll see two fields. The first, Existing prefix, represents your database’s current prefix. You can’t modify Existing prefix. It’s just there to show you the current prefix. The other one is New prefix, which you can modify.
  • Change the text in New prefix to modify your database’s prefix, then press the Change DB prefix button below to update it.

Hide your WordPress version.

This may seem irrelevant, but WordPress versions say much about site security. Every time the developers at WordPress.org release a new version with security updates, they also release a log with all the vulnerabilities they patched.

Potential attackers read these logs as a source of information on which techniques they can use to attack outdated WordPress versions (the ones that don’t have these newer protections). Since many websites run on outdated WordPress versions, attackers have many victims at their disposal.

Your WordPress version appears in your website’s source code, but you can remove it manually or with a plugin. To do it manually, you need to add the following code snippet to your functions.php file:

/**
 * Hide WP version strings from scripts and styles
 *
 * @param string $src Script or stylesheet URL
 * @return string $src
 * @filter script_loader_src
 * @filter style_loader_src
 */
function social9_remove_wp_version_strings( $src ) {
     global $wp_version;
     // Cast to string: parse_url() returns null when the URL has no query part
     parse_str( (string) parse_url( $src, PHP_URL_QUERY ), $query );
     // Only strip ?ver= when it exposes the WordPress core version
     if ( !empty($query['ver']) && $query['ver'] === $wp_version ) {
          $src = remove_query_arg('ver', $src);
     }
     return $src;
}
add_filter( 'script_loader_src', 'social9_remove_wp_version_strings' );
add_filter( 'style_loader_src', 'social9_remove_wp_version_strings' );

/* Hide WP version strings from generator meta tag */
function s9bg_remove_version() {
     return '';
}
add_filter('the_generator', 's9bg_remove_version');

Another option is to use a plugin. Many plugins hide your WordPress version. In this case, we’ll use WP Security Safe. Other plugins may use slightly different processes. To hide it, do this:

  • Go to WP Security Safe on your dashboard’s left-side panel.
  • Go to the Privacy tab.
  • Check the Hide WordPress Version Publicly box.
  • Click Save Settings at the bottom to confirm.

Delete the default “admin” account.

The “admin” account exists by default, meaning that every person who knows anything about WordPress knows it exists. This is convenient for admins but also makes an attacker’s work easier because they only have to know the password rather than the username-password combination.

Before making any changes, back up your database and ensure there’s at least one other active administrator account you can use after deleting the default account.

To delete the default “admin” account, go to Users > All Users on your dashboard. Find the “admin” account and press Delete. You’ll be greeted with a screen asking whether you want to assign all content currently assigned to the “admin” account to another user.

Choose the user and confirm the deletion.

Hide your default login URL


Your site’s login URL is “www.yourwebsite123.com/wp-admin/” by default. This is convenient for admins but also for attackers trying to brute force their way into your dashboard.

You should change your login URL to a less predictable location. By hiding it from users outside the admin circle, you take a significant step toward securing your site.

Read our guide on using the WPS Hide Login plugin to change your login URL’s location.


Securing your site with advanced WordPress security practices is a constant game of updates and tweaks. It can seem overwhelming at first, but the more you get into it, the easier it becomes.

Combine these steps with basic measures like adding a good security plugin, limiting failed login attempts, and enforcing strong passwords across all WordPress-related accounts. You’ll be in a much better position to prevent common security threats.