Creating a Secure WordPress Website with Htaccess and Wordfence

WordPress is the most popular CMS in the world by a substantial margin, powering millions of websites and serving content to nearly every single internet user. WordPress has evolved from a simple blogging platform to a complete ecosystem of plugins and themes that can handle everything from membership sites to complicated e-commerce systems. Of course, this complexity also has its downsides – and the sheer number of WordPress sites on the internet make WordPress a tantalizing target for hackers that want to vandalize websites, upload malicious content, or hack into servers to steal private information. The following security tips will help you ensure that your WordPress site is protected from thieves and hackers – and they will keep your users safe and your site running smoothly.

Minimal Plugin Reliance

To begin with, every single plugin that you add to your WordPress installation produces a possible avenue for a hacker to take control of your site. While most plugins are perfectly safe, and written with relatively simple code, some plugins are intentionally malicious – or they haven’t been updated in a long time and are no longer secure. Most current WordPress attacks target websites with out-of-date plugins or plugins that have known security flaws – so keeping the total number of plugins on your website to a minimum is important to simplify your site and produce fewer number of “holes” in the overall inbuilt security of the WordPress system.

Only download plugins from reliable sites that have already been vetted by the WordPress community – and keep the plugins updated. If one of your plugins is no longer supported, and it is no longer receiving regular updates, it might be a good idea to deactivate and delete that plugin since it will only continue to get more and more out of date – and more and more likely to be compromised.

Htaccess Rules

.htaccess is a directory level file that controls the configuration of your web server – and gives you the ability to create specific rules for the domain that your WordPress website is running on. Don’t ever overwrite these rules without checking with documentation to make sure that your formatting and logic is correct – but don’t be afraid to make security changes after you’ve done the proper research.

IP Range Blocking

To begin with, one of the fastest ways to secure your website is with IP blocking. IP blocking basically makes your site inaccessible from IP addresses that fit within a range of your choice. There are two main ways to use blocking to your advantage. For one, you can find IP range blacklists that are constantly updated every time there is a hack attempt – automatically adding some of the known botnets and malicious computers to the blacklist. Secondly, you can block IP ranges from countries that you know won’t be visiting your website. For example, if you are only doing business in the United States, you might want to block some of the countries that have a high origination rate for hack attempts – primarily China, Russia, India, Romania, and (to a lesser extent) Syria.


One exception to the rule that WordPress plugins usually make your site less secure is Wordfence. While there are certainly other plugins that are designed to increase your site’s security, Wordfence is one of the longest running and most trusted. Wordfence automatically contains a live attack-response system that adds IP addresses to a blacklist that is maintained between every WordPress site that is running the plugin. This gives your site the benefit of a vast network of intelligence that keeps up to date on current attacks. Wordfence also allows you to set IP range blocking and other security rules directly from your WordPress dashboard without having to access the individual files – and it includes a few other security features as well, such as the ability to use two factor authentication for your log on.

Advanced Considerations

One of the most common attacks on a WordPress site is the attempt to “guess” the log on password by brute forcing with common passwords and usernames. A complex password can certainly help prevent this kind of attack – but so can using advanced methods like “hiding” the login files to the public, and only making it possible to log in to the dashboard of the site from an approved IP address that correlates to your home or office.