Why Every Business Must Use These 5 Crucial WordPress Security Techniques To Protect Their Websites

The importance of WordPress website security is growing because consumers shopping more online and sharing personal information on websites more frequently. Securing websites and customer confidential information are top priorities for business owners today.

Here are five technical techniques to secure your WordPress website:

1.  Remove Version Number

The WordPress version number of a website is shown in the view source (HTML version) of the website. To see it, all you have to do to enter view-source:https://www.example.com/ (replace www.example.com with the respective website URL) in the browser and search for “generator”.

The WordPress version number creates vulnerabilities for websites because a hacker can find the WordPress version number of a website and identify known security issues for that WordPress version and hack the website using its vulnerable spots.

To remove WordPress version number from your website, go to wp-content > theme > folder of the theme you are using and open functions.php file and past the following code at the bottom of the functions.php file:

// remove version from head

remove_action(‘wp_head’, ‘wp_generator’);

// remove version from rss

add_filter(‘the_generator’, ‘__return_empty_string’);

// remove version from scripts and styles

function shapeSpace_remove_version_scripts_styles($src) {

if (strpos($src, ‘ver=’)) {

$src = remove_query_arg(‘ver’, $src);


return $src;


add_filter(‘style_loader_src’, ‘shapeSpace_remove_version_scripts_styles’, 9999);

add_filter(‘script_loader_src’, ‘shapeSpace_remove_version_scripts_styles’, 9999);

You may need a website developer’s or technical digital marketer’s help with the implementation.

Remove WordPress Version

After the code has been added.

Remove WordPress Version


2. Disallow File Editing in The Admin Section

By default, WordPress admin users can edit files such as PHP and CSS files and plugins in the admin section to make changes to their websites. While this access makes updating websites efficient because users can update website directly in the admin section instead of accessing their WordPress directory, downloading and making changes to file on their local computers, and re-uploading the files onto the directory, the access creates vulnerability to their websites. When a hacker gains access to a WordPress website that allows file editing in the admin section, s/he can easily make changes or inject malicious codes in the files.

Disallow File Editing WordPress Admin

To disable file editing in the admin section, add the following code in your wp-config file: define(‘DISALLOW_FILE_EDIT’, true);

To open your wp-config.php file, access your WordPress directory, go to the wp-include folder and you will see the wp-config.php file.

Disallow File Editing WordPress Admin


File editing is disallowed after the code has been added

3. Block Automated Referrer Spam

Referrer spam is fake traffic referred from another website to your website without a human actually visiting your website. This type of traffic is often called “ghost traffic”. Hackers sometime use “ghost traffic” to spam your comments section by injecting malicious codes or building backlinks to poisonous websites. The spam will hurt your search ranking or compromise your website. To block automated referred spam, go to your .htaccess file and add the following code:


RewriteEngine On


RewriteCond %{HTTP_USER_AGENT} ^$ [OR]

RewriteCond %{HTTP_REFERER} !yourdomain.com [NC]

RewriteCond %{REQUEST_URI} /wp-comments-post\.php [NC]

RewriteRule .* – [F,L]

Please replace yourdomain.com with your actual domain URL.

4. Change User Login URL

The default login URL for WordPress website is /wp-admin. If this URL is not changed, it is easy for hackers to go to your login page URL and attempt to login your website.

A simple way to protect your user login URL is changing the URL to another different URL. To do so, download and activate the plugin WPS Hide Login.

5. Prevent User Enumeration

When you enter /?author=[a number] at the end of a WordPress domain (e.g. https://miss604.com/), you will be directed to the author page whose ID is associated with the number. For example, when you enter www.miss604.com/?author=2, you will be directed to https://miss604.com/author/john-bollwitt. Oftentimes, the author name is the same as the username. This creates vulnerability for a WordPress website because a hacker can find out an username using the technique above and attempt to login the website by trying different passwords.

To prevent user enumeration, simply download and active the plugin Stop User Enumeration and ?author=[number] cannot be used.

Securing your WordPress website should be a top priority for any business. If a website is hacked, customer and company information will be compromised and your search ranking will drop because Google thinks your website is malicious.

If you want a comprehensive security audit of your WordPress website, please email us at raywang@rwdigital.ca or submit a form below.

Get In Touch

Contact Us

We are here to help you 7 days a week. If you have any questions or want to say ‘hi’, please feel free to get in touch!