Make Your WordPress More Secure in Manually

In the previous blog, I introduced WordPress as a CMS. This time, I’ll be discussing security aspects for WordPress websites.

WordPress powers about 45% of all websites worldwide. It can be used for everything from simple profile sites to business platforms and full e‑commerce systems. Even today, our company continues to use WordPress, and this very website is built with it.

Before diving into security, let me first explain why WordPress is often chosen over other CMS platforms:

1. Strong Community
WordPress has a massive user and developer base. If you face a problem, you can easily find answers in the community. Most issues you encounter have already been solved by others, making troubleshooting much easier.

2. Wide Range of Themes and Plugins
WordPress offers themes for everything from personal profiles to business and e‑commerce. Many are built with design, UI/UX, and SEO standards in mind, making them easy to use. On the plugin side, you’ll find everything from small utilities to advanced security tools, all regularly updated. The newer versions even support auto‑updates, which is very convenient.

3. AI Integration
In today’s AI era, WordPress is keeping up. Many themes and plugins now include AI features, allowing you to optimize content, SEO, SEM, analytics, and even security with AI assistance.

4. Healthy Ecosystem
WordPress isn’t just about one company’s profit. It creates opportunities for developers. If you’re a WordPress developer, you can build and sell your own themes or plugins as a source of income.

5. Based on PHP
Around 75% of websites worldwide use PHP. Since most developers are already familiar with PHP, WordPress—being PHP‑based—makes development easier and more accessible.

These are just some of the advantages of WordPress. Based on my own experience, there are certainly more benefits beyond these.

 

WordPress in 2025: Usage & Impact in Web Technology

Global Market Share & Adoption
43.6% of all websites worldwide are built with WordPress. Among websites using a CMS (Content Management System), WordPress holds a 62.8% market share, far ahead of Shopify (6.2%), Wix (3.8%), and Squarespace (3%). As of today, over 810 million websites are powered by WordPress. This rapid growth highlights WordPress’s success in a relatively short period of time.

Let’s explore why WordPress has become so successful so quickly.

 

Plugin & Theme Ecosystem
The WordPress directory offers 70,000+ plugins and 30,000+ themes. Popular builders like Elementor, WPBakery, and Divi enable drag‑and‑drop design with advanced customization. WooCommerce powers 21% of WordPress sites and holds 38.7% of the eCommerce CMS market. These tools and ecosystems are major contributors to WordPress’s success.

 

Security & Performance Trends
A WordPress site is attacked every 22 minutes, making security a top priority. 92% of vulnerabilities come from outdated plugins and 80% of users now rely on auto‑updates, and 60% use two‑factor authentication (2FA). Because WordPress is designed to be flexible and compatible with everything, it can be considered weaker in terms of security. However, these weaknesses also exist because of user demands for flexibility. If you are a WordPress developer and keep your site’s security up to date, your website can still remain secure and reliable.

Mobile & User Experience
Around 50% of WordPress traffic comes from mobile devices and Over 90% of themes are mobile‑responsive by default. Optimized WordPress sites have an average load time of 2.5–3 seconds, aligning with SEO best practices. Mobile responsiveness is now an essential feature for modern websites. This is one of the main reasons many developers choose WordPress once you use it, mobile responsiveness is already built in.

Global Reach & Community
WordPress supports 200+ languages, making it accessible worldwide and The top countries using WordPress include the USA, Germany, UK, France, Brazil, and India. The WordPress community has hosted 1,200+ WordCamps in 395 cities across 65 countries. One of the biggest reasons for WordPress’s success is its strong and active community.

These are the key insights about WordPress in 2025. Next, let’s continue exploring why WordPress remains the leading CMS in the industry.

 

Why WordPress Still Leads in Web Tech

• Built on PHP and MySQL, WordPress remains open-source and highly customizable
• It’s used for everything from blogs and portfolios to enterprise platforms and headless CMS setups
• Developers, marketers, and creators choose WordPress for its flexibility, scalability, and ownership

 

How to Secure Your WordPress Website Manually in 2025

WordPress is powerful, flexible, and widely used  but that also makes it a prime target for cyberattacks. While security plugins offer convenience, manually hardening your site provides stronger protection and full control. Whether you’re running a blog, business site, or WooCommerce store, this guide outlines the essential steps to secure your WordPress site manually  no plugins required.

WordPress security plugins are powerful, but they come with limitations.
For example: features and pricing.
Some features require you to pay extra. If you don’t want to pay, you can still configure security manually. Below are 8 key steps you can take:

1. Disable File Editing from the Admin Panel
If hackers gain access to your dashboard, they can inject malicious code via the theme or plugin editor. Prevent this by adding the following line to your wp-config.php file:

`php
define(‘DISALLOWFILEEDIT’, true);
`

This is one of the most basic but important steps. Every WordPress site should have this configuration to reduce risks from themes and plugins.

 

2. Change the Default Admin Username
Never use “admin” as your username — it’s the first thing bots try.
– Create a new user with administrator rights.
– Delete the old “admin” account.

This isn’t a technical method, but it’s a simple way to avoid bot attacks. However, this step alone won’t fully protect your site.

 

3. Limit Login Attempts
To prevent brute-force attacks, add this code to your .htaccess file (for Apache servers):

`apache
<IfModule modauthzcore.c>
<Location “/wp-login.php”>
Require all denied
</Location>
</IfModule>
`

Alternatively, use server-level tools like Fail2Ban or Cloudflare Rules to rate-limit login attempts. You can also use plugins to set limits. On Namecheap servers, this feature is included automatically with WordPress installs, and other hosting providers may also provide it.

 

4. Disable Directory Browsing
Prevent attackers from viewing your file structure by adding this to .htaccess:

`apache
Options -Indexes
`

This is a very effective method. If hackers can see your file structure, it gives them an opportunity to exploit your site. Blocking directory browsing closes that door.

 

5. Set Correct File Permissions
Restrict unauthorized access by setting these permissions:

`text
Files: 644
Directories: 755
wp-config.php: 440 or 400
`

This ensures your files are properly protected within your hosting environment. You can set these permissions via FTP or SSH using the chmod command.

 

6. Disable PHP Execution in the Uploads Folder
To prevent malware from running inside /wp-content/uploads, create a .htaccess file in that folder with:

`apache
<FilesMatch “\.php$”>
Deny from all
</FilesMatch>
`

This blocks malicious PHP files from executing if they are uploaded.

 

7. Regular Backups (Manual or Cron Jobs)
Back up your site manually using mysqldump and rsync:

`bash
mysqldump -u username -p database_name > backup.sql
rsync -avz /var/www/html/ /backup/location/
`

For daily backups, automate the process with cron jobs.

 

8. Monitor for File Changes
Track changes in core files using a bash script or Git:

`bash
find /var/www/html -type f -exec md5sum {} \; > file-checksums.txt
`

Compare checksums periodically to detect unauthorized modifications.

These are some of the manual security configurations you can apply to your WordPress site without relying on plugins. They are simple to implement and accessible even for junior developers. In fact, these practices should be part of standard security training for anyone working with WordPress.

 

Final Thought

This blog explains how to configure WordPress website security manually. This method is still widely used by many developers today. In WordPress, security can be handled in two ways: manual configuration or using plugins.

Using plugins for security configuration is easier and less error‑prone compared to manual methods, which makes it more convenient for junior developers. However, plugins may sometimes include unwanted background processes, so caution is required.

For this reason, many senior developers prefer manual security configuration. But manual configuration involves editing WordPress core files, which leaves no room for mistakes. If something goes wrong, the entire website could go down.

Therefore, if you are at a junior level, I recommend using plugin‑based configuration instead. In the next blog, I will explain how to configure WordPress security using plugins.

---