3 Ways to Protect Your WordPress Website Without a Dedicated Plugin

Developers are a resourceful bunch – when an issue arises, you’ll tend to develop your own solutions. Website security is no different, although it may be worth considering the extra liability involved.

While there are a number of security plugins already on the market, you can easily update your theme’s functions.php file to add a few levels of extra security to WordPress. However, as you learn more about security and how important it is to fully secure your site, it quickly becomes a full-time job. This means investigating other solutions, especially if it can save you some time.

In this post, we’ll first introduce you to the functions.php file. Then, we’ll give you three easy tweaks you can make to secure your site. Finally, we will review when it might be a good idea to use a dedicated plugin. Let’s get started!

A Brief Introduction to the functions.php File

In every WordPress theme, there’s the option to use a functions.php file. As you may have guessed by the name, it is designed to add extra functionality to your site and can be found in your WordPress theme’s folder.

Rather than attempting to add features throughout your theme’s files, functions.php gives you one clean place to store them. You can activate theme options, register styles, access other built-in WordPress hooks, and more. You can also write your own functions to add new features.

Finally, the functions.php file can be used to secure your WordPress installation from would-be hackers by adding a few simple code snippets. Let’s take a look at three of them.

3 Ways to Protect Your WordPress Website Without a Dedicated Plugin

The following code snippets are helpful in securing your WordPress sites and are written using best practices for maximum compatibility and security. Although we encountered no issues when testing, always vet any code you add to functions.php to ensure you are not compromising your site, and carry out a full backup before starting!

1. Hide Any Detailed WordPress Information

HTML head for WordPress
An example of the Torque website’s HTML header.

When rendering your site, WordPress automatically adds some detailed installation information to the HTML code. While this can be helpful for debugging, hackers can also use it against you. For example, if someone knows the exact version of WordPress you’re using, they can use version-specific exploits to bring down your site faster.

To avoid this, you can mask details about your WordPress install that would normally display in your HTML area, by using a code snippet:

function secure_wordpress_header_data() 
    /* RSD, XMLRPC, WLW, WP Generator, 
       ShortLink and Comment Feed links */
    remove_action( 'wp_head', 'rsd_link' );
    remove_action( 'wp_head', 'wlwmanifest_link' );
    remove_action( 'wp_head', 'wp_generator' );
    remove_action( 'wp_head', 'wp_shortlink_wp_head' );
    remove_action( 'wp_head', 'feed_links', 2 ); 
    remove_action( 'wp_head', 'feed_links_extra', 3 );

    /* First, prev, and next article links */
    remove_action('wp_head', 'start_post_rel_link' );
    remove_action('wp_head', 'adjacent_posts_rel_link_wp_head' );

add_action( 'init', 'secure_wordpress_header_data' );

This hooks into WordPress’ installation details and tells it to simply remove the data. You can see this covers aspects such as HTML generator tags and extra RSS feeds that could be used to generate a Denial of Service (DoS) attack.

To take it further, you can also remove version parameter tags from your scripts. This means removing the ?ver=1.20.3 text from the end of included JavaScript and CSS links:

function remove_wp_version_from_scripts( $src ) 
    if ( strpos( $src, 'ver=' ) )
        $src = remove_query_arg( 'ver', $src );
        return $src;
add_filter( 'style_loader_src', 'remove_wp_version_from_scripts', 9999 );
add_filter( 'script_loader_src', 'remove_wp_version_from_scripts', 9999 );

Now your WordPress site’s installation information is a more obfuscated, let’s look at securing the login area.

2. Obscure Your Login Error Messages

WordPress login error
Standard WordPress login errors can give hackers a clue as to what they’ve got wrong.

When someone attempts to log in to your WordPress site with the wrong username or password, they’re given clues by default, which can make it easier for them to hack in. For example, the ERROR: Invalid username message tells them to quit trying to log in with that particular username.

To make guessing login credentials harder, you can remove the default error messages. You want your login forms to be less informative for malicious visitors, while also making the experience pleasant for real users. Given this, always double-check that any forgotten password feature is accessible and working!

A simple way to disable hints altogether is by adding a code snippet that returns the same error no matter what went wrong:

function one_default_error_message() 
    return 'Something is wrong!';

add_filter( 'login_errors', 'one_default_error_message' );

You can modify this snippet to show any error message you’d like. However, it doesn’t offer a lost password link, so try adding this to the returned text:

$forgot_link = wp_lostpassword_url( get_permalink() );
return "Something is wrong! Forgot your password?";

This will automatically add the lost password URL so that users can still reset their password when necessary.

3. Load Your Scripts Securely

jQuery loaded over SSL
We recommend loading any scripts (such as jQuery) over a secure, encrypted connection.

Many WordPress sites load external libraries (such as jQuery) to offer extra functionality or styles to your site. Unfortunately, any script not loaded using Secure Socket Layers (SSL) is vulnerable to man-in-the-middle attacks.

Because of this, it’s especially important to force external scripts to load using SSL over HTTPS. This reduces the opportunity for hackers to inject malicious code into your site when others are viewing it. As jQuery is one of the most commonly used scripts, here’s an example of how to load it securely:

if ( !is_admin() ) 
    wp_register_script('jquery', ("https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js"), false);

This script checks whether it’s loading jQuery onto the front end, and if so, registers the jQuery script through HTTPS. You can follow this pattern to ensure the rest of your scripts are also loading using HTTPS.

When to Use a Dedicated Security Plugin

Wordfence Security Plugin
Wordfence Security is one of the best plugins available for protecting your website.

There are a lot of small tweaks you can perform on your WordPress site that extend even further than a theme’s functions.php file. This is where dedicated security plugins come in, and each one will vary with regard to features.

Of course, there are some plugins that accomplish specific security tasks as well. You can completely obscure all of the usual WordPress breadcrumbs with WP Hide & Security Enhancer. A plugin such as WP Force SSL will ensure all scripts on your site load securely, but it does require you to have an SSL certificate installed as well. In some situations (customizing login errors, for example), a functions.php fix is so simple that there’s no need for a dedicated plugin.

If you’re interested in fully locking down your WordPress site, it may be worth investigating the features that come with some of the major security plugins. You can learn to replicate the most important features on your own site, or alternatively, take one for a spin. However, you’ll likely need to do more than add code to your theme’s functions.php file, so be prepared!

As far as plugin options go, Wordfence Security is a stellar option. You’ll find advanced server protection, enhanced login security measures, scanning and monitoring features, and much more. Alternatively, All In One WP Security & Firewall focuses on user account and login security and runs backups of important files. Finally, iThemes Security takes a more general approach, offering over thirty options for shutting out potential malicious users. This plugin also offers regular backups of your site as a fallback.

It’s always better to carry out some security measures than none at all. That being said, while a few simple tweaks added to the functions.php file can serve you well in some areas, a dedicated security plugin can save you a lot of time, offer advanced functionality, and provide a codebase that’s more secure all around.


Although developers are skilled at their work, security is a specialty requiring lots of time and effort to fully implement. While a few tweaks to the WordPress functions.php file can help, it’s worth considering whether a dedicated security plugin is suitable for the situation.

In this post, we first covered three specific functions which filter through some of WordPress’ weaker front end aspects. Then, we introduced you to some dedicated security plugins and why they might be the right choice. We recommend doing your research, learning by imitating the pros, then deciding whether it makes more sense to simply use a plugin, a snippet, or a mixture of both.

What questions do you have about protecting your WordPress website? Ask away in the comments section below!

Image credit: Scott Webb.

John Hughes

John is a blogging addict, WordPress fanatic, and a staff writer for WordCandy.

The post 3 Ways to Protect Your WordPress Website Without a Dedicated Plugin appeared first on Torque.