Each WordPress installation in the root directory of the application has a file wp-config.php. Add these two lines of code above the require_once line (not at the very bottom of the file) so they take effect before WordPress core loads:
// SECURE WP
define( 'FORCE_SSL_ADMIN', true );
define( 'DISALLOW_FILE_MODS', true );
FORCE_SSL_ADMIN forces SSL on the WordPress admin dashboard, protecting login credentials and session data from interception. Note that this setting only covers /wp-admin/. To redirect all front-end traffic to HTTPS, add a redirect rule in your web server configuration — a RewriteRule in .htaccess for Apache or a return 301 block for Nginx.
DISALLOW_FILE_MODS blocks plugin and theme installation, updates, and file editing from the admin panel. It also prevents WordPress core updates. This significantly reduces the attack surface on production sites. To manage updates without re-enabling the admin UI, use WP-CLI over SSH — for example wp plugin update --all or wp core update.
These two defines are the minimum starting point. For stronger WordPress security, also limit login attempts (using a plugin like Limit Login Attempts Reloaded), enforce strong passwords, keep WordPress core, plugins, and themes updated, and consider a web application firewall (WAF) such as Cloudflare or Sucuri to block malicious traffic before it reaches your server.
Related What I Do
Related What I Do
These What I Do pages are matched from the subject matter of this article, creating a cleaner path from educational content to implementation work.
Continue reading
Related articles
Based on shared categories first, then the strongest overlap in tags.