Here are a few steps you can take to secure a WordPress website without using any plugins:
- Keep your WordPress core, themes, and plugins up to date. This ensures that any known security vulnerabilities are patched.
- Use a strong username and password for your administrator account. Avoid using “admin” as your username.
- Limit login attempts to prevent brute-force attacks. You can do this by editing your .htaccess file or using a security plugin.
- Use a security plugin like iThemes Security, Wordfence Security, All In One WP Security and Firewall, and Sucuri Security to harden your website security.
- Restrict access to your wp-admin directory by IP address. This can be done by editing your .htaccess file.
- Avoid using nulled themes and plugins, as they may contain malware or other security vulnerabilities.
- Use SFTP to transfer files to your server instead of FTP, as SFTP encrypts the data in transit.
- Keep a regular backup of your website, so that you can restore it in case of a hack or other problem.
- Use a Content Delivery Network (CDN) to distribute the load of your website and protect it from DDoS attacks.
- Regularly check your website for malware and suspicious activities.
Please note that following these steps will not guarantee that your website will never be hacked, but it will definitely minimize the risk.