7 steps to a secure WordPress website

WordPress is one of the most popular CMS systems worldwide. Almost 40 percent of all websites are created with the open source system and of course there are many reasons for this. By the way, I will name some of them in the blog post “5 good reasons why you should build your website with WordPress.”

Of course, the CMS system is also a popular target for hackers. Security and hacking protection are therefore important topics that you should also deal with for your website. You really don’t want to experience the horror scenario of waking up one morning and not being able to reach your site, or realizing that hackers have stolen customer data. To avoid that, today I give you 7 tips, strategies and techniques for improving your WordPress security.

#1 Secure Hosting

A lot stands and falls with your hosting, i.e. the server used. According to a study by WP Template, over 40 percent of successful attacks on WordPress sites are attributed to insecure servers. Unfortunately, this part is largely out of your control; you depend on your hoster here. It is therefore important to rely on a good hoster from the start, one that already covers the most important security topics in its hosting.

For example, my websites are all hosted by a special WordPress hoster, namely Raidboxes. A read-only WP core is already included in my hosting there, which means that the most important WordPress data is read-only. In addition, a login protector and IP blocking are included. Preventing file changes in WordPress outside of the dashboard can also be activated.

So you see, with good quality hosting, many possible security gaps for hackers are already neutralized and you have a much easier life.

#2 Avoid outdated WordPress and plugin versions

The second important area is keeping your website up to date, i.e. the WordPress version, the theme you use and the plugins you have installed. As you can probably guess, these are updated and developed for a reason, and often one of those reasons is security: fixing security vulnerabilities that have been found.

Many companies are running websites with outdated plugins and WordPress versions because they don’t think they need the “new features” or think that “the site will break” if they update something. In fact, a majority of successful hacking attacks are due to outdated WordPress instances. Hence: keep your website up to date.

Additional tip at this point: Always use secure plugins. In the WordPress plugin search, for example, the categories “Featured” and “Popular” are a good place to start. On the other hand, you should not use plugins with poor ratings and very few installations.

#3 Use a current PHP version

In addition to the WordPress core and the plugins, you should of course also keep your PHP version up to date. What exactly is PHP, you ask?

PHP is an open source scripting language, which is especially suitable for web programming and is therefore very important for WordPress websites. Similar to WordPress itself, it is constantly being further developed, which is why a new version is usually “supported” for around 2 years. That means bugs and security issues are fixed regularly.

The shocking thing is that over two-thirds of all websites use versions of PHP that are outdated and are currently no longer supported. In most cases this is due to incompatibility with the website code and the website does not work with the latest PHP version. But sticking your head in the sand is certainly not the right solution, because the security gaps are getting bigger and bigger.

By the way: You can set the PHP version of your website with your hoster. At the time of writing (March 2021) the latest PHP version is 8.0.3; versions 7.3.12 and 7.4.13 are still supported.

#4 Strong Passwords

I probably shouldn’t have to mention this tip, but unfortunately it is a sad reality that many users use passwords like “123456” or “password”.

The Admin password for your website should be unique and really secure. If you find it difficult to create a suitable password, use generators such as Strong Password Generator. Apple has already implemented a similar functionality in newer MacBooks. This makes it much easier to create strong passwords and thus protect your website.

Certainly such passwords are more difficult to remember. But there is a workaround for this too: a good free password manager tool is KeePass.

In addition to secure passwords, two-factor authentication is a good way to protect the login area of your own website. Strong passwords combined with a second authentication factor are one of the best defenses against backdoor attacks and brute force login attempts.

#5 Never admin as username

Have you ever looked into brute force attacks on your website? And did you notice that a majority of these attacks try to use the username “admin”? No? Then you know now.

Unfortunately, the default username in WordPress is “Admin” and you as the website owner have to actively rename it. Many hosting providers are now enforcing this, but you should still check here – and this is how it works:

  1. Log in with the existing “Admin” account.
  2. Create a new user and assign him the “Administrator” role.
  3. Now you can log in with your new admin account and simply delete the old admin user.

By the way: With some hosters you can automatically block login attempts via “admin” or blacklist the IP addresses of the attacks directly. This is really a very helpful tool.

#6 Hide your WordPress version

Unfortunately, this tip cannot be implemented in the WordPress dashboard, but it is not complicated.

The idea behind this is that the less attackers know about your WordPress site configuration, the less attack surface there is. If it is visible that you are using an outdated WordPress installation, security gaps can be found quickly. Your WordPress version is displayed in the source code header by default.

However, you can turn off this output by adding a small code snippet to your website. The code must be added to the functions.php of your WordPress theme:

    function wp_version_remove_version() {
        return '';
    }
    add_filter('the_generator', 'wp_version_remove_version');
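The generator tag is not the only place the version shows up: WordPress also appends its own version as a ?ver= query string to core scripts and styles. The following snippet is an added example (not from the original post) that removes both; the function name example_strip_core_version_query is my own, and it assumes the code is placed in your theme's functions.php or a small must-use plugin.

```php
<?php
/**
 * Added example: hide the WordPress version more thoroughly.
 * Assumes this lives in the active theme's functions.php (or an mu-plugin).
 */

// 1. Drop the <meta name="generator" content="WordPress x.y"> tag from <head>.
//    Unhooking wp_generator removes the output entirely; the filter is kept
//    as a belt-and-braces fallback for themes that call the_generator() themselves.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 2. Core assets are enqueued without an explicit version, so WordPress adds
//    ?ver=<WP version> to their URLs. Strip that argument only when it equals
//    the WP version, so cache-busting versions set by themes/plugins still work.
function example_strip_core_version_query(string $src): string {
    $query = wp_parse_url($src, PHP_URL_QUERY);
    if (!$query) {
        return $src;
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('script_loader_src', 'example_strip_core_version_query', 15);
add_filter('style_loader_src', 'example_strip_core_version_query', 15);
```

After adding it, view the page source of your site and confirm that neither the generator meta tag nor a ?ver= matching your WordPress version appears. Note that the readme.html file in the WordPress root also states the version and is served directly by the web server, so restrict or delete that file as well.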

#7 Always work with an admin and an editor login

Last but not least: Don’t just use one login for your website. You do not have to work in the administrator account for editorial adjustments, the creation of a new blog post or similar; an editor account is sufficient for this. If one of your accounts is hacked, you also still have the option of logging into the site with the other login.

Conclusion on security on your website

As you can see, there are numerous relatively easy ways to increase your WordPress security. Basics such as using secure passwords, regularly updating the WordPress core and plugins, but also choosing the right hosting provider should definitely be on your agenda.

Do you have another important WordPress security tip? Then be sure to let me know!
If you have any questions about your website, you are of course welcome to contact me, and we can talk about your project in a free introductory talk 🚀
