7 tips for your website


Not only since the GDPR (DSGVO) came into force has it been important to pay attention to the security of your WordPress installation. Websites are attacked constantly, and a hacked site does not just create data-protection problems: it can also damage your sales and your reputation. Protecting your site is not that difficult. In this article I will show you how to secure your WordPress website in a few simple steps.

Update, update, update!

Tip number 1: always keep WordPress up to date. By default, WordPress installs minor releases (maintenance and security updates) automatically; major version updates you have to install yourself, so check the dashboard regularly instead of relying on the automatic mechanism alone.

By the way, this does not just apply to the WordPress core: plugins and themes must also be updated regularly, because most successful attacks on WordPress sites go through outdated third-party code rather than through the core. (Note: for this reason alone, you should always make your changes to a theme in a child theme, never in the parent theme, because a theme update overwrites the parent theme’s files and with them your changes.)

Assign secure passwords and user rights

Most hacking attempts rely on stolen or guessed passwords. Choosing strong, hard-to-guess passwords, using a different one for every account, and making sure they do not fall into the wrong hands is half the battle.

At Password-Generator.com you can generate secure passwords. The generated passwords are not stored, and you can set the desired password strength (length and character set) with a slider.

Password managers such as my favourite, KeePass for Windows, or MacPass for Mac (KeePass-compatible apps also exist for iPhone, Android and other systems and devices, see the download page) also have a built-in function for generating secure passwords.

In general, I would advise you to store passwords only in programs or apps that keep them encrypted and protect them with a master password (and please pay attention to password strength there as well!). Saving passwords in the browser is not necessarily the most secure option. An alternative is a cloud-based password manager such as LastPass, which you install as a browser add-on. Bear in mind that with a cloud service your encrypted vault sits on someone else’s servers, so the master password has to be strong enough to survive an offline cracking attempt; LastPass customers learned this the hard way when encrypted vault backups were stolen in the 2022 breach.

Please do not write passwords down in plain text (e.g. in a freely accessible Word or Excel document, or in a notebook that you then leave behind on the train or plane…).

And please do not send passwords in plain text by email! Use email encryption, or hand the password over via a different channel from the one you used for the username and login URL (if possible, not Facebook or WhatsApp Messenger).

On the subject of user rights: if several people work on your blog, perhaps a virtual assistant (VA) who enters articles, grant only the rights that are actually needed. Someone who only writes and publishes articles but does not update plugins or change settings does not need an Administrator account; the built-in Author or Editor role is enough. If that account is ever phished, the attacker gets only those limited rights.

Rely on good hosting

Security starts with hosting, and this is not the place to cut corners. If you have no experience administering web servers yourself, choose managed hosting: the hoster then takes care of the important updates to the server software (operating system, web server, PHP and database). Hosters I can recommend are All-inkl.com and Raidboxes.

Only install themes & plugins from safe sources

Only install plugins and themes from the WordPress.org repository or from other trusted sources such as the developer’s own site, and make sure you download the current version. “Free” copies of paid plugins from third-party download sites are a classic way to install a backdoor yourself.

A small rule of thumb that works quite well for me: I always check when the plugin was last updated (and that the last update was not two years ago), whether it is marked as tested with the current WordPress version, and how many active installations it has. That way I can be relatively sure that the plugin will continue to be maintained and is not a “flash in the pan”.

The motto for plugins is: less is more! Install only the plugins you really need, and delete (not just deactivate) the ones you no longer use. Every plugin is code that runs on your server, so every plugin you do not have is one less place for a security gap to appear.

Secure the admin area

Never use admin as the username!

First rule: the administrator account should never be called admin, wp_admin, administrator or root, because those are the first usernames that automated brute-force attacks try. If yours is, rename it via the database (WordPress does not let you change a username in the dashboard), or create a new administrator with a different name and delete the old one, reassigning its posts to the new account. Renaming the login alone is not enough to hide the name: author archives (/?author=1, /author/<slug>/) and the REST API (/wp-json/wp/v2/users) expose the user’s slug (user_nicename) for anyone who has published posts, so change that as well.

Change login URL

By default, the WordPress login page is /wp-login.php, and /wp-admin redirects there for anyone who is not logged in. Of course, that is the first place attackers look. You can change the URL with plugins such as WPS Hide Login or Loginizer. Keep in mind that this is obscurity, not authentication: it makes automated attacks less noisy, but xmlrpc.php also accepts a username and password and should be disabled if you do not use it.

Protect the dashboard via .htaccess

If your site runs on an Apache server, we recommend additional .htaccess protection: HTTP basic authentication placed in front of the login form, so an attacker has to get past a second, independent password before even reaching WordPress. Here you will find good instructions on how to implement such protection.
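As an added example (not from the original article), the following POSIX shell script does the two steps such instructions describe: it creates the .htpasswd entry and prepends an authentication block to the site’s .htaccess. The user name wpadmin and all paths are assumptions. Only wp-login.php is protected, not the whole /wp-admin/ directory, because plugins and themes call wp-admin/admin-ajax.php from the public front end and a basic-auth prompt there would break them; the “ErrorDocument 401 default” line prevents WordPress’s own rewrite rules from turning the 401 response into a redirect loop or a 404.

```sh
#!/bin/sh
# Added example: put HTTP basic authentication in front of wp-login.php.
# User name "wpadmin" and all paths are assumptions, not taken from the article.
set -eu

# Produce one .htpasswd line "user:hash". Prefer bcrypt via Apache's htpasswd;
# fall back to openssl's APR1-MD5 format, which Apache also accepts. The password
# is passed on stdin, so it never appears in the process list or shell history.
htpasswd_entry() {
    user=$1
    password=$2
    if command -v htpasswd >/dev/null 2>&1; then
        printf '%s\n' "$password" | htpasswd -niB "$user"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$user" "$(printf '%s\n' "$password" | openssl passwd -apr1 -stdin)"
    else
        echo "neither htpasswd nor openssl found" >&2
        return 1
    fi
}

# The .htaccess fragment. Only wp-login.php is covered, so admin-ajax.php keeps
# working for visitors; "ErrorDocument 401 default" stops WordPress's rewrite
# rules from catching the 401 error document and looping.
htaccess_fragment() {
    htpasswd_file=$1
    cat <<EOF
# --- BEGIN wp-login.php basic auth ---
ErrorDocument 401 default
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile $htpasswd_file
    Require valid-user
</Files>
# --- END wp-login.php basic auth ---
EOF
}

# Write .htpasswd (ideally outside the document root) and prepend the fragment
# to the existing .htaccess, keeping WordPress's own rules that follow it.
protect_login() {
    docroot=$1        # e.g. /var/www/html
    htpasswd_file=$2  # e.g. /var/www/.htpasswd, not inside docroot
    user=$3
    password=$4

    if [ -f "$docroot/.htaccess" ] && grep -q 'BEGIN wp-login.php basic auth' "$docroot/.htaccess"; then
        echo "login already protected in $docroot/.htaccess" >&2
        return 0
    fi
    ( umask 077; htpasswd_entry "$user" "$password" > "$htpasswd_file" )
    chmod 640 "$htpasswd_file"   # then chown it so the web server's group can read it
    {
        htaccess_fragment "$htpasswd_file"
        if [ -f "$docroot/.htaccess" ]; then cat "$docroot/.htaccess"; fi
    } > "$docroot/.htaccess.new"
    mv "$docroot/.htaccess.new" "$docroot/.htaccess"
}

# Usage (on the server): protect_login /var/www/html /var/www/.htpasswd wpadmin 'long random passphrase'
```

After applying it, open /wp-login.php in a private browser window: you should see the browser’s authentication prompt before the WordPress login form appears. The basic-auth password must be different from the WordPress password, otherwise the second layer adds nothing.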

Use security plugins

There are numerous security plugins such as iThemes Security, Sucuri, Wordfence and NinjaFirewall. In principle you do not strictly need them if you have followed the advice above; what they add is mainly monitoring and rate limiting of failed logins. Important to know: to do that, security plugins usually store visitors’ IP addresses, so you must mention this in your privacy policy. You can find more information about WordPress security plugins and the GDPR here.

Make backups!

For emergencies, not only hacker attacks but also operator errors, you should always have a current backup ready so that you can restore your installation. Good backup plugins are BackWPup or UpdraftPlus. Two caveats: a backup is only useful if it is stored somewhere other than the web server itself (an attacker who takes over your site can also delete backups lying next to it), and only if you have actually tested restoring it once.
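Plugins are the convenient route, but it helps to know what a WordPress backup has to contain: the database, the wp-content directory (uploads, themes, plugins) and wp-config.php. The script below is an added example, not part of the original article and not the code of any of the plugins named above. It reads the database credentials from wp-config.php, dumps the database with mysqldump (credentials passed through a temporary option file rather than on the command line) and packs everything into one archive. The paths, and the presence of mysqldump and tar on the server, are assumptions.

```sh
#!/bin/sh
# Added example: minimal plugin-free WordPress backup. Paths are assumptions.
set -eu

# Extract the value of a define('KEY', 'value') line from wp-config.php.
# Accepts single or double quotes and arbitrary spacing. Values containing a
# quote character are not handled by this deliberately simple parser.
wp_config_value() {
    config=$1
    key=$2
    sed -nE "s/^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]${key}['\"][[:space:]]*,[[:space:]]*['\"]([^'\"]*)['\"].*/\1/p" "$config" | head -n 1
}

# Emit a MySQL option file ([client] section) built from wp-config.php, so the
# password is never visible in `ps`. DB_HOST may be "host", "host:port" or
# "host:/path/to/socket", all of which WordPress accepts.
mysql_client_opts() {
    config=$1
    host=$(wp_config_value "$config" DB_HOST)
    # Option files interpret backslash escapes, so double any backslash.
    password=$(wp_config_value "$config" DB_PASSWORD | sed 's/\\/\\\\/g')
    echo "[client]"
    echo "user=$(wp_config_value "$config" DB_USER)"
    echo "password=\"$password\""
    case $host in
        *:/*) echo "host=${host%%:*}"; echo "socket=${host#*:}" ;;
        *:*)  echo "host=${host%%:*}"; echo "port=${host#*:}" ;;
        "")   echo "host=localhost" ;;
        *)    echo "host=$host" ;;
    esac
}

# Dump the database and pack it with wp-content and wp-config.php into
# $dest_dir/wp-backup-<timestamp>.tar.gz. $dest_dir should not be served by
# the web server; afterwards copy the archive off the machine.
backup_site() {
    wp_root=$1    # e.g. /var/www/html
    dest_dir=$2   # e.g. /var/backups/wordpress
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest_dir/wp-backup-$stamp.tar.gz"
    work=$(mktemp -d)
    trap 'rm -rf "$work"' EXIT

    db=$(wp_config_value "$wp_root/wp-config.php" DB_NAME)
    ( umask 077; mysql_client_opts "$wp_root/wp-config.php" > "$work/my.cnf" )
    # --defaults-extra-file must be the first option; --single-transaction
    # gives a consistent InnoDB snapshot without locking the live site.
    mysqldump --defaults-extra-file="$work/my.cnf" --single-transaction --routines "$db" > "$work/$db.sql"
    gzip "$work/$db.sql"

    tar -czf "$archive" \
        -C "$work" "$db.sql.gz" \
        -C "$wp_root" wp-config.php wp-content
    # A backup you have not verified is not a backup: at least check it is readable.
    tar -tzf "$archive" >/dev/null
    echo "$archive"
}

# Usage (on the server, e.g. from cron): sh wp-backup.sh /var/www/html /var/backups/wordpress
if [ $# -eq 2 ]; then
    backup_site "$1" "$2"
fi
```

Run it from cron as a user that can read wp-config.php but is not the web server user, and ship the archive off-server (rsync or an object-storage client) in the same job. Since wp-config.php holds the database password, the archive is itself sensitive and should be stored with restrictive permissions or encrypted.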

This article was intended to provide a small overview of how you can make WordPress more secure. If you have any questions or suggestions, please use the comment function below the article!