WordPress Sicherheit Blog

All about WordPress security

Is WordPress Safe? Yes. Read on…

For us, WordPress is by far the best system for the vast majority of websites from small and medium-sized companies.

In consultations with new customers, we regularly explain what the WordPress software is and where its advantages lie. But we also point out what needs to be considered in connection with WordPress. One of those points is security.

There is always a discussion about WordPress security among web developers and web designers – and that’s exactly what we’re talking about in this blog article.

First of all: WordPress itself is a very secure system. If your website has a WordPress site However, you have to consider a few user-related points – more on that in a moment.

What is WordPress?

WordPress is a content management system (CMS for short) on which around 30% of all websites on the Internet are currently based. Originally, WordPress was blogging software – and it still is. But through the use of extensions, virtually anything is possible with WordPress. For example, smaller and larger company sites, portals or also online stores can be realized very well with WordPress.

As an inset – what are extensions?

Extensions are mainly themes and plugins. Themes ensure the graphic design of websites, while plugins are small software programs that bring functionality to the website.

In addition to the practical extensions, WordPress offers a user-friendly interface for the complete administration of websites. Content can be created quickly, and the appearance and functions of the site can be easily changed. Programming knowledge is not required for this.

Why do we use WordPress?

Thanks to the countless extensions for WordPress, we are able to find an individual solution for each customer.

We also see a big advantage in the CMS function: In principle, every customer can easily and independently exchange images and texts and manage and maintain the site themselves.

But perhaps the most important thing: Independence. The developer community behind WordPress is huge, WordPress is constantly being further developed, it is an open system – which ultimately also guarantees our customers independence and long-term sustainability. Who would want to be tied to a small, unknown system from a single provider?

But back to the fact that there are a lot of WordPress sites on the internet… that’s why WordPress security is such an important topic! And: WordPress is safe – but please note the following points:

1. Updates

The most important thing for WordPress are UPDATES. It is fundamentally important to regularly update the WordPress software and all plugins and themes on the site. This is because updates fix security vulnerabilities (and often add new features that may be useful.)

WordPress distinguishes between large and small updates. The small updates usually only fix security gaps and eliminate bugs, while the larger updates add new functions or improvements. However, you should run every update, big or small. The minor security updates are done automatically since WordPress 3.7.

Incidentally, updates are a normal routine for us at Christmann & Woll: All websites that we maintain for customers are updated daily and also at the weekend.

2. Backups

Before each update, you should create a backup of your website, eg in case there are problems with an update. Another advantage: If your WordPress site has been hacked – which of course can happen despite all security measures – you can more easily restore your site with the help of the backup.

Lots hoster make regular backups. If your host doesn’t offer this service, there are several other services that will do it for you. This is also quite normal for us: We back up before every update.

3. WordPress Security Plugins

For additional security, WordPress has various security plugins such as “iThemes Security” or “Wordfence Security”. These plugins also protect your website from various hacker attacks.

However, please note the requirements of the GDPR. Many of these plugins use the visitor’s IP address to protect the website. It is imperative that this function be deactivated.

4. Sources of Themes and Plugins

Another important topic in terms of WordPress security: the themes and plugins. Both are often a source of security problems. You should therefore make sure that you only install themes and plugins from well-known developers – and avoid “woods and meadows plugins”. It is helpful to look at how many WordPress sites use the extension and whether there are any reviews.

Furthermore, you should definitely consider not to install any unnecessary extensions and to remove or deactivate unused plugins and themes from your website.

5. Outdated themes and plugins

You should also remove outdated plugins and themes from your WordPress. Because when a development has been discontinued and no new updates are released, security risks arise. And that’s really dangerous.

6. Passwords and Users

As with any other platform, a weak password such as “123456” or your date of birth can pose a high security risk. So you should also use a strong password for your WordPress that cannot be cracked by hackers.

Random letters, numbers, and characters that are so complicated you can’t remember them are especially recommended. For this we recommend a password container (e.g. “LastPass”) and a password generator.

By the way: The more user profiles your WordPress has, the more entry gates there are for hackers. Therefore you should reduce your accounts to a minimum and use secure passwords for them. Another tip: Do not name your administrator account “admin” or “wp-admin”.

7. Configuration file and database

Additional changes can be made in the WordPress configuration file “wp-config.php” to make your website more secure. However, caution is advised here, since incorrect changes to the file can also paralyze the entire installation. If you make changes here, as always, make sure to create a backup of the website beforehand.

The individual posts, pages, etc. are stored in a MySQL database in WordPress. By default, each table in this database has the table prefix wp_. You should change this prefix during the installation of WordPress to ensure more security.

8. Login area

In order to avoid so-called brute force attacks, in which attempts are made to crack the password through many different attempts, it makes sense to limit the number of login attempts. We recommend the “Limit Login Attempts” plugin for this.

In addition, with every new WordPress installation, the admin area can be reached by default under /wp-admin. The best way to protect the login area is to use a plugin such as “Rename wp-login.php” to rename this area and make it more difficult to access.


By integrating an SSL certificate into your website, the page is switched to “https”. This means that all form entries such as contact forms or login data are transmitted in encrypted form. This means that user data cannot be intercepted.

Many hosters offer SSL certificates in addition to hosting. The free “LetsEncrypt” solution, which is completely sufficient for most websites, is now also widespread. Incidentally, LetsEncrypt was founded by Google and other large Internet companies – to make the network more secure.

10. Hosters

The security of the server on which your website is located also plays a major role. When making your selection, pay attention to security certificates and the quality and support of the provider.

Why is WordPress more secure than self-programmed CMS systems?
Behind a CMS like WordPress is a huge army of developers. In addition, countless security companies deal with the security of WordPress and other well-known CMS providers. A developer of a small, self-developed CMS cannot provide this level of security.

Of course, there are now more interested parties on the Internet who want to find security gaps in WordPress than in the small individual solution. Nevertheless, a targeted attack on a self-developed CMS is much easier than on a WordPress site.

We personally advise our customers against these “small” CMS solutions. Why? In our view, our customers do not gain any advantage from this. On the contrary: You bind yourself to a provider in the long term and thus become dependent.


WordPress is very secure if you just follow the rules above.

With a few simple steps, regular updates and the right choice of plugins, themes and passwords, you can make your website secure.

Finally, something personal: Both Sascha Woll and Lina Christmann from Christmann & Woll have been working with WordPress for more than ten years and neither of them have ever “lost” a website.

We are therefore convinced: For most small and medium-sized companies, WordPress is the best system – and also a secure system!

wordpress sicherheit Previous post WordPress security – Basics & professional tips for securing WordPress
Next post WordPress Security – Protect websites from attacks and failures – WordPress Agency Munich