Please note that the following links lead to external sites. Host Europe assumes no responsibility for the correctness and topicality of the content. This article refers to WordPress blogs hosted on a Host Europe web hosting product.
Unfortunately, in recent months we have heard more and more about hacked websites that were created with the CMS (Content Management System) WordPress. But what exactly does it mean for the operators and visitors if the website has been hacked? Strangers (hackers and script kiddies) have gained access to your website through various means in order to misuse it in various ways and harm others. This can range from suddenly advertising for potency-enhancing drugs under your domain to thousands of emails with questionable content. Furthermore, infected WordPress blogs are increasingly being used to carry out targeted attacks on third-party systems. In the end, this falls back on you, so it is important to think about the security aspect in advance.
Here we would like to suggest a few simple but very effective ways to protect yourself and your visitors.
1) Use strong passwords & usernames
Please always use secure passwords and, if possible, secure user names. For example, it is not advisable to use “admin” as the user name, even if this is suggested during installation. Why? Simply because most administrators use “admin”, the attacker already has 50% of the data they need to log into the administrator area. But if, for example, you use “HostEurope2013” as the user name and then ideally also “my%pass&is!safe” as the password, you make it more difficult for the attacker to get to the data. In general, don’t use any word as a password that appears in any dictionary in the world! The same applies to FTP access or databases, although you are not 100% free to choose the username from Host Europe, as we already specify a part. The use of secure passwords is all the more important here. Please do not use the data given above, these are only intended to illustrate how to create a secure configuration! Please use your own user names and passwords! A good password generator can be found in the KIS under the point Customer Account – Password & Username.
2) Keep your website up to date!
This applies not only to the editorial part but at least as much to the technical part. The developers release updates for this CMS at irregular intervals. These should be uploaded to your website in a timely manner, since these updates close security gaps that have come to light in the course of operation. There are now several major versions of the popular WordPress CMS:
WordPress 1.x (no more updates–version 1.5 was released on 02/17/2005)
Wordpress 2.x (no more updates–version 2.9 was released on 12/18/2009)
Wordpress 3.x (no more updates–version 3.9.27 was released on 03/13/2019)
Wordpress 4.x (is no longer supported, but still receives some security updates)
Wordpress 5.x (latest officially supported version)
As you can see from the listing above, versions 1 & 2 are no longer supported. This means that there will be no more updates for these versions. It is therefore important to switch to the latest version 4.x.
Unfortunately, as soon as there is an update, the potential attackers also find out about it and they then look for any new security gaps that may exist. So it’s really important here to check regularly for updates. In the WordPress backend, the menu bar shows you whether an update is available.
Now just click on the icon and you will be shown all available updates. In addition to the actual WordPress updates, the updates for the templates and the installed plugins are also displayed here. Very important: Before performing the updates, make a backup of your blog. If something goes wrong with the update, you can restore the backup and not lose your entire blog! You are welcome to start a backup “on the fly” via the HIS. A detailed FAQ article on the subject of backup “on the fly” can be found here.
3) Save your upload directory!
The most common type of malware infection is via uploaded PHP files. You can easily protect yourself against this, you only have to create an .htaccess with the following content in your wp-content/uploads directory:
php_flag engine off
4) Backup, backup & backup again!
Host Europe creates a backup of your website every night. This includes the data on the server and the associated databases. You have access to the backups of the last 14 days and can import them again at any time via your KIS access. A corresponding FAQ article can be found here. Due to manual actions, a database restore can only be carried out during business hours (Mon-Fri 9 a.m. – 5 p.m.). However, you should always have your own backup of your data (web space, database) so that you can restore it yourself at any time. This saves you time and you are on the safe side. There are useful components for this, such as BackUpWordPress. With this component, you can create backups at defined times – fully automatically. You can find this plugin under the link: wordpress.org/plugins/backupwordpress/
5) Protect your administration area!
Anyone who has ever dealt with WordPress knows how to access the admin panel. This can always be reached at
and also under
. This is also known to the attackers. A simple but effective way to protect yourself is to protect this area with access protection.
Here you can work with a .htaccess file that prevents access to wp-login.php and the subdirectory /wp-admin. The .htaccess server file (usually used by WordPress to control the permalinks), which is already present in most cases, is expanded by 2 code blocks with minimal path adjustments. You also need a .htpasswd file with access data that also belongs in the main directory of your blog.
Note: Below is an example of such an htaccess file. Please note that this access protection in the .htaccess does not apply if you are using a WebPack M, since only permalink rules are executed here.
Instructions for access protection via .htaccess
- Please create an empty file named .htpasswd in the root of your blog.
- Please open the created file with an editor. We recommend notepad++ or pspad. In our FAQ area, pspad is available under Downloads.
- Call up the htaccess generator under the following link at www.htaccesstools.com/htpasswd-generator/ and enter the desired user name and a secure password in the input fields – this combination of user name and password is the access for the .htaccess query. The string generated by the htpasswd generator is inserted into the opened .htpasswd file and saved.
- Open the .htaccess file in the editor and add the code below. Please note that the path to .htpasswd must be adjusted so that the server can also find and load this file. If you don’t know the correct path, put a PHP file with the following content on your package:
- Save changes and check the result.
Access protection + internal protection for system files (htaccess code)
Require all denied
The path to htpasswd must then be entered correctly in the file. You can find the path information in the HIS under Product management – Your product area – Configuration – General – General information Here you will find an entry “Path” in the “General” table. This is the path on our server to your package.
There are many other options to protect the backend from access, from URL extensions to WordPress Firewall etc. However, since this is all generated via plugins and you can never be sure whether these plugins will ultimately lead to a security problem, we concentrate us here on the simple ways, which are usually the best and most effective.
6) Secure your extensions with Captcha queries
If you operate forms, guest books or forums under WordPress, it is important that you secure them accordingly. Various Captcha plugins are available here. It is advisable to research in advance whether there are any recommendations for the plugins used. Sometimes captchas are already integrated or prepared in the plugin. A small overview of proven captchas for WordPress blogs can be found here:
Also check whether you are actually using all installed plugins and modules on your website. You often test different extensions during the creation of the website, but ultimately do not use them at all. These extensions are usually not maintained either, thus providing easy ways for strangers to infect your website. Please uninstall these unused extensions via the backend.
7) Customize, optimize and secure file permissions!
Many users set the file permissions very high because this way you can prevent problems with your WordPress blog or the installed components, modules or plugins. While this is understandable, it doesn’t make sense because you also allow attackers to abuse these rights. We therefore recommend the following assignment of rights:
- User: ftpXXXXX
- Group: wpXXXXX
- all directories get the rights 750
- all files are given 640 permissions
The following directories require the rights 770 so that WordPress can work correctly:
For these directories, please set the permissions recursively (this means that these permissions apply to the directory and all subdirectories):