Increase WordPress Security | WP agency Webtimiser

WordPress is a great blog and CMS system, but out of the box it leaves something to be desired in terms of security. By adjusting the default settings and using a few plugins, however, you can protect your website against attacks very well. I have put together some important tips for improving WordPress security.

WordPress Security Tips

1. WordPress security through updates

WordPress regularly provides updates. These not only bring new features, but also fix vulnerabilities that have become known. By updating to the latest version, you reduce the risk of attacks.

Of course, this also applies to plugins. You should also update these regularly.

2. Do not use “Admin” as username

Admin is the first username an attacker will use to try to hack your website. It is best to delete the “Admin” user and create a new administrator.

Here’s how:

  • First log in with the existing admin account.
  • Then create a new user. Of course, you still have to assign it the “Administrator” role.
  • Now you can log in with your new admin account and delete the old admin user.

3. Use strong passwords

Passwords like “12345” are still very common and easy for attackers to guess. Therefore, you should use strong passwords. These should be at least 8 characters long and contain special characters (%, #, …) and numbers.


4. Rename login area

The WordPress admin area can be reached by default at www.meineseite.de/wp-admin. To protect this access, you can simply rename it with the WPS Hide Login plugin. It will then be available at a URL of your choice, for example www.meineseite.de/meine-anmeldung.

With WPS Hide Login you simply rename the admin login.

5. Limit the number of login attempts

Unfortunately, WordPress does not offer a way to limit the number of login attempts. To prevent brute force attacks, we recommend installing the Limit Login Attempts Reloaded plugin.


There you can set the number of login attempts in the settings. In addition, IP addresses can also be blocked. If you want, you can also be informed by email about failed login attempts.
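As an added example (not from the original post, and independent of the plugin), the following Python script flags IP addresses with repeated failed login attempts in Apache access-log lines. It relies on the fact that a failed login re-renders wp-login.php (HTTP 200) while a successful one redirects to the dashboard (HTTP 302); the log lines, IP addresses and thresholds are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')

# Constructed sample: six failed POSTs from one address within ten seconds,
# then a normal user who mistypes once and succeeds on the second try.
_LINE = '{ip} - - [10/Oct/2023:13:55:{sec:02d} +0000] "{req} HTTP/1.1" {status} 4523 "-" "Mozilla/5.0"'
SAMPLE_LOG = [_LINE.format(ip="203.0.113.7", sec=s, req="POST /wp-login.php", status=200)
              for s in range(1, 12, 2)] + [
    _LINE.format(ip="198.51.100.2", sec=30, req="GET /wp-login.php", status=200),
    _LINE.format(ip="198.51.100.2", sec=40, req="POST /wp-login.php", status=200),
    _LINE.format(ip="198.51.100.2", sec=50, req="POST /wp-login.php", status=302),
]

def failed_logins(lines, path="/wp-login.php"):
    """Yield (ip, timestamp) for every POST to the login page answered with 200."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed or differently formatted line
        ip, ts, method, url, status = m.groups()
        if method == "POST" and url.split("?")[0] == path and status == "200":
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")

def brute_force_sources(lines, limit=5, window=timedelta(minutes=10)):
    """Return {ip: peak attempts} for IPs with more than `limit` failures in any `window`."""
    attempts = defaultdict(list)
    for ip, ts in failed_logins(lines):
        attempts[ip].append(ts)
    flagged = {}
    for ip, times in attempts.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[ip] = peak
    return flagged

if __name__ == "__main__":
    print(brute_force_sources(SAMPLE_LOG))  # {'203.0.113.7': 6}
```

Behind a reverse proxy or CDN the real client address is usually carried in the X-Forwarded-For header rather than the first log field, so the pattern has to be adjusted for such setups.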


6. Protect WordPress login area

The best way to secure the login area is server-side protection. This protects the login page itself with an additional username and password, enforced by the web server before the request even reaches WordPress.

Disadvantage: You have to set up this protection via the .htaccess file. And you have to remember additional login data.

But you are quite well protected against brute force attacks on the login area.
I have described in detail in this tutorial how you can secure the WP login with this method.


7. Change table prefix

When installing WordPress, all database tables are created with the prefix “wp_”. You can easily change this in the configuration file wp-config.php.

Replace the default prefix with a new one:

$table_prefix  = 'wp_';     // default prefix
$table_prefix  = 'y2rmd_';  // new, hard-to-guess prefix
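On an existing installation, changing $table_prefix in wp-config.php is only half the job: the tables themselves must be renamed, and a few rows carry the prefix in their key names (for example wp_user_roles in the options table and wp_capabilities in usermeta). The following Python function, an added example that is not part of the original post, generates the MySQL statements for that migration; the table list covers the core tables only, and a database backup before running the output is assumed.

```python
# Core WordPress tables without their prefix; plugin tables would be added here.
CORE_TABLES = (
    "commentmeta", "comments", "links", "options", "postmeta", "posts",
    "term_relationships", "term_taxonomy", "termmeta", "terms", "usermeta", "users",
)

def build_prefix_migration(old, new, tables=CORE_TABLES):
    """Return the MySQL statements that move a WordPress database from `old` to `new`."""
    for prefix in (old, new):
        if not prefix.endswith("_") or not prefix[:-1].replace("_", "").isalnum():
            raise ValueError(f"invalid prefix {prefix!r}: letters, digits, '_' only, ending in '_'")
    stmts = [f"RENAME TABLE `{old}{t}` TO `{new}{t}`;" for t in tables]
    # In LIKE patterns '_' is a single-character wildcard, so escape it; otherwise
    # 'wp_%' would also match keys such as 'wpxfoo'.
    like = old.replace("_", r"\_") + "%"
    # Rows whose key starts with the prefix: user_roles in options, capabilities
    # and user_level (among others) in usermeta. SUBSTRING is 1-based in MySQL.
    for table, column in (("options", "option_name"), ("usermeta", "meta_key")):
        stmts.append(
            f"UPDATE `{new}{table}` SET {column} = CONCAT('{new}', "
            f"SUBSTRING({column}, {len(old) + 1})) WHERE {column} LIKE '{like}';"
        )
    return stmts

if __name__ == "__main__":
    print("\n".join(build_prefix_migration("wp_", "y2rmd_")))
```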

8. Prohibit editing theme files via admin panel

Once an attacker gains access to the admin panel, they can easily make changes through the theme and plugin editor and, of course, install malware.
You can easily disable this editor with a single line in the wp-config.php file.

define('DISALLOW_FILE_EDIT',true);

9. Change security key

When a user logs into WordPress, cookies containing user information are automatically generated. To make sure these cannot be manipulated, you should definitely enter the security keys in the wp-config.php file.

define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');

Replace ‘put your unique phrase here’ with a randomly generated security key for each entry. You can have them generated on the page https://api.wordpress.org/secret-key/1.1/.
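As an added example (not from the original post), the following Python script generates the eight keys locally with the secrets module, which achieves the same effect as the generator page without sending a request, and checks an existing wp-config.php for keys that are still the placeholder, missing, or suspiciously short; the 32-character threshold and the character set are assumptions.

```python
import re
import secrets
import string

KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)
PLACEHOLDER = "put your unique phrase here"
# Letters, digits and punctuation, minus the quote and backslash that would
# break a single-quoted PHP string.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"
# Matches define('NAME', 'value') with optional whitespace, as in wp-config-sample.php.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)")

def generate_salts(length=64):
    """Return one define() line per key name, each with a fresh random value."""
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(ALPHABET) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return lines

def weak_keys(config_text, min_length=32):
    """Names of keys that are missing, still the placeholder, or shorter than min_length."""
    found = {m.group(1): m.group(2) for m in DEFINE_RE.finditer(config_text)}
    return [name for name in KEY_NAMES
            if name not in found or found[name] == PLACEHOLDER or len(found[name]) < min_length]

if __name__ == "__main__":
    print("\n".join(generate_salts()))  # paste the output into wp-config.php
```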

10. Check FTP file permissions

On the web server you can set certain rights (read, write, execute) for files and folders. It is best to set folders to 775 and files to 644.
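As an added example that is not part of the original post, this Python function walks a WordPress directory and lists every folder or file whose mode differs from the target (775 for folders and 644 for files, as above). The stricter mode for wp-config.php and the demo tree with one deliberately world-writable file are assumptions, constructed so the check runs offline.

```python
import os
import stat
import tempfile

def audit_permissions(root, dir_mode=0o775, file_mode=0o644, overrides=None):
    """Return sorted (relative path, actual mode) pairs for entries not matching the target.

    `overrides` maps a relative path to its own expected mode, e.g. a stricter
    mode for wp-config.php, which holds the database credentials.
    """
    overrides = overrides or {}
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, dir_mode) for d in dirnames] + [(f, file_mode) for f in filenames]
        for name, want in entries:
            path = os.path.join(dirpath, name)
            if os.path.islink(path):
                continue  # a symlink's own mode is not meaningful
            rel = os.path.relpath(path, root)
            mode = stat.S_IMODE(os.lstat(path).st_mode)
            if mode != overrides.get(rel, want):
                findings.append((rel, format(mode, "o")))
    return sorted(findings)

def demo():
    """Constructed tree: correct modes except a world-writable file in uploads
    and a wp-config.php left at the generic 644 instead of the stricter 640."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    for rel in ("wp-content", "wp-content/uploads"):
        os.chmod(os.path.join(root, rel), 0o775)
    files = {"index.php": 0o644, "wp-config.php": 0o644, "wp-content/uploads/stray.php": 0o777}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    return audit_permissions(root, overrides={"wp-config.php": 0o640})

if __name__ == "__main__":
    for rel, mode in demo():
        print(f"{mode}  {rel}")
```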

11. Backup

You should back up the WordPress database and content at regular intervals. The easiest way to set this up is via backup plugins such as UpdraftPlus. Additionally, you can also clone the entire site with Duplicator.

I explained how important regular backups are and how to back up WordPress with UpdraftPlus in the How to create a WordPress backup with UpdraftPlus guide.


12. Use SSL

Switch WordPress to HTTPS. Data transmission is then secured by SSL/TLS encryption. This not only encrypts form entries, but also the login data for the admin area.

13. Firewalls

There are numerous firewall plugins for WP. I prefer to use NinjaFirewall here.


This allows WordPress to be secured well and reliably. In addition, the plugin can be used in compliance with the GDPR (DSGVO) and hardly affects loading times.