WordPress is a very good blog and CMS, but unfortunately its default installation is not fully hardened. By adjusting the default settings and using a few plugins, however, you can protect your website against attacks quite well. I have put together some important tips for improving WordPress security.
WordPress Security Tips
1. WordPress security through updates
WordPress regularly provides updates. These not only bring new features, but also fix vulnerabilities that have become known. By updating to the latest version, you reduce the risk of attacks.
Of course, this also applies to plugins: update them regularly as well.
2. Do not use “Admin” as username
“Admin” is the first username an attacker will try when attempting to break into your website. It is best to delete the “Admin” user and create a new administrator:
- First log in with the existing admin account.
- Then create a new user. Of course, you still have to assign it the “Administrator” role.
- Now you can log in with your new admin account and delete the old “Admin” user.
3. Use strong passwords
Passwords like “12345” are still very common and easy for attackers to guess. You should therefore use strong passwords: at least 8 characters, including special characters (%, #, …) and numbers.
4. Rename login area
The WordPress admin area can be reached by default at www.meineseite.de/wp-admin. To protect this entry point, you can simply rename it with the WPS Hide Login plugin. It will then be reachable at, for example, www.meineseite.de/meine-anmeldung.
With WPS Hide Login you simply rename the admin login.
5. Limit the number of login attempts
Unfortunately, WordPress itself does not offer a way to limit the number of login attempts. To prevent brute-force attacks, we recommend installing the Limit Login Attempts Reloaded plugin.
In its settings you can set the number of permitted login attempts. IP addresses can also be blocked, and if you wish you can be notified by email about failed login attempts.
6. Protect WordPress login area
The best way to secure the login area is server-side protection, which protects the login page itself with a username and password.
Disadvantage: you have to set this up via the .htaccess file, and you have to remember an additional set of login credentials.
In return, you are quite well protected against brute-force attacks on the login area.
I have described in detail in this tutorial how you can secure the WP login with this method.
7. Change table prefix
When WordPress is installed, all database tables are named with the prefix “wp_”. You can change this easily in the configuration file wp-config.php. Note that on an existing installation the database tables themselves must be renamed to match the new prefix, otherwise WordPress will no longer find its data; on a fresh installation it is enough to set the prefix before running the installer.
Replace the default prefix
$table_prefix = 'wp_';
with a new, random-looking one such as
$table_prefix = 'y2rmd_';
8. Prohibit editing theme files via admin panel
Once an attacker gains access to the admin panel, they can easily make changes through the theme and plugin editor, and of course install malware.
You can disable this option with a single line in the wp-config.php file.
9. Change security key
When a user logs into WordPress, cookies containing user information are generated automatically. So that these cannot be forged, you should definitely set the security keys and salts in wp-config.php:
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
Replace ‘put your unique phrase here’ with a randomly generated security key. You can have these generated at https://api.wordpress.org/secret-key/1.1/.
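To check that tips 7, 8 and 9 have actually been applied, here is a small audit script (an added example, not code from this article or from WordPress). It parses a wp-config.php, skips commented-out lines, and reports a default table prefix, a missing DISALLOW_FILE_EDIT (the constant WordPress uses to disable the theme and plugin editor), and any key or salt that is still the placeholder; the function names and the 32-character minimum length are my assumptions, and the sample config is constructed.

```python
"""Audit a wp-config.php for tips 7, 8 and 9 (added example; helper names are assumptions)."""
import re

PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
MIN_KEY_LEN = 32  # assumption: api.wordpress.org hands out 64-char keys, so shorter is suspect

# define('NAME', 'value');  define("NAME", "value");  define('NAME', true);
DEFINE_RE = re.compile(
    r"""define\s*\(\s*['"](\w+)['"]\s*,\s*(?:'([^']*)'|"([^"]*)"|(true|false))\s*\)\s*;""",
    re.IGNORECASE)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*(?:'([^']*)'|"([^"]*)")\s*;""")


def parse_config(text):
    """Return (table_prefix or None, {constant: value}); PHP line comments are skipped first."""
    active = "\n".join(l for l in text.splitlines()
                       if not l.lstrip().startswith(("//", "#")))
    defines = {}
    for name, sq, dq, flag in DEFINE_RE.findall(active):
        defines[name] = (flag.lower() == "true") if flag else (sq or dq)
    m = PREFIX_RE.search(active)
    return ((m.group(1) or m.group(2)) if m else None), defines


def audit_config(text):
    """Return a list of findings; an empty list means every check passed."""
    prefix, defines = parse_config(text)
    findings = []
    if not prefix or prefix == "wp_":
        findings.append("tip 7: $table_prefix is missing or still the default 'wp_'")
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("tip 8: DISALLOW_FILE_EDIT is not defined as true")
    for name in KEY_NAMES:
        value = defines.get(name)
        if not isinstance(value, str) or value == PLACEHOLDER or len(value) < MIN_KEY_LEN:
            findings.append(f"tip 9: {name} is missing, a placeholder or too short")
    return findings


# Constructed sample, not from a real site: only AUTH_SALT has been replaced,
# the prefix is the default, and DISALLOW_FILE_EDIT is merely commented out.
SAMPLE_CONFIG = """<?php
$table_prefix = 'wp_';
// define('DISALLOW_FILE_EDIT', true);
define('AUTH_KEY',  'put your unique phrase here');
define('NONCE_KEY', "put your unique phrase here");
define('AUTH_SALT', 'k]Mu+2#fQwz8}Yn&~1vC^eR4pLoD0gH7sTbX(a3J5');
"""
```

Running audit_config(SAMPLE_CONFIG) yields nine findings: the default prefix, the inactive DISALLOW_FILE_EDIT, and seven keys that are either placeholders or absent.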
10. Check FTP file permissions
On the web server you can set permissions (read, write, execute) for files and folders. It is best to set folders to 775 and files to 644.
11. Create regular backups
You should back up the WordPress database and content at regular intervals. The easiest way to set this up is with backup plugins such as UpdraftPlus. You can also clone the entire site with Duplicator.
I have explained how important regular backups are and how to back up WordPress with UpdraftPlus in the guide “How to create a WordPress backup with UpdraftPlus”.
12. Use SSL
Switch WordPress to HTTPS, so that data transmission is protected by SSL/TLS encryption. This encrypts not only form entries, but also the login data for the admin area.
13. Use a firewall plugin
There are numerous firewall plugins for WP. I prefer to use NinjaFirewall.
It secures WordPress well and reliably. In addition, the plugin can be used in compliance with the DSGVO (GDPR) and hardly affects loading times.