Make WordPress secure – practical tips

Category: WordPress tips

WordPress is the most widely used content management system in the world. Due to the numerous blogs and forums dealing with WordPress, you can get an answer to almost every question. However, this popularity also has disadvantages – because there are so many WordPress installations, it is worthwhile for hackers to look for security holes and target WordPress websites. It is therefore absolutely necessary to secure your own WordPress site against hacker attacks. The tips described here can significantly improve the security of your own WordPress installation. Also make sure your site is SSL encrypted.


Change default table prefix wp_

When installing WordPress, you should change the default table prefix wp_ to a custom one, so that your installation differs from the many others that keep the default. With the default prefix, the tables are named wp_content, wp_options and so on. This uniform naming makes automated attacks on these database tables easier, so changing the table prefix is recommended to increase security against automated attacks.

The default setting of the table prefix in wp-config.php, wp_, should be changed to an individual database prefix.

Use strong password

In the next step of the WordPress installation, the password is entered. Take care to choose a password that potential attackers cannot guess: it should contain upper- and lower-case letters as well as numbers. The password suggested by WordPress is a good choice if you do not want to come up with your own secure password.

Protect WordPress login with .htaccess

To keep attackers from even reaching the login page, wp-login.php can be protected with .htaccess access control. Access to the login page is then password-protected before you get to the actual password prompt of the WordPress backend, so two user/password combinations must be entered before you can log into the backend.

First you have to determine the absolute path of the directory containing the .htaccess file. To do this, save the following as pfad.php and upload it via FTP to the directory in which the .htaccess file is located:

<?php
// Print the absolute path of the directory this file was uploaded to
$pfad = dirname(__FILE__);
echo $pfad;
?>

Then open http://www.ihredomain.de/pfad.php in the browser and the absolute path appears on the screen. Copy this path and then delete pfad.php, since the file discloses the server path.

In the next step, insert the following code into .htaccess, replacing absoluterPfad with the path you just copied.

<Files wp-login.php>
AuthType Basic
AuthName "Passwortabfrage"
AuthUserFile absoluterPfad/.htpasswd
Require valid-user
</Files>

Now an empty file called .htpasswd must be created. The user name and the hashed password are entered in this file.

To do this, go to http://www.htpasswdgenerator.de/, choose a username and password, leave the encryption method at md5 and click Generate .htpasswd at the bottom right. Copy the content of the Result field into the .htpasswd file and upload this file to the server's root directory, i.e. the directory given in AuthUserFile.

If all of these steps have been carried out correctly, the next time you access the login page, you will be asked for a password before you get to the WordPress login form.
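As an added example that is not from the original article or the generator site, the following Python code produces an .htpasswd line in the same $apr1$ MD5 format (Apache's apr_md5_encode algorithm) and checks a password against it. The function names are chosen here and the sample credentials in the usage are constructed.

```python
import hashlib
import secrets

# Alphabet of Apache's to64() encoding; also used here for random salts
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _to64(value, count):
    # Emit `count` characters, least significant 6 bits first
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(count))


def apr1_md5(password, salt):
    """Apache's $apr1$ scheme: salted MD5 with 1000 stretching rounds (apr_md5_encode)."""
    pw, salt = password.encode(), salt[:8].encode()   # Apache uses at most 8 salt chars
    ctx = hashlib.md5(pw + b"$apr1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for remaining in range(len(pw), 0, -16):
        ctx.update(alt[:min(16, remaining)])
    i = len(pw)
    while i:                    # one byte per bit of the password length
        ctx.update(b"\0" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for rnd in range(1000):     # stretching: re-mix pw, salt and the running digest
        h = hashlib.md5(pw if rnd & 1 else final)
        if rnd % 3:
            h.update(salt)
        if rnd % 7:
            h.update(pw)
        h.update(final if rnd & 1 else pw)
        final = h.digest()
    groups = [(0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)]
    out = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in groups)
    return "$apr1$%s$%s" % (salt.decode(), out + _to64(final[11], 2))


def htpasswd_line(user, password):
    """One .htpasswd line with a fresh random 8-character salt."""
    salt = "".join(secrets.choice(ITOA64) for _ in range(8))
    return "%s:%s" % (user, apr1_md5(password, salt))


def check_htpasswd_line(line, user, password):
    """Re-hash with the stored salt and compare in constant time."""
    name, _, stored = line.partition(":")
    parts = stored.split("$")           # ['', 'apr1', salt, hash]
    if name != user or len(parts) != 4 or parts[1] != "apr1":
        return False
    return secrets.compare_digest(apr1_md5(password, parts[2]), stored)
```

Calling htpasswd_line("editor", "Sommer-2016!") yields a line you can paste into .htpasswd; check_htpasswd_line re-computes the hash with the stored salt, which is exactly what Apache does on each request.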

Lock wp-config.php through .htaccess

In addition to numerous other details, the WordPress configuration file also contains the access data for the WordPress database. To prevent attackers from reading this data, access to wp-config.php can be blocked via .htaccess. All you have to do is insert the following code snippet into .htaccess (this is the Apache 2.2 syntax; on Apache 2.4, Require all denied inside the files block has the same effect).

<files wp-config.php>
order allow,deny
deny from all
</files>

Perform regular updates

WordPress is constantly being developed and new versions are released regularly, so it is important to update the WordPress installation regularly. WordPress points out these updates in the backend, and you can apply them without any problems via Please update now.

With this approach, you control when the update to the new WordPress version takes place. If you always want the latest WordPress version installed, updates can also be done automatically. Adding the following line to wp-config.php makes WordPress update itself automatically.

define( 'WP_AUTO_UPDATE_CORE', true );

However, note that automatic updates may at least temporarily take your site down or produce error messages if the installed theme or certain plugins are not compatible with the new WordPress version. Therefore, back up the website regularly.

A recommended way to avoid the problems described above is to carry out only the so-called minor updates automatically. These updates only fix security flaws and bugs and add no new functions. An update from version 4.5.1 to 4.5.2 is a minor update, while an update from 4.5 to 4.6 is a major update. Minor updates do not cause theme or plugin compatibility problems, whereas major updates may.

So if you only want the smaller (minor) updates carried out automatically and continue to carry out the major updates yourself, add this line to wp-config.php:

define( 'WP_AUTO_UPDATE_CORE', 'minor' );

Plugins can also be updated automatically, but since many installations use numerous plugins, it is better to update them regularly by hand; otherwise the constant plugin updates can cause compatibility problems.

Unused plugins or themes should be deleted completely, as these files also pose a potential security risk.

Turn off PHP error reporting

Displaying PHP errors is useful while developing a website, as it lets you find and fix problems quickly. Once the site is online, however, displaying PHP errors has a serious disadvantage and should be turned off: some PHP errors reveal the absolute path of the PHP file, which can make attacking the website much easier. Disable PHP error reporting in the live environment with the following code in wp-config.php.

ini_set('display_errors', 'Off');    // never show errors to visitors
ini_set('error_reporting', E_ALL);   // still record all errors in the PHP error log, if logging is enabled
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
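The checks from the table prefix, automatic update and error reporting sections, as an added example that is not part of the original article: a small Python audit that parses a wp-config.php and reports settings that differ from the recommendations. The two config fragments are constructed, and the function names are chosen here.

```python
import re

# Constructed wp-config.php fragments (not from a real site): the weak defaults
# discussed in the article, and the hardened settings it recommends.
WEAK_WP_CONFIG = """
$table_prefix = 'wp_';
define( 'WP_AUTO_UPDATE_CORE', false );
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_DISPLAY', true );
"""
HARDENED_WP_CONFIG = """
$table_prefix = 'k9x_';
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*(true|false|'[^']*'|"[^"]*")\s*\)""")
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_wp_config(text):
    """Return (table prefix or None, {constant: value}) for the define() calls found."""
    consts = {}
    for name, raw in DEFINE_RE.findall(text):
        consts[name] = {"true": True, "false": False}.get(raw, raw.strip("'\""))
    match = PREFIX_RE.search(text)
    return (match.group(1) if match else None), consts


def audit_wp_config(text):
    """Apply the article's checks; an empty list means every setting is as recommended."""
    prefix, consts = parse_wp_config(text)
    findings = []
    if prefix in (None, "wp_"):
        findings.append("table prefix is the default wp_")
    if consts.get("WP_AUTO_UPDATE_CORE") not in (True, "minor"):
        findings.append("WP_AUTO_UPDATE_CORE is neither true nor 'minor'")
    # WordPress treats an undefined WP_DEBUG as false and an undefined WP_DEBUG_DISPLAY as true
    if consts.get("WP_DEBUG", False) is not False:
        findings.append("WP_DEBUG is enabled on a live site")
    if consts.get("WP_DEBUG_DISPLAY", True) is not False:
        findings.append("WP_DEBUG_DISPLAY is not set to false")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_WP_CONFIG), ("hardened", HARDENED_WP_CONFIG)):
        print(label, audit_wp_config(cfg) or ["no findings"])
```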
