WordPress is the most commonly used content management system for creating websites. What started as a content management system for blogs has become the standard for websites of all kinds in recent years. Almost any type of website can be built with WordPress, not just blogs, and a large number of online shops now run on top of it as well.
WordPress security: Setting up a WordPress site is very easy for non-technical users. Protecting that site against cyber attacks, however, is a challenge that is often underestimated. There are countless plugins and configurations that help make a WordPress website more secure. I will now show which ones I would use to protect my own site. It should be noted, however, that there is no single right way: similar protection can also be achieved with other combinations of plugins. As a disclaimer, I have no cooperation with any plugin vendor. Everything I say in this video is my own opinion.
- Hide login URL and rename admin: The default login URL is websitename/wp-admin. This should definitely be changed, since every attacker knows this URL and can therefore start attacks on the backend login right away. For this I use the plugin WPS Hide Login. After installation, go to Settings, then General, and enter the new admin URL. In my case I chose “adminlogin”. This means the admin area can no longer be reached via “/wp-admin”, but only via “/adminlogin”. When choosing the URL you should be a little more creative than I was. This ensures that an attacker cannot easily find the site login. Just as important, none of the usernames should be easy to guess. So no user may be named “admin” or have a name that an attacker could easily guess. For example, every day I see attackers on my website trying to log in with the username “admin”. This user does not exist, so the attackers’ IPs are blocked directly.
- Two-factor authentication: 2-factor authentication is a must for every WordPress site. How does it work? In addition to the username and password, you have to enter an additional code when logging in, and a new code is generated each time. I use the Two Factor Authentication plugin for this purpose. To set it up, install the Microsoft Authenticator app on your smartphone; the app is available for both iPhone and Android devices. In the app you create a new account and scan the QR code that the plugin displays on its settings page. The second factor is now synchronized and can be used. What is still missing is that each user must activate the use of 2FA themselves. To do this, the user logs into the site as usual, clicks on “Two Factor Auth” in the admin menu on the left, and sets 2FA to “enabled”. After this step, it has become much more difficult to hijack your website admin account.
- Automatic security updates: The first thing to do is enable automatic WordPress security updates. To do this, go to Dashboard, then Updates. Here you can activate the corresponding updates. Next, I recommend setting all installed plugins to automatic updates. As a result, you no longer have to worry about installing updates yourself and you always have the latest version of each plugin.
- Web application firewall: Setting up a web application firewall can protect the website against a range of attack techniques. The firewall blocks a request if it looks anomalous. This happens, for example, when someone tries out different usernames that don’t even exist. For this I use the plugin “All In One WP Security & Firewall”. This plugin offers a whole range of security functions that can be activated. I will now show which settings I would recommend for the firewall. In the Basic Firewall Rules section I use exactly the settings shown in the graphic. For Additional Firewall Rules I activated all options.
- Brute force blocking: Brute force is nothing more than an attacker testing all possible combinations of usernames or passwords. I also use the “All In One WP Security & Firewall” plugin for this. If you go to the Brute Force settings and then to “Login Captcha”, you can activate a captcha for the login. The advantage is that a large number of automated attacks on the login can no longer be carried out. I show the option I chose in the screenshot. In the Brute Force settings under “Honeypot” you should also activate the option.
- Login lockdown: This means that only a certain number of failed login attempts are allowed before you are locked out. The “All In One WP Security & Firewall” plugin helps me again here. In the plugin settings under “User Login” you will find the tab “Login Lockdown”. Here I recommend the configuration shown in the picture.
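To make the hidden-login-URL, brute-force and login-lockdown rules above concrete, here is an added example (my own code, not from any of the plugins mentioned) that applies the same logic to web-server access log lines: it locks an IP after a number of failed logins inside a sliding time window and separately reports IPs still probing the default /wp-admin and /wp-login.php paths. It assumes the login URL was renamed to /adminlogin as in the article, that the old paths now answer 404, and that a failed login POST re-renders the form with 200 while a successful one redirects with 302; the log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed sample lines in Apache "combined" format, not real traffic. Assumption: login
# URL renamed to /adminlogin, old paths answer 404, failed POST -> 200, successful POST -> 302.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2024:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 404 210 "-" "python-requests/2.31"
198.51.100.7 - - [10/Mar/2024:08:01:00 +0000] "POST /adminlogin HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2024:08:01:20 +0000] "POST /adminlogin HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2024:08:02:00 +0000] "POST /adminlogin HTTP/1.1" 200 3421 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:08:02:01 +0000] "POST /adminlogin HTTP/1.1" 200 3421 "-" "python-requests/2.31"
192.0.2.44 - - [10/Mar/2024:08:02:02 +0000] "POST /adminlogin HTTP/1.1" 200 3421 "-" "python-requests/2.31"
198.51.100.23 - - [10/Mar/2024:08:10:00 +0000] "POST /adminlogin HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:08:20:00 +0000] "POST /adminlogin HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2024:08:30:00 +0000] "POST /adminlogin HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
DEFAULT_PATHS = ("/wp-login.php", "/wp-admin")  # the URLs hidden by the plugin


def parse_line(line):
    """Return (ip, timestamp, method, path without query string, status) or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def analyse(log_text, login_path="/adminlogin", max_failures=3, window=timedelta(minutes=5)):
    """Lock an IP after max_failures failed logins within a sliding window; report probers."""
    failures, locked, probing = defaultdict(deque), set(), set()
    for ip, ts, method, path, status in filter(None, map(parse_line, log_text.splitlines())):
        if path.startswith(DEFAULT_PATHS):
            probing.add(ip)            # nobody legitimate uses the old URLs any more
        elif path == login_path and method == "POST":
            q = failures[ip]           # timestamps of this IP's recent failed logins
            if status == 302:
                q.clear()              # a successful login resets the counter
            elif status == 200:
                q.append(ts)
                while q and ts - q[0] > window:
                    q.popleft()        # forget failures that fell out of the window
                if len(q) >= max_failures:
                    locked.add(ip)
    return locked, probing
```

With the sample data, 192.0.2.44 is locked after three failures in two seconds, while 198.51.100.23 is not, because its three failures are spread over twenty minutes and never fall inside one five-minute window.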
- Bonus Tip: Backups: You should always create regular backups. I know it’s tedious, but creating backups of the WordPress site can be automated. For this I use the plugin “Duplicator Pro”. In the Pro version I have the option to set a schedule for when backups should be created, for example every other day. I can then automatically store these backups in a cloud service such as Google Drive or Dropbox and thus always have a complete copy of my WordPress site. If the site stops working for any reason, I can restore the entire site one-to-one, with all data and all plugins, from one of the backups.