Make WordPress secure
One of the most widely used content management systems, or CMS for short, is WordPress. That also makes it interesting for attackers (hackers): if a vulnerability is found in a particular WordPress version, millions of websites are affected at once. Scripts (malicious code) that exploit exactly that vulnerability are written within a very short time; they scan the Internet for exactly those WordPress versions and infect or hijack them. Once an attacker has taken control, manipulating data is easy for him.
You need to understand why it is extremely important to think about the security of your website. At the agency, we see attempted attacks every day, some of them skilled, others amateurish. It is shocking how often someone tries to take over a website. Can you imagine what such a person could do once inside? Apart from the damage to your reputation, there is also a risk of considerable financial damage from claims for damages and formal legal warnings.
In this article, I will show you how you can use simple means to protect your website from attackers and avoid infection due to malware. With a few tricks and tweaks, it’s not hard to make your WordPress site(s) more secure.
Attackers try to take control of your website for a variety of reasons. I would like to mention the most important ones here:
Sending spam emails
After the attacker gains control, they can send spam mail on your behalf, often the well-known pharmacy advertisements. As the site operator, you usually only notice when it is already too late and the web host has blocked the entire domain because of spam abuse.
Spreading malware
Do not let your website become a malware distribution point. Here, the attacker places executable malicious code as a script within your website. When a visitor opens your website, the malicious code is delivered to the visitor's PC through the web browser.
Use of phishing sites
Here, the attacker creates static HTML pages on your domain and advertises them via spam emails. These pages are often exact copies of bank, Amazon or eBay login pages. They impersonate the real site convincingly and exist solely to harvest bank details, login credentials, addresses and telephone numbers.
The standard security settings of WordPress are in many cases absolutely insufficient and full of holes like Swiss cheese. I have shown above why it is worth investing some time in improving the security of the WordPress installation. To avoid unauthorized access, consider the following tips:
Username and password
Be careful with your username. WordPress used to create the default username admin, so you should not name your account admin, administrator or user. And now for the password. Hardly anything is more important than choosing a secure password. Here is a little trick: just think of an easy-to-remember sentence. For example, it could be:
My car is a Golf and I live in 49809 Lingen
Now take the first letter of each word, replace "and" with & and keep the zip code as it is. In this case: MAieG&ili49809L (the letters come from the German original of this sentence, Mein Auto ist ein Golf und ich lebe in 49809 Lingen, of which the sentence above is a translation). If you end the password with a special character such as $, you are on the safe side.
MA ie G & ili 4 9 8 0 9 L$
Once you have typed the new password a few times, the typing pattern sticks in your memory and you have a 16-character password. Try it out.
Keeping the software up to date
The easiest and also the most important way to close security holes is to update the WordPress system, the plugins and the themes in use regularly. WordPress updates itself. Unfortunately, the plugins and themes do not. They should always be updated manually whenever the plugin or theme developer provides an update.
In order to block the back door for possible attackers, it is important to keep the entire WordPress installation up to date.
An attacker will always try to gain access to the administrator area. By default, the admin area of a WordPress installation is located in the wp-admin subdirectory, and this is exactly where the majority of attackers start.
Change login link
Usually you log in via the address http://www.ihre-domain.de/wp-login.php. We change this link so that it reads, for example, http://www.ihre-domain.de/kaukasus83.php.
Opening hours of the admin panel
Next, we only allow access to the admin panel at certain times. It makes sense to generally block access to the admin panel from 7pm to 8am if you don’t need to work on the site during that time.
Access only from Germany
Suggestion: If you only work on your website from Germany, you can also block the admin area for all other countries. To do this, we exclude entire countries such as China, Ukraine, Peru, etc. by IP range. This is advantageous because a large number of attacks are carried out from abroad.
Obfuscate version number
As I mentioned at the beginning, vulnerabilities are found and scanned for based on the version number. The version number is usually of no interest to site visitors, so we remove it from the <head> section of the HTML source.
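As an added example (not code from the article or from the agency it describes), the version removal, the opening hours and the IP-range restriction can be implemented together in a small must-use plugin. The hours, the IP ranges, the file name and the wpsec_ names are assumptions; the article does not say which mechanism the agency uses, and the IP check is written as an allowlist of the ranges you work from, which is the stricter form of the country-blocking idea above.

```php
<?php
// Added example (not the article's or the agency's code): a must-use plugin,
// e.g. wp-content/mu-plugins/wpsec-admin.php, applying three of the measures
// above. Hours, IP ranges and the wpsec_* names are assumed placeholders.

// Remove the WordPress version from the generator tag in <head> and in feeds,
// so scanners cannot read it straight from the HTML source.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// Placeholder policy (assumed values; adapt to your working hours and network).
const WPSEC_OPEN_FROM_HOUR = 8;   // admin area reachable from 08:00 ...
const WPSEC_OPEN_TO_HOUR   = 19;  // ... until 19:00, in the site's timezone
const WPSEC_ALLOWED_RANGES = array( '203.0.113.0/24', '198.51.100.7/32' );

// True if an IPv4 address lies inside a CIDR range such as 203.0.113.0/24;
// non-IPv4 or malformed input counts as "not allowed".
function wpsec_ip_in_range( $ip, $cidr ) {
    list( $net, $bits ) = array_pad( explode( '/', $cidr, 2 ), 2, 32 );
    $ip_l  = ip2long( $ip );
    $net_l = ip2long( $net );
    if ( false === $ip_l || false === $net_l ) { return false; }
    $mask = -1 << ( 32 - (int) $bits );
    return ( $ip_l & $mask ) === ( $net_l & $mask );
}

// Deny the request unless it comes from an allowed range during opening hours.
function wpsec_check_admin_access() {
    // REMOTE_ADDR is the TCP peer; behind a reverse proxy or CDN it is the
    // proxy's address, so fix the proxy's real-IP handling before relying on it.
    $ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    $ip_ok = false;
    foreach ( WPSEC_ALLOWED_RANGES as $range ) {
        $ip_ok = $ip_ok || wpsec_ip_in_range( $ip, $range );
    }
    $hour    = (int) current_time( 'G' ); // hour 0-23 in the site's timezone
    $time_ok = ( $hour >= WPSEC_OPEN_FROM_HOUR && $hour < WPSEC_OPEN_TO_HOUR );
    if ( ! $ip_ok || ! $time_ok ) {
        error_log( "wpsec: admin access denied for {$ip} at hour {$hour}" );
        wp_die( 'The admin area is not available right now.', '', array( 'response' => 403 ) );
    }
}

// Check the login page and admin pages; skip admin-ajax so front-end features
// that rely on it keep working for ordinary visitors.
add_action( 'login_init', 'wpsec_check_admin_access' );
add_action( 'admin_init', function () { if ( ! wp_doing_ajax() ) { wpsec_check_admin_access(); } } );
```

Test the file from an allowed address during the allowed hours first, because a mistake in the ranges locks you out of the dashboard as well and then has to be undone via FTP.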
Attackers very often infect not only the program code in the files but also the database of your WordPress installation. Cleaning it up after an infection is very tedious and time-consuming. Therefore, create regular backups of your database. That way you can quickly restore your database, albeit with slightly older content, and then close the vulnerability.
To make it more difficult for hackers to do their job, there are a few things you can take into account when installing WordPress. During the installation routine you will be asked for the database prefix for the database tables. By default, WordPress uses wp_ as the database prefix. Change the default wp_ prefix to a different prefix. The WordPress database should also be protected with a password of at least 12 characters. I have already described above how to create a secure password.
To make WordPress more secure, there are a number of free plugins. I would like to briefly introduce some of them to you here. But be careful – to keep the attack surface as small as possible, only install the plugins that you really need.
Since WordPress allows a large number of login attempts by default, we limit them with the free plugin Limit Login Attempts.
iThemes Security, known to many as Better WP Security, is a powerful security tool in German. Over 700,000 active installations and more than 3200 5-star reviews (average 4.7) speak for themselves.
A very popular plugin is Wordfence Security. This plugin is available in a free and a paid premium version. This plugin is quite extensive, but also limited in its free version.
BulletProof Security takes a similar approach to iThemes Security. This plugin is easy to set up; all important settings are done with just a few clicks. You can also see the security status at a glance in an overview: what is not yet secure is shown in red, what still needs fine-tuning in yellow and what is done in green. So it is very easy and quick to set up.
Further steps would be to secure the .htaccess file or, for the really tough cases, to temporarily rename the wp-login.php file in the main directory on the server to something like wp-login-h%)rt59g.ius§/adh.php. However, this requires in-depth knowledge and FTP access. Then give the files .htaccess and wp-config.php the permission 444. This means both files are write-protected and cannot simply be overwritten. Keep in mind that a process running as the file's owner (usually the web server user on shared hosting) can change the permission back, so this mainly stops accidental overwrites and simple scripts rather than a determined attacker.
Something can always go wrong, and it does not have to be a malicious attack. Despite all security measures, you should always be prepared for the worst case. Regular backups protect your data, and creating a backup is very little effort compared to the time it would take to rebuild your website. By default, WordPress offers a basic export function for this under the menu item >>Tools >>Export; there you can choose whether to back up all or only specific content of your WordPress site. Note that this exports posts, pages and similar content as an XML file; it does not include uploaded files, themes, plugins or the rest of the database.
In addition, it is advisable to back up the files on the web server regularly via FTP. This turns out to be relatively simple. Automatic backups should run at night so that they do not slow down the website for visitors.
If you take the measures listed above into account, you have now reached a fairly high security threshold. A penetration into the WordPress website cannot be completely ruled out, but only real experts and specialists will be able to do so. When in doubt, just hire an expert to do the analysis if you’re not sure if your site has been hacked.
Security on the local PC must also be taken into account. Keep your operating system and software up to date and apply important security updates promptly. Up-to-date antivirus software should also be installed. All the WordPress security in the world is of no use if the FTP password is stolen from your home PC by a Trojan.