Estimates put the number of websites hacked every day at over 120,000. A securely configured WordPress website is the foundation for making sure that a compromise, with all of its consequences, does not happen in the first place. In this article we list the typical security measures you should consider for your web project.
Security basics to protect against hacking
A typical website can hardly withstand a targeted attack by a determined, well-resourced attacker; sooner or later it would be cracked. The good news: small and medium-sized business websites are rarely the main target of such attacks. Far more often, company sites are hit by automated, opportunistic scans and exploit attempts that sweep the whole internet. The weaker a site's security posture, the more likely these automated attacks are to succeed.
The following six measures give your website a solid baseline of protection against hacking. At the same time, they reduce the risk that your site breaks or is compromised later on through dubious extensions and the like.
Secure hosting
Your hosting provider can already do a great deal to protect your website from attacks. This includes protection against DDoS attacks, hardware firewalls and an up-to-date, patched server operating system.
Good hosting providers communicate their security measures openly; our customers, for example, always know exactly which measures we use to secure their projects.
Secure login credentials
"Username: admin" and "Password: 12345678" are by far the most insecure credentials a WordPress site can have; they are the first combinations every automated brute-force tool tries. A strong, unique password and a non-default username for the admin account already go a long way towards protecting a website from automated brute-force attacks.
Additional security measures:
- Two-factor authentication (2FA), at the very least for administrator accounts
- Limit failed login attempts (via a plugin or security tool)
- Move the login page away from the well-known /wp-login.php and /wp-admin paths; this reduces automated noise but is no substitute for strong credentials
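How the second bullet can be implemented without a third-party plugin, as an added example that is not part of the original article: a must-use plugin (dropped into wp-content/mu-plugins/) that counts failed logins per client IP in a WordPress transient and rejects further authentication attempts once a threshold is reached. The threshold (5 attempts), the lockout window (15 minutes) and the `lal_` prefix are assumptions chosen for this example; the hooks, `get_transient`/`set_transient` and `WP_Error` are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (example)
 * Description: Locks out a client IP after repeated failed logins.
 *              Place in wp-content/mu-plugins/ to have it loaded automatically.
 */

// Assumed policy for this example: 5 failed attempts lock the IP for 15 minutes.
define('LAL_MAX_ATTEMPTS', 5);
define('LAL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS);

/**
 * Client address used as the lockout key. Only REMOTE_ADDR is trusted:
 * X-Forwarded-For is attacker-controlled unless your reverse proxy or CDN
 * overwrites it, in which case read the header your proxy guarantees instead.
 */
function lal_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function lal_transient_key(string $ip): string {
    // Transient names must stay under 172 characters; hashing keeps IPv6 safe.
    return 'lal_failed_' . md5($ip);
}

function lal_failed_attempts(string $ip): int {
    return (int) get_transient(lal_transient_key($ip));
}

// Count every failed login. WordPress fires this hook for wrong passwords
// and for the lockout error below, so attempts during a lockout extend it.
add_action('wp_login_failed', function ($username) {
    $ip = lal_client_ip();
    set_transient(lal_transient_key($ip), lal_failed_attempts($ip) + 1, LAL_LOCKOUT_SECONDS);
});

// A successful login clears the counter for that client.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(lal_transient_key(lal_client_ip()));
}, 10, 2);

// Refuse authentication while locked out, even if the password is right.
// Priority 30 runs after WordPress's own username/password checks (priority 20).
add_filter('authenticate', function ($user, $username, $password) {
    if (lal_failed_attempts(lal_client_ip()) >= LAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed login attempts. Try again in %d minutes.',
                    LAL_LOCKOUT_SECONDS / MINUTE_IN_SECONDS)
        );
    }
    return $user;
}, 30, 3);
```

Because the check sits in the `authenticate` filter, it also covers XML-RPC logins, which brute-force tools often prefer to the login form. Keying the lockout on the IP alone has a known weakness: behind a CDN or shared office NAT, one attacker can lock out everyone sharing that address, so production tools usually combine an IP counter with a per-username counter.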
Run security updates
Since WordPress 3.7, minor core releases (security and maintenance updates) are installed automatically unless this has been switched off deliberately; since 5.6 the dashboard also lets you opt in to automatic major releases.
Since WordPress 5.5 (2020), automatic updates can also be enabled individually for plugins and themes from the dashboard.
The big advantage of automatic updates: security fixes are applied as soon as they are released. Core, plugins and themes stay current, leaving attackers less room to exploit known vulnerabilities and plant backdoors.
Caution: for shops or sites with high customer traffic, an automatic update that breaks something can have serious consequences. In these cases, WordPress hosting with a staging environment and professional WordPress maintenance is the more sensible way to keep all WordPress instances up to date: updates are tested on staging first and then rolled out to production, avoiding expensive downtime.
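The policy described in the last two paragraphs, as an added example (not from the original article): a must-use plugin that keeps security releases automatic while holding back anything that could take a live shop down. It uses the core filters `allow_minor_auto_core_updates`, `allow_major_auto_core_updates`, `auto_update_plugin` and `auto_update_theme`; the plugin slugs in the allow list and the `aup_` prefix are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Auto-Update Policy (example)
 * Description: Security releases install unattended; anything that can
 *              break a live shop waits for a staging test.
 *              Place in wp-content/mu-plugins/.
 */

// Weak setting, shown for contrast. In wp-config.php,
//     define('AUTOMATIC_UPDATER_DISABLED', true);
// turns off every background update, security releases included.
// The sensible baseline there is
//     define('WP_AUTO_UPDATE_CORE', 'minor');
// which matches what the filters below enforce for core.

// Core: take minor (security/maintenance) releases automatically,
// never jump major versions without testing on staging first.
add_filter('allow_minor_auto_core_updates', '__return_true');
add_filter('allow_major_auto_core_updates', '__return_false');

/**
 * Plugins that may update on their own. Low-risk plugins belong here;
 * payment, checkout and shop plugins do not. Slugs are example assumptions.
 */
function aup_auto_update_plugin_slugs(): array {
    return ['akismet', 'wordpress-seo'];
}

add_filter('auto_update_plugin', function ($update, $item) {
    if (isset($item->slug) && in_array($item->slug, aup_auto_update_plugin_slugs(), true)) {
        return true;
    }
    // Otherwise leave the decision to the per-plugin switch in the admin UI.
    return $update;
}, 10, 2);

// Themes: never auto-update the active theme or its parent. A changed
// template on a busy shop is exactly the downtime the caution above warns about.
add_filter('auto_update_theme', function ($update, $item) {
    $live = [get_stylesheet(), get_template()];
    if (isset($item->theme) && in_array($item->theme, $live, true)) {
        return false;
    }
    return $update;
}, 10, 2);
```

Returning `$update` unchanged in the fallback branches matters: it preserves whatever an administrator toggled in Plugins or Appearance, so the file only overrides the cases where policy should win over the UI.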
Permissions and role management
Every account with backend access is a potential entry point: a weak or phished password, a stale account or an over-privileged role can each be used to compromise the site. The more users have backend access, the more likely it is that one of these gaps opens up.
Therefore, for a secure WordPress website (and any other CMS):
- As few users with backend access as possible
- Graduated permissions: give editors and authors the role that matches their job, and reserve the administrator role for the few people who actually need it
- Require secure password management (strong, unique passwords, ideally with a password manager) from all users
- Review accounts and their permissions regularly, and revoke access promptly for members who have left or employees whose contracts have ended
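The three list points in working form, as an added example that is not part of the original article: a least-privilege role for external writers, an audit of who actually holds administrative capabilities, and an offboarding routine that ends sessions and reassigns content before deleting the account. The role name, its capability set and the `rh_` prefix are example choices; `add_role`, `user_can`, `WP_Session_Tokens` and `wp_delete_user` are WordPress core APIs, and the optional WP-CLI commands assume WP-CLI is installed.

```php
<?php
/**
 * Plugin Name: Role Hygiene (example)
 * Description: Least-privilege role for external editors, an audit of
 *              administrative capabilities, and clean offboarding.
 *              Place in wp-content/mu-plugins/.
 */

// 1. Restricted role for agency or freelance writers. Unlike the built-in
//    "editor", it cannot touch other people's posts, pages or comments.
//    The capability set is an example choice, not from the article.
add_action('init', function () {
    if (get_role('content_contributor') === null) {
        add_role('content_contributor', 'Content Contributor', [
            'read'                 => true,
            'edit_posts'           => true,
            'edit_published_posts' => true,
            'publish_posts'        => true,
            'delete_posts'         => true,
            'upload_files'         => true,
        ]);
    }
});

// 2. Audit: every account holding a capability that amounts to full control.
//    Checking capabilities rather than role names also catches custom roles
//    that some plugin quietly granted 'manage_options'.
function rh_privileged_accounts(): array {
    $critical = ['manage_options', 'install_plugins', 'edit_users', 'edit_files'];
    $result   = [];
    foreach (get_users() as $user) {
        $held = array_values(array_filter($critical, fn ($cap) => user_can($user, $cap)));
        if ($held !== []) {
            $result[] = [
                'login' => $user->user_login,
                'roles' => implode(',', $user->roles),
                'caps'  => implode(',', $held),
            ];
        }
    }
    return $result;
}

// 3. Offboarding: end active sessions, hand the person's content to a
//    remaining colleague, then remove the account.
function rh_offboard_user(string $login, string $reassign_to): bool {
    $leaver = get_user_by('login', $login);
    $heir   = get_user_by('login', $reassign_to);
    if (!$leaver || !$heir || $leaver->ID === $heir->ID) {
        return false;
    }
    WP_Session_Tokens::get_instance($leaver->ID)->destroy_all();
    require_once ABSPATH . 'wp-admin/includes/user.php';   // defines wp_delete_user()
    return wp_delete_user($leaver->ID, $heir->ID);
}

// Optional WP-CLI front ends: `wp role-audit` and `wp offboard <login> <reassign-to>`.
if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::add_command('role-audit', function () {
        WP_CLI\Utils\format_items('table', rh_privileged_accounts(), ['login', 'roles', 'caps']);
    });
    WP_CLI::add_command('offboard', function ($args) {
        if (count($args) !== 2) {
            WP_CLI::error('Usage: wp offboard <login> <reassign-to>');
        }
        [$login, $reassign_to] = $args;
        rh_offboard_user($login, $reassign_to)
            ? WP_CLI::success("Removed $login; content reassigned to $reassign_to.")
            : WP_CLI::error("Could not offboard $login.");
    });
}
```

Destroying the session tokens before deletion is the step most often forgotten: a logged-in browser keeps working until its cookie expires, so a leaver whose account is merely deleted later still has a live admin session in the meantime.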
Plugins and themes
Before installing a new plugin, a quick check in the WordPress plugin repository shows when the extension was last updated, how many active installations it has and whether it has been tested with the current WordPress version.
The same applies to themes: are they up to date, compatible with the latest WordPress version and well rated?
Paid plugins and themes have to meet quality criteria if they are listed on the established marketplaces. Be careful with niche products whose developers cannot give a comprehensible account of their security practices and code quality. Better still: only use plugins and themes from reliable sources.
Backups
Backups should go without saying, but they are not always in place. Current backups ensure that, if the worst comes to the worst, your website can be restored to the state it was in before a breach occurred. Keep several generations: a backup taken after a compromise may already contain the attacker's backdoor.
Basic rules for secure websites
Every CMS is only as secure as its users. Strong passwords, regular updates and strict access control for the backend should be standard practice in website maintenance.
Running a PHP version that no longer receives security fixes, or serving a website without HTTPS (TLS encryption), is out of date and an entirely avoidable security gap.
We keep an eye on these basic conditions for our customers and point out potential security gaps in good time.