WordPress is very popular and is now used by 23.3% of the top 10 million websites (January 2015). But this also has negative consequences: hackers like to check popular CMS for security gaps, which are then exploited. Even sites with a small number of users can be affected because the attackers are usually only interested in using your server to send spam e-mails. You can effectively increase your WordPress security with a few relatively simple steps:
Basically, regular updates of WordPress, installed plugins and themes are an absolute must for your WordPress security. This also applies to plugins or themes that are currently inactive. So don’t ignore update requests, install updates as soon as they are available and avoid WordPress security vulnerabilities.
The passwords for your site should not be chosen too simply. You can increase your WordPress security by actively protecting yourself against so-called “dictionary attacks” and avoiding existing words in all languages when choosing your passwords. Instead, use a combination of numbers, letters, and special characters. There are various tricks on how to create a secure password that you can also easily remember. A popular and safe variant is the sentence method: You take a catchy sentence, for example a proverb like “Luck in the game, bad luck in love!” You take every first letter of the sentence and the special characters, which results in “GiS,PidL!” Then replace individual letters with numbers that look similar, for example o with 0 or i with 1. In this case it would be “G1S,P1dL!” You can also replace an S with the special character $. The result “G1$,P1dL!” is easy to remember via the derivation, but difficult to crack. You can also use the title of your favorite song or film, add your house number or the cross sum of all the letters in the sentence. There are no limits to your imagination when it comes to increasing your WordPress security. Also, you should never use the same password for different sites.
When programming your WordPress site, make sure that you comply with the specifications of the WordPress Codex. In particular, you should follow the security policy to increase your WordPress security. With third-party plugins, you can hardly control this point. Therefore, when choosing your plugins, pay attention to user comments and ratings and only use plugins that are updated regularly so as not to jeopardize your WordPress security.
Another trick to increase your WordPress security is to hide the login page. If you rename “wp-login.php”, you can prevent automated attacks on this file and thus access to the content of your WordPress site. If your site is maintained by several authors, this must be clearly communicated, otherwise it can lead to confusion.
You can already do something for your WordPress security during the installation. When customizing the configuration file (wp-config.php), you need to generate several security keys on the dedicated website. You can either use a generator or enter the key yourself. If you create the keys yourself, you should use combinations of letters, special characters and numbers that are as long as possible.
Next, change the prefix for the database tables. By default, these are named “wp_”. Individualize the designation, for example rename it to “projectname_” after your project. This makes it more difficult for attackers to track down your applications and increases WordPress security.
Changing the username for your admin account has a similar effect on your WordPress security. Avoid designations such as admin, demo, test, wordpress or webmaster. There are attacks that specialize in trying these usernames in combination with different passwords to gain access to your WordPress site.
If you write or blog a lot on the go, you should set up an author account with limited access rights so as not to jeopardize your WordPress security on the go. Mobile logins are even more vulnerable to attacks and should this account be hacked, it cannot do as much damage as with admin access.
One way to make it harder for automated attacks that try different username and password combinations and thus increase your WordPress security is to install a plugin that limits the number of invalid login attempts. If several invalid login attempts are registered from an IP address, this plugin blocks the address for a certain period of time.
There are other security plugins in the WordPress repository, but not all of them are useful for improving your WordPress security. Some also have a negative effect on the performance of your website. This also applies in general if the number of plugins is too high. The more plugins you have installed, the higher the probability of a WordPress security breach, for example due to a poorly maintained plugin that is not updated regularly. So choose your plugins wisely! To ensure your WordPress security, your plugins should come from the WordPress repository. Avoid third-party extensions that are not listed there.
Regular backups of your WordPress site are generally recommended. This not only gives you security when you have made changes to your site, but also reduces the damage should your WordPress site be hacked. For your WordPress security, you should create several backups on different days, because hacked WordPress sites are not always recognized immediately. As a result, the latest backups may already contain hacked pages.