WordPress – for sure!

WordPress is still gaining popularity as a content management system in the global market. According to W3Techs, in March 2021 over 40 percent of all websites were run on WordPress. If websites without a CMS are excluded, the market share is as high as 64 percent. However, this popularity also has a downside. In this article I will explain how you can declare war on attackers and protect your WordPress.

The more widely an application is used, the more attractive it becomes for attackers and hackers. Most attempted attacks are automated and not aimed at specific sites. Therefore, security is relevant for every website, even if at first you might think: “Who would want to hack my little site?”

  1. Keep everything up to date
    1. Avoid an update crash
  2. Plugins and themes – less is more
  3. How do I make WordPress generally secure?
    1. Use HTTPS
    2. User name
    3. Password
    4. Log in
    5. Increase security with configuration constants
    6. Block xmlrpc.php
    7. Advanced protection of files and directories
  4. Conclusion

Keep everything up to date

The most important thing is to always keep the system and all its components up to date. Fortunately, WordPress makes this quite easy with its convenient update mechanism. In this way, security gaps are closed permanently.

The core, i.e. WordPress itself, is updated automatically within a major version, unless the user has deactivated this. This means that at least the WordPress core is always up to date. Since WordPress 5.5 there are also auto-updates for plugins and themes. A detailed post on this topic, in which I go into more detail, can be found here.

With an increasing number of installed plugins, the risk of errors after an update also increases. In my experience, updates go through 99 percent error-free; nevertheless, in individual cases it can happen that two plugins no longer “get along” or the theme causes problems. Auto-updates are a nice feature, but for this reason they should be used with caution.

For large, very complex or essential plugins it is worth doing the updates manually and creating a backup before each update. If the worst comes to the worst, the previous state can be restored. There are also plugin solutions for this. However, these can become a problem in an emergency, for example because the backup can no longer be imported without logging into the backend. Backups should therefore always be stored outside of WordPress. Then the application can be restored even if backend access is no longer possible. And backups should always be tested (at least after they are created for the first time), because nothing is more annoying than a backup that exists but does not work.
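A pre-update backup of the kind described above, stored outside the web root and checked for readability straight away, as an added example in POSIX shell (this is not Mittwald's or WordPress's own tooling). It assumes the stock wp-config.php layout with single-quoted values such as define( 'DB_NAME', '...' ), and that mysqldump is available for the database part; the function and variable names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the article: back up a WordPress installation
# to a directory outside the web root before an update, and verify that the
# archive can be read back. Assumes the stock wp-config.php layout
# (define( 'DB_NAME', '...' ); with single quotes).

# wp_config_value FILE KEY: print the single-quoted string value of
# define('KEY', '...') from wp-config.php (first match only).
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" "$1" | head -n 1
}

# backup_wp_files ROOT DEST: archive the whole tree as
# DEST/wp-files-<stamp>.tar.gz, list the archive to make sure it is
# readable, and print the archive path.
backup_wp_files() {
    root=$1 dest=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$dest/wp-files-$stamp.tar.gz"
    mkdir -p "$dest"
    # -C so the archive holds paths relative to the parent of ROOT.
    tar -czf "$archive" -C "$(dirname "$root")" "$(basename "$root")" || return 1
    # A backup that cannot be read is no backup: fail if listing fails.
    tar -tzf "$archive" > /dev/null || return 1
    printf '%s\n' "$archive"
}

# backup_wp_db ROOT DEST: dump the database named in wp-config.php to
# DEST/wp-db-<stamp>.sql.gz. Needs a running MySQL server, so the self-test
# below exercises only the two functions above. Assumes DB_HOST holds a
# host name without a port suffix.
backup_wp_db() {
    root=$1 dest=$2
    cfg="$root/wp-config.php"
    db=$(wp_config_value "$cfg" DB_NAME)
    user=$(wp_config_value "$cfg" DB_USER)
    pass=$(wp_config_value "$cfg" DB_PASSWORD)
    host=$(wp_config_value "$cfg" DB_HOST)
    mkdir -p "$dest"
    # MYSQL_PWD keeps the password off the command line, where ps could show it.
    MYSQL_PWD=$pass mysqldump -h "$host" -u "$user" "$db" \
        | gzip > "$dest/wp-db-$(date +%Y%m%d-%H%M%S).sql.gz"
}

# Usage (paths are placeholders):
#   backup_wp_files /var/www/html /var/backups/wordpress
#   backup_wp_db    /var/www/html /var/backups/wordpress
```

The destination directory should be outside the document root so that a compromised or broken installation cannot reach or overwrite the archives, and a restore test (extract the archive somewhere and compare) should be done at least once after the first backup, as the article recommends.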

Avoid an update crash

A simple solution is the procedure described above: create a backup, update, and import the backup in the event of an error. But for a popular site with a lot of traffic or economic interest, even a downtime of a few minutes can cause a great deal of damage.

In such cases, updates should always be tested in a development environment first. Although this is a bit more work and not a 100% guarantee, it is the safest way if you don’t want any disruptions! You can either set up such a staging environment locally or use Mittwald’s Easy Staging.

Plugins and themes – less is more

The more plugins are used, the greater the risk of potential security vulnerabilities. In addition, any larger or badly programmed plugin works at the expense of performance – the sheer number of plugins is actually not that important. But there are many plugins that add not just a function, but a whole package. However, if only one of these features is required, the others naturally slow it down and offer an unnecessary risk of backdoors. Here it is worth looking for a slimmer plugin.

How do I make WordPress generally secure?

A timely and permanent update of WordPress, themes and plugins is certainly the most important factor. However, you should also implement the following points for a secure WordPress. Please note that this list is by no means complete and implementing these points does not guarantee 100% security, but it will bring you closer.

Use HTTPS

I always hope that this is now a matter of course, but unfortunately practice still shows the opposite. Every website should use HTTPS, i.e. the encrypted transmission protocol! You can find answers to the most frequently asked questions on this topic in our FAQ section. If your site has not yet switched to HTTPS, you can benefit from the simplified migration to HTTPS available since WordPress 5.7.

User name

You should avoid classic user names such as “admin” or “administrator”. Otherwise attackers already have 50 percent of the access data and only the password is missing. Ideally, use at least two users: one user with administrative rights, used exclusively for installations and updates, which should of course be given a very secure password, and a second user with the editor role who is solely responsible for creating and publishing the content.

Password

WordPress already generates a secure password for a new user. You should use this or a comparably strong password. Simple passwords like “qwer1234” can be guessed far too quickly and do not offer sufficient protection. A password should consist of at least 12 characters, with uppercase and lowercase letters as well as numbers and special characters. To be able to remember the password, it helps to form a sentence and use the first letter of each word together with at least one number and one special character, e.g. “I’ve loved WordPress since 2003 and host at Mittwald!” → “IlWP@2003uhbMw!”. Or you use a password manager, in which case the passwords can be as complex as you like.
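The password rules just listed, written out as a check in POSIX shell; this is an added example, not code from the article, and the function name is this example's own. It uses POSIX character classes rather than ranges like A-Z so the result does not depend on the locale's collation order.

```shell
#!/bin/sh
# Added example, not part of the article: check a password against the
# policy described above: at least 12 characters, plus at least one
# upper-case letter, one lower-case letter, one digit and one special
# (non-alphanumeric) character.

# password_meets_policy PASSWORD: return 0 if every rule holds; otherwise
# print the first rule that fails to stderr and return 1.
password_meets_policy() {
    pw=$1
    if [ "${#pw}" -lt 12 ]; then
        echo "too short: ${#pw} characters, need at least 12" >&2
        return 1
    fi
    # The case word is not glob-expanded, so characters like * or ? in the
    # password are safe here.
    case $pw in *[[:upper:]]*) ;; *) echo "no upper-case letter" >&2; return 1 ;; esac
    case $pw in *[[:lower:]]*) ;; *) echo "no lower-case letter" >&2; return 1 ;; esac
    case $pw in *[[:digit:]]*) ;; *) echo "no digit" >&2; return 1 ;; esac
    case $pw in *[![:alnum:]]*) ;; *) echo "no special character" >&2; return 1 ;; esac
    return 0
}

# Usage: password_meets_policy 'IlWP@2003uhbMw!' && echo ok
```

The article's sentence-based example passes all four rules, while “qwer1234” fails on length alone; a check like this belongs in a provisioning script or a password-policy plugin, not as a replacement for a password manager.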

Log in

By default you reach the WordPress backend via “/wp-admin” or “/wp-login.php”. Changing this path will prevent some automated attacks, but additional password protection for the admin directory is even better. More on this shortly in a detailed article on the subject of “securing your login”.

Increase security with configuration constants

The wp-config.php file not only contains the access data to your database. There are many global constants that you can define with one line of code:

define('CONSTANT_NAME', true);

Some of these are real security features. The most important are:

  • DISALLOW_FILE_EDIT: This turns off the editors for themes and plugins in the backend, which not only increases security but also clarity and protects users from themselves – code should not be edited directly on the productive site anyway.
  • FORCE_SSL_ADMIN: Even if you have already set up a redirect to HTTPS on your server, I would set FORCE_SSL_ADMIN to true. This ensures that the login never takes place over an unencrypted connection.
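A small POSIX shell helper that adds exactly these two constants to wp-config.php without duplicating them on a second run, as an added example (not Mittwald's or WordPress's own tooling). It assumes the stock file layout: the first line is `<?php` and the `require_once ABSPATH . 'wp-settings.php';` line comes later, so a define() inserted after line 1 takes effect; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the article: idempotently add the security
# constants from the list above to wp-config.php. Assumes the stock layout
# (first line "<?php", wp-settings.php required further down).

# Constants this helper manages; each is set to true.
WP_SECURITY_CONSTANTS="DISALLOW_FILE_EDIT FORCE_SSL_ADMIN"

# has_constant FILE NAME: succeed if FILE already defines NAME (any value).
has_constant() {
    grep -Eq "define\([[:space:]]*['\"]$2['\"]" "$1"
}

# count_constant FILE NAME: number of define() lines for NAME (0 if none).
count_constant() {
    grep -Ec "define\([[:space:]]*['\"]$2['\"]" "$1" || true
}

# add_constant FILE NAME VALUE: insert define('NAME', VALUE); directly after
# the opening <?php line unless NAME is already defined.
add_constant() {
    file=$1 name=$2 value=$3
    if has_constant "$file" "$name"; then
        return 0
    fi
    if [ "$(head -n 1 "$file")" != "<?php" ]; then
        echo "unexpected first line in $file, not touching it" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    awk -v line="define('$name', $value);" \
        'NR == 1 { print; print line; next } { print }' "$file" > "$tmp" \
        && mv "$tmp" "$file"
}

# harden_wp_config FILE: apply every managed constant with the value true.
harden_wp_config() {
    for name in $WP_SECURITY_CONSTANTS; do
        add_constant "$1" "$name" true || return 1
    done
}

# Usage (path is a placeholder): harden_wp_config /var/www/html/wp-config.php
```

Defining a constant twice makes PHP emit a warning, which is why the helper checks for an existing define() first; if a constant is already present with the value false, it is left alone so that a deliberate setting is not silently overridden.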

Block xmlrpc.php

The file xmlrpc.php is a WordPress interface for exchanging data with other sites. Experience has shown that it is used relatively rarely, but attackers like to use it. Especially since the introduction of the REST API, this interface is becoming less and less important. Therefore you should at least block access to this file via .htaccess.
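The .htaccess rule that does this, together with a POSIX shell helper that appends it once without disturbing the rules WordPress already writes, as an added example (not from the article, Mittwald or the WordPress project). It assumes Apache 2.4 syntax (`Require all denied`) and that the server's AllowOverride permits `<Files>` sections in .htaccess; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the article: deny all HTTP access to
# xmlrpc.php through .htaccess. Assumes Apache 2.4 ("Require all denied");
# on Apache 2.2 the equivalent would be "Order deny,allow" / "Deny from all".

# The section appended to .htaccess.
XMLRPC_BLOCK='<Files xmlrpc.php>
    Require all denied
</Files>'

# blocks_xmlrpc HTACCESS: succeed if the file already has a <Files> section
# for xmlrpc.php (quoted or unquoted file name).
blocks_xmlrpc() {
    [ -f "$1" ] && grep -Eq '^[[:space:]]*<Files[[:space:]]+"?xmlrpc\.php"?>' "$1"
}

# block_xmlrpc HTACCESS: append the section once; creates the file if it
# does not exist yet and leaves existing rules (e.g. the WordPress
# rewrite block) untouched.
block_xmlrpc() {
    htaccess=$1
    if blocks_xmlrpc "$htaccess"; then
        return 0
    fi
    {
        # Blank line as a separator only if the file already has content.
        [ -s "$htaccess" ] && printf '\n'
        printf '%s\n' '# Deny all requests to the XML-RPC interface' "$XMLRPC_BLOCK"
    } >> "$htaccess"
}

# Usage (path is a placeholder): block_xmlrpc /var/www/html/.htaccess
```

After deploying the rule, a request to /xmlrpc.php should return 403; check that the site still renders and, if the Jetpack plugin or a mobile app that relies on XML-RPC is in use, expect them to stop working, which is the trade-off the article describes.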

Advanced protection of files and directories

Many other access rules that can increase security can also be given to the web server via the .htaccess file already mentioned. Torsten Landsiedel presented and explained some snippets in his article “More security for WordPress via htaccess”. The post is a bit old, but still relevant. As Torsten says: “You should only use code snippets if you fully understand them”. An error in the .htaccess file can make your site inaccessible, or access at a certain point may no longer work as expected. Therefore, this tip is more for professionals.

Most attacks to date have exploited vulnerabilities at the directory level, for example by changing the contents of index.php or another file. So you go one step further if you revoke write permissions for files and directories: even in the event of a security gap, the files cannot then be manipulated. However, care must be taken that you can still upload image files and that caching directories remain usable. And with an unfavorable configuration, updates can no longer be carried out, which should definitely be avoided. So this is also a pro tip.
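One way to apply and undo this read-only setup from POSIX shell, as an added example (not Mittwald's or WordPress's own tooling). It assumes PHP runs as the owner of the files, as is common on shared hosting, so that revoking the owner's write bit is what stops a compromised PHP process from changing files; the list of writable directories is constructed for this example and the function names are its own.

```shell
#!/bin/sh
# Added example, not part of the article: make a WordPress tree read-only
# except for the directories that must stay writable at runtime, and undo
# that for updates. Assumes the PHP process runs as the file owner.

# Directories WordPress must still write to (constructed list; adjust to
# the caching plugin in use).
WRITABLE_DIRS="wp-content/uploads wp-content/cache"

# mode_of PATH: print the octal permission bits (GNU stat, BSD stat fallback).
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# lock_wp_tree ROOT: directories 555 and files 444 everywhere, then
# restore 755/644 inside the directories WordPress needs at runtime.
lock_wp_tree() {
    root=$1
    # 555 keeps read and traverse permission, so find still descends.
    find "$root" -type d -exec chmod 555 {} +
    find "$root" -type f -exec chmod 444 {} +
    for d in $WRITABLE_DIRS; do
        [ -d "$root/$d" ] || continue
        find "$root/$d" -type d -exec chmod 755 {} +
        find "$root/$d" -type f -exec chmod 644 {} +
    done
}

# unlock_wp_tree ROOT: back to the usual 755/644 so core, plugin and theme
# updates can run; call lock_wp_tree again afterwards.
unlock_wp_tree() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
}

# Usage (path is a placeholder):
#   lock_wp_tree /var/www/html      # before going live
#   unlock_wp_tree /var/www/html    # only for the duration of an update
```

Because updates, media uploads and caching all need write access, the lock has to be lifted for maintenance and re-applied afterwards; if the web server runs as a different user than the file owner, the relevant bits are the group/other ones and the numbers above need adjusting.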

Conclusion

WordPress is the most widespread CMS, but it is also a popular target for attacks. The core is already a pretty secure system, but if you pay attention to a few general aspects, you can keep security high over the long term. With a little more effort, you can achieve even more. Do you have any other tips? Feel free to share them in the comments!

Lukas Fritz

Lukas works in product development at Mittwald and is therefore always interested in current developments in web development. As an experienced WordPress developer, he is also part of the WordPress competence team and takes care of profound WordPress problems. When he’s not programming in his free time, you can find him on his bike or on the dance floor.
