
WordPress security – Basics & professional tips for securing WordPress

Every blogger will be the victim of a hacker attack at some point.

For many bloggers, one of these attacks will sooner or later be successful.

You have to realize that hackers are not unwashed, long-haired teenagers in their darkened children’s rooms. That is a cliché that is rarely found in reality. Attacks on blogs and websites are now fully automated.

You often hear and read that you should install certain security plugins, which gives you a false sense of security. Because the attacks are automated, the attacker’s IP address can be changed in a flash after a few failed log-in attempts. This bypasses plugins like Limit Login Attempts and also defeats the IP bans of other plugins.

Of course, attacks as such cannot be prevented, and there is no 100 percent protection against a site being completely taken over. However, hacking attempts are usually aborted quite quickly if the hurdles are too great.

It is therefore advisable to make it as difficult as possible for the attackers, because then they prefer to look for easier victims.

Basics for more WordPress security

As described in the introduction, it is important that you make it as difficult as possible for attackers to infect your site. Simply implementing the basics can make your WordPress blog much more secure. So, the first half of this article will cover several basics of WordPress security.

Keep everything up to date

WordPress is continuously supplied with new updates to close discovered security gaps. This is also the case with the plugins and themes of professional developers. They release new versions as vulnerabilities become known to keep your blog safe.

Contrary to many myths, once WordPress is installed, the system is very secure.

If you don’t log into your blog that often, you won’t always be able to apply the latest updates right away. This makes your blog vulnerable. Either check the backend of your blog every few days, or use a plugin like the WP Updates Notifier to get email notifications of updates.

Username and password

Yes I know, old hat. But this old hat can save you from some nasty surprises. Never use the username “admin” for your administrator account and enter a very secure password with several numbers and special characters.

Choice of hoster

To make WordPress secure, you should choose your hoster wisely. The hoster can already ensure on the server side that attacking your blog is made as difficult as possible.

As a blogger in Germany, you should also use a German hoster. This is recommended simply because of the server location and the associated shorter loading times. I recommend RAIDBOXES* or all-inkl*.

If you need more information about choosing a hoster, take a look at my article about why I am so happy with RAIDBOXES.

Check plugins

It is best to use as few plugins as possible. Each plugin adds a lot of additional code and thus additional attack surface. Before you install a new plugin, check when it was last updated and whether someone in the reviews has already looked at the source code and rated it positively.

Regular backups

If it does happen to you, it’s good to have a backup. It is best to have backups of your blog created automatically and at regular intervals.

It is important that you do not only keep these backups on your server, because malicious code that has made it onto the server can reach them there too. So always save them locally on your computer or store them online elsewhere.

Creating a WordPress backup is easier than you think. You can find out how this works in my article: Save your blog – your WordPress backup in just 5 minutes.

Protect your computer

While the computer isn’t top of the list as a potential threat to your blog, it does make the list.

How so? Quite simply.

You transfer images and other files from your computer to the blog. And you’ve probably already connected to your web space via FTP. In these ways, a virus or malware can spread from your computer to the blog.

Install an anti-virus program to rule out your computer as a threat. Free programs for Windows and OS X are, for example, Avast or Avira.

Secure WordPress like the pros

The above measures already provide a very good basis against attacks. But of course there are more hurdles that can be put in the way of hack attacks.

The nice thing is, you only have to set up these measures once. After that, they work completely by themselves and help to make your blog secure.

Set file permissions

File permissions determine who can access your WordPress files. If these permissions are set incorrectly, you open the floodgates for attackers.

You can easily change the permissions via FTP. You open Filezilla or another FTP program, connect to your web space and right-click on the relevant file or folder. You can then click on “File Permissions” and make the settings there.

The following permissions have proven themselves and are also recommended by WordPress:

  • All files get 644
  • All folders get 755
  • The wp-config.php gets 660 or 400

These permissions ensure that

  • your user account can read and edit files
  • WordPress can create, edit and delete files and folders
  • No one else can see your database credentials in wp-config.php
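The permission scheme above, applied and checked with a small POSIX shell script. This is an added example and not code from the original article; the helper names are hypothetical, and the script assumes that the PHP/web server process runs as the owner of the files (the usual setup on shared hosts), since otherwise a wp-config.php with mode 400 is unreadable for WordPress itself.

```shell
#!/bin/sh
# Apply and verify the recommended WordPress file permissions.
# Hypothetical helpers, not part of the article. Assumes the PHP/web server
# process runs as the owner of the files (the usual setup on shared hosts);
# otherwise a 400 wp-config.php is unreadable to WordPress itself.
set -eu

set_wp_permissions() {
  wp_root="${1%/}"
  [ -d "$wp_root" ] || { echo "not a directory: $wp_root" >&2; return 1; }
  # Directories 755: owner may write, everyone else may only list/traverse
  find "$wp_root" -type d -exec chmod 755 {} +
  # Files 644: owner may edit, everyone else may only read
  find "$wp_root" -type f -exec chmod 644 {} +
  # Database credentials 400: readable by the owner only
  if [ -f "$wp_root/wp-config.php" ]; then
    chmod 400 "$wp_root/wp-config.php"
  fi
}

# Print the number of entries that deviate from the policy (0 = all good).
count_permission_violations() {
  wp_root="${1%/}"
  {
    find "$wp_root" -type d ! -perm 755
    find "$wp_root" -type f ! -path "$wp_root/wp-config.php" ! -perm 644
    if [ -f "$wp_root/wp-config.php" ]; then
      find "$wp_root/wp-config.php" ! -perm 400
    fi
  } | wc -l | tr -d ' '
}

# Demo on a constructed throwaway tree; no real installation is touched.
demo_wp_permissions() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-content/uploads"
  printf '<?php /* constructed sample config */\n' > "$tmp/wp-config.php"
  printf '<?php\n' > "$tmp/wp-content/uploads/index.php"
  chmod 777 "$tmp/wp-content/uploads" "$tmp/wp-config.php"  # deliberately too open
  set_wp_permissions "$tmp"
  count_permission_violations "$tmp"
  rm -rf "$tmp"
}
```

Run `count_permission_violations /path/to/wordpress` first to see how far your installation deviates before changing anything.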

Lock the wp-config file

The wp-config.php file in the main directory of your WordPress installation contains the access data for your database and other sensitive data. To make sure that nobody can access it from outside, you should block access to the file completely.

This is done very easily with a short code that you enter in the .htaccess file of your main directory. So open your FTP program again and connect to the server. First create a backup of the file (simply transfer or copy it to your computer) and now edit the .htaccess file.

There will already be a few lines in there; you can simply ignore them and add a blank line followed by this code at the very end:

# Blocks external access to the wp-config.php file
# (Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Prevent reading of the username

Let’s stick with editing the .htaccess file. Next we add code that prevents your username from being read out in a simple way.

On WordPress websites, the author page of the user with ID 1 can be accessed directly via domain.de/?author=1. In most cases this is the administrator.

To add this protection, the following code must be in your .htaccess:

# Prevents simple reading out of usernames via ?author=ID
RewriteEngine On
RewriteBase /
# Matches every request whose query string carries an author parameter
RewriteCond %{QUERY_STRING} .*author=(.+.?) [NC]
# Redirects it permanently to the start page without the author ID
# (replace /blog/ with the path of your own installation, "/" if it sits in the root)
RewriteRule (.*) /blog/?author= [NC,L,R=301]

Protect the login with a password

This is one of the most effective measures against hacking your blog via the login page and it replaces most of the security plugins. Automated programs often try to gain access to your blog using different usernames and passwords.

You can protect this login page with a password, which means the login form cannot even be reached without it.

Although you then have to log in twice each time (unless you stay logged in permanently), this is done quickly in practice. This minimal loss of convenience is rewarded with significantly higher WordPress security.

The measure that I am going to explain now only works on so-called Apache servers. In 90% of cases your site is on such a server. This is the case if you are with all-inkl, Strato, Domainfactory, Hosteurope, 1und1, One or many other hosters.

If you want to be absolutely sure, just ask your hoster or look at the description of your hosting contract.

So, now we come to the implementation. Don’t worry, I’ll explain each step in detail:

  1. First you need a .htpasswd file in your main directory
  2. This file is then populated with a username and a hashed password
  3. Then a few lines of code go into the .htaccess file

There are other ways to secure the WordPress login. You can find out everything about this in my article about the WordPress login.

Create .htpasswd

Create a file with a plain-text editor (Word is not one; Notepad++ and Sublime Text are) and save it as .htpasswd. Do not add a file extension like .txt or similar.

The easiest way to create the content of the file is to use this generator. There you enter the user name and password, select “md5” as the encryption method and click on the “Generate .htpasswd” button.

The generator will then output a line of text. Copy this and paste it into the .htpasswd file you just created. Now upload this file via FTP to the main directory of your WordPress installation.
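If you prefer not to type your admin password into a web generator, the same .htpasswd line can be produced locally with openssl, which also lets you check afterwards that a password matches the stored entry. This is an added example and not code from the original article; the helper names are hypothetical, it assumes openssl is on your PATH, and it produces Apache’s MD5 (apr1) format, which is what the generator above calls “md5”.

```shell
#!/bin/sh
# Create and verify Apache .htpasswd entries locally with openssl
# (hypothetical helpers, not part of the article; assumes openssl on PATH).
set -eu

# Print one .htpasswd line "user:$apr1$salt$hash" in Apache's MD5 (apr1)
# format, the format the article's online generator calls "md5".
make_htpasswd_entry() {
  user="$1"; pass="$2"
  # 8-character random salt from the alphabet apr1 accepts
  salt=$(openssl rand -base64 24 | tr -dc 'a-zA-Z0-9' | head -c 8)
  # -stdin keeps the password out of the process list
  hash=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
  printf '%s:%s\n' "$user" "$hash"
}

# Return 0 if USER/PASS match the entry stored in FILE, 1 otherwise.
# This mirrors what Apache does on login: re-hash the offered password with
# the stored salt and compare the result with the stored hash.
check_htpasswd_password() {
  file="$1"; user="$2"; pass="$3"
  stored=$(awk -F: -v u="$user" '$1 == u { print $2; exit }' "$file")
  [ -n "$stored" ] || return 1
  salt=$(printf '%s' "$stored" | cut -d'$' -f3)
  candidate=$(printf '%s\n' "$pass" | openssl passwd -apr1 -salt "$salt" -stdin)
  [ "$candidate" = "$stored" ]
}

# Demo with a constructed user; writes to a temp file, never to a real site.
demo_htpasswd() {
  f=$(mktemp)
  make_htpasswd_entry alice 'S3cret!pw' > "$f"
  if check_htpasswd_password "$f" alice 'S3cret!pw' \
     && ! check_htpasswd_password "$f" alice 'wrong'; then
    echo "ok"
  else
    echo "mismatch"
  fi
  rm -f "$f"
}
```

`make_htpasswd_entry yourname 'yourpassword' >> .htpasswd` appends a ready-to-upload line; every call uses a fresh salt, so two entries for the same password never look alike.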

Customize .htaccess

Now open the .htaccess file from your main directory again and insert the following code (again at the very end). It specifies which file (wp-login.php) the protection applies to and where the file with the username and password is located.

# From Apache 2.4 on
# Protect wp-login.php with HTTP basic authentication
<Files wp-login.php>
AuthType Basic
AuthName "Restricted Admin-Area"
# Absolute path of the .htpasswd file on the server's file system (not a URL)
AuthUserFile /PATH/TO/.htpasswd
Require valid-user
</Files>
# Deny access to important files
<FilesMatch "^\.(htaccess|htpasswd)$">
Require all denied
</FilesMatch>

At the marked place you have to enter the path to your .htpasswd. Apache expects the absolute path on the server’s file system here, not a web address; your FTP program or hoster’s control panel shows you the full path of your main directory, and since both files are in the main directory, you simply append /.htpasswd to it.

Test password protection

Now test the whole thing by going to your normal login page; it doesn’t matter whether that’s /wp-admin or /wp-login.php. If the browser first shows a separate dialog asking for your username and password before the page loads, everything went fine.

Enable SSL encryption

You can encrypt the entire traffic of your blog with a so-called SSL certificate. An HTTPS connection between the client (user) and the server (website) encrypts the transmission of data and also confirms the identity of the server. This means that when a website is called up, a certificate is first sent from the server to the client to confirm the authenticity of the server.

Setting up this encryption requires a few steps. Since this is beyond the scope here, I refer you to another article of mine in which I explain exactly that to you in a very simple way: WordPress and HTTPS – secure SSL encryption for your blog.

So, if you have implemented these measures, you are a very big step further in terms of WordPress security. Which of these steps have you implemented and how do you protect yourself against attacks?
