Security is more important than many believe
The security of WordPress is more important today than ever before. More and more plugins appear, more and more security holes open up, and WordPress is increasingly becoming the only serious content management system, used by more and more big websites and portals. If it has not been that for a long time already, that is, because WordPress is big and a large part of the publications on the Internet already use it as their foundation. But the more established and widespread a system is, the more vulnerable it inevitably becomes. What is widely used is heavily attacked, even more so if it is always the same foundation. Why not? If a security hole is found, there may be millions of blogs that have the same hole and can be hacked in a similar way. Whoever does not comply with WordPress security standards is like a naked man in a meadow: completely defenseless. To counteract this, we have picked out a few tips that will help you increase the security of WordPress. For even more security, take a look at the subpage on the topic of WordPress Security.
Change username of the admin
A big security problem with WordPress is that the admin usually does not change his username and WordPress automatically calls him Admin. Every hacker knows this, so there are endless automated access attempts, because the username is known and only the password has to be cracked. To avoid this, you should simply rename the admin. You can find out how to do this here. It is actually quite simple; it is just often forgotten.
Two-Factor Authentication for WordPress
Two-factor authentication for WordPress makes the CMS login even more secure by giving it an additional level of security. For example, you use your smartphone to generate a unique code for the login. This is done by a small WordPress plugin and makes your blog a lot safer.
Secure login, reduce login attempts
In my opinion, whoever uses WordPress should not use the user administration of the CMS. If you do not allow registrations, you can protect the whole wp-admin folder with a .htpasswd. From then on, nobody has access to the login without the correct password, which shuts down hacking attempts and automated access from the outset. But if you use registrations and allow other users to log in, you should at least reduce the login attempts. This is done by a plugin which ensures, for example, that users only have three more attempts before the account is temporarily suspended. This at least prevents the typical brute force attacks.
Update: Since more and more providers have also recognized this problem, many of them already offer this service. Two examples are 1und1 (in the managed WordPress version) and Raidboxes.
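The .htpasswd protection described in this section, written out as an added example that is not part of the original article. It assumes Apache 2.4 with AllowOverride permitting authentication directives; the password file path /home/example/.htpasswd, the user name "editor" and the realm text are placeholders.

```apache
# --- File 1: wp-admin/.htaccess (protects the dashboard directory) ---
# The password file is created beforehand, outside the web root, e.g.:
#   htpasswd -B -c /home/example/.htpasswd editor
# (path and user name are placeholders)
AuthType Basic
AuthName "Restricted area"
AuthUserFile /home/example/.htpasswd
Require valid-user

# Themes and plugins call admin-ajax.php from the public front end on
# behalf of visitors, so it stays reachable without the extra password.
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- File 2: addition to the .htaccess in the site root ---
# wp-login.php is located in the site root, not in wp-admin, so the
# login form needs its own rule to sit behind the same password.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /home/example/.htpasswd
    Require valid-user
</Files>
```

Basic authentication sends the password with every request, so this only makes sense on a site served over HTTPS.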
Simply rename the login address
If you want even more security, you can also simply rename the WordPress login. The problem with WordPress is, as already mentioned, that every hacker knows all directories and file names. He knows that the folder "wp-admin" leads to the login and that the file itself is called "wp-login.php". A quite simple and effective solution is renaming, but beginners should not mess around with the files. A better solution is the Rename wp-login.php plugin, which adds appropriate redirections and protects both from unauthorized access.
Perfect password security
Thinking up a password yourself usually leads to familiar words or phrases that are used often and gladly. But this makes a password hackable again, at least for people who know your preference for certain characters. A password generator creates security, because the randomly generated passwords are virtually unhackable and, above all, nice and long. Norton, for example, offers such a generator, with which you can easily create 30-character passwords that are completely random and enriched with special characters. Very secure and basically unbreakable. You should, however, refrain from using short and self-chosen passwords.
Prohibit comments or use alternative
Believe it or not, in the past the native comments of WordPress have always been the front door for hackers. There they could always smuggle in code, gain access, or get important information to infiltrate elsewhere. So the safest thing to do is to use an external system like Disqus. This is modern, filters spam without burdening your own server and is accordingly safe, at least if you use it without a plugin. The comments of WordPress, on the other hand, remain a danger.
Install firewall or security plugin
If you need additional protection, or simply sleep better after securing WordPress, you should use one of the many firewall plugins. They block malicious requests even before they reach your blog, which in the best case even increases performance, because all the hacking attempts are blocked in advance and can't eat up any resources. My recommendation would be BBQ Pro and NinjaFirewall, but there are many firewall plugins and more recommendations. Just have a look around and choose your own favourite.
Update: our favorite is and remains NinjaFirewall because of its effectiveness and of course its "light weight".
Set up secure WordPress .htaccess
We have already shown you the perfect WordPress .htaccess here before. For more security, there are of course a lot of additional code snippets. However, you shouldn't overcrowd your .htaccess, because a file that is too big will have a negative effect on the overall state of your blog. If you also have a firewall installed, you can do without many such entries, because the firewall already takes care of that.
Remove unnecessary WordPress headers
Although removing the unneeded header entries from WordPress is part of performance optimization, it also increases general security, because certain things are hidden and not so easy to see. We have already explained in detail in an article how to remove the unused headers from WordPress. Don't worry, it's very simple.
Disable XML-RPC completely
The XML-RPC interface has been abused more than once and exploited for malicious access. Since most people do not use it, XML-RPC should simply be completely disabled in the blog. This used to be very easy; now it takes a snippet and a few detours. But it is feasible, and whoever wants to provide security should do it quickly.
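One way to switch the interface off at the web server, shown as an added example rather than the snippet the article refers to. It assumes an Apache host on which .htaccess files may set access rules.

```apache
# Addition to the .htaccess in the WordPress site root.
# Denies every request to xmlrpc.php before PHP is started, so the
# interface cannot be used for logins or pingbacks at all.
<Files "xmlrpc.php">
    # Apache 2.4 and later
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 (older shared hosting)
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
# Expected result: a request to /xmlrpc.php is answered with 403 Forbidden.
```

Anything that talks to the blog through XML-RPC, such as the WordPress mobile apps or Jetpack, stops working with this rule, so check first that nothing on the site depends on it.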
Take WordPress update seriously
The most important thing about WordPress Security is and remains that you install updates for plugins and WordPress itself, directly and without delay. It is quite measurable that after the vulnerabilities of an old version have become known, they are massively exploited again to catch blogs that are still waiting with the update or have not closed the vulnerability yet. There are regular hacking waves after such updates. Nothing helps better than always using the latest version of WordPress and the corresponding plugins and not waiting several days for an update.
Do not install every plugin
Regardless of the performance issue, the safety factor must also be considered when installing plugins. As nice and great as all the plugins out there are, which are often even completely free of charge, always keep in mind that often a single programmer is behind them. On the one hand, a lot of plugins are badly programmed and open the door to attackers; on the other hand, future updates are anything but self-evident.
You should always consider or check the following points here:
- Do I really need the plugin, or can I implement the function otherwise?
- What are the ratings of the plugin?
- Who is behind the plugin? (Intuitively, one can assume that a developer who has published and maintains several plugins will probably also maintain your chosen plugin.)
- When was the last update of the plugin?
- A short check via Google also brings interesting information about a plugin to light here and there.
Create regular backups
If nothing else helps, a backup always helps. For example, if you have been hacked, if there are problems of any other kind, if there are visible anomalies or if you have wrecked your system yourself. The good old backup, which can reset the entire blog and database to an old version, always helps. Plugins help to set up such backups, as do hosters.
Attacks are often automated
In the end, WordPress is and remains vulnerable simply because it is so heavily fought over. WordPress is like a war zone, where the attackers normally can't get past the tanks, but a wrong plugin is enough to open a secret door that gives access to all the bad guys. Every day there are countless, completely automated hacking attempts that specifically exploit known vulnerabilities, or at least try to do so. There are complete routines that access your blog over and over again, or even brute force attacks that massively try to crack your login. If you don't put a stop to this, you will inevitably go down at some point. The main reason for this with WordPress is that attackers can quickly find out who is using WordPress and can start attacks automatically. The tips above help to counteract this. The major vulnerability of WordPress is still its plugins, by the way, because that is often the only way attackers succeed in penetrating your system. So keep your eyes open when it comes to security.