Safety first

WordPress is very popular software, with many fans and many users. The problem that this kind of popularity always brings with it is that it attracts attackers. They have been tampering with the system for years, developing bots and hacks and exploiting security holes and script injections.

Normally, attackers don't get away with it in the first place, but security comes first. However, this is often forgotten or neglected, because security does not help directly, but only in an emergency. From the very beginning, though, WordPress users should remember that in case of an attack all files are quickly infected, deleted, changed or destroyed. So security is the most important thing.
Here are seven basic steps to significantly increase WordPress security.

1. protection against script injections

The GET and POST requests are usually carefully protected, but what about the GLOBALS and _REQUEST variables? They are usually not handled very well, so the following rules in .htaccess provide more security. They block script injections and attempts to change the corresponding variables.

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
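
To see what these conditions actually catch before deploying them, the following added example (not part of the original article) replays the three RewriteCond patterns in Python over constructed sample URLs. The function name and the sample URLs are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# The three RewriteCond patterns from the rules above, combined with [OR].
# Only the first one carries [NC], so only it is case-insensitive.
CONDITIONS = [
    re.compile(r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    re.compile(r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})"),
    re.compile(r"_REQUEST(=|\[|\%[0-9A-Z]{0,2})"),
]

def is_forbidden(url):
    """Return True if the rules would answer this URL with 403 ([F])."""
    # %{QUERY_STRING} is the raw, still percent-encoded query string.
    # POST bodies and cookies never reach it, so they are not inspected.
    query = urlsplit(url).query
    return any(cond.search(query) for cond in CONDITIONS)

# Constructed sample requests (not taken from real logs).
SAMPLES = [
    "/?p=42&preview=true",                    # normal post preview
    "/?s=javascript+tutorial",                # search without angle brackets
    "/?s=%3Cscript%3Ealert(1)%3C/script%3E",  # encoded script tag
    "/index.php?GLOBALS[a]=1",                # attempt to set GLOBALS
    "/?_REQUEST=x",                           # attempt to set _REQUEST
    "/?s=<b>description</b>",                 # harmless, but contains "script"
]

def audit(urls):
    """Map every URL to the verdict the rewrite rules would give."""
    return {url: is_forbidden(url) for url in urls}

if __name__ == "__main__":
    for url, blocked in audit(SAMPLES).items():
        print("403" if blocked else "ok ", url)
```

The last sample is a false positive: a search for "<b>description</b>" is rejected because "description" contains "script" between angle brackets, so check the rules against the searches and links your site really uses.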

2. block Bad Queries

The plugin BBQ: Block Bad Queries, which I introduced to you only a short time ago, protects you from long requests, which are usually only aimed at finding a security hole or loophole. With Block Bad Queries such requests are simply cut off and receive a 414 response.

It must be said, however, that WordPress already offers good protection by default, but this can be extended even further. In my case, Block Bad Queries also gave me a slightly better performance, because suddenly the many queries couldn't get through anymore and couldn't create any load.

3. change the user name of the administrator

Standard practice for all webmasters who use WordPress is to change the username of the admin after installation. Instead of Admin, it should have a different name, simply because there are a lot of attacks that try to crack the admin password by brute force. To change the name, you can simply execute the following SQL command (replace 'NEW USER NAME' with the desired name).

UPDATE wp_users SET user_login = 'NEW USER NAME' WHERE user_login = 'Admin';

Here you can find detailed instructions with different options how to change the WordPress username admin.

4. lock WP-Admin

A fantastic way to prevent the many brute force attacks on the admin or backend of WordPress is to simply lock the whole area. This has many advantages, but also disadvantages. For example, you can only block the folder wp-admin if there are no registered users who are allowed to log in independently.

But the performance increases afterwards, because all the brute force attacks on the login suddenly come to nothing. I therefore recommend all blogs that do not allow registration to close the complete folder wp-admin with .htaccess and .htpasswd. The whole thing is basically very simple and explained here once more in detail.

5. protect files with .htaccess

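Besides the .htaccess in the folder wp-admin, you should of course have a corresponding file in the main directory. It holds security settings and performance optimizations; you can find all information about this in my articles about the perfect .htaccess. For security reasons, the following entries are useful, which prohibit access to the corresponding files.

# FILE-NAME-PLACEHOLDER is a placeholder: set it to the file to protect.
# Without the <Files> wrapper the two directives would deny the whole site.
<Files "FILE-NAME-PLACEHOLDER">
order allow,deny
deny from all
</Files>

<Files "SECOND-FILE-NAME-PLACEHOLDER">
order allow,deny
deny from all
</Files>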

6. disable directory browsing

Many hosters allow folders to be addressed directly. With WordPress the URL "" then lists all files in the corresponding directory. To prevent this from happening, the following code helps in the .htaccess in the root directory.

Options -Indexes

7. remove unnecessary header entries

Security is important, and even useless entries in the header may indicate security holes or activated software. Apart from that, a small and lean header also increases the overall performance considerably. To remove all unimportant entries from the header, you should copy the following code into the functions.php of your theme.

// Run remheadlink() on init, before wp_head prints its entries.
add_action('init', 'remheadlink');
function remheadlink()
{
 // Each call unhooks one default callback from the wp_head action.
 // Priority and argument count must match the original registration.
 remove_action('wp_head', 'rsd_link');
 remove_action('wp_head', 'wp_generator');
 remove_action('wp_head', 'index_rel_link');
 remove_action('wp_head', 'wlwmanifest_link');
 remove_action('wp_head', 'feed_links', 2);
 remove_action('wp_head', 'feed_links_extra', 3);
 remove_action('wp_head', 'parent_post_rel_link', 10, 0);
 remove_action('wp_head', 'start_post_rel_link', 10, 0);
 remove_action('wp_head', 'wp_shortlink_wp_head', 10, 0);
 remove_action('wp_head', 'adjacent_posts_rel_link_wp_head', 10, 0);
}
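
To check that the entries are really gone after the change, the following added example (not part of the original article) parses the HTML of a page and reports which of the wp_head callbacks listed above still leave a trace. The function and class names and both HTML samples are constructed for illustration, and only the entries with an unambiguous tag are covered.

```python
from html.parser import HTMLParser

# <link rel="..."> values mapped to the wp_head callback that prints them.
LINK_RELS = {
    "edituri": "rsd_link",
    "wlwmanifest": "wlwmanifest_link",
    "shortlink": "wp_shortlink_wp_head",
}
FEED_TYPES = {"application/rss+xml", "application/atom+xml"}

class HeadAudit(HTMLParser):
    """Collects the names of callbacks whose output is still in the page."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        a = {name: (value or "").lower() for name, value in attrs}
        if tag == "meta" and a.get("name") == "generator":
            self.found.append("wp_generator")
        elif tag == "link":
            for rel in a.get("rel", "").split():
                if rel in LINK_RELS:
                    self.found.append(LINK_RELS[rel])
                elif rel == "alternate" and a.get("type") in FEED_TYPES:
                    self.found.append("feed_links")

def leftover_head_entries(html):
    """Return the sorted callback names that still print into the head."""
    audit = HeadAudit()
    audit.feed(html)
    return sorted(set(audit.found))

# Constructed samples: a default head and one after the snippet is active.
BEFORE = """<head>
<meta name="generator" content="WordPress 0.0-sample" />
<link rel="EditURI" type="application/rsd+xml" href="https://blog.example/xmlrpc.php?rsd" />
<link rel="wlwmanifest" type="application/wlwmanifest+xml" href="https://blog.example/wp-includes/wlwmanifest.xml" />
<link rel="alternate" type="application/rss+xml" href="https://blog.example/feed/" />
<link rel="shortlink" href="https://blog.example/?p=1" />
<link rel="stylesheet" href="https://blog.example/style.css" />
</head>"""
AFTER = '<head><link rel="stylesheet" href="https://blog.example/style.css" /></head>'

if __name__ == "__main__":
    print("before:", leftover_head_entries(BEFORE))
    print("after: ", leftover_head_entries(AFTER))
```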

8. switch off XML-RPC

XML-RPC should also be deactivated if you do not use it. Since WordPress 3.5 the interface is permanently active, even if it is not in use. The problem with this is that an activated interface is always a danger and a security risk. However, deactivating it is not as easy as you might think, because to deactivate XML-RPC completely, a few steps are necessary. Here you can find my complete manual to disable XML-RPC.

WordPress is secure

That was basically it. Eight steps were necessary to suddenly increase the WordPress security. Eight steps, all of which are very important and do not present blunt methods. Eight steps that really protect you from nasty attacks, that really work and make sure you can sleep at night.

Anyone who has ever been hacked knows how much work and nerves it takes to restore a destroyed WordPress installation. Basically, all that is left is a completely new setup of the server; after all, not a bit of malicious code must remain. So it's better to be careful than lenient, because otherwise you could be in big trouble.

With the Eight Steps to Ultimate WordPress Security, you are now at least significantly better protected.

About Christian

My name is Christian and I am co-founder of the platform fastWP. Here in the magazine I am responsible for the more "technical" topics but I like to write about SEO, which has been my passion for over 10 years now.
