WordPress security comes first
WordPress security has grown into a big topic in recent years, which is no wonder when you look at the number of hacks, security holes and outdated plugins in the WordPress scene. Since WordPress arrived in the mainstream, the quality of individual themes and plugins has increasingly suffered, mainly because inexperienced newcomers represent the greatest purchasing power and are only too happy to be won over by feature promises and flashy functions. Apart from that, almost anyone can cobble together a small plugin or theme with the help of a tutorial and offer it for download, and its quality is often questionable.
As a user this is not always obvious; especially as an inexperienced user you often do not know who is actually responsible for a plugin and how good their reputation is. But most bloggers grow up after a while and realize that functions and features are not everything, and that security and performance matter a great deal after all. Making WordPress secure has become the new popular sport among bloggers, and probably rightly so.
WordPress security standards
Because WordPress core itself is relatively secure, it is usually the users who create a security risk in their blog through dubious settings and strange plugins. This does not have to be the case and can be avoided by following some basic standards. Here I have simply linked some of the most important articles of mine, which will give you more information about WordPress security and a feel for the essentials. Read them, learn, implement, and then move on to the next paragraph.
- WordPress Security Test
- Rename WordPress Admin
- Replace MD5 passwords with Bcrypt
- WordPress Spam: Risk to security and performance
- 8 steps to ultimate WordPress security
- Lock admin area for normal users
- Disable XML-RPC completely
- What exactly is HTTPS?
- 12 tips to protect your WordPress blog from hackers
WordPress Security Plugins
If you want to be on the safe side and not leave it at the basics, you should take a closer look at the various WordPress security plugins. Some of them are real firewalls; others are collections of useful functions that professionals and advanced users prefer to implement by hand, but which beginners can use to spare themselves exactly that trouble and make WordPress more secure in a simple way.
Even so, security plugins have real value today, as many attacks are now completely automated: WordPress installations are scanned for specific weak points or known vulnerable plugins so that exactly these can be attacked and exploited. This happens on the fly, around the clock. A firewall for WordPress can ward off a large number of these attacks at an early stage, which also noticeably relieves the server at the end of the day.
It also depends a little on how well your blog is found and how many users access it daily. Large blogs are more often the target of deliberate attacks; small blogs are less interesting to a human attacker, but automated scanners do not distinguish between big and small. So small or unknown blogs should not skip precautions either: they are just as vulnerable and often use all kinds of plugins that are considered unsafe, something usually only the experienced blogger knows who actively follows development, security and performance topics. My series of articles on this topic will help you choose a suitable WordPress security plugin.
- Security Plugins for WordPress: #1 Security is important
- Security Plugins for WordPress: #2 Wordfence Security
- Security Plugins for WordPress: #3 iThemes Security
- Security Plugins for WordPress: #4 NinjaFirewall
- Security Plugins for WordPress: #5 Sucuri Security
- Security Plugins for WordPress: #6 All In One WP Security
- Security Plugins for WordPress: #7 VaultPress
- Security Plugins for WordPress: #8 BBQ/6G Firewall
- Security Plugins for WordPress: #9 Sitelock
- Security Plugins for WordPress: #10 End
No comments and registrations
Spam within WordPress has become a real problem, and that means not only the many spam comments but also spam registrations. This spam is potentially dangerous: in the past there have been serious security holes through which malicious code could be injected via the comment field and executed within WordPress. Furthermore, comments and registrations are quite database-intensive, and page caches usually bypass logged-in users entirely, which can massively reduce performance. My personal recommendation is therefore: use an external comment system and disable registration completely, or really ban it. Lock the WordPress backend with .htpasswd, because otherwise there can be countless fake login attempts per minute, which eat up performance and are a potential weak point, since they try to crack the admin password by brute force.
Everything you need to know about this is in the articles below. Many people still want to use the native WordPress comments. I can only advise against this, for both security and performance reasons. The difference is too large, and turning comments off brings much more than the comments ever could. Besides, Disqus and similar services are very popular with most users anyway.
- Save WordPress Admin with .htpasswd
- Block WordPress login and prohibit registration
- Registration Honeypot: Against fake registrations
- WordPress Spam: Risk to security and performance
- Disable WordPress comments (without plugin)
- Optimize Disqus for performance
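As an added example (not taken from the linked article), here is what the .htpasswd lock on the backend looks like in Apache 2.4 syntax. The file paths, realm name and user name are assumptions; adapt them to your server.

```apache
# Added example, not from the article. Apache 2.4 syntax; paths and names are assumptions.
#
# 1. Create the password file OUTSIDE the document root so it can never be downloaded.
#    htpasswd -B stores a bcrypt hash (available since Apache 2.4):
#      sudo htpasswd -B -c /var/www/private/.htpasswd alice
#
# 2. In the site's main .htaccess (or the <VirtualHost>): protect the login script.
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile /var/www/private/.htpasswd
    Require valid-user
</Files>

# 3. In /wp-admin/.htaccess: protect the whole backend directory.
AuthType Basic
AuthName "Restricted"
AuthUserFile /var/www/private/.htpasswd
Require valid-user

# admin-ajax.php is called from the public front end by many themes and plugins;
# leaving it behind Basic Auth breaks those features with 401 errors, so open it again.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Two caveats a practitioner should keep in mind: Basic Auth only base64-encodes the credentials, so this lock is only worth anything over HTTPS (see the article on HTTPS above), and it is a second fence in front of the WordPress login, not a replacement for a strong admin password. On nginx the equivalent is `auth_basic` and `auth_basic_user_file` inside a `location = /wp-login.php` block and a `location /wp-admin/` block.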
Set up a honeypot for malicious bots
Jeff Starr is considered a true WordPress expert and, among other things, wrote the very clever BBQ plugin (see Security Plugins above) as well as the 6G Firewall. His solutions are solid and always keep performance in mind, which is why they usually reduce server load noticeably and thus also bring a speed advantage. His plugin Blackhole for Bad Bots is a trap for malicious bots and thus a direct help for more security in WordPress. Basically this honeypot works quite simply.
The plugin adds a hidden, randomly generated link to the page and asks bots not to follow it, both via a "nofollow" attribute and via robots.txt. Well-behaved crawlers respect this; malicious bots can't resist the honey (the link) and don't care about rules, so they follow it anyway. The result: from then on they are completely blocked from the site. This way you can catch a number of bad bots overnight; they no longer get access and therefore cause no further server load.
This is quite handy, especially since these bots are typically looking for security holes, copying the website or stealing articles. With the black hole you can at least lock out the bots that do not follow the rules. Bad guys simply have to stay outside. Effective and easily implemented as a simple WordPress security plugin.
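To make the mechanism concrete, here is an added example of the same idea as a minimal WordPress plugin. It is my own illustration, not the code of Blackhole for Bad Bots; the trap path, the ban-list file and the capability check are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Bot Trap (added example)
 *
 * Added example, not the Blackhole for Bad Bots plugin: a minimal WordPress plugin
 * that implements the same honeypot idea. The trap path, the ban-list file and the
 * capability check below are assumptions made for this example.
 */

// Path of the hidden link. Use a random, site-specific value: a guessable path lets an
// attacker embed it on another site and get legitimate visitors banned.
define( 'BOTTRAP_PATH', '/trap-7f3a9c2e/' );

// Ban list, one IP per line, stored below wp-content (assumption: writable by PHP).
define( 'BOTTRAP_BANFILE', WP_CONTENT_DIR . '/bottrap-banned.txt' );

// 1. Ask polite crawlers to stay away. WordPress serves a virtual robots.txt
//    (only when no physical robots.txt exists and pretty permalinks are enabled).
add_filter( 'robots_txt', function ( $output ) {
    return rtrim( $output, "\n" ) . "\nDisallow: " . BOTTRAP_PATH . "\n";
} );

// 2. Plant the bait: an invisible nofollow link on every front-end page.
add_action( 'wp_footer', function () {
    printf(
        '<a href="%s" rel="nofollow" style="display:none" aria-hidden="true" tabindex="-1">Do not follow</a>',
        esc_url( home_url( BOTTRAP_PATH ) )
    );
} );

// 3. On every request: refuse banned clients, and ban anyone who takes the bait.
add_action( 'init', function () {
    // Never trap logged-in authors or admins who might click the link while testing.
    if ( is_user_logged_in() && current_user_can( 'edit_posts' ) ) {
        return;
    }
    $ip = bottrap_client_ip();
    if ( bottrap_is_banned( $ip ) ) {
        bottrap_forbid();
    }
    if ( bottrap_is_trap_request() ) {
        bottrap_ban( $ip );
        bottrap_forbid();
    }
}, 1 );

/**
 * REMOTE_ADDR is the only address the client cannot forge. Behind a reverse proxy or
 * CDN it is the proxy's address; let the web server restore the real client IP there
 * instead of trusting X-Forwarded-For in PHP, or one spoofed header bans any IP.
 */
function bottrap_client_ip(): string {
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

function bottrap_is_trap_request(): bool {
    $requested = parse_url( $_SERVER['REQUEST_URI'] ?? '/', PHP_URL_PATH );
    $trap      = parse_url( home_url( BOTTRAP_PATH ), PHP_URL_PATH ); // honours subdirectory installs
    return untrailingslashit( (string) $requested ) === untrailingslashit( (string) $trap );
}

function bottrap_is_banned( string $ip ): bool {
    if ( ! is_readable( BOTTRAP_BANFILE ) ) {
        return false;
    }
    $banned = file( BOTTRAP_BANFILE, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES );
    return in_array( $ip, $banned, true );
}

function bottrap_ban( string $ip ): void {
    // Validate before writing so the ban list can never contain injected lines.
    if ( filter_var( $ip, FILTER_VALIDATE_IP ) === false ) {
        return;
    }
    file_put_contents( BOTTRAP_BANFILE, $ip . "\n", FILE_APPEND | LOCK_EX );
}

function bottrap_forbid(): void {
    status_header( 403 );
    nocache_headers(); // make sure no page cache stores and replays the 403
    exit( 'Forbidden' );
}
```

Two operational caveats: the robots.txt rule must be live before the link is published, because crawlers cache robots.txt for hours, and a well-behaved crawler that fetched the old version can still walk into the trap; Blackhole for Bad Bots therefore also whitelists the major search engines. And keep the ban list out of the web root or protected by the web server, since it lists the addresses you are fighting.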
Plugins and themes are a risk
To ensure a certain level of security within WordPress, it is also advisable to use only plugins, themes and snippets from trusted sources. Especially in so-called "nulled" versions, that is, stolen and illegally redistributed premium themes, malicious code is often hidden, which inexperienced users usually do not notice.
Many people with their first WordPress blog, who have little money and want to test a theme before buying it, fall into this trap by obtaining it illegally. The same applies of course to illegal WordPress plugins. Basically the number of plugins also matters, but quality is far more important. Statistically, the fewer plugins you install, the lower the risk of installing one with a security hole. There are quite a lot of those, not least because many plugins in the official directory are outdated. One remedy is directories for premium plugins, which cost a small amount but usually provide or even guarantee ongoing support, i.e. regular updates.
So you can be reasonably sure that premium plugins will be adapted to new standards and quickly updated or improved if security holes become known. Since support has always been a weak point, Envato's large marketplace now also guarantees support periods. Beyond that, there are some points that help you distinguish high-quality plugins from inferior ones. These points apply equally to WordPress themes and can be summarized as follows.
Updates: Secure, high-quality WordPress plugins and themes get regular updates. Trusted developers don't just leave their "babies" hanging; they update regularly, maintain the code, and if development is stopped, they at least communicate it openly and in advance so you have a chance to switch. Ideally the last update should be only a few weeks old, so check the changelog of the theme or plugin. Themes usually need fewer updates than plugins, but WordPress changes a lot and themes have to be adapted accordingly.
Support: High-quality plugins and themes for WordPress always provide support, even free ones. How do you best test the support? Ask a beginner's question and see how long the developer takes to react and, especially, in what tone. Bad, arrogant developers often react to beginner problems in an annoyed and indifferent way; good developers take their time and explain everything calmly, no matter how typical or annoying the question is. Someone who cares and makes an effort usually also handles the code responsibly. At least that's my opinion. Arrogant developers often stop caring at some point, especially with free extensions or themes.
Rating: On WordPress the ratings are a bit like Amazon's (so not always accurate), but they still give an approximate overall impression of a plugin or theme. As is typical on the Internet, mostly either 1 star or 5 stars are given. Be sure to read the reviews and see whether the criticism is relevant for you. Sometimes users just complain about little things that don't matter in your case, and sometimes 1 star is given because something didn't work but the mistake was on the user's side. So read at least some of the reviews. Only then will you know what's going on and have clues for possible errors or problems that might affect you.
Installations: For some time now, wordpress.org has also shown the number of active installations. So you don't just see the number of downloads (an easily manipulated figure) but actual installations, i.e. on how many sites a plugin is really active. This says nothing about the quality of the plugin, but it is a real indication of a popular plugin that will not be discontinued that quickly and should therefore keep receiving updates. What is frequently used has many users, and they often help each other, especially with WordPress.
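The four criteria above can be checked automatically for every installed plugin. The following is an added example of mine, not something from the article: it scores a plugin on the fields the wordpress.org plugin information API returns (last_updated, tested, rating, num_ratings, support_threads, support_threads_resolved, active_installs). The field names are the API's as I know them, the thresholds are my own assumptions, and the sample record at the bottom is constructed.

```php
<?php
/**
 * Added example, not from the article: turn the four plugin criteria (updates,
 * support, rating, installations) into an automatic check. Field names follow the
 * wordpress.org plugin information API as I know it; thresholds are assumptions.
 * Run inside WordPress with `wp eval-file plugin-audit.php`, or stand-alone with
 * `php plugin-audit.php` to see the constructed sample evaluated.
 */

if ( ! defined( 'DAY_IN_SECONDS' ) ) {
    define( 'DAY_IN_SECONDS', 86400 ); // WordPress defines this; stand-alone run does not
}

function plugin_audit( array $info, int $now, string $wp_version ): array {
    $findings = [];

    // Updates: the last release should be recent. strtotime() parses the API's
    // "YYYY-MM-DD H:MMam GMT" format.
    $updated = isset( $info['last_updated'] ) ? strtotime( $info['last_updated'] ) : false;
    if ( $updated === false ) {
        $findings[] = 'no usable last_updated date';
    } elseif ( $now - $updated > 180 * DAY_IN_SECONDS ) {
        $findings[] = sprintf( 'last update %d days ago', ( $now - $updated ) / DAY_IN_SECONDS );
    }

    // "Tested up to": compare major.minor only, so 6.4 vs core 6.4.2 is not flagged.
    $core = implode( '.', array_slice( explode( '.', $wp_version ), 0, 2 ) );
    if ( ! empty( $info['tested'] ) && version_compare( (string) $info['tested'], $core, '<' ) ) {
        $findings[] = "tested up to {$info['tested']} only (core is $core)";
    }

    // Rating: the average only means something with enough votes behind it.
    // The API reports rating as 0..100 (5 stars = 100).
    $votes = (int) ( $info['num_ratings'] ?? 0 );
    if ( $votes < 10 ) {
        $findings[] = "only $votes ratings";
    } elseif ( (int) ( $info['rating'] ?? 0 ) < 70 ) {
        $findings[] = sprintf( 'average rating %.1f/5', $info['rating'] / 20 );
    }

    // Support: share of recent forum threads the developer actually resolved.
    $threads  = (int) ( $info['support_threads'] ?? 0 );
    $resolved = (int) ( $info['support_threads_resolved'] ?? 0 );
    if ( $threads >= 5 && $resolved / $threads < 0.5 ) {
        $findings[] = "only $resolved of $threads support threads resolved";
    }

    // Installations: says nothing about code quality, but a lot about how many
    // eyes are on the plugin and how likely it is to be abandoned.
    if ( (int) ( $info['active_installs'] ?? 0 ) < 1000 ) {
        $findings[] = 'fewer than 1000 active installs';
    }

    return $findings;
}

if ( defined( 'WP_CLI' ) && WP_CLI ) {
    // Inside WordPress: audit every installed plugin that lives in the official directory.
    require_once ABSPATH . 'wp-admin/includes/plugin.php';
    require_once ABSPATH . 'wp-admin/includes/plugin-install.php';
    foreach ( get_plugins() as $file => $data ) {
        $slug = dirname( $file ) === '.' ? basename( $file, '.php' ) : dirname( $file );
        $info = plugins_api( 'plugin_information', [ 'slug' => $slug, 'fields' => [ 'sections' => false ] ] );
        if ( is_wp_error( $info ) ) {
            WP_CLI::line( "$slug: not in the wordpress.org directory, review by hand" );
            continue;
        }
        foreach ( plugin_audit( (array) $info, time(), get_bloginfo( 'version' ) ) as $finding ) {
            WP_CLI::warning( "$slug: $finding" );
        }
    }
} else {
    // Stand-alone demo with a constructed record (not a real plugin).
    $sample = [
        'last_updated'             => '2023-02-11 9:05am GMT',
        'tested'                   => '6.1',
        'rating'                   => 84,
        'num_ratings'              => 42,
        'support_threads'          => 12,
        'support_threads_resolved' => 3,
        'active_installs'          => 30000,
    ];
    print_r( plugin_audit( $sample, strtotime( '2024-06-01' ), '6.5.3' ) );
}
```

Premium plugins from marketplaces are not in the wordpress.org directory, so for those the script only tells you to review by hand; the same four questions (update date, tested version, review quality, support record) still apply, you just have to answer them on the vendor's page.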
Use WordPress safely
If you follow these simple basic rules and pay attention to a few points, you usually end up with a reasonably secure WordPress installation. Most security holes still come from plugins, especially the complex ones that integrate all kinds of functions and scripts and extend WordPress with countless features. So don't always just look for new features and functions for your own blog, but also pay attention to quality, and keep in mind that every plugin is a potential risk.
Ask yourself beforehand: what happens if development is stopped? Can I switch to another plugin, and does my site work without it? If you take these hints to heart and question every new plugin, theme etc. more than once, you will live relatively safely within the WordPress scene. If you are still worried, you can additionally activate a WordPress firewall to filter out the many automated attacks and minimize the risk of a hack.