Securing WordPress correctly

WordPress is one of the most widely used content management systems (CMS) in the world. However, due to its popularity, it is also a frequent target for hacker attacks. In this article, you will learn how to effectively secure your WordPress installation.

Why is WordPress a target?

The widespread use of WordPress makes it attractive to hackers who try to exploit known security vulnerabilities. Automated attacks systematically check whether a WordPress installation is outdated or has vulnerabilities. It is therefore essential to always keep your system up to date.

A professional web host with an integrated firewall can offer additional protection. If you don't have time to carry out regular updates yourself, consider hiring a service provider or agency to do it for you.

Keeping WordPress secure - the most important measures

1. Update WordPress and plugins regularly

  • Activate the automatic update if possible.
  • Log into the WordPress dashboard regularly and check for pending updates.
  • Pay particular attention to premium themes, which often have to be updated manually.

2. Use secure connections

  • Use an SSL/TLS certificate for your website so that it is always accessed via https://.
  • Use encrypted connections for e-mail retrieval and FTP access as well.
  • If you have ever used an unencrypted connection, change all passwords immediately.

3. Secure wp-login.php

  • Set up an additional password prompt for the administration directory.
  • Use a .htaccess lock to prevent unauthorized access.

4. Protect the WordPress administration directory

In addition to protecting the login page, you should also protect the entire administration directory:

  • Activate directory protection with your hosting provider.
  • Choose a secure password with at least 12 characters, including special characters.
  • Extend the .htaccess file in the administration directory with the following rules, which keep the directory locked but let plugins reach admin-ajax.php:
ErrorDocument 401 "Locked"
ErrorDocument 403 "Locked"

# Allow access for plugins to admin-ajax.php despite password protection
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
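Sections 3 and 4 describe one configuration: HTTP basic authentication in front of wp-login.php and the wp-admin directory, with admin-ajax.php excepted, plus the HTTPS redirect from section 2. The POSIX shell script below is an added example, not code from the original article, that writes both .htaccess files and the password file. It assumes Apache with mod_auth_basic, mod_authn_file and mod_rewrite, that the password file path you pass in lies outside the document root, and that openssl is installed to produce the apr1 hash Apache reads (htpasswd -m produces the same format); the user name and password in the usage call are placeholders.

```shell
#!/bin/sh
# Added example, not part of the original article: generate the .htaccess files
# that put HTTP basic auth in front of wp-login.php and the wp-admin directory,
# while leaving admin-ajax.php reachable for plugins.
# Assumptions: Apache with mod_auth_basic, mod_authn_file and mod_rewrite;
# the htpasswd file lives outside the document root; openssl is available.

# Append a user to the htpasswd file. The apr1 (MD5-based) format is what
# Apache's mod_authn_file reads; openssl generates it in place of htpasswd -m.
add_htpasswd_user() {
    file="$1"; user="$2"; pass="$3"
    printf '%s:%s\n' "$user" "$(openssl passwd -apr1 "$pass")" >> "$file"
    chmod 640 "$file"
}

# .htaccess for the document root: force HTTPS and lock wp-login.php.
write_root_htaccess() {
    docroot="$1"; htpasswd="$2"
    cat > "$docroot/.htaccess" <<EOF
# Redirect every plain-HTTP request to HTTPS
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]

# Second password in front of the login page
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted"
    AuthUserFile $htpasswd
    Require valid-user
</Files>
EOF
}

# .htaccess for wp-admin/: whole directory locked, admin-ajax.php excepted.
write_admin_htaccess() {
    docroot="$1"; htpasswd="$2"
    mkdir -p "$docroot/wp-admin"
    cat > "$docroot/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted"
AuthUserFile $htpasswd
Require valid-user

ErrorDocument 401 "Locked"
ErrorDocument 403 "Locked"

# Allow access for plugins to admin-ajax.php despite password protection
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
EOF
}

# True if the generated file contains the given directive (sanity check).
has_directive() { grep -q -- "$2" "$1"; }

# Usage: build the files in a scratch directory (paths are placeholders).
WP_ROOT="$(mktemp -d)"
HTPASSWD="$(mktemp)"
write_root_htaccess "$WP_ROOT" "$HTPASSWD"
write_admin_htaccess "$WP_ROOT" "$HTPASSWD"
if command -v openssl >/dev/null 2>&1; then
    add_htpasswd_user "$HTPASSWD" "wpadmin" "replace-with-a-12-plus-character-passphrase"
else
    echo "openssl not found: run htpasswd -m $HTPASSWD wpadmin instead" >&2
fi
has_directive "$WP_ROOT/wp-admin/.htaccess" '<Files admin-ajax.php>' && echo "wp-admin lock written"
```

On Apache 2.4 the `Order`/`Allow`/`Satisfy` lines require mod_access_compat; the native 2.4 form of the exception is a single `Require all granted` inside the `<Files admin-ajax.php>` block, which replaces the inherited `Require valid-user` for that file only. Keep the password file outside the web root so it can never be served.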

5. Choose secure plugins and themes

  • Use only plugins and themes which are frequently installed and regularly updated.
  • Buy premium themes from trustworthy providers such as ThemeForest or TemplateMonster.
  • Check when a plugin or theme was last updated before installing it.

Avoid free themes from unknown websites, as these are often infected with malware.

6. Delete unused plugins and themes

  • Delete unused plugins directly via the WordPress interface.
  • You can also remove superfluous default themes manually via FTP if they cannot be easily uninstalled.

7. Use an application firewall

An application firewall can help to block attacks at an early stage. Recommended solutions are:

  • Fail2Ban (free of charge, recognizes suspicious login attempts and blocks the source address)
  • mod_security WAF (web application firewall for blocking known attack patterns)
  • External firewall providers such as Barracuda, SonicWall or Imperva (professional solutions costing roughly 50-250 € per month)

Installing your own firewall is often not possible on shared hosting. In this case, a managed virtual server (V-Server) is the more secure alternative.
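Fail2Ban and a WAF rule for the login page act on the same signal: many failed login attempts from one client. The POSIX shell script below is an added example, not code from the article, that runs that detection over a few constructed Apache access-log lines (documentation IP ranges, no real hosts) and writes the equivalent Fail2Ban filter under an assumed file name. It goes one step beyond the article's description by telling failed from successful logins apart: WordPress answers a failed POST to wp-login.php with status 200 (the form is re-rendered), a successful one with a 302 redirect to wp-admin.

```shell
#!/bin/sh
# Added example (not from the original article): flag clients that keep failing
# at wp-login.php, the same signal a Fail2Ban jail on the Apache access log uses.
# All log lines below are constructed sample data using documentation IP ranges.

SAMPLE_LOG="${TMPDIR:-/tmp}/wp-access-sample.log"
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [10/Oct/2024:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.7 - - [10/Oct/2024:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
198.51.100.20 - - [10/Oct/2024:13:56:01 +0000] "GET /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2024:13:56:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Oct/2024:13:56:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Oct/2024:13:57:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.33 - - [10/Oct/2024:13:57:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# Print "IP count" for every client whose failed logins reach the threshold.
# A failed wp-login.php POST is answered with 200 (form re-rendered); a
# successful one with a 302 redirect, so only status 200 counts as a failure.
# Combined log format: $1 = client IP, $6 = "METHOD, $7 = path, $9 = status.
flag_login_failures() {
    log="$1"; threshold="${2:-5}"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= t) print ip, fails[ip] }
    ' "$log" | sort
}

# Fail2Ban filter expressing the same match (file name assumed; Fail2Ban is
# not started here). <HOST> is Fail2Ban's placeholder for the client address.
write_fail2ban_filter() {
    cat > "$1" <<'EOF'
[Definition]
failregex = ^<HOST> .*"POST /wp-login\.php[^"]*" 200\s
ignoreregex =
EOF
}

# Usage: report clients with five or more failed logins in the sample.
flag_login_failures "$SAMPLE_LOG" 5
```

The script counts over the whole file, whereas Fail2Ban counts within a sliding window: a jail that references this filter would set `logpath` to the Apache access log, `maxretry = 5`, `findtime = 600` and `bantime = 3600`, so a client is banned only after five failures within ten minutes. The single failure from 192.0.2.33 followed by a 302 is a legitimate user mistyping once and is correctly left alone.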

Conclusion: WordPress security is not rocket science

With regular updates, secure passwords and the right protective measures, you can reliably secure your WordPress website. Invest in secure hosting and avoid free, unknown plugins and themes. If you follow these tips, you will significantly minimize the risk of attacks.
