The popular WordPress content management system is now very widespread. In this article we would like to give you a few tips for securing your WordPress installation.
Because WordPress is so widely deployed, it is unfortunately also a popular target for attackers, and there are automated scans that probe WordPress installations for known security holes.
It is therefore very important that you always keep your WordPress up to date. For professional use it is also reasonable to hire an agency to keep WordPress up to date and to choose a web host that also uses a firewall to protect the system against known attacks.
We have listed the most important points on how to protect your WordPress installation.
- Always keep WordPress up to date
WordPress is not only software for blogs; it can also be extended with various functions through so-called plugins, i.e. extensions. Many users install special plugins and designs (themes) for individual websites. The main cause of successful attacks is installations that are not kept up to date.
Tip: For the WordPress installation, choose a web host with an administration interface that helps you update WordPress and plugins. Our recommendation is to use Plesk as management software.
Activate the automatic update of WordPress.
The software is then always kept up to date. This is also possible for many plugins.
It is advisable to log into the WordPress administration interface regularly and check the current state of the software. WordPress shows directly whether updates are available.
More problematic are themes, i.e. ready-made designs that usually contain paid plugins. These themes are usually not updated automatically but must be updated manually. To do this, download the current version of the theme from the manufacturer and copy it into the themes directory. After the update, usually only a few settings need to be made in the theme administration.
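The manual theme update described above, as an added shell example that is not part of the original article: it replaces a theme directory with an unpacked download, but only after checking that the download actually is a WordPress theme (every theme must carry a style.css), and it keeps the previous version as a backup outside the web root so that it can be restored but can no longer be served. The function name, the directory layout and the backup location are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original article): replace a theme directory
# the way the article describes (download the new version, copy it into the
# themes directory), with the checks an admin wants before overwriting files.
# Assumed layout: <themes_dir> is wp-content/themes, <new_dir> is the
# unpacked download, <backup_dir> lies outside the web root.
# The function name is hypothetical.

# Usage: replace_theme <unpacked_new_theme_dir> <themes_dir> <theme_slug> <backup_dir>
replace_theme() {
    new_dir=$1; themes_dir=$2; slug=$3; backup_dir=$4
    target="$themes_dir/$slug"

    # Every WordPress theme must ship a style.css with the theme header;
    # refuse to install an unpacked download that lacks it.
    if [ ! -f "$new_dir/style.css" ]; then
        echo "refusing: $new_dir has no style.css, not a WordPress theme" >&2
        return 1
    fi

    # Keep the previous version outside the web root so it can be restored
    # but is no longer reachable through the web server.
    if [ -d "$target" ]; then
        mkdir -p "$backup_dir"
        mv "$target" "$backup_dir/$slug.$(date +%Y%m%d%H%M%S)"
    fi

    cp -R "$new_dir" "$target"
    # Usual WordPress permissions: directories 755, files 644, so nothing
    # in the theme is world-writable.
    find "$target" -type d -exec chmod 755 {} +
    find "$target" -type f -exec chmod 644 {} +
    return 0
}
```

Run it as `replace_theme ~/downloads/mytheme /var/www/html/wp-content/themes mytheme /var/backups/wp-themes` after unpacking the download; the theme settings then need to be checked in the administration interface as the text says.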
- Use encrypted connections
The WordPress login data is highly sought after and can easily be intercepted on an insecure network, e.g. if you log in over an open WLAN in a restaurant or hotel.
You should therefore always use a TLS certificate for your website. It is best to choose a web host that can set up a certificate for you. This costs only a few euros per year for professional protection of your installation.
Please always make sure that you access your WordPress installation over an encrypted https:// connection, and likewise use encrypted e-mail retrieval and, if necessary, encrypted FTP login. If you have ever used an unencrypted connection, we recommend changing all passwords immediately.
- Secure the wp-login.php file
There is also the option of renaming the wp-admin directory, but this can cause problems with WordPress functionality. The simple way to protect against most brute-force attacks, in which passwords are simply guessed, is to add a snippet to the .htaccess file. This combines well with password protection.
- Secure your administration directory with a password
Additionally, you should protect this directory with a password. Your provider offers the option of setting up directory protection for certain directories. Protect your administration directory with a complicated user name and a password that is at least 12 characters long and contains special characters. Never choose passwords that are only 8 characters long. These are now generally considered insecure and can usually be cracked quickly, since hashes of such passwords have been precomputed for the common hashing schemes.
After setting up the password protection, open the .htaccess file and insert the following code above:
ErrorDocument 401 "Locked"
ErrorDocument 403 "Locked"
# Allows plugins access to admin-ajax.php despite password protection.
# The <Files> container limits the exception to this one file; without it,
# "Satisfy any" would lift the password protection for the whole directory.
# Order/Allow/Satisfy are Apache 2.2 directives (mod_access_compat on 2.4).
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
This ensures that WordPress plugins can still call this file.
- Use plugins and themes that are as widely used as possible
Plugins are usually responsible for the security holes in your WordPress. Plugins and themes are small software packages provided by third parties. In principle the idea is good, but there are now many dubious providers, and also providers who simply lack the knowledge and thus create software that contains security holes. There is practically no protection against this for the layman. We therefore recommend using only plugins that have been installed very often and have a good rating.
Do not use free themes that you can download from any website. Buy a theme, e.g. at Themeforest or Templatemonster, from a so-called elite provider, i.e. a professional programming team that has generated a high turnover.
Also pay attention to the date of the last update. Providers who do not update their plugins and themes or have already stopped development are not recommended.
- Delete unused themes and plugins
Once your website is ready and you want to go live, we always recommend deleting unused plugins and themes completely. This also applies to WordPress's own default themes, which cannot be removed easily. Attackers like to hide their files in these standard directories, so it is advisable to delete unused files completely. You can do this via the administration interface and, if necessary, also via FTP. Simply delete the directories you do not use from the themes directory.
- Use an application firewall
If possible, you should use an application firewall. This is software that checks every connection and offers many ways to prevent potential attacks.
With many providers there are free options such as fail2ban (recommended) or the mod_security WAF to block known attacks or known dubious IP addresses. In shared hosting environments, i.e. small hosting accounts, this is usually not possible because there are too many special features that cannot be set globally. For professional use we recommend in any case a managed V-server, i.e. a separate environment just for your website.
With some premium providers you can also use an external firewall solution for your website. Systems from e.g. Barracuda, Sonicwall or Imperva are suitable for this. These systems filter the traffic before it reaches the web server and thus block most attacks. Such a solution is relatively expensive at 50-250 euros per month and is only suitable for professional use.
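The check that fail2ban performs for the brute-force attacks mentioned above, run by hand over a few constructed Apache access-log lines, as an added shell example that is not part of the original article. The signal it looks for: WordPress answers a failed wp-login.php POST with HTTP 200 (the login form is shown again) and a successful login with a 302 redirect, so many "POST /wp-login.php ... 200" entries from one address mean password guessing. The sample log, the threshold and the function names are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original article: a fail2ban-style count of
# failed wp-login.php attempts per client address over sample log lines.
# A failed WordPress login returns 200 (form shown again), a successful one
# returns 302, so only "POST /wp-login.php" with status 200 is counted.
# The log lines below are constructed (documentation IP ranges), and the
# function names are hypothetical.

SAMPLE_LOG='203.0.113.7 - - [10/Mar/2024:10:00:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:00 +0100] "GET /wp-login.php HTTP/1.1" 200 4000 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2024:10:01:05 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:10:02:00 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:10:02:01 +0100] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "curl/8.0"'

# Usage: login_failures_by_ip <threshold>   (access log on stdin)
# Prints "<count> <ip>" for every address with at least <threshold> failed
# login attempts, most active first.
login_failures_by_ip() {
    threshold=${1:-5}
    awk -v t="$threshold" '
        # $1 is the client address, $6 the quoted method, $7 the path,
        # $9 the HTTP status code (combined log format)
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
        END { for (ip in n) if (n[ip] >= t) printf "%d %s\n", n[ip], ip }
    ' | sort -rn
}

# Helper for scripting: how many addresses in the sample crossed the threshold?
offending_ip_count() {
    printf '%s\n' "$SAMPLE_LOG" | login_failures_by_ip "$1" | wc -l | tr -d ' '
}

# Stand-alone run: report addresses with at least 5 failed attempts
printf '%s\n' "$SAMPLE_LOG" | login_failures_by_ip 5
```

On a real server the same function reads the live log (`login_failures_by_ip 5 < /var/log/apache2/access.log`); fail2ban encodes exactly this POST-with-200 distinction in its filter and then blocks the address in the firewall for a configured time, which is the automated version of this check.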
Conclusion: creating a website yourself is very easy with WordPress. The automatic update that many web hosts offer is also helpful compared to other content management systems. If you always make sure that the extensions are up to date (checking at least once a week), then not much can happen to you.
What costs nothing is also worth nothing. Unfortunately, this is true for many plugins and themes. Please note that many scammers infect themes with malicious code and then distribute them as their own theme for free. As soon as you have installed something like this, your website will in no time be used to send spam or to attack others.