11 simple tips to secure your WordPress website.

Marc Wagner

June 11, 2021

14 min read

WordPress is one of the most used content management systems in the world. This also makes it more and more attractive to bots and hackers.

Is WordPress safe?

As a rule, yes. Of course, it depends on many aspects. For one, is WordPress regularly maintained by you? Are plugins used, and if so, are they still up to date? The same applies to the theme. Has a firewall (WAF) been set up? What about the passwords? Many questions. Most of the time, the problem sits in front of the screen, because your system is only as good as you treat it.

This is not to say that there are no vulnerabilities in WordPress. Like your operating system, WordPress is affected too. But these are closed through regular updates as soon as they are detected.

What are the vulnerabilities of WordPress?

Here is a list of WordPress security vulnerabilities:

  • Backdoors
  • DDoS attacks
  • Brute-force attacks
  • Cross-site scripting (XSS)

Backdoors

Here, outdated plugins or security holes in plugins, themes and WordPress itself are exploited to open a backdoor to your WordPress website.

Most of the time, files are modified: malicious code is inserted that allows remote access to your data. These changes to your PHP files usually look like a random sequence of characters. This is because the PHP code is first encoded with Base64. Using eval(), the string can then easily be interpreted as PHP code.

Base64 backdoor in WordPress

It looks harmless at first. However, there may be a lot behind it, for example a script that automatically copies data from another server to yours and executes it.

Backdoors can be fixed quickly. First, you should check whether you have any vulnerabilities. If so, you should close the affected areas with an update. By changing file permissions and excluding PHP files from various folders, you can already combat numerous threats.
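The eval()/base64_decode() pattern described above is easy to look for on your own server. The following shell script is an added example and not part of the original article: it scans a directory tree for PHP files that pass the output of base64_decode() (or the similar decoders gzinflate() and str_rot13()) straight into eval(), and it builds a small constructed sample tree so it can be run offline. The file names, the sample "backdoor" (which merely decodes to `echo "hi";`) and the decoder list are assumptions for the demonstration.

```shell
# Added example (not from the original article): flag PHP files that feed the
# output of base64_decode() (or similar decoders) straight into eval(), the
# obfuscation pattern described above. It only reports file names and changes
# nothing; review every hit by hand, because some legitimate plugins also call
# base64_decode() on data that is never executed.
# Assumption: POSIX find and grep -E are available (any Linux/BSD/macOS host).

# Print every *.php file under $1 whose text contains eval( followed on the
# same line by base64_decode(, gzinflate( or str_rot13( (case-insensitive).
scan_for_obfuscated_php() {
  find "$1" -type f -name '*.php' \
    -exec grep -liE 'eval[[:space:]]*\(.*(base64_decode|gzinflate|str_rot13)[[:space:]]*\(' {} + \
    || true   # grep exits 1 when nothing matches; that is not an error here
}

# Build a constructed sample tree so the scanner can run offline. The
# "backdoor" is harmless: the Base64 string decodes to  echo "hi";
make_sample_tree() {
  mkdir -p "$1/wp-content/plugins/demo" "$1/wp-content/uploads"
  cat > "$1/wp-content/plugins/demo/clean.php" <<'EOF'
<?php
// Ordinary plugin code: base64_decode() used for data, never passed to eval().
echo base64_decode('aGVsbG8=');
EOF
  cat > "$1/wp-content/uploads/suspicious.php" <<'EOF'
<?php eval(base64_decode('ZWNobyAiaGkiOw=='));
EOF
}

# Stand-alone run: build the sample tree in a temp directory, scan it, clean up.
sample_root=$(mktemp -d)
make_sample_tree "$sample_root"
scan_for_obfuscated_php "$sample_root"
rm -rf "$sample_root"
```

Run it against your real installation with `scan_for_obfuscated_php /path/to/wordpress`. A hit is a reason to compare the file against a fresh copy of the plugin or theme, not proof of compromise on its own.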

Brute-force attacks

This is the term used to describe automated attacks that use simple passwords to gain access to your website. To prevent this, you should definitely limit the login attempts to your system. Blocking IP addresses and using strong passwords will also help to keep the problem under control.

Cross-site scripting (XSS)

Cross-site scripting is the name for a malicious script being injected into a trusted website or application.

The malicious code is usually inserted into the system via unsecured input options (forms). These are often scripts that are executed in the visitor's browser (JavaScript).

This is an attempt to grab the visitor's data, for example credit card information. Redirecting to other websites or inserting advertising (spam) is also part of it.

DDoS attacks (Denial of Service)

In a DDoS attack, errors and bugs in the code are exploited to overload the server. The target is addressed continuously from many servers, which is referred to as a botnet. Smaller websites are therefore often infiltrated in order to use them to launch a DDoS attack on a larger target.

Your WordPress Security Guide for 2021

To prevent your WordPress website from becoming the target of an attack, you should follow these security tips.

Do not use default names for users

Attacks on WordPress are usually automated. This means that a script (bot) tries to gain access to your WordPress using predefined methods.

The developers of these bots of course know that admin is the default username for WordPress administrators.

So they write a list of potential names, which the bot then tries to log in with, one after the other.

Of course, this also applies to passwords. There are countless lists of password combinations on the Internet that are simply played through.

For example, you can check on Have I Been Pwned whether your email address or phone number has ever turned up in a breach.

Bots are now also programmed to search the website for names and email addresses, which they then try as logins.

Unfortunately, WordPress does not offer the possibility to change usernames afterwards. Therefore, here are two ways to do it without a plugin:

  1. Create a new admin user and then delete the old one.
  2. Change the username directly in the database.

Secure your wp-config

The wp-config.php is by far the most important file on your system. Therefore, you should pay special attention to it when it comes to the security of your WordPress website.

It contains the database login data and the security keys. The security keys are responsible for encrypting your cookie information.

Disable editing of files

WordPress has an internal code editor. This allows you to edit theme and plugin files from within WordPress.

If an attacker succeeds in logging into WordPress, he can also edit these files. Often you don't even notice this.

To prevent this from happening, all you have to do is add the following line to your wp-config.php:

define('DISALLOW_FILE_EDIT', true);

The whole thing then looks like this:

WordPress DISALLOW_FILE_EDIT inserted in wp-config.php

Move the wp-config.php

Usually, wp-config.php is located in the root directory of your website. However, you can move it to any other directory that is not accessible via the web.

To move your wp-config.php file, simply copy its complete content into another file. Then save this file in a directory of your choice.

Then write the following lines in your wp-config.php:

<?php
// Load the real configuration from a path outside the web root
require_once('/pfad/zu/deiner/datei.php');

This prevents your PHP from being served as a download if there is a hosting error. This can happen, for example, if PHP has not been set up or is no longer working properly due to an error. Instead of interpreting the file, the server then offers it as a download. Due to this error, the file can then be opened and your data can be read.

Update the security keys for WordPress

The security keys improve the encryption of information stored in users' cookies. They consist of a series of random characters.

During the installation of WordPress, these are generated automatically. But it can be useful to renew them, for example after moving your website.

For this, WordPress offers a free tool with which you can generate the security keys. Just open the link and replace the security keys in your wp-config.php file.

WordPress security keys in wp-config.php
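If you would rather not fetch the keys from an online generator, they can be produced locally. The script below is an added example, not the article's or WordPress's own code: it draws eight 64-character keys from /dev/urandom and prints them as the define() lines that wp-config.php expects. The constant names are the real ones WordPress reads; the key length and character set are assumptions chosen to match the online generator, minus the two characters that would break a single-quoted PHP string.

```shell
# Added example (not the article's code): generate the eight security keys and
# salts for wp-config.php locally, as an offline alternative to the WordPress
# online generator. Assumption: /dev/urandom exists (Linux, BSD, macOS).

# Emit one 64-character key from urandom. The character set follows the
# WordPress generator but leaves out ' and \ so the key is safe inside a
# single-quoted PHP string.
gen_wp_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=-' < /dev/urandom | head -c 64
}

# Print a define() line for each of the eight constants WordPress expects,
# ready to paste over the old block in wp-config.php.
generate_wp_keys() {
  for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
              AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    printf "define('%s', '%s');\n" "$name" "$(gen_wp_key)"
  done
}

generate_wp_keys
```

Replacing the keys invalidates every existing login cookie, so all users (including you) are logged out once after the change; that is also why renewing them is a sensible step after a suspected compromise.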

Customize file permissions

File permissions allow you to specify who can access a file or folder. File permissions can be changed with an FTP client such as FileZilla.

Connect to your server with your FTP client and navigate to the WordPress directory. Right-click on a file or folder to open the context menu.

Context menu in FileZilla (FTP)

At the bottom of the list of options, you will find the entry File Permissions. Click on it to change the file attributes.

FileZilla: change file attributes

There you can easily set the permissions. Attention: By changing the file permissions you can damage your website. You should therefore only make the changes if you are familiar with them.

In the WordPress documentation, you can find the file permission guidelines.

Excerpt on file permissions from the WordPress documentation

Accordingly, you should set the file permissions for wp-config.php to 440 or 400.

Disable running PHP for directories

You can prevent the execution of PHP files for individual directories. For example, one of the directories where PHP files have no place is /wp-content/uploads/.

With the help of a .htaccess file we can disable the execution of PHP files:

  1. Create a new .htaccess file in the /wp-content/uploads/ directory of your WordPress installation. Note: The .htaccess file will then also affect all subfolders of the directory.
  2. Insert the following content there:

<Files *.php>
deny from all
</Files>

You have now made all PHP files in the directory unusable.
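Both of the last two steps, the permission baseline and the uploads .htaccess, can be applied in one go from a shell on the server instead of file by file in FileZilla. The script below is an added example and not the article's own code. It assumes Apache with .htaccess processing enabled and a Linux or BSD host where you run it as the account that owns the files; the sample site it builds is constructed only so the functions can be exercised offline. It also goes slightly beyond the article: the .htaccess it writes carries the Apache 2.4 `Require all denied` form next to the 2.2 `Deny from all` form, because the 2.2 syntax quoted above is only honoured by Apache 2.4 when mod_access_compat is loaded.

```shell
# Added example (not the article's code): apply the permission baseline from the
# WordPress documentation (directories 755, files 644, wp-config.php 440) and
# write the uploads .htaccess that blocks PHP execution. Assumptions: Apache with
# .htaccess processing enabled, and a Linux/BSD host where the files are owned by
# the account running this script (run it as the site owner, not from FTP).

# Octal mode of a path: GNU stat first, BSD/macOS stat as fallback.
perm_of() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Baseline modes, then tighten wp-config.php so only owner and group can read it.
harden_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then
    chmod 440 "$1/wp-config.php"
  fi
}

# Deny direct requests for PHP under wp-content/uploads and all its subfolders.
# Apache 2.4 uses "Require all denied"; the "Deny from all" form quoted in the
# article is 2.2 syntax that 2.4 only accepts with mod_access_compat, so both
# are wrapped in IfModule checks. FilesMatch also covers .phtml and .phar.
deny_php_in_uploads() {
  mkdir -p "$1/wp-content/uploads"
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Allow,Deny
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Constructed sample site so the functions can be exercised offline.
make_sample_site() {
  mkdir -p "$1/wp-includes" "$1/wp-content/uploads/2021"
  printf '<?php // constructed sample\n' > "$1/wp-config.php"
  printf '<?php // constructed sample\n' > "$1/wp-includes/sample.php"
  : > "$1/wp-content/uploads/2021/photo.jpg"
  chmod 777 "$1/wp-config.php" "$1/wp-includes/sample.php"   # deliberately too open
}

site=$(mktemp -d)
make_sample_site "$site"
harden_permissions "$site"
deny_php_in_uploads "$site"
echo "wp-config.php: $(perm_of "$site/wp-config.php")   sample.php: $(perm_of "$site/wp-includes/sample.php")"
rm -rf "$site"
```

On a real site, run `harden_permissions /path/to/wordpress` and `deny_php_in_uploads /path/to/wordpress` and then load the site once: if the PHP process runs as a different user than the file owner, 440 on wp-config.php will break the site and you need 640 with the web server's group instead, which is exactly the kind of damage the article warns about.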

Limit the number of login attempts

Next, be sure to set a limit for login attempts.

Attackers often try to gain access to the system by entering different username and password combinations. If you don't set a limit here, attackers can try to guess your passwords every second.

For this, you can use a security plugin like Sucuri or Limit Login Attempts Reloaded.

Limit Login Attempts Reloaded WordPress plugin

You can use the default settings directly. If you have a static IP address, you can store it directly as well.

This ensures that after 3 incorrect logins from an IP address, it is blocked from further logins for 20 minutes. In addition, the IP address will be blocked for 24 hours if it has already been blocked 4 times within 24 hours.

As an extra, you can also be notified by e-mail as soon as a block has taken place.
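Whether or not a plugin is in place, the same "3 failures from one address" rule can be checked against the web server's access log to see who is hammering the login form. The awk script below is an added example, not the article's or the plugin's code. It assumes the common "combined" log format and uses a heuristic: a failed WordPress login re-renders wp-login.php with HTTP 200, while a successful one redirects with 302, so repeated 200 responses to POST /wp-login.php from one address are counted as failures. The log lines are constructed for the demonstration and use documentation-only addresses.

```shell
# Added example (not the article's code): spot brute-force login attempts in an
# Apache/nginx access log in "combined" format. Assumption: a failed WordPress
# login re-renders wp-login.php with HTTP 200, while a successful one answers
# 302, so repeated POSTs with 200 from one address are treated as failures.
# The log lines below are constructed for the demonstration.

SAMPLE_LOG='203.0.113.7 - - [11/Jun/2021:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 2930 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jun/2021:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 2930 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jun/2021:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 2930 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Jun/2021:10:00:04 +0200] "POST /wp-login.php HTTP/1.1" 200 2930 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Jun/2021:10:01:00 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [11/Jun/2021:10:01:30 +0200] "GET /wp-admin/ HTTP/1.1" 200 15000 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Jun/2021:10:02:00 +0200] "POST /wp-login.php HTTP/1.1" 200 2930 "-" "Mozilla/5.0"'

# Read a log on stdin; print "count ip" for every address whose failed
# wp-login.php POSTs reach the threshold (default 3, the plugin default above),
# busiest address first. Field layout of the combined format:
# $1 client IP, $6 "METHOD (with the opening quote), $7 request path, $9 status.
failed_login_offenders() {
  threshold="${1:-3}"
  awk -v limit="$threshold" '
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
    END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
  ' | sort -rn
}

# Stand-alone run over the constructed sample: only 203.0.113.7 is reported.
printf '%s\n' "$SAMPLE_LOG" | failed_login_offenders 3
```

On a live server, pipe the real log in instead (`failed_login_offenders 3 < /var/log/apache2/access.log`, path assumed) and compare the result with the plugin's lockout list; addresses that show up here but never got locked out usually mean the real client IP is hidden behind a proxy or CDN and the plugin is counting the proxy's address instead.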

Change the WordPress database prefix

WordPress is assigned a database prefix by default during installation. If you have not changed it, this is wp_.

You can customize this prefix and assign it individually during the installation of WordPress.

Therefore, the easiest way is to change the prefix directly during installation. But it can also be done afterwards. For this, both the database and the wp-config.php would have to be adjusted.

Since changing the prefix can damage the site, you should only do this if you have experience with databases and programming. Otherwise, you should hire a professional.

Disable directory indexing and directory browsing

Attackers usually browse directories on your server to find possible targets and vulnerabilities. Although many web hosts now disable directory indexing and directory browsing by default, there are still some exotic ones.

Just test whether directory indexing is enabled on your WordPress website by calling the path: /wp-includes/

If you now get a view like the one below, you should definitely read on.

Directory indexing and directory browsing active on WordPress

So that potential attackers cannot see this, simply open the .htaccess file in the main directory of WordPress (where the wp-config.php file is also located).

Add the following line to disable directory indexing and directory browsing:

Options -Indexes

Test the URL again after saving and uploading. Now you should see a 403 error (Forbidden) instead of the directory listing.

Disable the XML-RPC interface

The XML-RPC interface is enabled by default, but is hardly used nowadays. In the meantime, it has been replaced by the REST API introduced in WordPress.

Meanwhile, it is mostly used to perform brute-force attacks and DDoS attacks.

You should therefore check whether the interface is still activated. The best way to do this is to use the WordPress XML-RPC Validation Service.

WordPress XML-RPC Validation Service

Just enter the link to your website in the address field and complete it with xmlrpc.php.

If you have XML-RPC active, you will get the following message:

WordPress XML-RPC active

Now you should take action. To disable XML-RPC, you have several options.

Disable XML-RPC via a filter

To do this, open functions.php from your child theme and add the following line:

add_filter( 'xmlrpc_enabled', '__return_false' );

Note that this filter only switches off the XML-RPC methods that require authentication; the xmlrpc.php endpoint itself still answers requests, so the .htaccess variant below is the more thorough option.

Disable XML-RPC via .htaccess

Open the .htaccess file which is located in the root directory of WordPress. There you add the following lines:

<Files xmlrpc.php>
Order Allow,Deny
Deny from all
</Files>

This will prohibit access to the file.

Regular backups of the website and database

You should regularly back up your website and database to an external server.

A backup on your own server is often not enough. Especially if you use existing plugins, bots know where the backups are stored. It often happens that the backups are deleted or infected as well.

An external backup is therefore indispensable for essential areas. For this you can use, for example, the UpdraftPlus WordPress backup plugin.

Create a manual backup with UpdraftPlus

From the dashboard, you can then start your first backup of your files and database directly with Back up now.

In addition, you can also specify other settings.

WordPress UpdraftPlus backup settings

In addition to the frequency and retention of backups, you can also configure an online storage where the data will be saved.

So if you don't want to keep downloading backups manually, you should configure an online storage.

You can also sign a maintenance contract for your WordPress website directly with us. In addition to backups and maintenance, we also take care of updating your website and ensure its security.

Disable debug mode

Debug mode should only be enabled when there is a problem with your website. As soon as it is activated, additional information is displayed for developers. This may include sensitive data, which potential attackers can then pick up in order to find security vulnerabilities.

To disable debug mode, you need to modify the following line of code in your wp-config.php file:

define('WP_DEBUG', false);

Regularly update WordPress, themes and plugins

Another way to improve your WordPress security is to regularly update plugins, themes and WordPress itself.

Security enhancements and bug fixes are also often added during the update process.

WordPress: updates for plugins and core

Unfortunately, I see again and again that many customers come to us with outdated WordPress versions. Mostly with simple reasons like "then the site no longer runs" or "our changes in WordPress are then gone".

Changes should never be made to WordPress, plugins or themes themselves. This is what hooks and child themes are for.

In addition, WordPress updates usually contain indispensable security patches.

Note: You should always back up your website and database before updating.

How to update WordPress

As soon as an update is available for WordPress, you will be notified via the dashboard.

Update WordPress core via the dashboard
Confirm the WordPress update

Alternatively, you can download WordPress manually and upload it to your server using SFTP. Important: Overwriting files or folders, if not done correctly, can damage your website.

How to update WordPress plugins

WordPress plugins are also easy to update. Click on the update icon on the dashboard and then select the plugins you want to update. Confirm the process by clicking the Update Plugins button.

Update WordPress plugins on the dashboard

WordPress plugin: update now

If you have purchased premium plugins via a third-party provider, it may not be possible to update them via WordPress. You should therefore always check these plugins manually for updates.

To do this, you can usually download the files manually from the vendor and upload them to your server using SFTP. The files for the plugins are located in /wp-content/plugins.

To increase the security of your WordPress website, you should always check when a plugin was last updated before choosing it. Plugins that are not updated regularly or have not been updated for a long time should be avoided.

Security through obscurity

An attempt is made to increase security by keeping information secret. Whether this is useful or not is controversial. Nevertheless, the principle can also be applied to WordPress.

Hide the WordPress version

The less an attacker knows about your system, the better. Therefore, you should hide the WordPress version you are using.

Hide the WordPress version

This can be done without any plugin at all. Just add the following to the functions.php file of your child theme (wp-content/themes/child-theme/functions.php):

// Return an empty string instead of the <meta name="generator"> tag that reveals the version
function removeWordPressVersion() {
   return '';
}
add_filter('the_generator', 'removeWordPressVersion');

That was it already. Now the WordPress version should no longer be displayed in the generator tag.

Change the WordPress login URL

Another way to incorporate the principle of obscurity into WordPress is to obfuscate the login URL.

All bots, hackers and potential attackers know the path to the WordPress login file. By means of brute-force attacks, they then try to log in. Of course, changing the URL is not a real solution, but a little trick. Once the attackers know that your login URL has been changed, they will adjust to it.

To change the path to your login page, you can use the WPS Hide Login plugin.

Summary

As you can see, WordPress can be optimized with little effort to increase security. By choosing alternative usernames and secure passwords and by performing regular updates, you can ensure that your website stays up and running.

Did we forget anything, or do you have the ultimate tip on how to secure your WordPress website? Then let us know in the comments.

Article by:

Marc Wagner

Hi, Marc here. I'm the founder of Forge12 Interactive and have been passionate about building websites, online stores, applications and SaaS solutions for businesses for over 20 years. Before founding the company, I worked in publicly listed companies and acquired all kinds of knowledge. Now I want to pass this knowledge on to my customers.

Do you have a question? Please leave a comment.