How to secure WordPress against hacker attacks – WordPress Security Tips
The content management system WordPress is becoming increasingly popular – partly because it’s simple. It’s easy to create a website with it. It’s easy to update content and post it online. And it’s easy to hack it.
And it is precisely because of its widespread use that WordPress is increasingly becoming a target for attackers.
WordPress is a fairly secure system in its default installation—that is, without third-party plugins and themes. However, the more components you have, the more complex their coordination becomes, which can lead to gaping security holes.
However, discussions about compatibility and updates often overlook the supposedly most important topic:
How do I optimize the security of my website completely and consistently?
Simple steps to secure WordPress – WordPress Security Basics
1. ALWAYS keep your WordPress version up to date!
2. Never modify the WordPress core.
3. Make sure all plugins are up to date.
4. Remove any inactive or unused plugins.
5. Make sure all WordPress themes stay up to date.
6. Install themes, plugins, and scripts ONLY from their official source.
7. Choose a secure WordPress hosting service.
8. Make sure your site is running the latest PHP version.
9. Create .htpasswd and .htaccess directory protection files for the administrator area.
10. Use the Google Authenticator app.
11. Change the admin username.
12. Always use strong passwords.
13. Do not reuse passwords you have already used.
14. Protect passwords by preventing the password from being transmitted in plain text.
15. Only update your website through a trusted network. An internet café on vacation isn’t the place for that 🙂
16. Use a local anti-virus on your local computer.
17. Activate Google Search Console.
18. Secure WordPress with a security tool, e.g., BulletProof Security PlugIn.
19. Always restore data using previously created backups.
Improved WordPress security – WordPress Security for more security
1. Limit the number of login attempts to a maximum of 5.
2. Enable two-factor authentication.
3. Make sure the access rights are correct.
4. Change the default table prefix.
5. Make sure you have set up WordPress Secret Authentication Keys.
6. SALT passwords.
7. Restrict PHP execution.
8. Separate databases (one database for each installation)
9. Restrict user rights for databases.
10. Disable file editing.
11. Back up your wp-config.php file and store it in a safe place.
12. Disable XML-RPC if you are not using it.
13. Disable debugging and PHP error reporting.
14. Install a firewall.
15. Use a filter for data delivery from content delivery networks.
16. Monitor the log files of your WordPress security tool
Our Top 10 Security Plugins for WordPress
1. Wordfence Security Plugin
With a selection of security features, Wordfence ensures greater security on WordPress sites.
The plugin scans core files to detect potentially malicious influences and blocks known malicious networks and attacks in real time.
Having your own firewall reduces other known security risks.
The Falcon engine also ensures increased site performance.
2. Sucuri Security
The web monitoring service scans freely definable pages for malicious code at freely definable times.
This involves using databases of known vulnerabilities and reported problems from major blacklisting authorities such as Google, McAfee, or Phish Tank.
You also have the option of generating a free API key.
3. All In One WP Security Plugin
This popular extension is aimed more at beginners who want to improve the security of their site without having to know complex rules for creating an .htaccess file.
The optimization process can be tracked using a speedometer – the higher the score, the better WordPress has been optimized for security.
Otherwise, the All In One WP Security Plugin, as the name suggests, works as a collection of useful codes that improve security.
This includes a small firewall, tweaks against brute-force attacks, the ability to change the data prefix and create user management, as well as numerous other security features.
4. iThemes Security (formerly called Better WP Security)
Instead of overwhelming you with text, iThemes Security literally takes you by the hand and shows you, with understandable, well-thought-out tips, exactly what you can do to make your website more secure.
The fairly comprehensive plugin includes, among other things, a malware scanner, database logs, two-factor authentication, 404 protection, and protection against brute force attacks by limiting login attempts.
5. Fail2ban
The plugin works as a filter that monitors logins and blocks IP addresses if anything unusual is detected, without having a massive impact on WordPress speed.
Filter settings and actions can be stored in a jail file.
Originally developed for all POSIX systems, Fail2ban is now also available as a WordPress plugin with simplified usage.
6. Bad Behavior
The PHP-based plugin acts as a bouncer, preventing spammers from spreading their garbage and even reading the page.
Bad Behavior tries to block before there is an opportunity to use the system.
To achieve this, the blog reader’s software and the method they use to submit data are analyzed. Potential spammers are then denied access with an Apache 403 message.
7. Security Ninja
This plugin allows you to detect the vulnerabilities of a website by performing numerous security tests with just a click of the mouse.
In addition, it can be used to simulate and evaluate attacks and to define preventive measures.
Updates that implement new vulnerability tests are worthwhile.
8. ThreeWP Activity Monitor
The plugin informs the site operator in real time about user activity on their site.
These include, for example, new registrations, successful and failed login attempts, comments, created pages and posts, deleted users, and changed passwords.
9. User Role Editor
With a simple interface, the permissions of different user groups can be edited quickly and easily.
10. WP Update Notifier
This plugin informs the site operator via email about upcoming updates – not only for WordPress itself, but for all used plugins and themes.
This makes the WP Update Notifier suitable for anyone who does not regularly log in to the backend as an admin to keep the system up to date and minimize security gaps.