In this article, I’ve explained how you can secure WordPress and protect it from hacker attacks in such a way that your grandma would understand it too. At least if she has a computer and knows that Google is not a vacuum cleaner. Making WordPress safe is not magic. I will explain exactly that to you – the essential points that really matter.
At the same time, I will also clear up all the rumors that are floating around in the blogosphere regarding WordPress security. In fact, many recommendations are simply wrong or distract you from the essentials. And the most popular WordPress security plugin, Wordfence, does almost more harm than good. I even fell for some half-truths that are spread on other blogs. But I’ll tell you more about that later…
Secure WordPress With Updates
Regular updates offer the most effective protection against hackers.
The most common WordPress security tips revolve around securing your login. But the fact is that most attackers don’t come through the front door. Just like most burglars in the real world, they prefer to enter a house where it is easiest to get in.
I will also recommend that you choose a secure password for your login. But the most important thing is that you regularly update all plugins, themes and the WordPress core and keep them up to date.
To do this, click on DASHBOARD>UPDATES in the WordPress admin interface. There you can update WordPress and all plugins and themes if there is a newer version.
Before each update, you should definitely create a WordPress backup. Because if an error occurs during the update, you can quickly and easily reset everything. Please do not skip this step! Because it can save you a lot of time and nerves. Trust me on this one…
Only Use Current Plugins that are being further developed
If the development of a plugin is stopped, then no security gaps are closed. Apart from that, problems with new WordPress versions can also arise if the developers no longer keep a plugin up to date.
In the WordPress dashboard you can display all installed plugins under PLUGINS. And with a click on VIEW DETAILS you can find out when the last update was published. If this was several months or even years ago, then deactivate and delete this plugin and look for an alternative.
The same goes for the theme you are using, of course.
Delete Unnecessary Plugins And Themes
If you don’t use a plugin or theme, delete it. And only install plugins that you really need. Less is clearly more here. Because every plugin means a certain security risk. Apart from that, each plugin also potentially increases the loading time of your website. So only use what you really need.
To delete a theme that you are not using, simply click on the image of the redundant design template under DESIGN>THEMES. Then you can click on DELETE at the bottom right and remove the theme.
Plugins must first be deactivated. Then the link to delete appears. If you don’t really need a plugin, then you’d better not use it. The performance of your website will thank you…
Choose a Secure Login Password
I’ve already mentioned that most hackers don’t come through the front door. But of course, that doesn’t mean that you should leave your front door open by using a standard password for your login.
Please do not assume that your website is small and insignificant and therefore no hacker is interested in it anyway. Most attacks originate from bot programs that automatically search for security holes. If you use a password that is too simple, they will visit you. And if they come in, they may even use your website to hack other WordPress websites. Or they will send spam emails with your website. On the internet, you should lock your front door with a good password. You do this by using a password that is at least 11 characters long and should be a mixture of letters, numbers and special characters.
How to Change Your Password?
Simply click on USERS in the dashboard to display the users that are currently created. Then click on the username and at the bottom of the following page on GENERATE PASSWORD.
Passwords that are not in any dictionary, have as many characters as possible and also contain numbers or even special characters provide increased security.
The Myth With the Default Username
It is often recommended that the default user name be changed. This recommendation makes sense in theory, because if the username is unknown, then it is not possible to crack the login by trying all possible passwords.
In practice, however, WordPress makes it very easy to read out the user name. In this respect, changing the standard user name does not offer any real protection. And there is a risk that someone will feel safe just because they do not use a standard user name like “admin”.
How Do I Find a Secure Password That I Can Easily Remember?
Make up a sentence that you can remember well. For example, “Today is the most beautiful day in my life”. Then you simply take the first letter of this sentence as your password and add a combination of numbers and a special character. The password from this example would be: “TitmbDimL1968#”.
It is also important that you do not use the same password everywhere on the Internet. Because if someone knows your password, they could log in anywhere on the Internet where you are registered. For example, if you register on a forum, the administrator of that forum can often access your password. If you then use the same email address and password on Facebook or other services, they would already have access to your private information.
With the Google Authenticator plugin, you can increase the security of your login even further. It sets up a so-called “two-factor authentication” for your smartphone using the Google authentication app. WordPress is no longer only protected by a password, but the login must also be confirmed by a smartphone.
Two-factor authentication is particularly useful because it reduces the server load by blocking hackers who systematically try to log in with all possible password combinations.
Enable Automatic Backups
WordPress will never be 100% secure. Therefore, in addition to regular updates and a secure password, you should also take out insurance. And you do that with automatic backups. Because if your website is hacked despite all the precautions, you can restore your website with one click.
As with insurance, you may think that you don’t need this protection. But just in case, you will be infinitely grateful if you have made backups.
Automatic Backups with ManageWP
ManageWP is a tool for managing WordPress websites. You can connect all your WordPress websites with just a few clicks and then, among other things, update all your WordPress sites from one platform.
With the WPScan Vulnerability Database, ManageWP even informs you if your website is at risk due to a known security vulnerability.
And you can also set up automatic backups very easily. One automatic backup per month is free and you pay $2/month for daily automatic backups.
Free Automatic Backups with UpdraftPlus
With the plugin UpdraftPlus, you can even set up automatic backups completely free of charge. The website data is then automatically saved to Dropbox or other file hosts and can be completely restored with just a few clicks. UpdraftPlus is the most popular backup plugin for WordPress and is currently used on over a million websites. And the average rating of 4.9 stars speaks for itself.
Manual Backups With All in One WP Migration
With the All in One WP Migration Plugin, you can create a complete backup of your WordPress website with one click. This is how you can save a backup copy on your computer before performing updates. And if something goes wrong, you can restore your original website with just a few clicks. By the way, with the plugin, you can also move to another server using WordPress.
WordPress Security Plugins
The most popular WordPress security plugin is called Wordfence. It is currently used on over 2 million websites and rated 5 stars in the WordPress plugin library. In practice, however, it does almost more harm than good.
The biggest problem with security plugins like Wordfence is, above all, that beginners feel safe with them and do not think they need to make regular updates since they have installed a security plugin.
In practice, this can be very dangerous. Because Wordfence can only ward off the simplest attacks and promises much more than it can deliver. Security plugins often even contain security gaps that can be exploited by hackers. And they take up a lot of computing capacity, which can lead to a slower-loading website.
1. Ninja Firewall – The Most Effective Security Plugin
To set up the Ninja Firewall correctly and efficiently, you have to know what you are doing. If you want to protect your website from possible attacks, it is best to hire a security expert.
2. Protection Against Comment Spam
If WordPress is installed by default and comments are activated, it won’t take long for a flood of spam comments to arrive. This is also due to automated bots that automatically leave comments with advertisements on the Internet on all possible websites.
The easiest way to stop this is to install the Antispam Bee plugin. It detects suspicious comments and automatically marks them as spam. This can save you a lot of work and hassle and allows you to focus on the honest comments of your visitors.
3. Protect Your Email Address From Spam
Spambots are programs that automatically search the entire Internet for email addresses. If a spambot finds your email address, for example on your contact page or on your imprint page, it automatically saves it and resells it, together with the other email addresses it has collected, to companies that then send you spam emails with annoying advertisements.
The Email Address Encoder plugin blocks such spambots by encoding your email address in the page source so that bots can no longer recognize it.
Safety Tips for Advanced Users
This is how you can make WordPress even more secure.
Set up an SSL certificate
You can also secure WordPress by installing an SSL certificate. If you activate SSL certificates on your website, all connections to your website will be encrypted. Therefore, for example, your password can no longer be intercepted when you log in to WordPress in a public WiFi network.
SSL connections also increase WordPress security because many bots cannot yet handle it.
Websites with SSL connections are also rated better by Google and preferred. For this reason alone, it is worth investing in an SSL certificate.
Implementation of Secure File Rights
Another method that makes WordPress more secure is to disable PHP’s write permissions. This method is for advanced users because it also blocks automatic updates and requires the input of the FTP access data when new plugins and themes are installed or updates are to be carried out.
At least for certain folders of caching plugins, write permissions must remain activated so that they function properly. I also recommend keeping write permissions for the “uploads” folder, “wp-content” and the sitemap files.
Protection of Sensitive Areas with .htaccess
It is possible to block the login and the admin-ajax.php file via .htaccess. In practice, deactivating the Ajax function in particular can lead to various plugins not working properly. And deactivating the login is not exactly user-friendly.
The best protection for logging in is simply a secure password. If the server is loaded due to frequent bot attacks, I think it makes more sense to set up two-factor authentication than to block the login with .htaccess, since it also blocks these attacks.
Disable PHP in the Uploads Folder
The uploads folder is particularly vulnerable to attacks since every file uploaded through WordPress ends up here. So it makes sense to deactivate the execution of PHP files in this folder. Simply add the following code to the .htaccess file in the uploads folder (the <Files> container limits the rule to PHP files; a bare “Deny from All” would block your images as well):
<Files *.php>
Deny from All
</Files>
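As an added example (not code from the article), this shell script applies the file-permission hardening from “Implementation of Secure File Rights” and writes the PHP-blocking rule into the uploads folder. It assumes PHP runs as a different system user than the one that owns the files (otherwise chmod does not restrict PHP at all) and that uploads and plugin caches are the only folders that need to stay writable; both are assumptions to adapt to your setup.

```shell
#!/bin/sh
# Added example, not the article's own code. Assumption: PHP/the web server
# runs as a separate user in the file owner's group, so removing write bits
# for group/other really does stop PHP from writing.
harden_wp() {
  wp="$1"
  # Directories 755, files 644: the web server can read but not write.
  # Side effect the article mentions: WordPress will now ask for FTP
  # credentials when installing plugins or running updates.
  find "$wp" -type d -exec chmod 755 {} +
  find "$wp" -type f -exec chmod 644 {} +
  # wp-config.php holds the database password: owner-only.
  if [ -f "$wp/wp-config.php" ]; then chmod 600 "$wp/wp-config.php"; fi
  # Folders that must stay writable: uploads and plugin caches
  # (add the folder your sitemap plugin writes to, if any).
  for d in wp-content/uploads wp-content/cache; do
    if [ -d "$wp/$d" ]; then
      find "$wp/$d" -type d -exec chmod 775 {} +
      find "$wp/$d" -type f -exec chmod 664 {} +
    fi
  done
  # Block PHP execution in uploads without blocking images: the rule is
  # scoped to *.php, unlike a bare "Deny from All". Existing file is kept.
  ht="$wp/wp-content/uploads/.htaccess"
  if [ -d "$wp/wp-content/uploads" ] && [ ! -f "$ht" ]; then
    printf '%s\n' '<Files *.php>' 'Deny from All' '</Files>' > "$ht"
    chmod 644 "$ht"
  fi
}
```

Run it as the file owner with the WordPress root as the only argument; re-run after installing a plugin, since new files arrive with whatever mode the FTP upload gave them.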
The most important safety tips at a glance. The real essentials in a nutshell:
Regular updates are the most effective protection against hacker attacks. And also the exclusive use of current WordPress plugins and themes, which are updated regularly and come from reputable developers. If you are a beginner, you should above all stick to it and your website is already sufficiently protected.
2. Use a Secure Password
The most common WordPress security tips revolve around securing your login. But using a secure password is simply enough. Focus on what’s really important – regular updates. Because the most common security problems arise from outdated plugins and WordPress versions that have not been updated for a long time.
3. Install Automatic Backups
I can also only recommend that you set up automatic backups. Because you can always restore the original state of your website with one click. With ManageWP you can set up automatic backups very quickly and easily and even update several WordPress websites at the same time with just one click.
Even if you ignore everything else, these 3 points are a must-have. In my opinion, you are then already sufficiently protected, and hacking your website is only possible with a lot of effort. As already mentioned, there will never be 100% protection – with no content management system. But if the effort and cost of an attack are significantly higher than what the attacker gains, you are always on the safe side.
The best thing about WordPress, in my opinion, is the brilliant community that supports each other and pushes to develop even better solutions. And this article has also benefited from this community spirit.
If you have any suggestions for improving WordPress security, please leave a comment. And even if this article has helped you, please let us know. Any feedback is valuable, even if it should be negative.
Otherwise I wish you a lot of fun and success in securing WordPress.