WordPress is the most popular blogging software and the most widely used content management system. No wonder, then, that many attackers run random, automated attacks against WordPress installations and the servers behind them. You can and must defend against this, if only because a Google search turns up plenty of instructions on how known security holes are exploited.
WordPress Security Scan
Unsure whether your WordPress site or blog is vulnerable to attack and needs extra protection? Then run the Security Scan (external site, free of charge). Among other things, the scan checks the WordPress version, which should be current, and compares every plugin it can recognise against a database of known-vulnerable plugins. If everything is in order, the result looks like this:

The scan also checks the names of the admin users in use. If at all possible, the administrator account should be called neither admin nor anything derived from the site's name, because those are the first names an attacker tries.
Another scanner, Nikto, checks your site and the web server in general for security vulnerabilities and misconfigurations (the hosted version requires registration; alternatively, download the tool and run it yourself).
General measures
It is absolutely essential to give your WordPress admin user a strong password; this alone protects WordPress against a large share of attacks with very little effort. Furthermore, never reuse a password: not between the users of one WordPress installation, and not between WordPress and any other service or application.
One of the simplest measures is to delete the default user with ID 1 and login name "admin" (after creating a new administrator and reassigning the posts to it). The reason: the login name of the author with ID 1 can be read off simply by calling the following URL, because WordPress redirects it to the author archive /author/<login name>/:
www.yourblog.com/?author=1
Note that this works for every user ID, not just 1: an attacker simply walks ?author=2, ?author=3, and so on and collects the login names, and since WordPress 4.7 the REST API endpoint /wp-json/wp/v2/users lists every user who has published posts as well. Deleting user 1 therefore removes the obvious target, but the real goal is an administrator login name that is never published: publish under a separate editor account, and keep the administrator's login name different from its display name.
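Added example (not from the original post): a small POSIX shell script showing how the enumeration just described is automated, and that it is not limited to ID 1. author_from_location parses the redirect WordPress returns for ?author=N, rest_user_slugs pulls the user slugs out of the REST API listing, and enumerate_authors runs the live probe against a site you administer. The host blog.example and the sample responses are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the original post. Shows how attackers harvest
# WordPress login names: /?author=N redirects to /author/<login>/ for every
# existing user ID, and /wp-json/wp/v2/users lists users with published posts.
# Host name and sample responses below are constructed for this example.

# author_from_location "Location: ..." -> prints the login name, or fails
author_from_location() {
    name=$(printf '%s\n' "$1" |
        sed -n 's#^[Ll]ocation:.*/author/\([^/?[:space:]]*\).*#\1#p')
    [ -n "$name" ] || return 1
    printf '%s\n' "$name"
}

# rest_user_slugs < users.json -> one slug per line; the slug defaults to the
# login name, which is why the REST listing is just as useful to an attacker
rest_user_slugs() {
    grep -o '"slug":"[^"]*"' | sed 's/"slug":"\(.*\)"/\1/'
}

# enumerate_authors BASE_URL MAX_ID -> "id login" per existing user
# (needs network access; only run it against a site you administer)
enumerate_authors() {
    base=$1; max=$2; id=1
    while [ "$id" -le "$max" ]; do
        hdr=$(curl -sI --max-time 10 "$base/?author=$id" | grep -i '^location:')
        if name=$(author_from_location "$hdr"); then
            printf '%s %s\n' "$id" "$name"
        fi
        id=$((id + 1))
    done
    echo "--- REST API user listing ---"
    curl -s --max-time 10 "$base/wp-json/wp/v2/users" | rest_user_slugs
}

# Constructed responses, as a WordPress site would return them:
SAMPLE_HIT='Location: https://blog.example/author/admin/'
SAMPLE_MISS='Location: https://blog.example/'
SAMPLE_JSON='[{"id":1,"name":"Site Owner","slug":"admin"},{"id":3,"name":"Klaus","slug":"kmeffert"}]'

if [ "${1:-}" = "--live" ]; then
    enumerate_authors "${2:-https://blog.example}" "${3:-10}"
else
    author_from_location "$SAMPLE_HIT"                 # admin
    author_from_location "$SAMPLE_MISS" || echo "no author archive in redirect"
    printf '%s' "$SAMPLE_JSON" | rest_user_slugs       # admin, kmeffert
fi
```

Without arguments the script only exercises the parsers on the constructed samples; `sh enumerate.sh --live https://yourblog.example 20` probes IDs 1 to 20 for real. If the live run prints your administrator's login name, that name is what brute-force tools will be fed.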
The admin area on your server should also be protected with a directory protection. Otherwise, you can simply call up the login screen as follows:
www.yourblog.com/wp-admin
To set up directory protection for the admin area on Apache:
Place a password file named .htpasswd outside the protected directory and, ideally, outside the web root altogether, with the following structure:
    username:passwordhash
For username choose an arbitrary name that preferably does not match your WordPress login name; passwordhash is the hash of the password with which you want to authenticate to the directory protection. The easiest way to create this file is the htpasswd tool that ships with Apache (use bcrypt via htpasswd -B) or one of the online htpasswd generators. Use a strong password here too, which should go without saying!
Then create a file named .htaccess in the wp-admin directory of your WordPress installation with the following content:
    AuthType Basic
    AuthName "Password-protected area"
    AuthUserFile /path/to/file/.htpasswd
    AuthGroupFile /dev/null
    require valid-user
This puts a second, independent login in front of the WordPress one. Strictly speaking it is not multi-factor authentication, because both logins are passwords and therefore the same factor (something you know); but an attacker now needs two different secrets, and automated attacks on the dashboard run into the web server's own authentication before any WordPress code executes. Two caveats: the login form itself, wp-login.php, lives in the WordPress root and not in wp-admin, so password guessing against it is not stopped unless you protect that file as well; and plugins that call wp-admin/admin-ajax.php from the public front end break for anonymous visitors unless that file is exempted. A genuine second factor on a separate device would be better still, but that is probably overkill for most informational sites; online banking is another matter.
Also block external access to the file wp-config.php in the WordPress root, as it contains all the important access data, including the database user and password. The same directory holds the .htaccess file that WordPress writes when permalinks are enabled (create it if it does not exist). Add the following lines at its end:
    # Deny external access to wp-config.php
    <Files wp-config.php>
    Order deny,allow
    Deny from all
    </Files>
On Apache 2.4 the equivalent is Require all denied inside the same Files block; the Order/Deny form only works there if mod_access_compat is loaded.
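The complete setup from the steps above, as an added example and not the post's own code, written for Apache 2.4: it generates the .htpasswd entry, the wp-admin/.htaccess, and the lines for the root .htaccess, and it covers the two caveats, namely keeping admin-ajax.php reachable for visitors and putting the same login in front of wp-login.php in the WordPress root. The paths /var/www/blog and /etc/apache2/wp-admin.htpasswd and the user name wpgate are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates the .htpasswd entry and
# the .htaccess fragments for protecting wp-admin on Apache 2.4. All paths and
# names are assumptions for this example.

# htpasswd_entry USER PASSWORD -> "USER:HASH"
# Prefers bcrypt via htpasswd (apache2-utils); falls back to Apache's MD5
# variant via openssl. Both put the password on the command line, so for real
# use run `htpasswd -B FILE USER` interactively instead.
htpasswd_entry() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$1" "$2"
    elif command -v openssl >/dev/null 2>&1; then
        printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
    else
        echo 'htpasswd_entry: need htpasswd or openssl' >&2
        return 1
    fi
}

# wp_admin_htaccess HTPASSWD_PATH -> content of wp-admin/.htaccess
# admin-ajax.php is exempted because themes and plugins call it from the
# public front end; Require in the more specific <Files> replaces the
# directory-level Require (AuthMerging is Off by default).
wp_admin_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "Password-protected area"
AuthUserFile $1
Require valid-user

<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# root_htaccess_fragment HTPASSWD_PATH -> lines to append to the root .htaccess
# wp-login.php is outside wp-admin/, so it needs the same login or password
# guessing against the form continues unhindered; wp-config.php is denied.
root_htaccess_fragment() {
    cat <<EOF

<Files wp-login.php>
    AuthType Basic
    AuthName "Password-protected area"
    AuthUserFile $1
    Require valid-user
</Files>

<Files wp-config.php>
    Require all denied
</Files>
EOF
}

# install_protection BLOGROOT HTPASSWD_PATH USER PASSWORD -> writes the files
install_protection() {
    root=$1; pw=$2
    htpasswd_entry "$3" "$4" > "$pw" || return 1
    chmod 640 "$pw"
    wp_admin_htaccess "$pw" > "$root/wp-admin/.htaccess"
    root_htaccess_fragment "$pw" >> "$root/.htaccess"
}

if [ "$#" -eq 4 ]; then
    install_protection "$@"
fi
```

Usage: `sh protect-wp-admin.sh /var/www/blog /etc/apache2/wp-admin.htpasswd wpgate 'a long passphrase'`, then make sure the .htpasswd file is readable by the web server user but not served (it is outside the web root here). Password-reset links also go through wp-login.php, so other users of the site will need the basic-auth credentials too; the same applies to xmlrpc.php, which accepts WordPress credentials as well and is worth denying if nothing uses it.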
These measures alone make the site noticeably more secure and already go a long way against the typical automated attacks.
Update plugins and WordPress itself regularly
The dashboard reports when an update is available. Updates frequently contain security fixes that close known holes, so install them promptly. If manual updating is too tedious, add the following line to wp-config.php, above the line /* That's all, stop editing! ... */, to enable automatic updates of the WordPress core (major and minor releases; plugins and themes are updated separately, via their own auto-update switches in the plugin list or the auto_update_plugin filter):
    // Enable all automatic core updates
    define( 'WP_AUTO_UPDATE_CORE', true );
Even more security tips
To keep attackers from reading the WordPress version directly out of every page's head section, add the following line at the end of your theme's functions.php (better: in a small must-use plugin under wp-content/mu-plugins, which survives theme updates and theme switches):
    remove_action( 'wp_head', 'wp_generator' );
You can edit the file in the admin panel under Appearance → Editor. Be aware that this only removes the generator meta tag; the version can still be inferred from the ?ver= parameters on scripts and stylesheets, from readme.html in the root directory and from the feeds, so treat it as a small nuisance for scanners, not as protection. Keeping WordPress up to date is what actually matters.
If you would like to secure WordPress further, add the following line to wp-config.php, again above the stop-editing line:
    define( 'DISALLOW_FILE_EDIT', true );
This removes the theme and plugin file editor from the admin panel, so an attacker who obtains an administrator session cannot turn it into arbitrary PHP execution on the server with two clicks. Only forgo this if you really use the built-in editor yourself for convenience. The files remain editable directly on the server, for example via SFTP or a shell. Note that an administrator can still upload a plugin containing PHP; the constant DISALLOW_FILE_MODS additionally blocks installing and updating plugins and themes from the dashboard, at the cost of having to do those updates by hand.
If your WordPress site does not support HTTPS, never log in as an administrator over wireless networks in public places, because an attacker on the same network can read your password in plain text, and that is a path you certainly do not want to go down; in some cases you may even face legal consequences if security holes are exposed this way. HTTPS requires a certificate; these used to cost money, which is why mostly companies used them, but today they are available free of charge (for example from Let's Encrypt), and every site should use one.
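The wp-config.php and functions.php changes from the tips above (automatic core updates, DISALLOW_FILE_EDIT, the generator tag), plus FORCE_SSL_ADMIN for the HTTPS point, applied by one script: an added example, not the post's own code and not WordPress code. It inserts the constants above the stop-editing marker, where WordPress expects them, refuses to define a constant twice, and puts the remove_action call into a must-use plugin rather than the theme. The blog root is given on the command line; the sample wp-config.php is constructed for a dry run.

```shell
#!/bin/sh
# Added example, not from the original post. Applies the wp-config.php
# settings discussed above and installs the generator-tag removal as a
# must-use plugin. Blog root is an argument; the sample config is constructed.

# add_define WP_CONFIG NAME VALUE
# Inserts "define( 'NAME', VALUE );" above the "That's all, stop editing!"
# marker so the constant exists before wp-settings.php loads WordPress.
# Idempotent: a NAME that is already defined is left alone. VALUE is written
# verbatim, so pass PHP syntax (true, false, "'minor'").
add_define() {
    cfg=$1; name=$2; value=$3
    if grep -q "define( *'$name'" "$cfg"; then
        return 0
    fi
    awk -v line="define( '$name', $value );" '
        /That.s all, stop editing/ && !inserted { print line; inserted = 1 }
        { print }
    ' "$cfg" > "$cfg.tmp" || return 1
    if ! grep -q "define( '$name'" "$cfg.tmp"; then
        rm -f "$cfg.tmp"
        echo "add_define: no 'stop editing' marker in $cfg, nothing changed" >&2
        return 1
    fi
    mv "$cfg.tmp" "$cfg"
}

# install_mu_plugin BLOGROOT
# Must-use plugins load before regular plugins, cannot be deactivated from the
# dashboard and survive theme switches, unlike code pasted into functions.php.
install_mu_plugin() {
    dir=$1/wp-content/mu-plugins
    mkdir -p "$dir"
    cat > "$dir/hardening.php" <<'EOF'
<?php
// Added by the hardening script: drop the version meta tag from <head>.
remove_action( 'wp_head', 'wp_generator' );
EOF
}

# harden_wordpress BLOGROOT -> applies all of the above
# FORCE_SSL_ADMIN makes WordPress insist on HTTPS for login and dashboard;
# only set it once the certificate works, or you lock yourself out.
harden_wordpress() {
    cfg=$1/wp-config.php
    add_define "$cfg" WP_AUTO_UPDATE_CORE true || return 1
    add_define "$cfg" DISALLOW_FILE_EDIT true || return 1
    add_define "$cfg" FORCE_SSL_ADMIN true || return 1
    install_mu_plugin "$1"
}

# make_sample_root DIR: constructed stand-in for a fresh installation (dry run)
make_sample_root() {
    mkdir -p "$1"
    cat > "$1/wp-config.php" <<'EOF'
<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpuser' );
define( 'DB_PASSWORD', 'example-only' );

/* That's all, stop editing! Happy publishing. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', __DIR__ . '/' );
}
require_once ABSPATH . 'wp-settings.php';
EOF
}

if [ "$#" -eq 1 ]; then
    harden_wordpress "$1"
fi
```

Run it as `sh harden-wp.sh /var/www/blog` on the real installation, or test it first with `make_sample_root /tmp/wp && sh harden-wp.sh /tmp/wp` and inspect the resulting wp-config.php. Running it twice changes nothing, which matters because a second define() of the same constant produces a PHP warning on every request.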
Two-factor authentication
With the help of a plugin, two-factor authentication can be added to the login. You also need an authenticator app on your smartphone (Google Authenticator or any other TOTP app). In addition to the actual WordPress login, you then have to confirm the login on the smartphone. The plugin is called Google Authenticator – Two Factor Authentication (2FA). Thanks to Ralf for the great hint in the comments on this post!
Limit login attempts
Unbelievable, but true: By default anyone can make any number of login attempts
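As an added example for this section (not from the original post): the detection side of limiting login attempts, run over a few constructed access-log lines in Apache's combined format. A failed WordPress login is a POST to wp-login.php answered with 200 (the form is shown again with an error), a successful one is answered with a 302 redirect to the dashboard, so counting 200-POSTs per client address is the same test a fail2ban jail for WordPress applies before banning the address. The jail values in the usage note are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Counts failed WordPress logins
# (POST to wp-login.php answered with HTTP 200) per client address in a
# combined-format access log. The log lines below are constructed.

# login_bruteforcers LOGFILE THRESHOLD -> "count ip" for every address above it
login_bruteforcers() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] > limit) print n[ip], ip }
    ' "$1" | sort -rn
}

# fail2ban_filter -> a filter definition matching the same lines; fail2ban
# substitutes <HOST> with its own address pattern
fail2ban_filter() {
    cat <<'EOF'
[Definition]
failregex = ^<HOST> .* "POST /wp-login\.php[^"]*" 200 
ignoreregex =
EOF
}

# make_sample_log FILE: constructed log with one guessing client (6 failures),
# one user who failed once and then succeeded (302), and a plain GET
make_sample_log() {
    : > "$1"
    i=0
    while [ "$i" -lt 6 ]; do
        printf '%s\n' '203.0.113.7 - - [10/Oct/2023:13:55:36 +0200] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "python-requests/2.31"' >> "$1"
        i=$((i + 1))
    done
    cat >> "$1" <<'EOF'
198.51.100.23 - - [10/Oct/2023:13:57:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3125 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Oct/2023:13:57:40 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Oct/2023:13:58:11 +0200] "GET /wp-login.php HTTP/1.1" 200 3125 "-" "Mozilla/5.0"
EOF
}

if [ "$#" -eq 2 ]; then
    login_bruteforcers "$1" "$2"
else
    f=$(mktemp)
    make_sample_log "$f"
    login_bruteforcers "$f" 5        # 6 203.0.113.7
    rm -f "$f"
fi
```

`sh wp-bruteforce.sh /var/log/apache2/access.log 20` runs it over a real log; without arguments it runs over the constructed sample. The script counts over the whole file, while fail2ban counts within findtime (for instance maxretry = 5 and findtime = 10m in the jail, values assumed here), which is what you want in production: a legitimate user who mistypes a password a few times over a month should not end up banned.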




My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
