Secure WordPress

WordPress is the most popular blog software and the most popular content management system. It is therefore no wonder that many attackers try to attack and hack WordPress installations and servers at random. You can and must defend yourself against this, if only because a Google search turns up various instructions on how security holes can be exploited.

WordPress Security Scan

Are you unsure whether your WordPress website or blog is vulnerable to hacker attacks and whether it needs extra protection? Then run the Security Scan (external site, free). Among other things, the scan checks the WordPress version, which should be up to date. Furthermore, all recognized plugins are checked against a database of dangerous plugins. If everything goes well, the test result looks like this:

[Image: result of the WordPress Security Scan]

The scan also checks the names of the admin users in use. If possible, the admin user should be named neither "admin" nor after the website itself.

Another scanner, Nikto, checks your website and server in general for security vulnerabilities (you have to register for this or download the offline version).

General measures

It is absolutely essential to use a strong password for your WordPress admin user; this way you secure WordPress with little effort and protect it against attacks. Furthermore, never reuse a password: neither within one WordPress installation for multiple users, nor the same password across different services and applications!

Among the simplest security measures is deleting the default user with ID 1 and username "admin", because the name of the author with index 1 can easily be retrieved by calling the following URL:

www.yourblog.com/?author=1

The admin area on your server should also be protected with directory protection. Otherwise, anyone can simply call up the login screen as follows:

www.yourblog.com/wp-admin

To set up directory protection for the admin area:

Place a password file named .htpasswd outside the protected directory and outside the web root, with the following structure:

username:passwordhash

For username, choose an arbitrary name that preferably does not match your WordPress username. passwordhash is the hash of the password with which you want to authenticate to the directory protection. The easiest way to generate the contents of this file is with an htpasswd generator. Be sure to use secure passwords, which should go without saying!

Then create a file named .htaccess in the wp-admin directory of your WordPress installation with the following content:

AuthType Basic
AuthName "Passwortgeschuetzter Bereich"
AuthUserFile /pfad/zur/Datei/.htpasswd
AuthGroupFile /dev/null
require valid-user

This ensures multi-factor authentication, also referred to as MFA. Switching to a second device (a media break) would be even better, but that would usually go too far for information websites. Online banking is a different matter.

Also block external access to the file wp-config.php in the WordPress directory, as it contains all important access data such as the database user and password. In the same directory as wp-config.php there is an .htaccess file. Add the following lines at the end of this file:

# Deny external access to wp-config.php
<files wp-config.php>
Order deny,allow
deny from all
</files>

These measures should bring noticeably more security and already secure WordPress effectively against hackers!

Update plugins and WordPress itself regularly

The dashboard reports when an update is available. Updates often contain security measures or code that closes security holes. If you find manual updating too tedious, add the following line to the wp-config.php file to enable automatic updates:

// Enable all automatic updates
define( 'WP_AUTO_UPDATE_CORE', true );

More security tips

To prevent attackers or hackers from reading the WordPress version directly, it is best to add the following line of code at the end of the file functions.php:

remove_action('wp_head','wp_generator');

You can edit the file via the admin panel under Design -> Editor.
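As an added check (not code from the original article), the following Python script inspects a page's HTML for the two places where the WordPress version typically shows up: the generator meta tag that remove_action('wp_head','wp_generator') removes, and the ?ver= query parameters that WordPress appends to enqueued core assets under wp-includes, which that line does not touch. The two HTML documents and the host name blog.example are constructed for this illustration.

```python
import re
from html.parser import HTMLParser

# Constructed sample pages (not real sites). PAGE_LEAKING is what a default
# installation renders; PAGE_HARDENED is the same page after wp_generator
# has been removed from wp_head.
PAGE_LEAKING = """<html><head>
<meta name="generator" content="WordPress 6.4.2" />
<link rel="stylesheet" href="https://blog.example/wp-includes/css/dist/block-library/style.min.css?ver=6.4.2" />
<script src="https://blog.example/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body></body></html>"""

PAGE_HARDENED = """<html><head>
<link rel="stylesheet" href="https://blog.example/wp-includes/css/dist/block-library/style.min.css" />
<script src="https://blog.example/wp-includes/js/jquery/jquery.min.js?ver=3.7.1"></script>
</head><body></body></html>"""


class _Collector(HTMLParser):
    """Collects the generator meta content and all linked asset URLs."""

    def __init__(self):
        super().__init__()
        self.generator = None
        self.asset_urls = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and a.get("name", "").lower() == "generator":
            self.generator = a.get("content", "")
        elif tag == "link" and a.get("href"):
            self.asset_urls.append(a["href"])
        elif tag == "script" and a.get("src"):
            self.asset_urls.append(a["src"])


def check_version_exposure(html):
    """Return {'generator': str or None, 'asset_versions': [..]} for one page.

    'generator' is the WordPress generator meta content if present.
    'asset_versions' lists every distinct ?ver= value on assets served from
    /wp-includes/; the core version usually appears among them, next to the
    versions of bundled libraries such as jQuery."""
    c = _Collector()
    c.feed(html)
    generator = None
    if c.generator and c.generator.lower().startswith("wordpress"):
        generator = c.generator
    versions = set()
    for url in c.asset_urls:
        if "/wp-includes/" in url:
            m = re.search(r"[?&]ver=([0-9][0-9A-Za-z.\-]*)", url)
            if m:
                versions.add(m.group(1))
    return {"generator": generator, "asset_versions": sorted(versions)}


if __name__ == "__main__":
    for name, page in (("default", PAGE_LEAKING), ("hardened", PAGE_HARDENED)):
        print(name, check_version_exposure(page))
```

Run against your own site's HTML, the hardened result should show no generator; any remaining ?ver= values on core stylesheets and scripts still tell a visitor the core version, so removing the meta tag alone is only a partial measure.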

If you'd like to further secure WordPress, add the following line at the end of the file wp-config.php:

define('DISALLOW_FILE_EDIT', true);

This prevents editing PHP and CSS files through the WP editor in the admin panel, including by hackers. Only forbid changes to these files, however, if you do not frequently want to edit them yourself via the panel's editor (for convenience). You can still edit all these files directly on the web server, for example via FTP or shell.

If your WordPress site does not support HTTPS (SSL), you should never access your installation as admin over WLAN from public places, because attackers can then read your password in plain text! And that is a path you certainly do not want to take! In some cases you may also face legal consequences if you expose security holes over wireless networks. SSL requires a certificate, which usually costs money, so it is mostly companies that have the opportunity to use it.

Two-factor authentication

With the help of a plugin, two-factor authentication can be added at login. For this you need an additional Google app: in addition to the actual WordPress login, you must then authenticate via smartphone. The plugin is called Google Authenticator – Two Factor Authentication (2FA). Thanks to Ralf for the great hint in the comments on this post!

Limit login attempts

Unbelievable but true: by default, anyone can make any number of login attempts in your admin area! In the name of WordPress security, you should install a plugin such as Login Lockdown to set up a limit. After installation you will find the plugin's options under Settings -> Login Lockdown. There you can set, in particular, how many consecutive failed login attempts someone may make. Once this number is reached, logging in from the same IP address is no longer possible for 5 minutes; this time can also be configured. Now villains will have to make more effort if they want to hack in!

It is also very useful to set Mask Login Errors to Yes. The attacker then gets no information about why their login failed. Otherwise the response reveals whether the username was known but the password wrong, or whether the username itself was wrong.

Change Table Prefix

Normally every table name starts with the prefix wp_. This makes it easy for successful SQL injection attempts to read or manipulate database contents. Before installation, you can change this prefix by editing the wp-config.php file. If the installation has already been done, the plugin Change DB Prefix helps.
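The three wp-config.php settings discussed so far (WP_AUTO_UPDATE_CORE, DISALLOW_FILE_EDIT and the table prefix) are easy to forget on a site you did not set up yourself. As an added example that is not code from the original article, the following Python script audits a wp-config.php text for them. The two sample configurations, the prefix k7x_ and the placeholder credentials are constructed for this illustration; the parser handles only the simple define('NAME', value) form that wp-config.php uses, not arbitrary PHP.

```python
import re

# Constructed sample wp-config.php excerpt as shipped by default (not a real site's file).
DEFAULT_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
define( 'DB_USER', 'example_user' );
define( 'DB_PASSWORD', 'placeholder-password' );
$table_prefix = 'wp_';
define( 'WP_DEBUG', false );
/* That's all, stop editing! Happy publishing. */
"""

# The same excerpt after applying the article's recommendations (constructed).
HARDENED_WP_CONFIG = """<?php
define( 'DB_NAME', 'example_db' );
$table_prefix = 'k7x_';
define( 'WP_AUTO_UPDATE_CORE', true );
define('DISALLOW_FILE_EDIT', true);
"""

# define( 'CONSTANT', value );  -- value is captured as raw PHP source text
DEFINE_RE = re.compile(r"""define\s*\(\s*['"]([A-Z_]+)['"]\s*,\s*([^)]+?)\s*\)\s*;""")
# $table_prefix = 'wp_';
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")


def parse_defines(text):
    """Map constant name -> raw value text, e.g. {'WP_DEBUG': 'false'}."""
    return {name: value for name, value in DEFINE_RE.findall(text)}


def _is_true(raw):
    return raw is not None and raw.strip().lower() == "true"


def audit_wp_config(text):
    """Return a list of findings (strings); an empty list means all checks passed."""
    defines = parse_defines(text)
    findings = []
    if not _is_true(defines.get("WP_AUTO_UPDATE_CORE")):
        findings.append("WP_AUTO_UPDATE_CORE is not true (only minor core updates apply automatically)")
    if not _is_true(defines.get("DISALLOW_FILE_EDIT")):
        findings.append("DISALLOW_FILE_EDIT is not true (theme/plugin editor enabled in the panel)")
    m = PREFIX_RE.search(text)
    if m is None:
        findings.append("$table_prefix not found")
    elif m.group(1) == "wp_":
        findings.append("$table_prefix is the default 'wp_'")
    return findings


if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_WP_CONFIG), ("hardened", HARDENED_WP_CONFIG)):
        print(name, audit_wp_config(cfg) or "OK")
```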

We recently received a spam comment containing a clumsy SQL injection attempt, which reveals the hackers' approach:

[Image: WordPress hacking, SQL injection via comment]

That was probably a Russian fellow who cannot even write English or SQL properly, because the SQL statement contains syntax errors and leads to no action on the database. Pretty dumb, but it would have been even dumber if this attack had succeeded!

Protect or delete Readme and License files

The files readme.html and license.txt are located in the main directory of the installation and contain information about the WordPress version. They give attackers a good starting point for evaluating their target. Either delete these two files, as they are not needed for operation, or extend the .htaccess file in the root directory with the following lines:

# Protect readme.html File
<Files readme.html>
order allow,deny
deny from all
</Files>

# Protect license.txt file
<Files license.txt>
order allow,deny
deny from all
</Files>

Use Security Plugins

With a plugin like Bullet Proof Security, which is widely used and enjoys great popularity among admins of numerous installations, you get a free and comprehensive solution for closing potential security gaps and entry points.

The plugin defends against various attacks, for example it protects the htaccess file, sets up a firewall around the entire installation, limits the maximum number of allowed login attempts, checks passwords and offers effective protection for the database.

This security plugin is very easy to use and can be installed and configured with just a few clicks; definitely worth trying!

Further information

Of course, you should regularly back up your WordPress installation, which can be done by copying the installation directory to a local drive. Under no circumstances should you upload the backup to the same server where WordPress is installed, or via FTP! The aforementioned plugin, by the way, also creates a backup of your database. One-time measures like adjusting .htaccess and the other security settings mentioned above offer at least some protection against being hacked. The updates offered for plugins and themes are very important: always read the change log and install them if security holes have been closed.

If you create your own themes or modify existing templates yourself, be sure to avoid security holes in your web design. Before using external JavaScript libraries, find out whether they are considered safe.

WordPress itself maintains an archive with security-related reports.

Website checks

Security and data protection go hand in hand. Whoever secures their WordPress website should keep an eye not only on hackers but also on data protection laws. With the online website check, you find out directly how your homepage is set up.

The website check works quite simply:

  1. Enter website address
  2. Press start
  3. Wait just a few seconds, view result directly in browser

Key messages

To protect your WordPress website from hackers, keep your software updated, use strong passwords, and restrict access to sensitive files and areas.

To secure your WordPress site, regularly update it and its plugins, restrict access to wp-config.php, and use strong passwords and two-factor authentication.

Secure your WordPress installation by configuring settings, changing default prefixes, removing unnecessary files, using security plugins, and keeping everything updated.

Secure your WordPress website by keeping it updated, avoiding security vulnerabilities in custom designs, using trusted libraries, and checking for data protection compliance.

About

About the author on dr-dsgvo.de
My name is Klaus Meffert. I have a doctorate in computer science and have been working professionally and practically with information technology for over 30 years. I also work as an expert in IT & data protection. I achieve my results by looking at technology and law. This seems absolutely essential to me when it comes to digital data protection. My company, IT Logic GmbH, also offers consulting and development of optimized and secure AI solutions.
