WordPress: How to protect your website from attackers?

WordPress is considered the most popular content management system in the world: Started in 2003 as a small blog tool, now one in four websites is powered by WordPress. Above all, this popularity can be explained by the fact that the CMS is also extremely easy to use by lay people and at the same time offers a lot of scope for their own creativity. In addition, WordPress as an open-source solution is available to every user for free download and use. However, a system that is so prevalent is always an attractive target for attackers. To protect its Web site, every operator of a WordPress-based homepage should address the basic security aspects of the CMS.

Observe safety directly during installation

Already during the installation process of WordPress, there are a few factors that play a major role in the security of the website. Here’s a quick overview of some of the things you can do to help set up WordPress security:

SSL certificates

Implementing a Secure Socket Layer (SSL) certificate is a smart step in securing the admin area. SSL ensures secure data transfer between users’ browsers and the server, making it difficult for attackers to disconnect or corrupt your data.

Change admin username

During the installation of WordPress, you will be asked to enter a username. By default, “admin” is suggested as the user name for the Admin Account. An easy-to-guess username is easily accessible to hackers. If the attacker already knows the username, he has to “just” crack the password. So use a username you invented here.

Change WordPress DB Prefix

If you’ve ever installed WordPress, then you’re familiar with the wp table prefix used by the WordPress database. We recommend that you turn it into something unique.

Using the default prefix makes your WordPress database vulnerable to SQL injection attacks. Such attacks can be prevented by converting wp- into another term. For example, you can do it avakwp or nepalwp or table prefix by your own choice.

Use secure login password

Use as strong a password as possible when installing WordPress. The name of the cat, date of birth or spouse’s name should definitely not be used here. Instead, you should improve the password strength by using uppercase and lowercase letters, numbers, and special characters.

Use a secure password for the database

The same applies to the database for the login area: Use the most secure password possible. A strong password for the main database user is a must, as WordPress uses this password to access the database.
As always, use capital letters, lowercase letters, numbers, and special characters for the password.

Two factor authentication (2FA)

Using a 2-factor authentication module (2FA) on the login page is another good security measure. In this case, the user specifies the credentials for two different components. The owner of the website decides what these two are. It can be a normal password, followed by a secret question, a secret code, a series of characters, or even more popular, the Google Authenticator app that sends a secret code to your phone. The Google Authenticator can be conveniently used with various WordPress plugins.

Remove WordPress version number

Why should the version number be removed? Simple: If attackers know which version of WordPress you’re using, it’s easier to exploit potential security holes.
Most security plugins inherently offer to remove the version number. If you do not want to use such plugin, you can hide the version number yourself with a short entry in functions.php. The following lines of code must be inserted into the functions.php:

If you own a WordPress blog or a multi-author blog, you’ll need to engage with multiple users who access your admin panel. This can make your website more vulnerable to security threats.
Here also applies: Use a secure password for each user and in the best case also a difficult to guess user name.

Regular WordPress updates increase security

The latest updates for WordPress, plugins and themes should always be recorded as soon as possible. To avoid security vulnerabilities, it is also recommended for operators of WordPress-based websites to continuously track the security-related WordPress news and / or subscribe to an RSS feed on the topic. Furthermore, it is advisable to create backups of the WordPress installation at regular intervals in order to be able to quickly roll back potential problems after an update. Installed plugins that are not updated over a long period of time should preferably not be used.

Which security plugins for WordPress are recommended?

In addition to these basic tips on website security, there are special plugins that help protect the WordPress website from attacks even more reliably. The security plugins are also very easy to use for inexperienced users and offer a profit of security out-of-the-box. For example, the plugins offer functions to generate a secure password, to block insecure IP addresses or to fend off direct attacks with the help of firewalls. To get an overview of the huge amount of helpful plugins, let’s take a look at our top 3 most popular security plugins for WordPress:

Wordfence Security

Wordfence is a quite extensive plugin, which already covers the most important security areas with its features even in the free version. In addition to the double-authentication tool, Wordfence protects against brute-force attacks. Vulnerabilities are detected by scanning the site and can then be resolved. Furthermore, Wordfence collects data about (failed) login attempts and gives an overview of changes to the file system. In order for WordPress beginners to be able to cope with the plugin, Wordfence offers a list of the most important features in text form. Thus, Wordfence is despite various tools a very clear plugin, with which any website operator can handle.

iThemes Security

IThemes Security is also very easy to use. With this security plug-in, websites can be examined with a few clicks on security gaps. iThemes protects against brute-force attacks, attacks on the backend, code injections and unauthorized PHP executions. Furthermore, there is the possibility to change the WordPress login directory, which also makes it more difficult for attackers to gain access to the backend. The Pro version also allows two-factor authentication. Per App a code is generated, which must be entered after successful entry of the admin password. Only after successful entry of the numerical code one gains access to the WordPress backend.

BBQ: block bad queries

The security plug-in block Bad Queries, abbreviated to BBQ, is based on a 6G firewall, which has proven itself for security. BBQ controls “strange” injections of code into URLs, databases and files, so potential attackers can be detected and blocked early. This defense has a nice side effect: Thanks to the significantly lower number of accesses, the server is relieved and thus increases the performance of the website.

Conclusion

When using such a popular content management system as WordPress, it is advisable to take some precautions to protect your website. Accordingly, care should be taken during the installation that, for example, the admin area and the databases are backed up by strong passwords. In addition, it is important to carry out regular updates and to keep up to date with the latest WordPress news. Lastly, web site owners should work with security plugins such as Wordfence Security, iThemes Security or Block Bad Queries to block even the most stubborn attackers.