Increase WordPress security
WordPress is already very secure by nature – we explain why and how the website can be secured to the maximum.
We will show you which services, tools and plugins you can actually use to increase WordPress security – and which snake oil you should better avoid.
How to Secure WordPress Against Hacking
Automatically install security updates
WordPress is safer than the competition. This is also due to the fact that security updates are installed fully automatically.
You can also enable this for individual plugins. Plugins in particular are regularly affected by security gaps – automatic updates usually effectively prevent zero-day attacks.
At the same time, it can be dangerous to install plugin updates fully automatically on a live website without prior testing.
While an update of WordPress itself has usually been extensively tested, the stability varies depending on the plugin. Here you need to weigh the stability of the website against this security feature.
If necessary, only enable those plugins for automatic updates that are particularly stable for you and exclude those that have had problems with updates in the past.
Create backups automatically
We recommend to do without WordPress backup plugins – in our experience, these repeatedly lead to critical problems and bloated WordPress installations. According to the Separation of Concerns approach, a system should not create backups for itself.
Use external tools, we recommend the possibilities of the server software Plesk. Ideally, set up the backup plan to create daily, incremental backups.
Many web hosts also offer their own backups on dedicated backup servers, sometimes at an additional cost. That is good and sensible. However, backups should always be redundant to have an additional layer of security. You should be able to create and restore backups yourself – even parts of them, i.e. individual directories, files or databases.
For our web hosting customers, we therefore combine the backups at the server level and the individual ones at the customer level by default.
Access rights & Co.
Many servers are configured in such a way that as many software as possible works on them. This often results in non-optimal security settings for WordPress systems.
Therefore, optimize file access rights and classic attack vectors at the server level.
With Plesk’s WordPress tools, you can easily secure your WordPress installation, otherwise ask your technical service provider to check access rights.
Monitor file changes
Detect and limit hacking
Once the child has fallen into the well, it is important to act quickly. If your WordPress website has been hacked, two areas can be affected: the database or the files on the server.
Changes in the database could be, for example, changed posts and pages with which hackers can distribute malicious code or play out advertisements. Changes are more difficult to reliably record here, so we recommend that you simply install an intact backup of the database after a successful hacking attack.
File changes, on the other hand, are easier to monitor. Above all, modified .php or .htaccess files – without an update being installed – are a strong warning signal for a hacking attack.
For some customers, we therefore use a script that regularly monitors the WordPress directory for file changes – for example every 15 minutes.
If changes are detected, an e-mail with a list of changed files is sent. In this way, the number and time of the affected files can be effectively limited.
This significantly reduces the effort required to analyze, fix, and restore the site after a successful hack.
All in One Security Plugins
Fire & Forget or Snake Oil?
Firewall and virus scanner plugins have a fundamental problem: they are part of the system to be protected.
Even if the previously published or known vulnerability in NinjaFirewall was not critical, this shows that these plugins themselves can bring security gaps into the system.
In addition, these plugins also have an effect on the performance of the system and it is another plugin that must be taken into account in the WordPress updates.
Similar to antivirus programs for Windows, the actual protection of All in One Security Plugins is difficult to assess, useless or harmful. We recommend a better alternative in the next chapter.
Firewall & CDN
Rarely has a security tool been as much fun for us as Cloudflare. The setup effort is intuitive and manageable for technicians.
The biggest advantage is that Cloudflare already protects the website at the DNS level. Attacks are therefore already fended off before they reach the WordPress server. Cloudflare not only fends off potential attack attempts, but also malicious bots and DDOS attacks.
Best of all, the basic version for Cloudflare is free of charge and already offers very good protection. We recommend booking the Pro variant for $20 a month for the convenient PageSpeed accelerations and advanced bot detection.
Hide WP admin directory
useless and dangerous
The popular plugin Hide my WP allows you to hide the /wp-admin/ directory. We cannot recommend the use.
For hackers, hiding the WP admin directory is not a big hurdle. The changed directory can still be found. It is often argued that this is only one of many building blocks to make attacks more difficult overall.
Unfortunately, every additional plugin in WordPress is another attack vector for hackers and potentially brings its own security vulnerabilities. The plugin Hide my WP last had a critical security vulnerability in November 2021, the plugin WPS Hide Login already several (1) (2).
Instead of increasing website security, a door is opened for hackers.
Avoid insecure passwords
Secure passwords are fundamental to increasing the security of a website. But the requirements should also be implemented.
To enforce this, a Password Policy Plugin is recommended. Secure passwords are as long as possible and you do not even try to remember them yourself – just use a password manager.
No matter whether the password was too simple or it was otherwise tapped: Thanks to the 2-factor authentication, effective protection against unauthorized access is possible.
In addition to the normal login data, a token is requested, which is retrieved via a separate smartphone app – similar to the technology of online banking.
We recommend the free provider 2FAS.
Limit login attempts
Limit attack attempts
Automated scripts can try out thousands of login combinations per second. You can effectively prevent this by limiting the number of login attempts.
For example, use the free plugin WPS Limit Login.
Better Safe than Sorry
WordPress websites are real targets for hacking attacks. No system is perfectly secured, every system offers known and unknown security vulnerabilities.
With the measures we have outlined, you can combat and complicate multiple attack vectors: DDOS attacks, phishing, brute force and many more.
Setting up the various tools and services is now easy and not a major challenge for technicians. Perhaps even more importantly, the website remains easily accessible and operable for users, as the measures are specifically effective against classic attack patterns by hackers.
Take the time to gain effective security while refraining from ineffective measures.