Secure your WordPress website from hostile attacks

WordPress is the most popular CMS (Content Management System) worldwide. I have put together a lot of information on how you can protect your CMS from hostile attacks. According to statistics from W3Techs as of December 2022, WordPress is used on over 39 percent of all websites worldwide. If you only look at the websites that are managed with the help of a CMS (Content Management System), this results in a market share of almost 64 percent.

That’s very interesting, right? Yes, it is very interesting, not only for us but for attackers as well. According to Google, thousands of websites are compromised or hacked every day. If Google detects a hacked website, it is removed from the search index, including all of its web pages and their content, and placed on a blacklist.

In addition, the security measures of the web browser show you an additional warning message before you open the website. That is why we have put together a lot of information in this article to help you protect your CMS from hostile attacks.

Change the name of the administrator account

Many hackers try to take over a WordPress website using scripts. Login attempts with a common administrator username such as admin or administrator appear almost daily. Various simple standard passwords are tried out. You should therefore consider several aspects when creating your users: always use different users for writing blog articles and for administering the website. In the standard setup, the username of an author is always displayed as information on an article.

If this person also has the role of administrator, the attacker only has to find the password. If this is also the case for you, the first thing to do is to separate the roles. To do this, create different users and do not use a standard name for the administrator.

For user administration, log in to your WordPress installation and switch to the Users menu. Create a user with a meaningful name, using your first name, for example. Assign it the role of administrator and log in with it.

Revoke the permissions of your original administrator. You don’t necessarily have to delete it; a less central role, such as Subscriber, is sufficient. When creating a new user, always make sure you use a strong password. This doesn’t always have to be cryptic: a password of sufficient length also provides sufficient security. WordPress shows you how secure the chosen password is.

Secure password: WordPress shows you how secure it is when you change a password. Both complexity and length play an important role.

Limit the number of login attempts 

Even if you have chosen a secure password, it still makes sense to limit the number of login attempts. In this way you prevent brute force attacks. There is a plugin called Limit Login Attempts Reloaded with good reviews. After installing and activating the plugin, you will find the configuration menu under Dashboard > Settings > Limit Login Attempts.

Here you can specify the number of allowed login attempts and the duration of the lockout. You can define further details, such as extending the lockout time or resetting the lock. With this plugin you make it a little more difficult for attackers.

To make a brute force attack more difficult for an attacker, limit the number of login attempts per IP address. With the plugin you can also set the time span for which an IP address is locked out.

Always keep the installation up to date

After you have secured the user administration, the next step is to ensure that your WordPress installation, the plugins used and the PHP version are up to date.

All of these are required activities, which is why I recommend that you check regularly, ideally every one to two weeks, whether any updates are available. You can see the relevant information directly via the menu item Updates.

WordPress recommends that you always make a complete backup of your installation and your data before an update. In the next section, I will also show you how to perform regular backups using a backup plugin.

Another important point regarding the security of your WordPress installation is the underlying PHP version. Version 7.4 is currently recommended, but there is downward compatibility back to 5.6.20. You can see the PHP version you are currently using via Dashboard > Tools > Site Health > Info > Server.

PHP version used: This can also pose a security risk. Keep it as up to date as possible. In the server area, you can see directly which PHP version you are currently using.

If you are using a version older than 7.4 at this point, you should consider an update for security reasons. However, the new PHP version must be supported by all of the plugins you use so that your website continues to function properly after the update.

Once you have checked everything, make a full data backup and start the update.

Carry out Regular Data Backups

Data backup is not only useful for updates, but also as a recovery point after an attack. A regular backup is strongly recommended, and if possible you should automate it, otherwise it is quickly forgotten. It is best to save your data either on another server or on cloud storage such as OneDrive or Dropbox.

You can also use the free UpdraftPlus plugin to automate data backups. With this extension you create backups not only manually but also automatically on a schedule. Various storage locations are available, but most of them require an additional package that is subject to a fee. Only Google Drive and FTP can be used at no additional cost.

To configure the plugin, install and activate it, then open the UpdraftPlus Backups menu via Settings in the Dashboard. For a manual backup, select Backup Now on the Backup/Restore tab. For the first backup, you still need to specify the storage location.

Data backup: You should always make a backup before an update. Regular data backups are also helpful in order to restore a certain state.

Automated backup: With the UpdraftPlus plugin, you can schedule an automatic data backup and save it directly to the cloud. If you want to automate the backup of your WordPress installation, use the Settings tab. Here you can change the backup schedules for files and databases from manual to the desired interval.

On this tab you also select the location of the backup. This can either be cloud storage or a physical server. Various protocols are available for access, but most of them are chargeable. 

Secure basic Installation

After you have brought your website up to date and backed it up regularly, the next step is to get an idea of the basic configuration. Security isn’t always the focus of WordPress, so I recommend that you make corrections at various points. An important file is .htaccess, which you will find in the root directory of your installation.

In the beginning, this file is still empty or consists only of a few comment lines. The first step is to block external access to the wp-config.php file. This file contains the access data for your database and other sensitive information. So add the following lines to the .htaccess file:

# Files block limits the rule to wp-config.php; without it the Deny would apply to the whole site
<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

Also, prevent browsing of the directories on your website. For example, if you enter the URL <my-website>/wp-includes/, you will see all installed includes and their subdirectories. This gives an attacker an initial overview of the structure of your website. You can prevent this simply by adding the following line at the end of the .htaccess file:

Options -Indexes

This prevents the contents from being listed; only a Forbidden message appears in your browser when you try to access the directory.

Directory view: It is very interesting for attackers to see the contents of file directories and to navigate in them. You can deactivate this view via parameters.
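As an added example that is not part of the original article, here is a root .htaccess that puts the two measures above together. It goes a step beyond the article in two ways: the IfModule blocks make it work on both Apache 2.2 (the Order/Deny syntax shown above) and Apache 2.4 (the Require syntax that 2.4 uses natively), and it also blocks web access to the .htaccess and .htpasswd files themselves. Nothing in it is site-specific.

```apache
# .htaccess in the WordPress root directory (added example, not from the article)
# Assumes Apache 2.2 or 2.4; each IfModule pair selects the syntax the server understands.

# Block direct web access to wp-config.php (database credentials and salts live here).
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# Also hide .htaccess / .htpasswd themselves, in case the server config does not.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# No directory listings anywhere under the site.
Options -Indexes
```

To check the result, request wp-config.php and a directory such as wp-includes/ in your browser: both should now return a 403 Forbidden. If the whole site instead returns a 500 error after you add the Options line, your host’s AllowOverride setting does not permit Options in .htaccess; remove that line and ask the host to disable directory listings in the server configuration.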

Upstream password query

Another way to protect your administration area is an upstream login page. You first have to enter a correct user and password in order to even reach the WordPress login dialog. With this upstream function, you keep out scripts or bots that use brute force attacks to test different combinations of user and password. The solution shown requires Apache as the web server. However, this is the case with most hosting providers.

For the password query you need an additional file in which the user and the password are stored. This file is called .htpasswd. Create a separate directory (folder) for it under wp-admin, for example with the name passwd, and inside this passwd folder create a file named .htpasswd. The easiest way to hash the password is to use an online generator, such as the htpasswd-Generator website.

Additional security: The login to the WordPress administration console can be secured with an additional login. You can easily encrypt the user and password using an htpasswd generator.

Enter the user and the desired password in the corresponding fields and select MD5 as the hashing method. Copy the generated string into your .htpasswd file and save it.

Now create a new .htaccess file in the directory above, i.e. directly inside the wp-admin folder, and put the following code in it:

AuthType Basic
AuthName "Admins Only"
# AuthUserFile must point to the .htpasswd file itself, using its absolute filesystem path (placeholder below)
AuthUserFile /path/to/your/site/wp-admin/passwd/.htpasswd
Require user yourusername

After restarting your web server, the password query is active. Once you have entered the credentials, your browser keeps them so that you are not asked again on every page.

Because of this additional measure, plugins that use AJAX (admin-ajax.php) sometimes run into problems and no longer work properly. In these cases, add the following lines to your newly created .htaccess file:

# Files block limits the exception to admin-ajax.php; without it the whole password query would be switched off
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

If everything works as usual, you do not need this extension of the .htaccess file.
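As an added example (not from the original article), here is a complete wp-admin/.htaccess that combines the upstream password query with the admin-ajax.php exception. It goes a step further than the article by handling both the classic Order/Allow/Satisfy syntax and the Require syntax that Apache 2.4 uses natively, so the same file works on either server version. The AuthUserFile path is a placeholder you replace with the real absolute path on your server; the module names are the standard Apache ones.

```apache
# wp-admin/.htaccess (added example, not from the article)
# Assumes Apache with mod_auth_basic, mod_authn_file and mod_authz_user loaded.

AuthType Basic
AuthName "Admins Only"
# AuthUserFile must be the ABSOLUTE filesystem path of the .htpasswd file,
# not a URL path. Placeholder: replace with the real path on your server.
AuthUserFile /path/to/your/site/wp-admin/passwd/.htpasswd
# Any user listed in .htpasswd may pass; "Require user yourusername" pins it to one account.
Require valid-user

# Exception so plugins that call admin-ajax.php from the public site keep working.
# Apache 2.4 evaluates "Require all granted" (which replaces the outer Require for this
# file); older servers fall back to the 2.2 directives inside the second IfModule.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
        Satisfy any
    </IfModule>
</Files>
```

Two practical notes. Apache reads .htaccess files on every request, so a restart is not actually needed for the change to take effect; if the browser prompt does not appear, check the AuthUserFile path first (a wrong path produces a 500 error in the server log rather than a silent failure). Basic authentication only encodes, not encrypts, the credentials in transit, so this protection is only meaningful over HTTPS. If you have shell access to the server, the Apache `htpasswd` tool can create the file instead of an online generator (`htpasswd -B -c /path/to/.htpasswd yourusername` writes a bcrypt hash, which is stronger than the MD5 option); this is an alternative to the article’s procedure, not part of it.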

Check Plugins Before Installing

With WordPress, a particular danger always comes from the extensions you use. If a vulnerability is discovered, it does not take long before it is used in attacks. Before you add a new function to your installation, check the history, the number of downloads and the ratings of the plugin.

Therefore, only download new plugins from the official WordPress directory. There you can see the number of reviews and the date of the last update. User feedback in particular shows how well and how quickly the developers react to problems. Well-managed plugins also have an integrated support forum where questions are answered and problems can be raised.

Wow, you read to the end. Great! Was this article helpful? Your comments and suggestions are most welcome.
