If you operate a WordPress blog, it is important to take steps to protect it from hackers and other online criminals. Unfortunately, in recent months we have heard more and more about hacked websites that were created with the popular CMS (Content Management System) WordPress. In this article, we will discuss some of the ways that you can protect your WordPress blog from intruders and misuse.
Unfortunately, in recent months we have heard more and more about hacked websites that were created with the CMS (Content Management System) WordPress. But what exactly does it mean for the operators and visitors if the website has been hacked? Strangers (hackers and script kiddies) have gained access to your website through various means in order to misuse it in various ways and harm others. This can range from suddenly advertising for potency-enhancing drugs under your domain to thousands of emails with questionable content. Furthermore, infected WordPress blogs are increasingly being used to carry out targeted attacks on third-party systems. In the end, this falls back on you, so it is important to think about the security aspect in advance.
There are a few simple but effective measures you can take to protect your WordPress blog:
- Use strong passwords for your WordPress account and user accounts. A password should be at least eight characters long and contain upper and lower case letters, numbers, and special characters.
- Keep your WordPress installation up to date. New versions of WordPress usually contain security fixes for vulnerabilities that have been discovered.
- Use a security plugin like Wordfence to scan your blog for malware and block malicious traffic.
- Use a reputable hosting provider that offers WordPress-specific security features like automatic malware scanning and removal.
By taking these simple steps, you can help protect your WordPress blog from hackers and other online criminals.
Now we want to dive a little bit deeper into this topic and I want to explain to you in detail how you can secure your WordPress website or your WordPress blog against hackers!
Use strong passwords & usernames
Please always use secure passwords and, if possible, secure user names. For example, it is not advisable to use “admin” as the user name, even if this is suggested during installation.
Why? Simply because most administrators use “admin”, the attacker already has 50% of the data they need to log into the administrator area. But if, for example, you use “Host-YourName-2022” as the user name and then ideally “my%pass&is!safe2022” as the password, you make it more difficult for the attacker to get to the data.
In general, don’t use any word as a password that appears in any dictionary in the world! The same also applies to FTP access or to databases.
The use of secure passwords is all the more important here. Please do not use the data given above, these are only intended to illustrate how to create a secure configuration!
Please use your own user names and passwords!
Keep your website up to date!
This applies not only to the editorial part but at least as much to the technical part. The developers release updates for this CMS at irregular intervals. These should be uploaded to your website in a timely manner since these updates close security gaps that have come to light in the course of operation. There are now several major versions of the popular WordPress CMS:
- WordPress 1.x (no more updates–version 1.5 was released on 02/17/2005)
- WordPress 2.x (no more updates–version 2.9 was released on 12/18/2009)
- WordPress 3.x (no more updates–version 3.9.27 was released on 03/13/2019)
- WordPress 4.x (is no longer supported, but still receives some security updates)
- WordPress 5.x (latest officially supported version)
As you can see from the listing above, versions 1 & 2 are no longer supported. This means that there will be no more updates for these versions. It is therefore important to switch to the latest version 5.x.
Unfortunately, as soon as there is an update, the potential attackers also find out about it and they then look for any new security gaps that may exist. So it’s really important here to check regularly for updates. In the WordPress backend, the menu bar shows you whether an update is available.
Now just click on the icon and you will be shown all available updates. In addition to the actual WordPress updates, the updates for the templates and the installed plugins are also displayed here.
Very important: Before performing the updates, make a backup of your blog. If something goes wrong with the update, you can restore the backup and not lose your entire blog! You can use the free program “UpDraftPlus“, which automatically creates regular backups of your WordPress blog or WordPress website.
UpdraftPlus
With this plugin, you can schedule backups and store them on your own computer or via FTP, Amazon SGL, Google Drive & Co. You can even have the backups emailed to you.
The best thing about it: The plugin is available for free in the WordPress Plugin Directory! There is a premium version of UpDraftPlus, but this is not necessary in most cases and the free version is sufficient to secure your website.
Save your upload directory
The most common type of malware infection is via uploaded PHP files. You can easily protect yourself against this, you only have to create a .htaccess with the following content in your wp-content/uploads directory:
php_flag engine off
This will disable the execution of PHP files in this directory. PHP files are a major vulnerability of WordPress, but it’s also not that easy to fix. PHP files are often used by attackers to inject malicious code onto your website.
How to create a .htaccess file
Open text editor
To create a .htaccess file (if supported by your own web hosting provider), first start a text editor that is able to save documents without meta information, such as the “Editor” found under “Accessories” under Windows.
Insert content
Now add the desired code to the file, which later determines how requests to the corresponding directory should be changed. Following this step-by-step guide on how to create a .htaccess file are some examples of redirects, rewrites, and password protection.
Create & save file as .htaccess
Save the file under the name “.htaccess” (without quotation marks) it is important to have the dot at the beginning and that the file is saved without any other file extension. If the text editor forces the use of a file extension, it is best to save the file as “.txt” and then remove the file extension in the file explorer.
Upload .htaccess file to the server
Now upload the file to the desired directory on your server using the FTP client (make sure that the FTP client does not make any changes when uploading the file, such as adding a file extension) and check in the browser whether the desired effect occurs.
With this little change, you can protect yourself very well against such attacks.
If you want to be really safe, you should also encrypt your backups before uploading them to an external service provider (e.g. Google Drive or Dropbox). This is the only way to be sure that no one else can access your data in case of a security breach.
There are many ways to encrypt your backups. You can use the free TrueCrypt program or a paid solution like Jetico BestCrypt.
Both programs work in a similar way:
You create an encrypted “container” with them, into which you then copy your backups. This container is then mounted as a virtual drive and can be used like any other drive. The advantage is that the data in the container is only accessible if you have the right password.
Data backup, data backup & data backup again!
Since many hosting companies do not perform their own backups of your WordPress website or blog, you have to take care of the regular backup yourself!
You should always have your own backup of your data (webspace, database) so that you can restore it yourself at any time. This saves you time and you are on the safe side. There are useful components for this, such as BackUpWordPress or UpDraftPlus. With this component, you can create backups at defined times – fully automatically.
Nothing is more annoying than a broken WordPress website. It’s even more annoying when you don’t have the option to repair your website.
Therefore, you should automate your backups to an external service (e.g. Dropbox, Google Drive, or Amazon SGL). This has the advantage that you can always restore your website from a backup, even if your entire webspace is lost!
Your WordPress blog should be regularly backed up by an external service provider. You can use the free UpDraftPlus plugin for this purpose.
The plugin offers you the possibility to create backups of your WordPress blog at defined times and to store them on your own computer or via FTP, Amazon SGL, Google Drive & Co.
Protect your administration area
Anyone who has ever dealt with WordPress knows how to access the admin panel. This can always be reached https://yourdomain.com/wp-admin and also at https://yourdomain.com/wp-login.php. This is also known to the attackers. A simple but effective way to protect yourself is to protect this area with access protection.
(An additional option is to change the login page so that the normal login path is no longer usable. There are many different plugins that allow you to create a custom login URL.)
Here you can work with a .htaccess file that prevents access to wp-login.php and the subdirectory /wp-admin. The .htaccess server file (usually used by WordPress to control the permalinks), which is already present in most cases, is expanded by 2 code blocks with minimal path adjustments. You also need a .htpasswd file with access data that also belongs in the main directory of your blog.
Note: Below is an example of such an htaccess file. Please note that this access protection does not apply in .htaccess if you use a WebPack M, since only permalink rules are executed here.
Instructions for access protection via .htaccess
- Please create an empty file named .htpasswd in the root of your blog.
- Please open the created file with an editor. We recommend notepad++ or PSPad.
- Call up the htaccess generator under the following link at www.htaccesstools.com/htpasswd-generator/ and enter the desired user name and a secure password in the input fields – this combination of user name and password is the access for the .htaccess query. The string generated by the htpasswd generator is inserted into the opened .htpasswd file and saved.
- Open the .htaccess file in the editor and add the code below. Please note that the path to .htpasswd must be adjusted so that the server can also find and load this file. If you don’t know the correct path, put a PHP file with the following content on your package:
<?php
echo dirname(__FILE__);
?>
- Save changes and check the result.
Access protection + internal protection for system files (htaccess code)
<Files wp-login.php>
AuthName “admin area”
AuthType Basic
AuthUserFile /is/htdocs/wp#######_Q2RCLODP87/www/pfad/zur/.htpasswd
Require valid user
</Files>
<FilesMatch “(\.htaccess|\.htpasswd|wp-config\.php|readme\.html|readme\.html)”>
Require all denied
</FilesMatch>
The path to htpasswd must then be entered correctly in the file.
There are many other options to protect the backend from access, from URL extensions to WordPress Firewall, etc. However, since this is all generated via plugins and you can never be sure whether these plugins will ultimately lead to a security problem, we concentrate here on the simple ways, which are usually the best and most effective.
Secure your extensions with Captcha queries
If you operate forms, guest books, or forums under WordPress, it is important that you secure them accordingly. Various Captcha plugins are available here. It is advisable to research in advance whether there are any recommendations for the plugins used. Sometimes captchas are already integrated or prepared in the plugin. A small overview of proven captchas for WordPress blogs can be found here:
Also, check whether you are actually using all installed plugins and modules on your website. You often test different extensions during the creation of the website, but ultimately do not use them at all. These extensions are usually not maintained either, thus providing easy ways for strangers to infect your website. Please uninstall these unused extensions via the backend.
Adjust, optimize and secure WordPress file permissions
Many users set the file permissions very high because this way you can prevent problems with your WordPress blog or the installed components, modules, or plugins. While this is understandable, it doesn’t make sense because you also allow attackers to abuse these rights. We, therefore, recommend the following assignment of rights:
- User: ftpXXXXX
- Group: wpXXXXX
- all directories get the rights 750
- all files get the rights 640
The following directories require the rights 770 so that WordPress can work correctly:
/wp-admin/
/wp-content/
/wp-content/plugins
/wp-content/upgrade
/wp-content/uploads
/wp-content/cache
./wp-cache-config.ph
/wp-content/backup/
For these directories, please set the permissions recursively (this means that these permissions apply to the directory and all subdirectories):
/wp-admin/
/wp-includes/
/wp-content/themes/
/wp-content/
In the following screenshot you can see where you can see the listed rights and what values they are assigned by default:
It is very important that the individual directories and files have the correct access rights. Sometimes it can happen that various plugins change the rights. You should therefore check the access rights from time to time and correct them if necessary.
Incorrect access rights allow attackers to access important files and change these files or WordPress directories.
Check for vulnerable plugins and themes
As with all other software, there are often security gaps in WordPress plugins or themes that allow attackers to access your website. These so-called vulnerabilities arise mainly because the developers do not keep their plugins or themes up to date. It is therefore important that you always use the latest versions of WordPress, plugins, and themes.
Conclusion
By following the simple steps above, you can significantly increase the security of your WordPress blog and protect it from attack. If you have any questions about WordPress security, our expert support team will be happy to help you.
- Make sure to update WordPress, plugins, and themes regularly
- Use a strong password for the WordPress backend
- Install a security plugin like Wordfence
- Use only trusted themes and plugins from reputable sources
- Adjust file permissions properly
- Check for vulnerable plugins and themes regularly
If you follow these simple steps, you can protect your WordPress blog from attack and keep it secure. If you have any questions about WordPress security, our expert support team will be happy to help you. Just contact us!