WordPress is a very popular target for attackers: there are countless installations worldwide, their number keeps growing, and security flaws are regularly introduced by third-party themes and plugins.
That is why you should already pay attention to a few important points when setting up the system, so that WordPress is as secure as possible (even though it will never be one hundred percent secure).
This guide explains the steps to follow and also introduces some plugins that make the installation more secure.
Installation: Secret keys, table prefix and password
During installation, the file wp-config-sample.php must be adapted with your individual database settings and renamed to wp-config.php. The same file also holds the security keys and salts for the new website or blog. If you create wp-config.php with the web installer, it fills the keys in for you; if you copy the sample file by hand, you have to do it yourself. Unfortunately, many people skip this step, although it takes only a moment.
Below the database settings in wp-config-sample.php there is a link (https://api.wordpress.org/secret-key/1.1/salt/) that generates a fresh set of keys. Copy the generated block and paste it over the eight define lines, replacing the placeholder text 'put your unique phrase here'. Note that changing the keys later invalidates every existing login cookie, so all users have to log in again; that is also the quickest way to terminate all sessions after an incident.
Another important step is to change the default prefix of the WordPress tables, which is wp_. The prefix is set in the same wp-config file, just below the security keys. If you change it, the database tables no longer start with wp_ but with the prefix you have chosen (letters, digits and underscores). Do this on a fresh installation: on an existing site the tables and several option and usermeta keys would have to be renamed as well. Also keep in mind that a custom prefix only raises the bar against blindly pre-written SQL injection payloads; it does not fix an injection flaw itself.
The third crucial point is the login data for the WordPress backend, which you define during the installation. Please do not choose a common username like demo, admin or test123. Automated attacks on your blog (so-called brute force attacks) try exactly these default usernames again and again, and if the password is weak as well, the site is compromised quickly.
You should also make sure that your username does not appear anywhere on your blog, for example in the author archive or in blog posts. WordPress does something here that is not optimal: the author archive URL contains the login name, in the form http://deinewebsite.com/author/benutzername, and a request for /?author=1 is redirected to exactly this URL, so the login name of the first account can be read off with a single request. If the username is that easy to find, an attacker already has half of the login data. Under this link you will find a way to hide your author name.
Another way to keep the admin username out of sight is to blog with a less privileged account: create a user with the role "Editor" and use it for writing posts and uploading images. By default, this role has no access to sensitive areas of the WordPress installation such as plugins, settings and themes, so even if that account is compromised, the attacker's options for changing anything on the site are limited.
As a password, choose one that WordPress rates as "Strong": at least 7-8 characters, with special characters in addition to upper and lower case letters and numbers. Longer is better, and a password manager can generate and store it for you, so it does not have to be memorable.
If possible, remove the files readme.html and license.txt from the WordPress root directory; readme.html reveals the installed WordPress version, which not everyone needs to know, and license.txt serves no purpose on a live site either. Two caveats: core updates put both files back, so repeat this after every update, and the version still leaks through the generator meta tag and the ?ver= query strings on scripts and stylesheets, so removing the files closes only one of several sources.
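The installation steps above, carried out in one script on a constructed copy of wp-config-sample.php, as an added example that is not part of the original post. The eight keys are generated locally from /dev/urandom instead of being pasted from the api.wordpress.org link (either works; WordPress only needs unique, unpredictable strings), the table prefix is validated and set, and readme.html and license.txt are removed. The function names, the temp-dir demo and the prefix kz9_ are my own choices.

```shell
#!/bin/sh
# Added example, not from the original post. Hardens a hand-written wp-config.php:
# unique keys/salts, custom table prefix, version-revealing files removed.
set -eu

# Writes a constructed excerpt of wp-config-sample.php (only the lines this
# example touches). A real file has more, but the same placeholder text.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define( 'DB_NAME', 'database_name_here' );
define( 'DB_USER', 'username_here' );
define( 'DB_PASSWORD', 'password_here' );
define( 'DB_HOST', 'localhost' );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
$table_prefix = 'wp_';
EOF
}

# 64 random characters from a set that is safe inside a single-quoted PHP
# string and inside the sed replacement below (no ' \ & | / characters).
generate_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9@#%^*()_+=' < /dev/urandom | head -c 64
}

# harden_wp_config SRC DST PREFIX: copy SRC to DST, give each of the eight
# keys its own salt and set $table_prefix. Returns 1 for an invalid prefix.
harden_wp_config() {
    src=$1; dst=$2; prefix=$3
    case $prefix in
        *[!A-Za-z0-9_]* | '')
            echo "prefix may only contain letters, digits and underscore" >&2
            return 1 ;;
    esac
    cp "$src" "$dst"
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        salt=$(generate_salt)
        # \1 keeps "define( 'KEY', "; only the placeholder is replaced.
        sed "s|\\(define( *'$key', *\\)'put your unique phrase here'|\\1'$salt'|" \
            "$dst" > "$dst.tmp" && mv "$dst.tmp" "$dst"
    done
    sed "s|^\\\$table_prefix *= *'wp_';|\$table_prefix = '$prefix';|" \
        "$dst" > "$dst.tmp" && mv "$dst.tmp" "$dst"
}

# remove_version_files DIR: drop the two files that reveal the WordPress
# version. Core updates restore them, so repeat this after every update.
remove_version_files() {
    rm -f "$1/readme.html" "$1/license.txt"
}

# Demo in a temp dir so nothing real is modified.
work=$(mktemp -d)
write_sample_config "$work/wp-config-sample.php"
: > "$work/readme.html"; : > "$work/license.txt"
harden_wp_config "$work/wp-config-sample.php" "$work/wp-config.php" "kz9_"
remove_version_files "$work"
grep -e "_KEY'" -e "_SALT'" -e table_prefix "$work/wp-config.php"
ls "$work"
rm -rf "$work"
```

On a real site, point the script at the actual wp-config-sample.php and WordPress root and keep the generated wp-config.php readable only by the web server user; the keys in it are exactly what an attacker needs to forge login cookies, so they must never end up in a backup or repository that others can read.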
With these steps, your WordPress installation is already more secure than many others on the web. But there are other things you should be aware of to make it as difficult as possible for hackers to crack your site.
Limit login attempts: Limit incorrect login attempts
Until you install a plugin like this, you will not know how often your site is attacked via the login page. With Limit Login Attempts, these attempts become visible.
In the plugin's settings you define after how many failed login attempts the login page is blocked for the IP address that made them, and for how long. You can also be notified by email when a lockout occurs. During a brute force attack, where username and password combinations are tried automatically, several hundred blocked login attempts can occur in a single day. This has happened to me several times with this blog. Two caveats: an attacker who spreads the attempts over many IP addresses stays below a per-IP limit, and behind a CDN or reverse proxy the plugin must be set to read the real client address from the forwarded header, otherwise it sees only the proxy's address and locks out everyone at once.
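To see what the plugin counts without installing it, the same signal can be pulled from the web server access log: a POST to wp-login.php that is answered with HTTP 200 is WordPress re-rendering the login form, i.e. a failed attempt, while a successful login answers with a 302 redirect to wp-admin. The following is an added example (not part of the original post or of the plugin) that runs this heuristic over a few constructed log lines in combined log format; the addresses, the threshold and the function name are my own.

```shell
#!/bin/sh
# Added example, not from the original post or the plugin: find IP addresses
# with many failed wp-login.php attempts in an access log (combined format).
set -eu

# Constructed sample log; addresses are from the documentation ranges.
write_sample_log() {
    cat > "$1" <<'EOF'
192.0.2.1 - - [10/Oct/2023:13:55:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3012 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
203.0.113.5 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "python-requests/2.31"
198.51.100.7 - - [10/Oct/2023:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:25 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2023:14:02:41 +0000] "GET /wp-admin/ HTTP/1.1" 200 9876 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Oct/2023:14:10:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
EOF
}

# login_failures LOG THRESHOLD: print "ip count" for every address with at
# least THRESHOLD failed attempts. Heuristic: POST /wp-login.php answered with
# 200 = form shown again = wrong credentials; 302 = successful login.
# Field 1 is the client address, 6 the method, 7 the path, 9 the status.
login_failures() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php(\?|$)/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print ip, fails[ip] }
    ' "$1" | sort
}

# Demo on the constructed log with the same threshold one would set in the plugin.
log=$(mktemp)
write_sample_log "$log"
echo "addresses with 4 or more failed logins:"
login_failures "$log" 4
rm -f "$log"
```

On a real log, 203.0.113.5 would be the address the plugin locks out, while 198.51.100.7 (two typos, then a successful login) stays below a sensible threshold. The xmlrpc.php line is deliberately not counted: that endpoint accepts credentials too, and a limiter that only watches wp-login.php does not see those attempts, so check it separately or disable XML-RPC if nothing uses it. Behind a CDN or reverse proxy, field 1 is the proxy's address; use the forwarded client address field your server logs instead.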
Beware of quality
WordPress themes and plugins from third-party providers often introduce critical security holes that attackers can use to break in. So do not install plugins just because they might be cool; each one should be genuinely useful for your website. The more plugins are installed, the more likely some of them will get in each other's way, slow the site down and produce errors and failures, and the larger the attack surface becomes.
Prefer plugins that are listed in the official WordPress directory: everything submitted there goes through a review before it is listed, and once published, users report bugs, comment and rate the plugin in public.
So look at the ratings, the number of downloads or active installations and, above all, the date of the last update when you pick a new free plugin; an abandoned plugin will not get a fix when a vulnerability is found. Paid plugins and themes from marketplaces such as Themeforest come with vendor support where you can report bugs and other problems, and the vendors have a reputation to protect, so in most cases they make an effort to deliver high-quality products. Paid does not mean audited, though: keep every plugin and theme updated, whatever its source, and remove the ones you no longer use.