In this article, we give some important and interesting tips on how to build a WordPress website safely and how to put as many obstacles as possible in the way of potential hackers. 10 tips on how to maximize security, which also apply to our customer websites.
1. Use strong passwords
Right at the beginning of the installation, you are asked to enter the database access data. Here, no password can be too strong. This also applies to any user accounts that are subsequently created. If you allow users to register later, plugins that only allow strong passwords (e.g. DF5kysdZS66) are advisable.
2. Change table prefix
Current versions of WordPress allow you to adjust the table prefix of the MySQL database tables. This should be used urgently. The standard prefix “wp_” is of course known to hackers. By changing the prefix to, e.g., “wp45fkze_”, you make it harder for potential intruders. In addition, this prefix only needs to be specified once. You don’t need to remember the prefix anyway.
3. Swap out upload folder
WordPress allows you to move the upload folder of the integrated media library. So you can choose any location and adjust the path in the WordPress backend under “Settings > Media library > Save uploads in the following folder”. Since the upload folder is a relatively unprotected folder (chmod 777 – readable and writable by everyone), it should be handled with particular care.
4. Move WordPress instance to a subfolder
The so-called core files of the system can, of course, be placed in the main folder, but even here you make it very easy for potential attackers since you retain the standard structure. WordPress allows you to move them to a subfolder, e.g. “wp_cms4538”. You move the WordPress files there in their entirety, but leave the “index.php” in the main folder. This file has to be adapted accordingly:
/** Loads the WordPress Environment and Template */
require('wp_cms4538/wp-blog-header.php');
Don’t forget to adjust the paths to the website or blog in the backend of the WordPress installation under Settings > General.
5. Do not use user “Admin”
When you create the first user, you should give it a more cryptic name than “admin” or “administrator”. These names are very often used for this kind of user account and are therefore easy to guess. If you want to go one step further, you should also adjust the user ID in the database accordingly, since the first administrator is assigned “1” as the user ID, which also plays into a hacker's hands regardless of the choice of name.
6. Do not create customer login as an administrator
If other users need to be created, you should only assign the administrator status in extreme cases. The rule here is: too many cooks spoil the broth, and with too many administrators, security suffers as well.
It is more advisable to assign the “editor” status to customers. The rights are more than sufficient for everyday use and the risks are severely limited. If the rights management within WordPress needs to be refined further, plugins such as “Members” can be used to create custom roles with customized user rights.
7. Use HTACCESS to increase security
An .htaccess file is a very powerful instrument. Via “.htaccess”, numerous security settings can be made that restrict access to important configuration files and backend areas.
We recommend the WP HTAControl plugin. By means of this plugin, numerous security settings can be activated with a few clicks:
- Securing the “wp-config.php” file against access from outside
- Securing the “comments.php” file from outside access
- Limitation of the upload limit (e.g. to 500kb)
- Deactivation of “Indexes”, i.e. the automatic listing of a folder's contents when the folder is called directly
- Deactivation of server signatures in case of error messages (in order not to give important server information to attackers)
- Own entries in the htaccess file
- Numerous settings that have a direct influence on the URLs that are output.
… and much more
8. Lock WordPress backend “WP-Admin” via IP
If, for example, a so-called “fixed IP address” is used within a company, access can be restricted to exactly this address. If you access the backend of WordPress from outside this IP address, you will receive an error message (“Forbidden”). This way, the administration area can be protected extremely effectively, but this requires that you always access the website via the same IP address. Private ADSL providers (access from home) rely on “dynamic IP addresses”, which can change quickly. If in this case access is granted only to one specific IP address, you will be locked out after 24 hours at the latest.
This restriction on the IP address is interesting, for example, for companies that host their website on their own in-house servers and therefore only need to have access from there for day-to-day maintenance.
To set up this IP block it is sufficient to put a ".htaccess" file in the wp-admin/ folder with the following content (whereby the corresponding IP address must of course be adapted):
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# The rules are not wrapped in <Limit GET>: inside <Limit> they would apply
# only to the listed methods, leaving POST requests unrestricted.
order deny,allow
deny from all
# whitelist IP address
allow from 184.108.40.206
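A quick check of an installation against tips 2, 3 and 8, as an added example that is not part of the original article or of any plugin it names. The function name `wp_audit`, the finding labels and the example path are made up for illustration; the script assumes it is given the folder that contains wp-config.php and, optionally, a moved upload folder.

```shell
#!/bin/sh
# Added example: wp_audit CORE_DIR [UPLOADS_DIR]
# Prints one finding per line and nothing when all three checks pass.
wp_audit() {
    core=$1
    uploads=${2:-$core/wp-content/uploads}   # pass the new path if moved (tip 3)

    # Tip 2: wp-config.php still uses the well-known default prefix "wp_".
    if grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.[[:space:]]*;' \
            "$core/wp-config.php" 2>/dev/null; then
        echo "default-table-prefix"
    fi

    # Tip 3: a directory in or below the upload folder is writable by everyone.
    if [ -n "$(find "$uploads" -type d -perm -0002 2>/dev/null | head -n 1)" ]; then
        echo "world-writable-uploads"
    fi

    # Tip 8: wp-admin/.htaccess has no deny rule, or wraps it in <Limit>,
    # which restricts only the HTTP methods listed there.
    ht=$core/wp-admin/.htaccess
    if ! grep -Eiq '^[[:space:]]*(deny[[:space:]]+from[[:space:]]+all|require[[:space:]]+ip[[:space:]])' \
            "$ht" 2>/dev/null; then
        echo "wp-admin-no-ip-restriction"
    elif grep -Eiq '^[[:space:]]*<limit[[:space:]]' "$ht"; then
        echo "wp-admin-rule-limited-to-listed-methods"
    fi
}

# Run directly, e.g.: sh wp_audit.sh /var/www/html/wp_cms4538  (example path)
if [ "$#" -gt 0 ]; then wp_audit "$@"; fi
```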
9. Lock after X failed logins and suppression of error messages
In normal operation, the login form of the WordPress admin area is very generous with the information it returns. In addition, you can make “endless” attempts to crack the password or user name. The technical term for this is “brute force attack”.
In this case, we recommend a plugin (“Limit Login Attempts” – lock after a specified number of failed logins) and an adjustment in the “functions.php” of the used theme. Simply insert the following line of code into the “functions.php”:
add_filter('login_errors', function ($a) { return null; });
Then all error messages are suppressed. Without this instruction, WordPress would immediately tell attackers whether the “guessed” username really exists and only the password is wrong.
10. Install WP-Security Scan by WebsiteDefender Plugin
In combination with a free account at www.websitedefender.com, the plugin “WP-Security-Scan” develops into an indispensable watchdog for every WordPress website. The tool not only points out relevant security settings that should be made but also actively scans the system for potential intruders, provided you have created a free account at www.websitedefender.com and linked it to the plugin.
11. Install WordPress updates (Bonus Tip)
WordPress is a very popular platform and enjoys ever-increasing popularity. This results in regular attacks on known security vulnerabilities. Fortunately, the WordPress community is trying to close these gaps as quickly as possible. Therefore, WordPress updates should be installed as quickly as possible, provided you first have a complete backup and secondly make sure that all installed plugins are compatible with the new WordPress version and work together correctly. Alternatively, we recommend mirroring the entire WordPress site. That way, you can install and test the update without hesitation and without endangering the live environment.