
How to Secure Your Wordpress Website

Guide Wordpress Security

What is Wordpress?

As always, I like to start with what the product is.

Wordpress is the most popular website builder on the market; easily half of all websites are built with it. It is comparable to Wix or Squarespace, which are also very popular but proprietary, whereas Wordpress is an open source solution.

This makes Wordpress very modular, and it therefore has many plugins that extend its functionality. All in all, not a bad product.

The only problem is that some people don’t know how to secure a website. Most set it up and then forget absolutely basic security measures.

Security measures

Updates

This is really very basic, but update your Wordpress instance and also your plugins. Updates are not just feature changes to a program; they also carry security patches, and those in particular are important for fixing vulnerabilities on the website.

However, you should create a backup before every update. It is always possible that there is a faulty update or that a plugin no longer works after an update.

Secure admin panel credentials

Name

When you create a Wordpress user, please don’t name your admin user Admin, Administrator, root or something similar. It doesn’t matter what you call it, as long as it’s nothing obvious.

Hackers know that the default administrator is often called admin and then try to brute-force it with bots. This way you evade bots, but you are still not safe from targeted attacks.

My recommendation would be to make the administrator names cryptic. So don’t use the names of the admins in the company either, as these can be found out via the website if you make names and positions public.

After you have created your user, you should remove the default admin user from Wordpress.

Password

The password should be as secure as possible. However, its strength should not be judged by a human but by a computer.

Password security is measured in entropy, which should ideally be as high as possible.

If you want to learn something about passwords, here is an article from Kicksecure.

https://www.kicksecure.com/wiki/Passwords

A secure password should have an entropy value of at least 250 bits to ensure that it has post-quantum resistance. For the creation of a password, here is also an article from CISA.

https://www.cisa.gov/secure-our-world/use-strong-passwords

In short, your password should be as random as possible. This can be achieved with passwords or passphrases that are created via a password manager.

I recommend KeePassXC or Bitwarden. Bitwarden should be self-hosted for security reasons. Never use a cloud-based password manager; LastPass is the best example why.

https://duckduckgo.com/?t=ffab&q=Lastpass+scandal&ia=web
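The entropy figures in this section are easy to compute yourself. The following is an added example (not from the original post): it applies the formula length × log2(alphabet size) to the two kinds of secret the section mentions, works out how many random characters or Diceware words are needed to reach the 250-bit target quoted above, and generates a secret with the `secrets` module, which is the CSPRNG-backed choice for this in Python. The short word list is constructed for the demo and is far too small for real use; the 7776 figure is the size of a standard Diceware list.

```python
import math
import secrets
import string

# Constructed demo word list. A real Diceware-style list has 7776 entries;
# this one only exists so the generator below can run offline.
DEMO_WORDS = ["anchor", "basalt", "cobalt", "delta", "ember", "fjord", "granite", "harbor"]
DICEWARE_SIZE = 7776
# All printable ASCII except space: 52 letters + 10 digits + 32 punctuation = 94 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret whose elements are each drawn uniformly at random
    from `alphabet_size` possibilities: length * log2(alphabet_size).
    This only holds for machine-generated secrets; a human-chosen password
    of the same length has far less entropy."""
    return length * math.log2(alphabet_size)


def length_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest number of uniformly random elements that reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def random_password(length: int, alphabet: str = PRINTABLE) -> str:
    """Character password from the CSPRNG (never use the `random` module for this)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words: int, wordlist: list, sep: str = "-") -> str:
    """Diceware-style passphrase: each word chosen independently from the list."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


if __name__ == "__main__":
    target = 250  # bits, the figure used in this guide
    for name, size in (("94-symbol password", len(PRINTABLE)), ("Diceware passphrase", DICEWARE_SIZE)):
        n = length_needed(size, target)
        print(f"{name}: {n} elements -> {entropy_bits(size, n):.1f} bits")
    print("password:  ", random_password(length_needed(len(PRINTABLE), target)))
    # Four words from an 8-word list: only 12 bits, which shows why list size matters.
    print("passphrase:", random_passphrase(4, DEMO_WORDS),
          f"({entropy_bits(len(DEMO_WORDS), 4):.0f} bits from an 8-word list)")
```

Run as a script it prints that 39 random printable characters or 20 Diceware words clear the 250-bit bar; the passphrase route is the one a password manager or Diceware list makes practical to actually type.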

Wordpress themes

It should be obvious, but themes can contain malware. Since anyone can upload themes, take a close look at whether the uploader is reputable or not.

WAF (Web Application Firewall)

Use a WAF (Web Application Firewall). This ensures that the data traffic is checked and filtered from layer 1 to 7 and not just up to layer 3.

If you use a hosting provider such as Hostinger, one is already installed. Alternatively, you can also use Cloudflare if you have the web server set up locally.

Or use ZenArmor in combination with OPNsense if you prefer a local WAF. However, this will not protect you from DDoS attacks.

In the end you decide what you use.

Use an SSL or TLS certificate

HTTPS is not encrypted by itself: it requires an SSL or TLS certificate for the encryption to work. This can be issued by Let's Encrypt or purchased from your domain provider.

Further protective measures

We now have basic security, but I still have tips so that a hacker has almost no chance of gaining access.

2FA / MFA (Multi-Factor Authentication)

Nowadays it is normal to use multi-factor authentication, even if many people still don’t use it.

The simplest form is the so-called TOTP (time-based one-time password).

This is used by mobile authenticator software. Popular solutions are Google Authenticator or Microsoft Authenticator. I don’t think much of either of them, because such software does nothing special. I recommend Aegis Authenticator, as it is an open source solution and is not linked to an account.

https://getaegis.app/

An MFA plugin I recommend for Wordpress is Wordfence.

https://wordpress.org/plugins/wordfence-login-security/

Limit Login Attempts

You should set things up so that people are automatically banned after multiple authentication failures. A good plugin is this one.

https://wordpress.org/plugins/limit-login-attempts-reloaded/
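To make concrete what a login limiter does, and what it does not do, here is an added example that is not part of the post and is not the plugin's code. It replays a handful of constructed authentication log lines (RFC 5737 documentation addresses, invented usernames) through a simple policy: five failures from one source within ten minutes lock that source out for thirty minutes, and a successful login resets its counter. It also tallies which usernames the failures targeted, which ties back to the section on not naming the account admin. The third source in the sample fails once every fifteen minutes and is never locked, which is the caveat to keep in mind: a per-IP window only stops noisy bots, so the lockout should be combined with MFA and a strong password, not relied on alone.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real traffic). Format: <timestamp> <event> user=<name> ip=<addr>
SAMPLE_LOG = """\
2025-01-10T08:00:01Z login_failed user=admin ip=203.0.113.7
2025-01-10T08:00:03Z login_failed user=administrator ip=203.0.113.7
2025-01-10T08:00:04Z login_failed user=admin ip=203.0.113.7
2025-01-10T08:00:06Z login_failed user=root ip=203.0.113.7
2025-01-10T08:00:07Z login_failed user=admin ip=203.0.113.7
2025-01-10T08:00:09Z login_failed user=admin ip=203.0.113.7
2025-01-10T08:01:00Z login_failed user=zx9k2 ip=198.51.100.5
2025-01-10T08:01:20Z login_ok user=zx9k2 ip=198.51.100.5
2025-01-10T09:30:00Z login_failed user=admin ip=192.0.2.44
2025-01-10T09:45:00Z login_failed user=admin ip=192.0.2.44
2025-01-10T10:00:00Z login_failed user=admin ip=192.0.2.44
2025-01-10T10:15:00Z login_failed user=admin ip=192.0.2.44
2025-01-10T10:30:00Z login_failed user=admin ip=192.0.2.44
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>login_failed|login_ok) user=(?P<user>\S+) ip=(?P<ip>\S+)$")


def parse_line(line: str):
    """Return (timestamp, event, user, ip) or None for lines that don't match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["event"], m["user"], m["ip"]


class LoginLimiter:
    """Sliding-window lockout per source address."""

    def __init__(self, max_failures=5, window=timedelta(minutes=10), lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(list)   # ip -> timestamps of failures inside the window
        self.locked_until = {}              # ip -> datetime when the lockout expires
        self.lockouts = []                  # (ip, time) for every lockout that was triggered
        self.targeted = Counter()           # username -> number of failed attempts against it

    def is_locked(self, ip: str, now: datetime) -> bool:
        return ip in self.locked_until and now < self.locked_until[ip]

    def record(self, ts: datetime, event: str, user: str, ip: str) -> bool:
        """Feed one event; returns True if this event triggered a lockout."""
        if event == "login_ok":
            self.failures.pop(ip, None)     # a real login clears the counter
            return False
        self.targeted[user] += 1
        if self.is_locked(ip, ts):
            return False                    # already locked; the attempt is rejected upstream
        recent = [t for t in self.failures[ip] if ts - t < self.window] + [ts]
        self.failures[ip] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = ts + self.lockout
            self.lockouts.append((ip, ts))
            self.failures[ip] = []
            return True
        return False


def replay(log_text: str, **policy) -> LoginLimiter:
    """Run every parseable line of the log through a fresh limiter."""
    limiter = LoginLimiter(**policy)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            limiter.record(*parsed)
    return limiter


if __name__ == "__main__":
    lim = replay(SAMPLE_LOG)
    for ip, when in lim.lockouts:
        print(f"locked out {ip} at {when.isoformat()} until {lim.locked_until[ip].isoformat()}")
    print("most targeted usernames:", lim.targeted.most_common(3))
    print("192.0.2.44 ever locked:", "192.0.2.44" in lim.locked_until)
```

The username tally from the sample mirrors what a real log tends to show: the overwhelming majority of failures are aimed at "admin", so an account with a non-obvious name is never even touched by that traffic.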

Change the WordPress Login Page URL

The default login page for the admin panel is /wp-admin. This is known to hackers, and bots automatically try to attack these pages. If this is changed, bots can no longer find it and brute-force it. The login page can of course still be found by scanning for the admin page, but very few people do this, and it keeps script kiddies away who don’t know how to do it.

This is a good plugin to quickly change the admin panel page.

https://wordpress.org/plugins/wps-hide-login/

Log Idle Users Out Automatically

Users who are inactive should be logged out automatically. They are currently not at the PC and therefore pose a security problem. Here is another plugin to manage this.

https://wordpress.org/plugins/inactive-logout/

Summary

I could go on like this forever, but these are the basic things I would do to protect my site. Security is not a product but an endless battle in which you have to protect yourself from new threats again and again.

So you have to keep learning how to protect your IT infrastructure.

Support me

I hope this guide has helped you a lot. I would be very happy if you would join my Patreon or donate with Paypal. I am grateful for any support.

Thank you very much for reading and for your time.

