WordPress has a reputation for not being the most secure system. However, this is not primarily due to the software itself, but to its enormous reach: WordPress is by far the most widely used CMS worldwide, and it comes with a huge ecosystem of plug-ins, i.e. additional modules that extend the CMS. It is open source, and anyone can write a plug-in and publish it. Some plug-ins are unfortunately written sloppily, but more often the real problem is a careless website owner who simply does not regularly apply security updates for the core system and for the plug-ins.
For attackers, it is therefore worth the effort to keep researching vulnerabilities and to scan for them specifically.
- First and foremost, the simplest measure, but one that should be done regularly: back up WordPress, all media, plug-ins and themes, and be sure to test the whole thing beforehand.
We have had very good experiences with Updraft here, but there are also a lot of free backup plug-ins for WordPress. Be sure to try out restoring as well! In case of damage, you don't want to be stuck with a backup that is useless because the restore doesn't work.
- Assign read and write permissions for the files on the server according to the following scheme:
wp-config: 600,
other files: 644,
directories: 755
A good overview of recommended read and write permissions on web servers.
- Regenerate the WordPress security keys (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY).
You can have new ones generated on this page:
https://api.wordpress.org/secret-key/1.1/salt/
Then replace the corresponding values in the wp-config.php in the root directory of your WordPress installation.
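As an added example (not part of the original article), the following shell script carries out the two steps above, the file permissions and the key rotation, on a WordPress root. It assumes the standard layout with wp-config.php in the root directory and that find, awk, mktemp and curl are available; the API block also contains the four matching *_SALT lines, which are replaced the same way.

```shell
#!/bin/sh
# Added example, not part of the original article: applies the two
# procedural steps (file permissions, fresh security keys) to a
# WordPress root. Assumes the standard layout with wp-config.php in the
# root and that find, awk, mktemp and curl are available.

# Step 1: directories 755, files 644, wp-config.php 600.
fix_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} + &&
    find "$root" -type f -exec chmod 644 {} + &&
    chmod 600 "$root/wp-config.php"
}

# Save a fresh block from the official generator to the file named in $1.
fetch_salts() {
    curl -fsS https://api.wordpress.org/secret-key/1.1/salt/ > "$1"
}

# Refuse to touch wp-config.php unless the saved block really contains
# the eight define() lines (a saved HTML error page would not).
check_salts() {
    n=$(grep -c "^define('[A-Z_]*'," "$1" || true)
    [ "$n" -eq 8 ]
}

# Step 2: replace each define('KEY', ...) line in wp-config.php whose KEY
# appears in the salt block with the new line; all other lines are kept.
# Keys present in the block but missing from the file are not added.
rotate_salts() {
    config="$1"; salts="$2"
    check_salts "$salts" || return 1
    tmp=$(mktemp) || return 1
    awk -v saltfile="$salts" -v q="'" '
        function keyof(s) {   # define( KEY, ... ) -> KEY
            sub("^define\\( *" q, "", s); sub(q ".*$", "", s); return s
        }
        BEGIN { while ((getline l < saltfile) > 0)
                    if (l ~ /^define\(/) fresh[keyof(l)] = l }
        $0 ~ ("^define\\( *" q) && (keyof($0) in fresh) { print fresh[keyof($0)]; next }
        { print }' "$config" > "$tmp" &&
    cat > "$config" < "$tmp"    # overwrite in place so the 600 mode is kept
    rc=$?; rm -f "$tmp"; return "$rc"
}

# Typical run on a live site (paths are placeholders; not executed here):
#   fetch_salts /tmp/salts.txt && rotate_salts /path/to/wp-config.php /tmp/salts.txt
#   fix_perms /path/to/wordpress
```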
Further safeguards:
- Prohibit directory listings and browser access to sensitive files.
- Prohibit the execution of PHP files in the wp-includes directory.
- Prohibit the execution of PHP files in the wp-upload directory.
- Secure the wp-config file.
- Disable pingbacks.
- Deactivate unused script languages.
- Prohibit the execution of PHP files in cache directories.
- Block author scans (user enumeration).
- Redirect the standard login page to a "secret" page.
- Prohibit login attempts with the user name "admin".
- Block suspicious IPs.