23.08.2021, Website maintenance

WordPress security. Which measures are secure and pragmatic

[Image: WordPress logo with a bicycle lock]

WordPress has the reputation of not being the most secure system. This is not primarily due to the system itself, but to its enormous distribution: WordPress is by far the most widely used CMS in the world, and it comes with a huge ecosystem of plug-ins, i.e. additional modules that extend the CMS. It is open source, and anyone can write a plug-in and publish it. Some plug-ins are poorly written, but far more often a careless website owner simply neglects to install the security updates for the core system and the plug-ins regularly.

For attackers it is therefore worth the effort to keep searching for vulnerabilities and to scan specifically for installations that have them.

  • First and foremost, the simplest thing, which should be done regularly: back up WordPress, all media, plug-ins and themes, and test the backup before you ever need it.
    We have had very good experiences with Updraft, but there are also many free backup plug-ins for WordPress. Make sure you also try restoring! In the event of damage, you don't want to be stuck with a backup that is of no use to you because the restore doesn't work.
  • The read/write permissions of the files on the server are set to the following levels:
    wp-config.php: 600
    other files: 644
    directories: 755
    A good overview of recommended read and write permissions on web servers.
  • Regenerate the WordPress security keys
    (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY).
    You can have new ones generated on this page:
    https://api.wordpress.org/secret-key/1.1/salt/
    Then use them to replace the corresponding values in the wp-config.php in the root directory of your WordPress installation.
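The permission scheme and the key rotation above can both be scripted. The following script is an added example, not code from the original article or from WordPress: it applies the 755/644/600 scheme, audits a tree for deviations, and regenerates the keys locally instead of fetching them from api.wordpress.org. The function names are my own; it assumes a POSIX shell, GNU or BSD find and awk, /dev/urandom, and a wp-config.php that uses the stock define( 'AUTH_KEY', '...' ); layout. The article lists the four *_KEY constants; the script also rotates the four *_SALT constants, which sit on the neighbouring lines of wp-config.php and are handled identically.

```shell
#!/bin/sh
# Added example (not from the original article): apply and audit the file
# permissions listed above, then regenerate the wp-config.php security keys.
# Assumptions: POSIX sh, GNU/BSD find and awk, /dev/urandom, and the stock
# define( 'AUTH_KEY', '...' ); line layout in wp-config.php.
set -e

# Apply the article's scheme: directories 755, files 644, wp-config.php 600.
wp_set_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 600 "$root/wp-config.php"
}

# Report every path that deviates from the scheme; returns 1 if any do,
# so it can run from cron or a deploy pipeline as a check.
wp_audit_permissions() {
    root=$1
    bad=$( {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -name wp-config.php ! -perm 644
        find "$root" -maxdepth 1 -name wp-config.php ! -perm 600
    } )
    if [ -n "$bad" ]; then
        printf 'Permissions deviating from 755/644/600:\n%s\n' "$bad"
        return 1
    fi
}

# 48 random bytes -> 64 base64 characters, the length WordPress itself uses.
wp_random_key() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Rewrite the define() line of each key/salt constant with a fresh value.
# Everything else in wp-config.php is passed through unchanged.
wp_regenerate_keys() {
    cfg=$1
    tmp="$cfg.tmp.$$"
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        new=$(wp_random_key)
        # \047 is a single quote; the regex matches define( 'NAME' with any spacing
        awk -v key="$name" -v val="$new" '
            $0 ~ ("^define\\( *\047" key "\047") {
                print "define( \047" key "\047, \047" val "\047 );"
                next
            }
            { print }
        ' "$cfg" > "$tmp"
        mv "$tmp" "$cfg"
    done
    chmod 600 "$cfg"   # the rewritten file must keep the strict mode
}

# Usage: sh wp-harden.sh /var/www/html
if [ $# -ge 1 ]; then
    wp_set_permissions "$1"
    wp_audit_permissions "$1"
    wp_regenerate_keys "$1/wp-config.php"
fi
```

Two caveats when running this for real: wp-config.php with mode 600 is only readable if PHP runs as the file's owner (suEXEC or a per-site PHP-FPM pool), otherwise the site stops working; and rotating the keys invalidates every existing login cookie, so all users, including you, are logged out once.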

Further safeguards:

  • Prohibit directory listings and reading of sensitive files via the web browser.
  • Prohibit the execution of PHP files in the wp-includes directory.
  • Prohibit the execution of PHP files in the wp-upload directory.
  • Secure the wp-config file.
  • Deactivate pingbacks.
  • Deactivate unused scripting languages.
  • Prohibit the execution of PHP files in cache directories.
  • Block author enumeration scans.
  • Redirect the standard login page to a "secret" page.
  • Prohibit login attempts with the user name "admin".
  • Block suspicious IPs.
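Most of these safeguards are one or two lines of web-server configuration. The script below is an added example, not from the original article or from WordPress: it writes the Apache .htaccess rules for directory listings, wp-config.php, xmlrpc.php (the pingback endpoint), ?author=N enumeration, PHP execution under wp-includes, and PHP execution in the uploads and cache directories. The function names are my own; it assumes Apache 2.4 (Require syntax) with mod_rewrite and AllowOverride enabled for the document root, a single-site (not multisite) install, and that the directory the article calls wp-upload is the stock wp-content/uploads.

```shell
#!/bin/sh
# Added example (not from the original article): write the Apache .htaccess
# rules for several of the safeguards listed above.
# Assumptions: Apache 2.4 (Require syntax), mod_rewrite, AllowOverride
# enabled, single-site WordPress in $root, uploads under wp-content/uploads.
set -e

# Root .htaccess: prepend a hardening block (once) above whatever WordPress
# or the host already manages there, so WP's own rewrite block stays intact.
wp_write_root_htaccess() {
    root=$1
    if [ -f "$root/.htaccess" ] && grep -q '^# BEGIN hardening' "$root/.htaccess"; then
        return 0   # already applied; keep the script idempotent
    fi
    tmp="$root/.htaccess.new.$$"
    cat > "$tmp" <<'EOF'
# BEGIN hardening
# Directory listings off
Options -Indexes

# wp-config.php must never be served by the web server
<Files wp-config.php>
    Require all denied
</Files>

# Pingbacks/trackbacks arrive through xmlrpc.php; deny it when unused
<Files xmlrpc.php>
    Require all denied
</Files>

<IfModule mod_rewrite.c>
    RewriteEngine On
    # Refuse author enumeration via /?author=1
    RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
    RewriteRule ^ - [F,L]
    # No direct execution of PHP under wp-includes (single-site rules)
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# END hardening
EOF
    if [ -f "$root/.htaccess" ]; then
        cat "$root/.htaccess" >> "$tmp"
    fi
    mv "$tmp" "$root/.htaccess"
}

# Data-only directories (uploads, cache) never need to execute PHP.
wp_deny_php_in_dir() {
    dir=$1
    if [ -f "$dir/.htaccess" ] && grep -q 'No PHP execution' "$dir/.htaccess"; then
        return 0
    fi
    cat >> "$dir/.htaccess" <<'EOF'
# No PHP execution in this directory
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

wp_harden_htaccess() {
    root=$1
    wp_write_root_htaccess "$root"
    wp_deny_php_in_dir "$root/wp-content/uploads"
    # cache directories only exist with a caching plug-in; cover it if present
    if [ -d "$root/wp-content/cache" ]; then
        wp_deny_php_in_dir "$root/wp-content/cache"
    fi
}

# Usage: sh wp-htaccess.sh /var/www/html
if [ $# -ge 1 ]; then
    wp_harden_htaccess "$1"
fi
```

After writing the files, request /wp-config.php, /xmlrpc.php, /?author=1 and an uploaded .php test file through a browser and confirm you get 403 responses; if the site instead breaks, AllowOverride is probably not permitting Options or FileInfo in your vhost. Multisite installs need the wp-includes rewrite rules adjusted as described in the WordPress hardening documentation.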

See also