wordpress security

Secure your WordPress website . Not the first thing you think of when you start creating your WordPress website yourself. However, it is necessary to do this. By properly securing your site you prevent uninvited guests; hackers who use your website to send SPAM, for example. You can read how to do this in this extensive article about securing WordPress websites .

Why do I need to secure my WordPress website?

This week, evil happened to one of our customers: his website has fallen victim to hackers. As always, we offer our customers to organize full security so that the customer can use his WordPress website without any worries. A frequently heard argument is: “Oh, my site attracts so few visitors. It is not of interest to hackers at all. ”

Hackers are not usually looking for websites with millions of visitors. They are often looking for websites that are not properly secured and from which they can easily send SPAM via your server.

When this happens, it is possible that Google puts the IP address of your server on a so-called “Black list”, so that your emails end up in the SPAM box of the recipient. A world disaster of course if you are actively engaged in email marketing!

The reason you need to properly secure your WordPress website is quite simple. WordPress is an open-source CMS. This means that developers can develop WordPress themes and plugins without any control, making WordPress one of the most popular content management systems in the world. Precisely because WordPress is so accessible and almost everyone with basic knowledge of the internet can build a website in this way, it often goes wrong. Experts estimate that about 70% of WordPress websites are not properly secured.

Where things often go wrong in the security of your WordPress website is shown in the following image of WP White security.

The first thing you notice is the high percentage of hacks that come from hosting; no less than 41% is due to unsafe hosting! Therefore, consciously choose a qualitative and reliable hosting partner when you start managing your WordPress website yourself. Then you already have that part of the security in order.

The 8% of hacks that come from weak passwords are not that exciting. It goes without saying that you protect your WordPress environment well by using a strong password. A handy tool to generate strong passwords is strongpasswordgenerator.com.

What is much more interesting in the image is the combined 51% of themes and plugins where things go wrong. More than half of all hacks are due to leaks in themes and plugins! Especially with inexperienced website builders and / or do-it-yourselfers, this is the spearhead of securing your WordPress website.

Secure your WordPress website

Now that we know why you need to properly secure your WordPress website and where it often goes wrong, we can more easily take action regarding the security of our websites. There are a number of things that make your website less susceptible to hackers, bots and other malware.

In no particular order the ways to secure your WordPress website.

1. Choose a strong password

Needs little explanation. Choose a fantastic password that you do not use for other accounts such as F a cebook , Twitter, etc. If you have trouble coming up with a password yourself, use the aforementioned password generator.

2. Work with a reliable hosting party

When looking for a good hosting partner, one tip is the golden tip: “Cheap is often expensive” . Those who want to sit in the front row for a dime should not be surprised if the hosting party does not take good measures to prevent hackers. Choose a renowned player on the market and do not save on costs!

3. Settings when installing WordPress

In our article about Installing WordPress manually, we already wrote that it is safer to install WordPress using FTP than installing WordPress automatically via, for example, the installer of the hosting party. This is partly due to the name of your database.

With an automatic installation, a standard database name such as’ wrdp1 ′ or ‘wp_’ will be chosen. Hackers are of course aware of this, which makes your site easier to crack. By giving your database a unique name, you prevent hackers from getting the name of your database as a gift.

Like the default database name, over 60% of website administrators choose the default ‘Admin’ mapping as the primary user (the administrator with all rights). This is also a gift that you just give away. A hacker now only needs to retrieve your password to enter. Choose a unique username and leave out the admin account.

Finally, in the settings we also have to deal with the wp-config.php file . This file contains information that improves the encryption of stored information. The code in the wp-config.php file looks like this:

define (‘AUTH_KEY’, ‘put your unique phrase here’);
define (‘SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define (‘LOGGED_IN_KEY’, ‘put your unique phrase here’);
define (‘NONCE_KEY’, ‘put your unique phrase here’);
define (‘AUTH_SALT’, ‘put your unique phrase here’);
define (‘SECURE_AUTH_SALT’, ‘put your unique phrase here’);
define (‘LOGGED_IN_SALT’, ‘put your unique phrase here’);
define (‘NONCE_SALT’, ‘put your unique phrase here’);

With the help of the WordPress “Salts and Keys generator” you can easily create a unique code that makes it easier for hackers to crack your password.

4. Use limit login

Various plugins can be downloaded from WordPress.org that ensure that you can only enter the wrong password a number of times before the account is temporarily blocked. Hackers use a “brute-force attack” to retrieve your password via a script. This script can enter thousands of usernames and password combinations per second, so there is a chance that the script will find the right combination at some point.

By using a plugin that only lets you enter the wrong password a few times, you prevent your WordPress Website from becoming a victim of a brute force attack.

5. Think carefully about what you decide to download

WordPress has acquired its charm thanks to the open character we described earlier in this article, but there is also the pitfall. It has already become clear that more than half of the hacks are caused by leaks in plugins and themes. To rule out any risk in its entirety, you can keep this rule to yourself:

DO NOT download anything from torrent websites or other websites that are not and / or appear to be legitimate.

The themes and / or plugins often contain (intentional) leaks in the code that give hackers access to your WordPress website. It is also true that not every developer is equally good in his field. Sometimes a script contains certain weaknesses that the creator did not intentionally make, but that this arose purely from ignorance. The chance that this is the case with themes or plugins of the ‘big boys’ is a lot smaller.

The official WordPress website, wordpress.org, is the place to go if you want to download any kind of reliable plugins. Whenever you decide to download, look for reviews from others and any updates.

Updates to plugins, themes and WordPress themselves often have to do with security issues. A theme or plugin that is regularly updated is of course better protected against external attacks, although regular updating does not of course give a 100% guarantee of optimal security of your WordPress website.

You should always keep in mind that, even on WordPress.org, the code does not actually check for security measures or any leaks.

6. File permissions

If you are logged in via FTP or DirectAdmin you can often give certain folders and files ‘permissions’. The file permissions that can be given are read, write and execute. The code 777 pretty much stands for ‘free access for everyone’ . When this code is given to a file or folder, every handy ‘user’ can do what he wants with the file.

For file permissions, use the values ​​that WordPress provides itself:

Folders and directories: 755 or 750
Files: 644 or 640
WP-config.php: 600
Don’t you understand what’s above? Please contact your hosting party to check what applies to you here.

7. The .htaccess file

With the .htaccess file you can protect your WordPress website even better. For example, you can deny access to the wp-config.php by placing the following code in the file:

<files wp-config.php>
order allow, deny
deny from all
</ files>

You can also choose to restrict access to the wp-admin to only one IP address by entering the following code in the file:

order deny, allow
allow from 123.456.7.8
deny from all

Of course you replace 123.456.7.8 with your own IP address.

8. Two-step verification

Those who use internet banking and / or digital services from government agencies (DigiD) are already familiar with this ‘new’ way of security. With ‘two step authentication’ you not only secure your login in the WordPress environment with a username and password, but you also receive a unique code via SMS. This sounds a bit cumbersome (every time you want to log in you will need to have your phone at hand), but this way your WordPress website is protected in one of the better ways against uninvited guests.

The must-have plugin can be found on WordPress.org: Google Authenticator.

9. Hide your WordPress version number

By hiding your WordPress version number, hackers do not know exactly which version of WordPress you are using and therefore do not really know where the weaknesses are. The version number can usually be found in about 3 to 4 places: ‘generator tag’ (part), Query strings (script or CSS files that show the version is also in thepart), in the automatic RSS feeds of WordPress (generator tag) and in the readme.html file.

The readme.html file is best removed via FTP. Keep in mind that with every update this file will be placed on your server again, so you will have to delete it every time.

To hide all other version numbers, the easiest solution is to put a piece of code in the functions.php file .

The code to put in the file is the following:

/ * Hide WP version strings from scripts and styles
* @return {string} $ src
* @filter script_loader_src
* @filter style_loader_src
* /
function fjarrett_remove_wp_version_strings ($ src) {
global $ wp_version;
parse_str (parse_url ($ src, PHP_URL_QUERY), $ query);
if (! empty ($ query [‘ver’]) && $ query [‘ver’] === $ wp_version) {
$ src = remove_query_arg (‘ver’, $ src);
return $ src;
add_filter (‘script_loader_src’, ‘fjarrett_remove_wp_version_strings’);
add_filter (‘style_loader_src’, ‘fjarrett_remove_wp_version_strings’);

/ * Hide WP version strings from generator meta tag * /
function wpmudev_remove_version () {
return ”;
add_filter (‘the_generator’, ‘wpmudev_remove_version’);

Adding this code to the functions.php file will hide the version numbers in all places within your website. Check this of course!

Additional tips

You should now know how to best protect your WordPress website against hackers, bots and other malware. The above ways to secure your WordPress website are all substantive tips, of course there are a number of things that make your website less susceptible to attacks from the outside.

With a little common sense, you will of course also understand that:

you should NEVER give your password to this-or-that
your computer should ALWAYS be well protected against viruses etc.
you NEVER have to log in to your WP environment from an unsecured network
you need to make regular backups
it is better not to e-mail your passwords, but for example to text better
if everything above is abracadabra for you, you better get the help of an expert