WordPress is extremely popular with hackers. Evaluations show that WordPress sites were hit the most by cyber attacks at over 74 percent. Joomla follows with about 17 percent and Magento with about 6 percent. Time to act and, above all, to optimally protect your WordPress site. These six tips will help you.
1. Always keep web applications up to date
Many WordPress installations are outdated, which gives hackers an easy way to exploit known security gaps. Since version 3.7, WordPress users no longer have to install updates manually but can let the automatic updater run in the background. If you want, you can deactivate the automatic update, but you should then regularly check for the current version manually.
2. Don’t forget to update the plugins
WordPress has many plugin options. On the one hand they are helpful, but some of them pose real security risks. There was a serious security gap in WordPress version 1.4.2 because adjustments could be made to the CMS settings; these served as preparation for hackers to upload scripts via the plugin. A short time later there was a hacker attack, but WordPress reacted quickly and made another update available to close the security gap.
Once hackers have successfully gained access to the website, they can access valuable information via the interfaces with email and other programs. To ensure maximum protection not only for your website but also for your visitors, you can intervene with advanced protection mechanisms. Office 365 Email Security, for example, offers complete protection for Microsoft cloud services. Not only is the information stored there backed up; with the help of the many additional features, malware and other malicious programs can also be detected, or individual filters can be set (e.g., for the subject or the sender address).
3. Back up databases and system files regularly
Once a WordPress website has been hacked, its appearance often changes, and restoring the previously designed template is only possible with great effort. In addition to an Office 365 email backup, the data, system files, and databases should also be backed up regularly. Thanks to intelligent storage tools, this can also be done automatically at intervals defined by the customer. WordPress offers its own plugin for this, which is equipped with the essential functions. If you want more storage convenience, individually adaptable tools are recommended. (Ask your hoster whether and which backups they provide for you.)
4. At least eight characters: The password should never be a weak point
Almost every WordPress site owner knows that a password should have at least eight characters, paired with special characters. However, the use of upper and lower case letters is still often neglected when creating them. The more difficult it is for cybercriminals to crack the password, the more secure your WordPress homepage is.
A sentence peppered with letters and special characters is ideal. For example, you can use several words about your pet or lines from your favorite song as a password. If you have a dog named Akyra, a safe entry phrase might be 1AkyraPlaysInTheSunAndHasFun!
5. Security also for guest books and forms
Hackers particularly like to target contact forms and guest books on WordPress sites. To do this, they launch automated attacks, for example to bring the server to its knees with large numbers of requests sent in quick succession.
You can protect yourself against this with Captcha queries. Several Captcha plugins are available for WordPress and can be integrated quickly. For example, reCaptcha is a free plugin that has been blocking spam for years.
6. Consciously assign rights
As the developer of the WordPress site, you have administrator rights. Configure these precisely to ensure access protection. As soon as several people work on your website, individual access management is required to prevent unwanted changes or malicious programs from being smuggled in. Optimizing the rights assigned to directories (preventing PHP file execution in the relevant directories is recommended) and files is essential for optimal protection. The time you invest in these settings is saved later when you do not have to repair damage caused by hacker attacks.
Why a regular WordPress backup is so important
There is probably a lot of work going into your WordPress website. Unfortunately, hackers, server problems, or incompatible plugins and themes can undo this work in a few seconds. This is why you should make regular backups of your WordPress website. Then, in an emergency, you can restore your project to its normal state within a short period of time.
What exactly does a WordPress backup include?
A complete backup of a WordPress site or WordPress webshop includes the database on the one hand and, on the other, all files that belong to the actual project; the files can easily be backed up via FTP, for example.
In an emergency, you can restore both the database backup and all saved files to the server – and your website will look as if nothing had ever happened.
Create a WordPress backup manually
For the manual backup of your WordPress project, you need two tools: on the one hand, a tool such as phpMyAdmin for administering the connected database, for relational systems such as MySQL; on the other hand, an FTP client like FileZilla to access the files on your web space and back them up.
Since the quickest and easiest way to back up the WordPress files is via the FTP client, you will need your FTP access data, which can be found in the contract documents or in your provider’s online account.
After the connection has been successfully established, copy all the files from your website to a folder (ideally with a unique name such as “WP-Backup”) on your local hard drive, an external storage medium (USB stick/hard drive, DVD/CD, etc.) or in the cloud. In this way, you also automatically create a backup of the plugins of your WordPress project (the same applies to themes, uploads, etc.).
Backing up the database also takes just a few steps. Typically, the program of your choice has an export function that allows you to export the data set in a wide variety of formats.
Store this export file alongside the project’s webspace files to complete your WordPress backup.
Restoring your website: importing the WordPress backup
The same applies to the recovery: Both the data records of the database and the general project files are required.
The usual administration tools offer import functions specifically for restoring the database.
All you have to do is specify the previously exported database file on your hard drive (or on another storage medium) to start the import, which usually only takes a few seconds.
Use the FTP client to upload the WordPress files and directories: simply copy them back into the web space, and thus onto your web server. Be careful not to change the directory structure.
Your WordPress website is now restored.
WordPress plugins for backups
WordPress backup plugins give you the ability to automate backups so you can sit back and relax after configuration. You can choose from various backup plugins for WordPress.
A popular and easy-to-use extension is BackWPup, for example, which you can install in your WordPress backend at any time using the Install Plugins function. The next steps with this practical WordPress backup helper are as follows:
After installation, go to the overview of your plugins and activate BackWPup.
A new menu item with the name of the WordPress backup plugin will now appear in your backend.
We recommend improving your WordPress security from the start
If you are in the process of creating a WordPress website, you should already pay attention to security during installation:
Choose an individual name for the admin account and an individual password for it. Do not let the username indicate that it is a user account with administrator rights. Hackers like to target the obvious admin account, as it is particularly attractive due to its unrestricted access rights.
You should also change the prefix of the database tables. By default, the prefix is “wp_”, so table names look like “wp_posts”. Replace “wp” with the project name or your own name, for example. This makes your website’s database harder for hackers to pin down.
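Changing the prefix on an existing site is more than a search-and-replace in wp-config.php. The following added example (not the page's own code) renames the tables and also fixes the two rows that store the prefix inside their keys; it assumes WordPress is loaded (for instance via `wp eval-file`), a fresh backup exists, and the new prefix `ky7_` is a placeholder:

```php
<?php
// Added example (not the page's own code): switch an existing site from the
// default "wp_" prefix to a custom one. Assumes it runs with WordPress loaded,
// e.g. via "wp eval-file rename-prefix.php", and that a full backup exists.
global $wpdb;
$old = 'wp_';
$new = 'ky7_';   // hypothetical new prefix: letters, digits and underscores only

// 1. Rename every table that carries the old prefix. esc_like() matters here:
//    "_" is a LIKE wildcard, so an unescaped "wp_" would also match "wpxposts".
$like   = $wpdb->esc_like( $old ) . '%';
$tables = $wpdb->get_col( $wpdb->prepare( 'SHOW TABLES LIKE %s', $like ) );
foreach ( $tables as $table ) {
    $renamed = $new . substr( $table, strlen( $old ) );
    $wpdb->query( "RENAME TABLE `{$table}` TO `{$renamed}`" );
}

// 2. The prefix is also stored inside two rows. If these keep the old prefix,
//    every user loses their role and nobody can log in after the change.
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$new}options` SET option_name = %s WHERE option_name = %s",
    $new . 'user_roles', $old . 'user_roles'
) );
$wpdb->query( $wpdb->prepare(
    "UPDATE `{$new}usermeta` SET meta_key = CONCAT(%s, SUBSTRING(meta_key, %d)) WHERE meta_key LIKE %s",
    $new, strlen( $old ) + 1, $like
) );

// 3. Finally, set $table_prefix = 'ky7_'; in wp-config.php so WordPress uses the new names.
```

Run it once, then update wp-config.php immediately; until both are done, the site cannot find its tables.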
Limit the number of incorrect login attempts
Everyone makes a typo or forgets their password. In such a case, it sometimes takes several attempts to log in. However, don’t give hackers the chance to perform a brute-force attack: tools try all possible combinations of username and password one after the other until the hackers gain access.
Set a limit on login attempts with a plugin to prevent brute-force attacks. After a number of login attempts specified by you, a new attempt is only possible after a waiting period. Most hackers hate waiting and prefer to try elsewhere in the meantime.
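If you prefer to see what such a plugin does under the hood, here is an added example (not the page's or any plugin's own code) of a minimal must-use plugin that enforces the waiting period with WordPress's own hooks and transients; the limit of five attempts, the 15-minute window, and the use of `REMOTE_ADDR` as the client address are assumptions:

```php
<?php
/**
 * Plugin Name: Simple Login Limiter (added example, not the page's own code)
 * Place in wp-content/mu-plugins/. Assumptions: 5 failed logins per client IP
 * and username within 15 minutes lock that pair out for 15 minutes.
 */
const SLL_MAX_ATTEMPTS = 5;
const SLL_WINDOW       = 15 * MINUTE_IN_SECONDS; // MINUTE_IN_SECONDS is defined by WordPress

function sll_key( $username ) {
    // Key the counter on IP and username so an attacker cannot lock out a
    // user from another address. REMOTE_ADDR is only correct without a
    // proxy/CDN in front; otherwise use the header your hoster marks as trusted.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'sll_' . md5( $ip . '|' . strtolower( $username ) );
}

// Priority 30 runs after WordPress's own username/password check (priority 20),
// so a correct password still fails while the lockout is active.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    $attempts = (int) get_transient( sll_key( $username ) );
    if ( $attempts >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', __( 'Too many failed logins. Please wait and try again later.' ) );
    }
    return $user;
}, 30, 3 );

// Count every failure. The transient expires after the window, which is the
// waiting period; attempts made during the lockout restart that period.
add_action( 'wp_login_failed', function ( $username ) {
    $key      = sll_key( $username );
    $attempts = (int) get_transient( $key ) + 1;
    set_transient( $key, $attempts, SLL_WINDOW );
    if ( $attempts >= SLL_MAX_ATTEMPTS ) {
        // Log the lockout so repeated brute-force attempts are visible in the server log.
        error_log( sprintf( 'WordPress login lockout for "%s" from %s', $username, $_SERVER['REMOTE_ADDR'] ?? '?' ) );
    }
} );

// A successful login clears the counter for that IP/username pair.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( sll_key( $user_login ) );
} );
```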
Always keep WordPress up to date
There is hardly any software that is bug-free, and WordPress is no exception. New vulnerabilities are discovered time and again, but the vulnerabilities found are always closed.
To benefit from these bug fixes and eliminate the WordPress security gaps as quickly as possible, you should regularly install the latest version of WordPress and the plugins and themes used. You will be notified in the backend when a new update is available.
WordPress update: Here’s how you can do it
Don’t know which WordPress version you’re currently using? If you click on Dashboard in the backend and then on Home, you will find a box in the left column labeled “At a glance”. There you will find the current WordPress version as well as the number of pages, posts, and comments on your site. If you don’t see the box, click Customize View on the far right of the Dashboard tab. A button then appears on which you can flexibly select or hide the individual components of the page. Check the At a glance box, so you always have an overview of your current WordPress version.
Automatic WordPress updates
WordPress has been running automatic updates since version 3.7, at least when it comes to so-called minor versions. In this way, the WordPress developers can react more flexibly to any security gaps, even retrospectively for older versions if they were already affected by the problem. It is therefore important for the security and functionality of your website that the automatic update of your WordPress version works smoothly. Otherwise, there is a risk of annoying bugs or security gaps that can lead to the loss of your data.
However, sometimes an automatic WordPress update cannot be carried out. This is the case, for example, if the corresponding setting or version control is deactivated, or if the server does not allow secure communication with WordPress. So be sure to check the settings made in the backend.
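The settings that tip 1 and this section refer to live in wp-config.php and in filters. The following added example (not the page's own code) shows the constants with the weak and the recommended value side by side, extends automatic updates to plugins and themes, and adds a small diagnostic that reports the usual reasons for the background updater staying silent; the file split and the function name are assumptions:

```php
<?php
// Added example, not the page's own code. Two parts: the wp-config.php constants
// that control background updates, and a diagnostic to run with WordPress loaded
// (e.g. "wp eval 'print_r( auto_update_diagnostics() );'").

// --- wp-config.php ---
// 'minor' installs security and maintenance releases only (the behaviour the
// page describes since 3.7); true also installs major releases; false turns
// core auto-updates off.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
// Weak setting: this disables every background update, core and plugins alike.
// Only set it if you patch by hand on a fixed schedule.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );

// --- wp-content/mu-plugins/auto-updates.php ---
// Tip 2 asks for up-to-date plugins: let WordPress update plugins and themes too.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Reports the conditions under which WordPress skips automatic updates.
function auto_update_diagnostics() {
    require_once ABSPATH . 'wp-admin/includes/class-wp-automatic-updater.php';
    $updater = new WP_Automatic_Updater();
    return array(
        // AUTOMATIC_UPDATER_DISABLED or the 'automatic_updater_disabled' filter
        'updater_disabled'  => $updater->is_disabled(),
        // DISALLOW_FILE_MODS blocks all file changes, including updates
        'file_mods_blocked' => defined( 'DISALLOW_FILE_MODS' ) && DISALLOW_FILE_MODS,
        // a .git/.svn/.hg checkout in the install path also disables updates
        'vcs_checkout'      => $updater->is_vcs_checkout( ABSPATH ),
        // the "secure communication" the text mentions: HTTPS to api.wordpress.org
        'ssl_supported'     => wp_http_supports( array( 'ssl' ) ),
        'core_setting'      => defined( 'WP_AUTO_UPDATE_CORE' ) ? WP_AUTO_UPDATE_CORE : 'minor',
    );
}
```

If `updater_disabled`, `file_mods_blocked` or `vcs_checkout` is true, or `ssl_supported` is false, the backend will show updates but not install them on its own.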
We hope that this article was helpful to you and that you now understand how to secure your WordPress site as well as possible. Now all you have to do is apply the above tips to your website and increase security.
Feel free to check the rest of our articles on our blog or watch Kubio tutorials on Youtube.