30 minutes to a secure WordPress blog

26. June 2017

WordPress is still the tool of choice, especially for newbies, to quickly create a respectable website.
All nice KlickiBunti, so without expertise 😉

Unfortunately, #InfoSec almost always falls by the wayside and the “admins” wonder about the new Russian language packs and additional AdminAccounts.

Securing a WordPress website is not rocket science, so in the following I will explain how to take the fun out of attackers in 30 minutes 😉

#1 Updates

Not a quarter goes by without an update for WordPress being released. In addition to performance and usability, security gaps are also patched. If you miss an important update, as many admins did in February 2017, you quickly have uninvited guests in the backend.

#2 Theme and plugin choice (updates)

If possible installed plugins and themes only directly from the WP backend, from the so-called repository. Similar to the Google, Microsoft or Apple Store, these are checked superficially. If you install software from other sources, there is always a risk of installing additional “features”.
Also pay attention to the update cycle of the desired theme or plugin. If a plugin doesn’t get any updates for 3 years, better leave it alone (see #1)

To do this, first identify a theme that you like and search for it on WordPress.

Then check the details for download numbers and timeliness. The more users a theme has, the more likely security vulnerabilities will be detected, reported, and fixed.

The same should be controlled for plugins.

#3 Security plugin

There are numerous security plugins for WordPress. I have chosen “iThemes Security”. All the operations that these plugins perform could also be done manually. However, the target audience of this post will be happy that we don’t start via putty and vi now 😉

After installing the plugin, important security settings are already set by default. Please enter a valid e-mail address here and activate the BruteForce protection so that you will be informed about possible security events in a timely manner.

Additional settings that can be activated without hesitation and increase the security of your blog:

  1. 404 detection
    Makes it harder for attackers to use automated tools.
  2. Absence mode
    If you are asleep (and other states are just starting), your backend does not need to be accessible.
  3. File change detection!
    If an attacker does successfully modify or add a file to your site, you will be notified immediately.
  4. Hide backend!
    Security tools first scan for default settings and search for “/wp-login.php”, for example, to find your login. With this setting it will be more difficult to find your login. Before you can activate these settings, you have to select in your WordPress settings (right under “Tools”) under Permalinks e.g. Post name. Then this function can be activated in iThemes.
  5. further optimizationSystem optimization:
    1. Non-English characters
    2. Long URL strings
    3. Suspicious query strings
    4. Search directories
    5. System filesWordPress optimization

    WordPress Optimization:

    1. Comment spam
    2. XML-RPC (usually deactivate according to the note)
    3. Login error messages
    4. Disable extra user archives

#4 Backups

Make backups after your first setup or after major changes. That means WordPress AND database.
This backup can save our lives in two situations.

  1. An update or incorrect configuration work destroy the site.
  2. An attacker has entered.

#5 The password

The most secure system won’t help if the credentials are bad (admin:password01?). Either you use a password manager (post to follow ) or you use my password help😉

#6 https

Invest the 20 euros a year for an SSL/TLS certificate. This has several advantages

  1. If your access data is not sent over the network in clear text.
  2. Does Google rank https pages better
  3. Does this look more professional to customers

At this point, any number of other measures and especially ServerSite security could be listed. However, these should be selected depending on a risk analysis. However, with the explained steps you can protect your blog from 90% of automated attacks or make life more difficult for attackers 😉 If you need further protection, if you use a lot of dynamic content or another or no CMS, don’t hesitate to contact me!

Have fun curing!



Similar posts

The best security measures are useless if weak credentials are chosen. This raises two essential questions, which I would like [...]

26. June 2017

We are safe because we have a virus scanner and a firewall! This statement is often the first to fall [...]

11. July 2017

Almost every day, users become victims of so-called phishing emails. Therefore, in this short post, I would like to point [...]

14. July 2017

Every day, millions of people become victims of cybercrime. These are usually not targeted by professional hackers, but fall victim [...]

3. October 2017