Securing WordPress Hosting

In the last article WordPress Hosting, we introduced the popular content management system and discussed the technical requirements for WordPress hosting as well as the installation process. This article now focuses on the subsequent question of how to effectively protect your own WordPress hosting from unauthorized access.

WordPress is the most widely used content management system worldwide. However, due to its high prevalence, WordPress is also a particularly popular target for hackers seeking unauthorized access to data and spreading malware. Especially as the visibility of your website increases, disgruntled competitors or troublemakers can pose an increasing threat to data security. Attackers typically attempt to gain access to the administration area in order to install malware. They search for vulnerabilities in the core installation or in additional plugins. Many users are not aware of this or do not want to seriously engage with the topic of WordPress and security, leading to important areas being inadequately protected, the use of simple passwords, or the entire system not being kept up to date. All these factors make it easy for attackers to compromise the system.

We have compiled the 6 most important points for you on how to protect your WordPress hosting from unauthorized access:

1. Keeping WordPress Hosting Up to Date

The WordPress software is regularly updated, with a new version released almost every month. These updates not only bring new features and bug fixes but also patch known security vulnerabilities. Users of WordPress typically do not just use the basic standard installation but also extend it with a custom theme and various plugins. The same applies to these extensions as it does for WordPress itself. To minimize the attack surface for hackers and bots, the entire system should always be kept up to date. Available updates are clearly displayed in the administration area and can be applied directly from there by logging in. For those managing a large number of websites and not logging into each installation regularly, tools like the WP Updates Notifier plugin can be used. The plugin automatically sends an email notification to the administrator when new updates are available.

2. Unique Username and Secure Password

One very simple yet extremely effective method to protect against attacks is to choose an individual username and set a secure password. By default, login usernames for administration interfaces are usually Administrator, Admin, or Root. Hackers take advantage of this fact by attempting to gain access to the system through so-called brute force attacks. They use known usernames and simply try different passwords based on dictionary lists. By using an individual username instead, not only does the password need to be cracked, but also all possible combinations of usernames need to be tried. In this context, it should be emphasised how important a secure password is. A large number of users prefer easy-to-remember character combinations, often simply using 123456 or their own first name as a password. Such character strings can be quickly discovered and cracked using dictionary lists. A truly secure password should be at least 12 characters long and consist of numbers, letters, and special characters.

3. Change WordPress Table Prefix

Some attacks target vulnerabilities in the database directly, known as SQL injections. Hackers attempt to gain access to the database in order to inject their own commands that can cause damage. WordPress uses the default table prefix wp_ in the database, making attacks particularly focused on this table prefix. Renaming it to an individual name like up2uwp_ can enhance security. The easiest way to make this change is during the installation of WordPress; afterwards, changing the table prefix can only be done painstakingly via the wp-config.php file.

4. Use Encrypted Connections

Data, including the WordPress installation, is uploaded to the webspace via FTP connection. It is crucial to ensure encrypted transmission. Web hosting providers generally allow secure connections via the SFTP protocol. Some web hosting plans also offer the option to use FTP over SSH. Especially for those working in public Wi-Fi networks, protecting access credentials in this way from unauthorized access is important. It is also recommended to use an SSL certificate for the entire webspace. This encrypts every connection between the browser and WordPress, including access to the admin login, ensuring secure transmission.

5. Activate Password Protection via .htaccess

Most web hosts use an Apache web server on their servers. This supports the use of .htaccess configuration files, allowing for the implementation of custom functions such as measures to protect access to directories. For example, public access to the administration area of a WordPress installation can be completely blocked. To achieve this, simply enable the function in the .htaccess file and place a corresponding .htpasswd file with a password and username in the directory. For specific questions about implementation, your own web hosting provider can assist, and often this setting can also be conveniently adjusted through the web space management interface.

6. Be cautious with WordPress Plugins

Due to the ease with which WordPress functionality can be extended using plugins, many users install numerous plugins for various functions. However, the more extensions in use, the more surface area is exposed to hackers. Since anyone with programming knowledge can develop and publish their own WordPress add-ons, it cannot be ruled out that errors in the code may introduce security vulnerabilities. Especially users without technical knowledge may not understand what the plugins actually do in the background. Therefore, it is important to firstly check if the extension comes from a trusted source before using it. This can be done, for example, by verifying if a well-known programmer is behind the plugin and if experienced users have reviewed the source code and published a rating. Secondly, only essential plugins should be used. Just like with a personal computer, there are numerous plugins available for WordPress that promise increased security or faster access times, but often do more harm than good. Only a few plugins have proven to be truly helpful. These include, for example, Limit Login Attempts, for limiting failed login attempts, or WP Anti Virus as a website antivirus scanner.