Securing WordPress: Essential Steps

Practical tips for hardening WordPress installations against common attacks.

WordPress Security – A Practical Guide

WordPress is the world's most popular CMS – and therefore a popular target for attackers. Here are the most important steps to secure your installation.

1. Updates, Updates, Updates

The most important point: Keep WordPress, themes and plugins up to date. Most successful attacks exploit known vulnerabilities in outdated software.

  • Enable automatic updates for minor versions
  • Regularly check plugins and delete unused ones
  • Remove themes that are not active

2. Strong Credentials

  • Don't use the username admin
  • Strong passwords with at least 16 characters
  • Enable Two-Factor Authentication (2FA)
  • Limit login attempts

3. File Permissions

Set correct permissions on the server:

BASH
# Directories: 755
find /var/www/html -type d -exec chmod 755 {} \;

# Files: 644
find /var/www/html -type f -exec chmod 644 {} \;

# wp-config.php: extra protection (owner read/write only)
chmod 600 /var/www/html/wp-config.php
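Setting permissions once is not enough; plugin installs, uploads and manual edits drift away from the policy over time. The script below is an added example, not part of the original post: it audits a document root against the policy above (directories 755, files 644, wp-config.php 600 directly under the root) and can re-apply it. It assumes a stock layout and does not check file ownership, which is a separate question.

```bash
#!/bin/sh
# Added example: audit and enforce the permission policy from the post.
# Assumes a stock layout with wp-config.php directly under the document root.
# Ownership (which user runs PHP) is not checked here.

# Print one line per path that deviates from the policy; prints nothing when clean.
wp_perm_audit() {
    root="$1"
    find "$root" -type d ! -perm 755 -print | sed 's/^/DIR  not 755: /'
    find "$root" -type f ! -name wp-config.php ! -perm 644 -print \
        | sed 's/^/FILE not 644: /'
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" ! -perm 600 -print | sed 's/^/CONF not 600: /'
    fi
}

# Enforce the policy with the same commands as the post; wp-config.php last.
wp_perm_apply() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} \;
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Usage: wp_perm_audit /var/www/html    (run from cron and alert on any output)
#        wp_perm_apply /var/www/html    (after a plugin install or manual edit)
```

Running the audit from cron and alerting on non-empty output turns the one-off chmod into a continuous check.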

4. Secure wp-config.php

Important settings in wp-config.php:

PHP
// Disable file editor in admin
define('DISALLOW_FILE_EDIT', true);

// Disable debug mode on production
define('WP_DEBUG', false);

// Regularly regenerate security keys
// https://api.wordpress.org/secret-key/1.1/salt/

5. HTTP Security Headers

Important headers in .htaccess or server configuration:

APACHE
Header set X-Content-Type-Options "nosniff"
Header set X-Frame-Options "SAMEORIGIN"
# X-XSS-Protection is ignored by current browsers; it is harmless but adds no protection
Header set X-XSS-Protection "1; mode=block"
Header set Referrer-Policy "strict-origin-when-cross-origin"
Header set Permissions-Policy "camera=(), microphone=(), geolocation=()"

6. Regular Backups

No security concept is complete without backups:

  • Daily database backups
  • Weekly full backups
  • Store backups at an external location
  • Regularly test the recovery process

7. Disable XML-RPC

If not needed, disable XML-RPC completely:

APACHE
# .htaccess (Apache 2.2 syntax; on 2.4 this needs mod_access_compat,
# or use "Require all denied" instead of the two lines below)
<Files xmlrpc.php>
    Order Deny,Allow
    Deny from all
</Files>

Conclusion

WordPress security is not a one-time project but an ongoing process. The measures listed here form a solid foundation. For business-critical sites, I additionally recommend regular security audits.