How to make your WordPress site secure

Lukas Dörr      Wordpress Hosting

We have already pointed out in some newsletters that some webspaces with WordPress installations have been hacked. Normally, the infection is detected within 12 hours (during the routine check of our anti-malware software) and the site is blocked. Your site will then be offline, but it will not be able to cause any further damage!

But hackers are also getting more and more resourceful and keep finding new ways to attack a WordPress site - even if it is just the simplest trick, "brute force".

Here are some points that won't make your site 100% safe, but can increase its security drastically:


1. Use the WordPress Toolkit with Plesk Hosting

With the WordPress Toolkit you not only get a 1-click installation of your own WordPress site, but also automatic updates and a "Security Advisor" that can secure your site against attacks like XSS, file poisoning and brute force. To do this, log into your Plesk account and select "WordPress" under your subscription. Click "Install WordPress" and in a few moments your site should be ready.


2. Use Plesk WP security features

Actually this is item 1.1, but since we wanted to make a small list and don't actually have that many items, it is now item 2.
If you have installed WordPress via the WP Toolkit, you can activate various measures under the "Security" item that will make it much harder for an attacker to attack the site. Our recommendation: activate all suggested points!


3. Use the Limit Login Attempts plugin

Unfortunately, WordPress does not provide a login limiter out of the box. This can make it extremely easy to figure out the password by guessing, which is called a brute force attack: the attacker simply tries as many passwords as possible at the login form. We talk about "brute force" when the attacker tries to enter a password hundreds to thousands of times per minute using a bot network. With the plugin you can set how many times a user can try before his IP address is blocked. Our recommendation: max. 3 attempts, then block for 1 year or longer.
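To show what a login limiter actually has to do, here is an added example (our own illustration, not code from the Limit Login Attempts plugin or from WordPress) that runs the same rule over a few constructed web-server access log lines: count failed POSTs to /wp-login.php per IP address inside a sliding time window and block the address once it reaches the limit. In a standard WordPress install a failed login re-renders the form with status 200, while a successful one redirects with 302, so only the 200 responses are counted. The IP addresses, timestamps and window length are made up for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Common/combined log format: client IP, timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample log: one bot hammering the login form, one legitimate
# user (GET the form, then a successful POST -> 302), and one slow guesser.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [10/Mar/2024:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [10/Mar/2024:14:02:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [10/Mar/2024:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.2 - - [10/Mar/2024:14:05:10 +0000] "GET /wp-login.php HTTP/1.1" 200 2901
198.51.100.2 - - [10/Mar/2024:14:05:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Mar/2024:14:06:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
192.0.2.9 - - [10/Mar/2024:15:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
192.0.2.9 - - [10/Mar/2024:16:45:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
192.0.2.9 - - [10/Mar/2024:17:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
"""


def find_brute_force(log_text, max_attempts=3, window=timedelta(minutes=10)):
    """Return {ip: ISO timestamp} for every IP that reached `max_attempts`
    failed logins within `window`. The timestamp is when the block triggers."""
    recent = defaultdict(list)   # ip -> timestamps of failures still inside the window
    blocked = {}
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        # Only POSTs to the login script are password attempts.
        if m["method"] != "POST" or m["path"].split("?")[0] != "/wp-login.php":
            continue
        # 302 means WordPress redirected after a successful login; 200 means the
        # form came back with an error, i.e. a failed attempt.
        if m["status"] != "200":
            continue
        ip = m["ip"]
        if ip in blocked:
            continue
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        attempts = [t for t in recent[ip] if ts - t < window]  # slide the window
        attempts.append(ts)
        recent[ip] = attempts
        if len(attempts) >= max_attempts:
            blocked[ip] = ts.isoformat()
    return blocked


if __name__ == "__main__":
    print("10-minute window:", find_brute_force(SAMPLE_LOG))
    print("1-day window:   ", find_brute_force(SAMPLE_LOG, window=timedelta(days=1)))
```

With the 10-minute window only the fast bot (203.0.113.7) is caught; the slow guesser spreads its four failures over three hours and stays under the limit. Widening the window to a day catches it too, which is why the plugin's lockout settings matter as much as the attempt count.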


4. Change the username and password from time to time

We have already seen cases where the attacker found out the username from the WordPress site itself. That gave him the opportunity to spam the owner with password reset e-mails. Therefore, you should change your username regularly, and of course the password.


5. Activate automatic backups in Plesk

We back up your site every half day, i.e. 2 times a day. However, you can (for your peace of mind) set up an additional automatic backup in Plesk under "Backup Manager". We recommend keeping enough backups to jump back at least 2-3 weeks, so that you can (maybe after a vacation) simply restore the last working state.


6. Use 2FA in Dashboard, Plesk and WordPress

We can't say it enough: sometimes even username and password as a combination are not enough. If the attacker has this info, it's easy to take over a WordPress site or your customer account. Two-factor authentication (2FA) puts up another hurdle: if the attacker does not have the 2FA code generator (e.g. Google Authenticator), he will not get access to your account. Therefore, our recommendation is to use 2FA wherever possible! For WordPress you can use e.g. Jetpack.
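To make clear why a stolen password alone is not enough, here is an added example (our own illustration, not code from Jetpack, Plesk or Google Authenticator) of the time-based one-time password scheme (TOTP, RFC 6238) that such code generators implement: the app and the server share a secret, each 30-second time step yields a fresh 6-digit code, and the server accepts a code only inside a small window and never twice. The shared secret below is the RFC 6238 test-vector key; everything else is assumed for the demonstration.

```python
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 6238 test vectors ("12345678901234567890"); a
# real server generates a random one per user and shows it to the app as base32.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a decimal code of `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """TOTP is HOTP with the counter derived from the clock: floor(time / step)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: float, last_counter: int = -1,
                window: int = 1, step: int = 30, digits: int = 6):
    """Return the time-step counter the code matched, or None.

    `window` allows +/- that many steps of clock drift between app and server.
    `last_counter` is the counter of the last accepted code; anything at or
    before it is refused so an intercepted code cannot be replayed."""
    if not (code.isdigit() and len(code) == digits):
        return None
    current = int(at_time) // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue
        # compare_digest avoids leaking the correct code through timing.
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def secret_for_authenticator(secret: bytes) -> str:
    """Authenticator apps take the secret as unpadded base32 (what the QR code carries)."""
    return base64.b32encode(secret).decode("ascii").rstrip("=")


if __name__ == "__main__":
    print("enrol this in the app:", secret_for_authenticator(RFC_TEST_SECRET))
    print("current code:", totp(RFC_TEST_SECRET, time.time()))
```

The point for the attacker in the paragraph above: even with the username and password, every code depends on the secret that lives only in the user's app, changes every 30 seconds, and is rejected once it has been used, so a password list or a single intercepted code does not get them in.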


There are many ways to secure your site from attacks - but be clear: there will never be a 100% secure method. We do our best by keeping our servers up to date, encrypting user data, using 2FA for everything, and of course backing up to multiple locations. But still, you must always remember: whoever has the motivation to attack you will try everything to succeed. If you have any questions, feel free to contact us!