How do I protect my WordPress website

Improve the security of your WordPress site

WordPress is the most widely used CMS in the world; currently around 25% of all websites are based on WordPress. Because of that popularity it is also a favourite target for hackers. We therefore recommend that you improve the security of your WordPress website in order to minimize the risk of being hacked.

Always update
Remove unused plugins and themes
Protect your wp-admin folder with a password
Create a custom admin username
Disable running PHP code in your upload directory

Always update

Some WordPress updates are security fixes for vulnerabilities that could otherwise be exploited by hackers, so it is very important to install them as soon as possible. You can update directly from your WordPress administration. If you no longer have access to it, you can update manually.

Why you should always keep WordPress up to date
Update WordPress manually

It is also important that you check for updates for all of your installed plugins and themes. Remove all plugins and themes that you are not using; you can reinstall them later if you need them.

Tip: If it is too much effort for you to update everything manually, you can install the so-called Easy Updates Manager plugin, which manages all your WordPress updates for you.

Remove unused plugins and themes

Every plugin and theme you use is a potential security risk, so the fewer you have installed, the better.

We advise you to delete all unused themes, with the exception of the standard themes (2017, 2018, etc.). The same applies to plugins that are not required.

Make sure that you remove any old WordPress installations that you may have on your web space, perhaps for testing or as a backup. These are prone to hacks.

Tip: Only install plugins and themes from trustworthy sources. When you find a free version of a theme that you normally have to pay for, it often comes with "free" malware.

Protect your wp-admin folder with a password

Another way to ward off hackers is to protect your wp-admin folder with a password. This adds a further level of security in front of your WordPress administration.

Take a look at our instructions on how to protect your website with a .htaccess file. Make sure, however, that you only protect the wp-admin folder and not your entire site, otherwise your website will not be accessible.

How can I protect my website with a password?
Note: If you already have a .htaccess file in your wp-admin folder, paste the code you created into the existing file. Do not replace its existing contents.

Create a custom admin username

Hackers often try to gain access to your WordPress administration through so-called brute force attacks: bots try to log in with millions of different username and password combinations. To make your login details as hard to guess as possible, we recommend that you create a unique username instead of the default "admin".

You can change your admin username in phpMyAdmin, in the wp_users table. Please have a look at our instructions on how to access the database.

How do I access the database with phpMyAdmin?

As soon as you are logged in:

  1. Find the table named wp_users (depending on your table prefix it may have another name, such as 0_users).
  2. Find the row with the admin username and click Edit.
  3. In the user_login row, enter the new username in the Value field.
  4. Click Go to save the change.

Tip: There are also plugins that can help you increase your security. We recommend Wordfence Security or iThemes Security.

Disable running PHP code in your upload directory

If you have installed WordPress manually, we recommend that you disable the execution of PHP code in your upload directory. If you've used our 1-click installer, this is disabled by default.

PHP backdoors are usually found in the upload directory. From there, the malware spreads to other areas of your site. You cannot prevent such a backdoor from being uploaded to your web space, but by disabling the execution of PHP code you prevent the malware from being run and spreading on your site.

Add the following to a .htaccess file in your upload directory (wp-content/uploads):

# Block executables: deny access to PHP files so they cannot be run
<Files *.php>
deny from all
</Files>

# Block javascript except for visualcomposer (VC) plugin
RewriteEngine On
RewriteCond %{REQUEST_URI} !^.*wp-content/uploads/visualcomposer-assets/.*\.js$
RewriteRule ^(.*\.js)$ - [F,L]
Note: If you already have a .htaccess file on your web space, you don't need to create a new one. Instead, you can edit the existing file.
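To check that this recommendation is actually in place on an existing installation, here is an added shell script (not part of this article or of the hosting panel) that audits wp-content/uploads for a PHP-blocking .htaccess and lists any PHP files that have ended up there. The function names and the <Files *.php> form it looks for are assumptions of this example.

```shell
#!/bin/sh
# Audits a WordPress uploads directory for the two points above: an
# .htaccess that blocks PHP execution, and no stray PHP files (the usual
# backdoor location). Function names and the <Files *.php> form are this
# example's own assumptions, not from the article.

# Returns 0 if "$1/.htaccess" denies PHP files, 1 otherwise. Accepts the
# Apache 2.2 "deny from all" and Apache 2.4 "Require all denied" forms.
uploads_htaccess_blocks_php() {
    dir="$1"
    [ -f "$dir/.htaccess" ] || return 1
    grep -qiE '<Files(Match)?[^>]*php' "$dir/.htaccess" || return 1
    grep -qiE '^[[:space:]]*(deny from all|Require all denied)' "$dir/.htaccess" || return 1
    return 0
}

# Lists PHP-like files under "$1" (extensions some servers also hand to the
# PHP interpreter). Returns 0 if none were found, 1 if the list is non-empty.
find_php_in_uploads() {
    dir="$1"
    found=$(find "$dir" -type f \( -iname '*.php' -o -iname '*.phtml' \
            -o -iname '*.php[0-9]' -o -iname '*.phar' \) 2>/dev/null)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Runs both checks against a WordPress root directory and prints a report.
# Return value is the number of failed checks (0 = both recommendations hold).
audit_uploads() {
    uploads="$1/wp-content/uploads"
    failures=0
    if uploads_htaccess_blocks_php "$uploads"; then
        echo "OK   .htaccess in uploads blocks PHP execution"
    else
        echo "FAIL no PHP-blocking .htaccess in $uploads"
        failures=$((failures + 1))
    fi
    if find_php_in_uploads "$uploads" >/dev/null; then
        echo "OK   no PHP files in uploads"
    else
        echo "WARN PHP files present in uploads, review them:"
        find_php_in_uploads "$uploads"
        failures=$((failures + 1))
    fi
    return $failures
}
```

Run it as `audit_uploads /path/to/wordpress`; any PHP file it lists in uploads deserves a look even when the .htaccess rule is in place, since the rule only stops the file from being executed, not from being there.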

Related articles:

Change your WordPress password in the database
Which SiteLock package should I choose?