WordPress Security for Experts
Firewall Block Bad Queries (BBQ)
BBQ is a super-fast firewall that automatically protects WordPress from attempts to execute malicious code via URL calls. The plugin is easy to install and does not require any further settings in the basic installation. By the way, it is also DSGVO compliant.
WordPress plugins and themes: Quality first
Plugins and WordPress themes from third-party vendors often have security holes if they are not up-to-date. This, of course, opens the door to hackers. Basically, only plugins that are useful and absolutely necessary should be installed. The more plugins are integrated in the WordPress installation, the greater the risk that compatibility problems will occur and that system failures will be inevitable.
Only plugins that are listed in the official WordPress directory should be used. With this you can be relatively sure that the registered plugin developers provide error-free plugins.
For WordPress themes it is also important to make sure that they are listed in the official WordPress theme directory: https://wordpress.org/themes/. This is especially true for free themes.
With paid themes and plugins (e.g. on Themeforest etc.) you can be pretty sure that you get quality products for your money. In most cases the developers also offer support.
Update WordPress Software
For a secure WordPress website the up-to-dateness of the installed WP software is a decisive factor. The update periods for the WordPress software are quite short. Several updates are offered per year. With most plugins and themes, these cycles are even shorter, so that over the year a large number of updates must be made in the WordPress installation.
The updates are particularly important because they usually close security gaps. Especially before larger updates a complete backup of the entire system should be made (files and database). In an emergency, the original data can always be accessed and the original installation can be restored.
In the dashboard of WordPress, updates are always displayed with a small hint. So you know immediately which plugin is ready for an update.
If your website is secured at shorter intervals, this is a good protection against hacker attacks. In this way, the website can be restored after infection or destruction by an emergency attack. For websites that are constantly updated, a daily backup should be performed. If the website is only occasionally updated with new content, then weekly or monthly backups are sufficient.
Backups can be performed manually. The data can be downloaded from the web server to the local computer via the FTP client (e.g. FileZilla). The database is saved via PHPMyAdmin in the customer account of the provider and also stored on the own computer.
Automatic backup with plugin
With a suitable backup plug-in such as BackWPup or UpdraftPlus, both the data and the database can be backed up in various formats and then saved locally on your own PC. However, it is also possible to save the download of the backups to your own dropbox or Google Cloud account.
Security of the admin area
What is especially important is that the admin area should be protected from hackers. With WordPress the login link is always: www.ihrewebsite.com/wp-admin or …/wp-login.php.
To rename the login URL, you can use the plugin “Rename wp-login.php”. This will completely isolate the login page.
There is another plugin for two-way authentication: “Google Authenticator”. This secures the login area in the form that in addition to the normal access data another code must be entered in the login form. However, you need an app for your smartphone which generates a new login code each time.
backup via .htaccess
Another security measure is the server-side protection of the “wp-login.php”. A .htaccess and .htpasswd file must be created here, provided you are hosting on an Apache web server.
Unfortunately, the use of most security plugins is no longer DSGVO compliant, as they record user data. Therefore we do not list these plugins here any more. In individual cases, however, it can also be checked whether the conformity still exists.
With the mentioned measures the own WordPress installation can be secured very well against hacker attacks. However, there is no 100% security. If your own website is really hacked, you have the current backup of your website always at hand and can thus put your website online again.
If you do not want to do these things yourself, we will be happy to help you implement these measures.