How to Improve WordPress Security Before Release

Published by Rhein-Ruhr-Informatik on

WordPress is a popular CMS, making it an attractive target for attackers. Before releasing a website, security measures should be implemented to protect against vulnerabilities and hacker attacks. The main steps are outlined below.

1. Update WordPress and Plugins

  • Keep WordPress, themes, and plugins updated.
  • Remove unused or outdated plugins and themes.
  • Use only verified plugins from the official repository.

2. Restrict Access to wp-admin and wp-login.php

Rename wp-admin and wp-login.php

The default login pages (/wp-admin and /wp-login.php) make the site vulnerable to brute-force attacks.

How to Change the Login Page URL?

  • Using a Plugin (WPS Hide Login)
    • Install the plugin and set a new URL (e.g. /secure-login).
  • Using .htaccess (for Apache)
# Redirect requests for the default login page to the new URL
# (the new URL itself still has to be served, e.g. by the plugin above)
RewriteEngine On
RewriteCond %{REQUEST_URI} ^/wp-login\.php$ [NC]
RewriteRule ^(.*)$ /secure-login [R=301,L]
  • Protect wp-login.php with Basic Authentication
# Second password prompt in front of the WordPress login form
<FilesMatch "wp-login\.php">
   AuthType Basic
   AuthName "Restricted Access"
   AuthUserFile /etc/apache2/.htpasswd
   Require valid-user
</FilesMatch>

Restrict Access to wp-admin for Specific IPs

To allow only certain IP addresses to access wp-admin, create a .htaccess file inside the wp-admin directory with the following rules (a <Directory> block is only valid in the main server configuration and causes a server error when placed in .htaccess):

# wp-admin/.htaccess (Apache 2.2 syntax; on Apache 2.4 use "Require ip ..." instead)
Order Deny,Allow
Deny from all
Allow from 192.168.1.100 203.0.113.5

# admin-ajax.php is also called from the public front end by many themes and
# plugins, so keep it reachable
<Files admin-ajax.php>
    Order Allow,Deny
    Allow from all
</Files>

Replace 192.168.1.100 and 203.0.113.5 with your actual IP addresses.

3. Disable xmlrpc.php

The xmlrpc.php file is used for remote management but is often targeted in attacks.

How to Disable It?

  • Using .htaccess
<Files xmlrpc.php>
   # Apache 2.2 syntax; on Apache 2.4 use "Require all denied"
   Order Deny,Allow
   Deny from all
</Files>
  • Using a Plugin
    • Install the Disable XML-RPC plugin and activate it.

4. Protect wp-content/uploads/

The directory wp-content/uploads/ contains uploaded files and should not execute scripts.

Block PHP Execution in the uploads directory

Create or edit .htaccess in wp-content/uploads/:

# Refuse to serve any .php file from the uploads tree
# (Apache 2.2 syntax; on Apache 2.4 use "Require all denied")
<FilesMatch ".*\.php$">
    Order Deny,Allow
    Deny from all
</FilesMatch>

Check file accessibility: PHP files in uploads will no longer be served, let alone executed.
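To confirm that the lockdowns from sections 2 to 4 are actually in effect after deployment, the following script (an added example, not code from the original post) requests each hardened path of your own site and compares the HTTP status with what the .htaccess rules should produce. The base URL, the allowed status codes and the probe file name are assumptions; adjust them to your configuration.

```python
"""Check that the login, XML-RPC and uploads lockdowns above are in effect.
Added example, not the original post's code: one GET per hardened path,
comparing the status with what the .htaccess rules should produce.
The base URL and the expected codes are assumptions."""
import urllib.error
import urllib.request

# Paths hardened in sections 2 to 4 and the status each may now return:
# 403 = blocked by Deny/Require, 401 = Basic Auth challenge, 301 = rewrite.
# probe.php is a constructed name; a 404 only proves it is absent, so place
# a harmless probe file in uploads yourself for a conclusive 403.
EXPECTED = {
    "/xmlrpc.php": (403,),
    "/wp-login.php": (301, 401, 403),
    "/wp-admin/": (401, 403),
    "/wp-content/uploads/probe.php": (403, 404),
}

class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a 3xx as a status code instead of following it."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None

def http_status(url, timeout=5.0):
    """GET the URL and return its HTTP status code (redirects not followed)."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "hardening-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 3xx, 4xx and 5xx all arrive here

def verify_hardening(base_url, fetch=http_status):
    """Return one finding per path whose status is not in its allowed set."""
    findings = []
    for path, allowed in EXPECTED.items():
        code = fetch(base_url.rstrip("/") + path)
        if code not in allowed:
            findings.append(f"{path}: got {code}, expected one of {allowed}")
    return findings

if __name__ == "__main__":
    import sys
    site = sys.argv[1] if len(sys.argv) > 1 else "https://example.com"  # placeholder
    print("\n".join(verify_hardening(site)) or "all hardened paths are locked down")
```

Run it as `python3 check_hardening.py https://your-site.example` once the rules are deployed; an empty finding list means every hardened path is refused as intended.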

5. Change the admin Username

The default admin user is a common target for attacks.

How to Change It?

  1. Create a new administrator account (Users → Add New).
  2. Log out and log in with the new account.
  3. Delete the admin user (reassign its posts to another user when prompted).

6. Limit Login Attempts

Install the Limit Login Attempts Reloaded plugin to limit failed login attempts.

7. Enforce HTTPS

Ensure the website runs over HTTPS by installing a TLS (SSL) certificate and redirecting all HTTP requests to HTTPS.

8. Use Cloudflare WAF

Enable the Cloudflare Web Application Firewall (WAF) to block attacks such as SQL injection and XSS before they reach the site.

Conclusion

Implementing these steps will significantly improve WordPress security before release.
