Picture Courtesy of Yuri Samoilov

How to secure WordPress: Hardening Quick Tips

WordPress security is definitely important if you are running commercial websites!

The best way to begin securing your WordPress installation is to be aware of known security issues and the best practices for fixing them. The first step would be to look at the WP Codex for security tips.

How to secure WordPress

From my experience, I can say that brute force attacks are very common. Brute force means that someone tries to access your admin dashboard by guessing your login credentials. Most of the time this is done by scripts that can make hundreds or even thousands of guesses a second. So never use easy passwords and never use «admin» as your username! A good way to get secure passwords is to use the random.org password generator.

If you want to delete the default user admin, simply add a new admin user with a strong password and a non-default username. Then delete the default admin user and transfer all posts to your new user.

Next you should limit the login attempts. Brute force is very successful when there is no limit on the number of tries. There is a very handy plugin that helps you limit the login attempts.

Secure WordPress by hardening 3rd party scripts

A known vulnerability is TimThumb.php. This issue has been known for years (see Sucuri’s blog), but as a lot of plugins use that script, chances are that the version of TimThumb in one of them is outdated. You can easily check whether you are using an outdated version of TimThumb with this vulnerability scanner.

Monitor your system and check your WordPress security regularly

Of course you should care about backups. But you should also monitor changes in your file system. This way you can find out which backup is still safe to restore. A recommended plugin for monitoring (if you don’t use git or other version control tools) is Better WP Security. But be careful when setting up this plugin: some security settings might not be compatible with other plugins’ requirements.
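To make the file-monitoring advice concrete, here is an added example (not code from this post or from the Better WP Security plugin): a minimal integrity check that hashes every file under the WordPress root, stores the result as a baseline, and on later runs reports added, removed and modified files, so you can tell which backup predates an unwanted change. The skipped directories and the baseline file location are my assumptions; adjust them to your site.

```python
import hashlib
import json
import os
import sys
from pathlib import Path

# Directories that legitimately change at runtime (assumption: uploads and cache);
# hashing them would only bury real changes in noise.
SKIP_DIRS = {"wp-content/uploads", "wp-content/cache"}


def build_baseline(root):
    """Return {relative_path: sha256_hex} for every regular file under root."""
    root = Path(root)
    snapshot = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if any(rel == d or rel.startswith(d + "/") for d in SKIP_DIRS):
            continue
        digest = hashlib.sha256()
        with path.open("rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        snapshot[rel] = digest.hexdigest()
    return snapshot


def compare(baseline, current):
    """Classify the differences between a stored baseline and a fresh snapshot."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
    }


def save_baseline(snapshot, store):
    # Keep the store outside the web root; an attacker who can edit PHP files
    # could otherwise rewrite the baseline too.
    Path(store).write_text(json.dumps(snapshot, indent=1, sort_keys=True))


def load_baseline(store):
    return json.loads(Path(store).read_text())


if __name__ == "__main__":
    wp_root, store = sys.argv[1], sys.argv[2]  # e.g. /var/www/html /root/wp-baseline.json
    current = build_baseline(wp_root)
    if os.path.exists(store):
        for kind, files in compare(load_baseline(store), current).items():
            for f in files:
                print(f"{kind}: {f}")
    else:
        save_baseline(current, store)
        print(f"baseline written: {len(current)} files")
```

Run it once right after a clean install or a verified restore to write the baseline, then from cron; any line it prints is a file you did not change yourself or a plugin update you should be able to account for.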

Conclusion for securing WordPress

Be aware that no website is 100% secure. But if you use WordPress, like 15% of the world’s websites do, then it’s a good idea to be more secure than most of them. Brute force is really a problem these days, and if you use WordPress for any commercial reason, you should have backups and file monitoring in place. Another good idea is to install WordPress manually and not via your hoster’s script like Fantastico Deluxe or something similar. Always use new salt keys for new WordPress installations (the link to the generator is inside your wp-config.php file) and never ever use «admin» or «administrator» as your default admin username.

I hope that these quick tips on how to secure WordPress help you become aware that there are real security issues. Most issues are regularly fixed by the WordPress core developer team, so update both WordPress core and plugins and keep the tips above in mind.
