WordPress is the most popular blogging platform in the world and this, unfortunately, means that it is a massive target for hackers and crackers.
The good news is that while security flaws in WordPress are found quite quickly by hackers, they are also patched very quickly. The free and open source nature of the system means that there are tens of thousands of people looking at the code and those people will do everything they can to improve the security of the blogging platform.
Even so, you cannot rely on other people to keep your site secure. There are a lot of things that you should be doing as a webmaster to try to make your site more robust.
Choose a Sensible Username
The most obvious attack vector for WordPress is brute force attacks. If your username is ‘admin’ and you have a simple password, then it is only a matter of time before your site gets hacked. Change the username to something that is not easy to guess and use a password that you have never used on other websites.
Remove the Installation Folder
WordPress will alert you if you have forgotten to remove the installation folder. It is good practice to completely delete it from the server.
Update Your Plugins and the Site Itself
Whenever there is an update for WordPress, install it. Also, update plugins whenever updates are offered. This is particularly important for point releases – you may not want to make the leap to the absolute newest version of WordPress, but point releases tend to include a lot of important security updates so they are worth having.
If your host allows you to disable FTP when it is not needed, do so. Then log in to your hosting panel and re-enable it when you need to use the feature. This removes another popular attack vector and acts as a nice layer of additional security.
Use Security Plugins
There are a lot of useful security plugins that can make your WordPress site a little more robust and secure. iThemes Security is a good one, as is the All in One WP Security plugin. These work by restricting access to privileged features at the hosting level before WordPress even processes the requests.
Another useful ‘firewall’ for WordPress is Wordfence. This is a firewall that will filter attacks while WordPress is loading, but before the site has had a chance to fully process them.
If you have access to the server itself then you may want to install a web firewall that will filter content before WordPress even tries to load. ModSecurity is the most common way of filtering requests. Installing and configuring this can be challenging, however, so you should only try it if you are confident. It is very easy to set up rules that are too aggressive, with the result that legitimate visitors are blocked from getting to your site.
Third Party Services
To protect your website from denial of service attacks, you should look at installing the free Cloudflare plugin and setting up an account with the Cloudflare CDN service. This will allow you to take advantage of their cloud-based content delivery network features, which include global caching, denial of service protection, and even the ability to load a cached version of your site if the main version is unreachable. This means that no matter where in the world a user is or how much traffic your site is getting, they will still get a smooth and enjoyable end-user experience and you will save bandwidth, too.
Keeping up with WordPress updates can be challenging, but that is the trade-off for the ease of use. Make it a point to check your sites all the time, and if you have cPanel, check the files there and become familiar with what should be there so that you can see if any files have been added.
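One way to automate the file check described above is to record a baseline of the site's files and compare against it later. This is an added example, not code from the original article; the function names and the list of executable extensions are assumptions chosen for illustration.

```python
import hashlib, json, os, sys

EXEC_EXT = (".php", ".phtml", ".phar")  # assumed list of extensions the server may execute

def snapshot(root):
    """Map each file path (relative to root) to the SHA-256 of its contents."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                data = os.readlink(full).encode()  # hash the target name, do not follow
            else:
                with open(full, "rb") as fh:
                    data = fh.read()
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hashlib.sha256(data).hexdigest()
    return manifest

def compare(baseline, current):
    """Return files added, removed or changed since the baseline was taken."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "changed": sorted(p for p in both if baseline[p] != current[p]),
    }

def review_first(report):
    """Added or changed files that the server may run as code; look at these first."""
    hits = report["added"] + report["changed"]
    return sorted(p for p in hits if p.lower().endswith(EXEC_EXT))

if __name__ == "__main__":
    # Usage: baseline.py save  <site_root> <manifest.json>
    #        baseline.py check <site_root> <manifest.json>
    mode, root, path = sys.argv[1:4]
    if mode == "save":
        with open(path, "w") as fh:
            json.dump(snapshot(root), fh, indent=1)
    else:
        with open(path) as fh:
            report = compare(json.load(fh), snapshot(root))
        print(json.dumps(report, indent=1))
        print("review first:", review_first(report))
        sys.exit(1 if any(report.values()) else 0)
```

Take the baseline right after a clean install or update, and keep the manifest somewhere the web server cannot write to, so that whoever adds a file cannot also rewrite the record of what should be there.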
Jonathan Leger has been a successful Internet Marketer for over 11 years. He owns an SEO Tools suite at KeywordCanine.com