WordPress.org is the most popular kid on the self-hosted CMS/blogging playground: around 20% of all websites run on WordPress. There are so many websites running WordPress that every person in South Africa could be given one and we would still have some 30 million websites to hand out!
The unfortunate part about WordPress being so popular is that it has become a target for hackers the world over. Searching for WordPress security tips will give you thousands of answers, and you can just as easily find tips on how to hack WordPress sites. The problem with the anonymity the internet grants people is that they are more than willing to try to make a quick buck by hacking your e-commerce website, or maybe even just hack your site for the fun of it. If you want to see how selfish and stupid anonymity makes people, just read through a couple of comments on a YouTube video.
Fortunately, most hackers attempt the simple automated ways to get into your site, so with a few simple tricks you can somewhat secure your site, and be better off than the majority of other people out there.
Use strong passwords
I cannot emphasize this enough. Not just for your WordPress site, but for everything you have that may be a target. There’s no use having a secure password for your website if you have a weak one for your email. A hacker can simply get into your email and request a password reset from your site.
There are plenty of password generators out there, but an even easier way is to simply come up with an extremely complicated passphrase that only means anything to you, then just make a subtle difference for each site you use. Easy to remember, yet varied between sites, and hard to crack.
Remove the “admin” username
“Admin” is one of the most common usernames out there. Bots attacking your site often attempt to guess the password of the “admin” user. Best to delete this user and assign your posts to a new account.
Even if you just follow these two WordPress security tips, your website’s security will be drastically improved.
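As an added example that is not part of this post, here is a short Python script illustrating the bot behaviour just described: it scans web-server access log lines for repeated failed logins against wp-login.php and lists the client addresses worth blocking. The log lines are constructed, and the script assumes WordPress’s default behaviour of answering a failed login with a 200 (form re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import Counter

# Constructed sample lines in the Apache/nginx "combined" access-log format: 203.0.113.7
# is a bot hammering wp-login.php; 198.51.100.20 is the site owner logging in once.
SAMPLE_LOG = """\
203.0.113.7 - - [12/May/2015:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2015:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2015:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2015:10:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [12/May/2015:10:01:05 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.20 - - [12/May/2015:10:02:10 +0000] "GET /2015/05/hello-world/ HTTP/1.1" 200 8130 "-" "Mozilla/5.0"
198.51.100.20 - - [12/May/2015:10:03:44 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [12/May/2015:10:03:45 +0000] "GET /wp-admin/ HTTP/1.1" 200 22100 "-" "Mozilla/5.0"
this line is not a log entry and must be skipped rather than crash the scan
"""

# Client IP, request method, path and status code are all the scan needs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def failed_logins_per_ip(log_text):
    """Count POSTs to wp-login.php answered with 200, per client IP.

    Assumes WordPress's default behaviour: a failed login re-renders the form
    with status 200, while a successful one answers with a 302 redirect.
    """
    failures = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m is None:
            continue  # unparsable line: skip it, do not abort the whole scan
        path = m["path"].split("?", 1)[0]  # drop query strings like redirect_to=
        if m["method"] == "POST" and path == "/wp-login.php" and m["status"] == "200":
            failures[m["ip"]] += 1
    return failures


def suspicious_ips(log_text, threshold=5):
    """Sorted IPs with at least `threshold` failed logins: candidates for blocking."""
    return sorted(ip for ip, n in failed_logins_per_ip(log_text).items() if n >= threshold)


if __name__ == "__main__":
    for ip, n in failed_logins_per_ip(SAMPLE_LOG).most_common():
        print(f"{ip}: {n} failed logins")
    print("suspicious:", suspicious_ips(SAMPLE_LOG))
```

Run against a real access log, the threshold and time window should be tuned to your traffic, and the flagged addresses fed to a firewall or login-limiting plugin rather than blocked by hand.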
Only use reputable premium themes and plugins
If you get your themes or plugins from sites like ThemeForest you should be OK. It is important to check whether the theme/plugin is still currently supported, i.e. it has been updated recently. Any theme/plugin could potentially have vulnerabilities; the difference is that with a premium supported theme/plugin, the author will keep it up to date and patched so all known vulnerabilities are fixed.
Worst of all, DON’T download “free” premium themes and plugins from any site other than the author’s. Getting something for free is great, but why would someone go through all the effort of stealing something just to post it online and not earn any profit from it? Even if you scan it with an anti-virus, it’s not going to pick up any problems. Maybe they’ve just added two lines of code: one to create a new user account, and a second to email the account name and password to the hacker’s email address.
Update update update
Update everything: out-of-date software is vulnerable software. As I said above, authors of premium software are always checking for vulnerabilities and patching them; if your copy is out of date, those vulnerabilities can be exploited. So make sure WordPress, your plugins and your theme are up to date.
Install Anti-Virus software on your device
This is often overlooked, but very important. You can have the best security on your website, but even if the site itself is completely secure, one keylogger on your PC can be used to get access to your whole website. The hacker can then change or edit anything that you as the administrator could edit. Anti-virus programs will pick up anything questionable and help keep your PC secure.
Current anti-virus programs are put to the test by avtest.org. You can check out their results here.
Create a second user with less privileges
If, for example, you are running a blogging website, you could create a second user with the role of Author. This means that that user has limited access: it can’t access your plugins or your themes, it can’t edit your pages, but it can edit and publish posts. So if you log in to your site from another computer, and it turns out that computer was infected and some hacker now has your password, it limits the damage they can do to your site.
Run scheduled offsite backups
If you have backups, then any malicious change to your website can always be reversed by reverting your site to the backup’s state. It is important to make sure the backups are off-site, since if they are stored on-site they can obviously be hacked as well.
That wraps up our WordPress Security Tips & Tricks 2015
If you follow these tips, you’ve already secured your site against many common vulnerabilities. If you have any of your own WordPress security tips & tricks that you feel we have left out, please leave a comment below.