Anyone who has had their site hacked or blacklisted knows how important it is to stay on top of WordPress Security.
Yes, you should use the latest version of WordPress core and, for the most part, the latest versions of plugins. But of course incompatibilities arise, so be careful when updating.
The #1 security measure I suggest is to remove the “admin” user – many robots will assume you have an “admin” user and try to guess the password. By keeping this default user name you are giving away half of the username+password puzzle that is the barrier between your site getting hacked and your site staying safe.
Another distinction: some plugins change the way WordPress works so it’s more secure, while others focus on malware scanning to see if anything has been hacked. Sucuri is a great plugin that scans for hacks – you can do the same free scan from their website. You can also pay them to actively scan, and they will actually fix any issues that come up. Code Garage does backups as well as malware monitoring, so that’s a good option to explore also.
Plugins that do many security tasks
- WordFence: This is a great new plugin I’m testing out that offers a complete solution for free with an optional paid upgrade that actively scans your site from the outside to make sure it has not been hacked. So it combines security edits with malware monitoring.
- Better WP Security: I’ve been using this one for a while and it’s great. It has a “one-click” feature that will harden a number of security features very quickly.
- Secure WP: a good handful of features
- WP Security Scan
- Login LockDown: an older, simple plugin that works well but has not been updated recently. Getting the many emails it sent helped me learn how many bots were randomly attacking my sites.
- Login Lock: like the above with a few extra useful features, like a button to force logout for anyone logged in. This plugin is no longer supported. Another replacement option: Login Security Solution
- Limit Login Attempts: yup, another plugin with similar features.
- Replace WP-Version: the name says it all
- Updated SSL Plugin: forces SSL anywhere passwords are asked for
- Timthumb vulnerability scanner: does a bit more than just check for that one giant security issue…
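As an added illustration (not code from this post or from any of the plugins listed), here is a small must-use plugin that combines the two ideas above: treating any login that still uses the removed “admin” name as a bot probe, and locking out a client after repeated failures the way Login LockDown / Limit Login Attempts do. The failure threshold, lockout window, function names and log message are my own assumptions.

```php
<?php
/**
 * Plugin Name: Admin-Guess Throttle (illustrative example, not a published plugin)
 * Drop this file into wp-content/mu-plugins/ so it loads before regular plugins.
 */

// Assumed tunables (not from the post): 5 failures, then a 15-minute lockout.
const AGT_MAX_FAILURES = 5;
const AGT_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;

// Transient key per client address. Behind a reverse proxy, derive this from the
// trusted forwarded header instead, or every visitor will share one counter.
function agt_client_key() {
    return 'agt_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0' );
}

// Runs on every login attempt; priority 30 is after WordPress's own password check (20).
function agt_authenticate( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user; // Let WordPress handle an empty form submission.
    }
    // The post's #1 tip: once "admin" no longer exists, any attempt using it is a bot
    // guessing the default name. Refuse it with a generic message and let it count
    // as a failure like any other (wp_signon fires wp_login_failed on a WP_Error).
    if ( 'admin' === strtolower( $username ) && ! username_exists( 'admin' ) ) {
        error_log( 'Login probe using default "admin" username from ' . ( $_SERVER['REMOTE_ADDR'] ?? '?' ) );
        return new WP_Error( 'agt_admin_probe', __( 'Invalid username or password.' ) );
    }
    // Lockout check: refuse even a correct password while the client is locked out.
    $failures = (int) get_transient( agt_client_key() );
    if ( $failures >= AGT_MAX_FAILURES ) {
        return new WP_Error( 'agt_locked', __( 'Too many failed login attempts. Try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'agt_authenticate', 30, 3 );

// Count failures per client; the transient expires on its own after the lockout window,
// so a quiet client is unlocked without any cleanup job.
function agt_login_failed( $username ) {
    $key      = agt_client_key();
    $failures = (int) get_transient( $key ) + 1;
    set_transient( $key, $failures, AGT_LOCKOUT_SECS );
}
add_action( 'wp_login_failed', 'agt_login_failed' );
```

The error_log lines give you the same view of bot traffic the author got from Login LockDown's emails, without the inbox noise.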
The WordPress Ecommerce folks at instinct.co.nz have a great checklist for how to secure WordPress.