10 things to know about WordPress security.
1.) Hide WordPress files
Don’t make it easy for attackers to confirm that your site runs WordPress; hide the installation files that give it away. Here’s a simple trick to help hide WordPress files from the public: http://ox.no/posts/hiding-wordpress-installation-files Treat this as a way to cut down automated probing, not as a substitute for the other tips: a scanner that guesses the standard paths anyway still finds the same vulnerabilities.
2.) Excellent password practices
It’s important to use strong, unique passwords for your WordPress sites (this includes the database password you set when installing WordPress). Here’s a site for generating random passwords: http://www.safepasswd.com
Even a strong password can eventually be leaked or guessed, so it’s good to change your passwords regularly. Make it a habit to add a monthly reminder to your calendar to update your site’s passwords, and change them right away if you suspect the site has been compromised.
If you’re going to use a password management tool, I highly recommend LastPass for its YubiKey support. Like most password management tools, all your passwords are protected by one master password, so if that one password is found, all of your sites may be compromised. LastPass offers two-step authentication that requires a USB key alongside your master password to access your vault. To see more: https://lastpass.com/support_screencasts.php?feature=yubikey1
3.) Change your default login link
By default, adding ‘/wp-admin’ to the end of a WordPress powered site’s address takes you to the login page, so every automated scanner knows exactly where to try passwords. Use the Stealth Login plugin to change the login URL to something like ‘domain.com/mylogin’. This hides the door rather than strengthening the lock, so combine it with strong passwords and the login limits in the next tip.
4.) Prevent too many login attempts
Brute force attacks simply try password after password against the login form. To protect yourself, make it harder by limiting the number of failed login attempts allowed from one address before it is locked out for a while, with this plugin: Limit Login Attempts
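A plugin can only see attempts once they reach PHP; the web server’s access log shows the same brute force from the outside and is a good source for a block list (a firewall rule, fail2ban, or the plugin’s own blacklist). The script below is an added example, not part of the original post or the Limit Login Attempts plugin. It assumes the Apache/nginx combined log format and the standard WordPress behaviour that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful login answers with a 302 redirect into wp-admin; the log lines are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original post: find addresses brute-forcing the
# WordPress login by reading the web server's access log (combined log format).
# Assumption: a failed wp-login.php POST re-renders the form with HTTP 200,
# while a successful one answers with a 302 redirect into wp-admin.

# Constructed sample log for the demo (addresses from the documentation ranges).
wp_sample_log() {
    cat <<'EOF'
203.0.113.7 - - [10/Oct/2012:13:55:30 +0000] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:31 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:32 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:33 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:34 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:35 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2012:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2012:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.26.0"
192.0.2.9 - - [10/Oct/2012:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 3120 "-" "curl/7.26.0"
198.51.100.5 - - [10/Oct/2012:13:56:01 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Oct/2012:13:56:02 +0000] "GET /wp-admin/ HTTP/1.1" 200 9871 "-" "Mozilla/5.0"
EOF
}

# Print "<failed-attempts> <ip>" for every address whose failed POSTs to
# wp-login.php reach the threshold (default 5), busiest first.
# Usage: wp_bruteforce_ips [THRESHOLD] < /var/log/apache2/access.log
wp_bruteforce_ips() {
    limit="${1:-5}"
    awk -v limit="$limit" '
        # Combined log fields: $1 client IP, $6 quoted method, $7 path, $9 status.
        # A GET of wp-login.php is just the form loading; only POSTs are guesses,
        # and a POST answered with 200 is one that did not redirect into wp-admin.
        $6 == "\"POST" && $7 == "/wp-login.php" && $9 == "200" { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) print fails[ip], ip }
    ' | sort -rn
}

# Demo run: one address is over the limit, the other two are not.
wp_sample_log | wp_bruteforce_ips 5
```

Run it against the real log from cron and feed the addresses it prints into whatever blocks traffic in front of the site. The same idea applies to any other endpoint that accepts credentials; the point is that the log tells you who is guessing even when the guesses never trigger the plugin.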
5.) Monitor your WordPress installation
If someone does somehow compromise your site by adding, deleting, or changing a file, get an email immediately with this plugin: WordPress File Monitor. A PHP file that suddenly appears under wp-content/uploads, or a core file that changed when you didn’t run an update, is a classic sign of a backdoor.
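To show what the plugin is doing under the hood, here is an added example of the same check done with find and sha256sum from the shell; it is not the plugin’s code and not part of the original post. It assumes sha256sum is installed (shasum -a 256 is the macOS equivalent) and prints lines in the form "<hash>  <path>". The demo builds a small constructed stand-in for a WordPress tree, not real WordPress files, baselines it, tampers with it the way an intruder would, and reports the differences.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal file-integrity monitor
# built from find and sha256sum. Take a baseline of the WordPress tree once,
# then re-run the check after every deploy or from cron and mail any output.
# Assumption: sha256sum is installed and prints "<hash>  <path>".

# Hash every file under the given root, relative paths, sorted by path.
# Usage: wp_fim_baseline /var/www/html > /root/wp-baseline.sha256
wp_fim_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# Compare a stored baseline with the tree as it is now. Prints one line per
# difference (ADDED / REMOVED / MODIFIED followed by the path) and returns 1
# when anything changed, 0 when the tree matches the baseline.
# Usage: wp_fim_check /var/www/html /root/wp-baseline.sha256
wp_fim_check() {
    root="$1"; baseline="$2"
    tmp=$(mktemp) || return 2
    wp_fim_baseline "$root" > "$tmp"
    changes=$(awk '
        # sha256sum lines are 64 hex chars, two spaces, then the path, so the
        # path starts at column 67; taking it with substr keeps spaces intact.
        FILENAME == ARGV[1] { old[substr($0, 67)] = $1; next }
                            { cur[substr($0, 67)] = $1 }
        END {
            for (p in old) if (!(p in cur)) print "REMOVED  " p
            for (p in cur) if (!(p in old)) print "ADDED    " p
            for (p in cur) if ((p in old) && old[p] != cur[p]) print "MODIFIED " p
        }' "$baseline" "$tmp" | LC_ALL=C sort)
    rm -f "$tmp"
    [ -z "$changes" ] && return 0
    printf '%s\n' "$changes"
    return 1
}

# Demo: build a constructed stand-in for a WordPress tree (not real WordPress
# files), baseline it, tamper with it the way an intruder would, and report.
wp_fim_demo() {
    d=$(mktemp -d) || return 2
    mkdir -p "$d/wp-includes" "$d/wp-content/uploads"
    printf '<?php // core\n' > "$d/wp-includes/functions.php"
    printf '<?php // config\n' > "$d/wp-config.php"
    printf 'WordPress\n' > "$d/readme.html"
    wp_fim_baseline "$d" > "$d.sha256"      # keep the baseline outside the tree
    printf '// tampered\n' >> "$d/wp-includes/functions.php"          # core file altered
    printf '<?php // dropper\n' > "$d/wp-content/uploads/cache.php"   # PHP dropped in uploads
    rm -f "$d/readme.html"                                            # file removed
    result=$(wp_fim_check "$d" "$d.sha256" || true)
    rm -rf "$d" "$d.sha256"
    printf '%s\n' "$result"
}

wp_fim_demo
```

Store the baseline outside the web root and out of reach of the web server user, otherwise an intruder who can write to the site can also rewrite the baseline. After a legitimate update, regenerate it; a check that reports nothing is exactly what you want to see from cron.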
6.) Upgrade WordPress to the latest version
WordPress is constantly being updated, many times to fix security vulnerabilities, so it’s best to run the latest version. The same goes for your plugins and themes. See: Updating WordPress
7.) Scan your install after making admin changes
It’s possible that plugins, themes, and even posts can open up vulnerabilities in your install. So if you’ve recently made changes to your WordPress install, run a security scan before walking away. Here’s a plugin to do so: WP Security Scan
8.) See installing WordPress above
To reiterate: don’t use ‘admin’ as your username (an attacker who already knows the username only has to guess the password), don’t use ‘wp_’ as your database prefix (it’s the prefix that automated SQL injection attacks assume), and don’t create the ‘wp-config.php’ file manually (let the installer generate it, including the unique secret keys and salts).
9.) Backup your database regularly
Even the most secure site can get hacked. It’s good practice to back up your site’s database regularly. If all other security measures fail, you can restore your database (posts, pages, comments, plugin/theme configurations) from a backup. Use a plugin to get database backups emailed to you regularly: WP-DB-Backup. Remember that the database doesn’t contain your uploads, themes, or plugins, so back up the files as well, and try restoring a backup occasionally so you know it works before you need it.
10.) I’ve been hacked, what do I do?