Simple WordPress steps to avoid getting hacked.
WordPress powers 20% of all self-hosted websites. Since 70% of websites don’t use a CMS at all, it is apparent that WordPress powers a very high percentage of CMS-driven sites. Just like Microsoft in the ’90s, with great popularity comes great responsibility. I don’t know why WordPress continues to have lax security settings in its default installation, which contributes to the overwhelming number of hacked sites using WordPress. There are, however, a few simple things you can do to make your WordPress site much less likely to become a victim.
Always keep WordPress and plugins up-to-date
Most hosts these days will do automatic updates for minor releases. That takes the edge off having to get important security updates in immediately when security holes are announced.
Force strong passwords on all users with limited login attempts
A bot can attempt a few thousand passwords in a matter of seconds. Many WordPress sites are hacked simply because the password for the admin account is simple enough to be included in the many password databases that can be easily obtained.
Change the login URL from the default to a custom URL and lock out 404 attempts
If a bot can’t find your login page, it can’t even begin to attempt passwords. I once set up a BRAND NEW WordPress site and within 20 minutes bots were hitting the default login page and attempting usernames such as “admin”. If you change the login URL and lock out repeated 404 attempts, you stop almost all bots in their tracks before they’ve hit a single page on your site.
Force a different display name for users than their username
I don’t know why WordPress does a lot of this stuff by default. If a user’s username is displayed anywhere on the site, you have just given bots a list of usernames to attempt on the login screen.
Disable PHP in the uploads directory
Many hacks are all about getting a PHP file into the uploaded content directory. Unless you have a very specific reason to allow PHP here, disable it – again, I don’t know why WordPress doesn’t do all this by default.
Double check file permissions on .htaccess and wp-config.php
These important files should be set to 644 permissions – be sure to double check, as missing this can undermine all other security measures.
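A read-only audit for the last two items (PHP files in the uploads directory, and the permissions on .htaccess and wp-config.php), as an added example that is not from the original post. It assumes the standard WordPress layout; the function names and the sample site it builds in a temporary directory are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the standard layout:
# <root>/.htaccess, <root>/wp-config.php, <root>/wp-content/uploads.

# Print a file's octal mode (GNU stat first, BSD stat as fallback).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report either file if it is missing or not mode 644.
# Returns 0 when both are 644, 1 otherwise.
check_perms() {
    root=$1
    bad=0
    for f in "$root/.htaccess" "$root/wp-config.php"; do
        if [ ! -f "$f" ]; then
            echo "MISSING $f"; bad=1
        elif [ "$(file_mode "$f")" != "644" ]; then
            echo "MODE $(file_mode "$f") $f (expected 644)"; bad=1
        fi
    done
    return "$bad"
}

# List files under uploads with extensions that servers commonly hand to PHP.
find_upload_php() {
    find "$1/wp-content/uploads" -type f \( -iname '*.php' -o \
        -iname '*.php[0-9]' -o -iname '*.phtml' -o -iname '*.phar' \)
}

# Build a constructed sample site: one weak mode, one PHP file in uploads.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2024/01"
    : > "$d/.htaccess";     chmod 644 "$d/.htaccess"
    : > "$d/wp-config.php"; chmod 666 "$d/wp-config.php"
    : > "$d/wp-content/uploads/2024/01/photo.jpg"
    : > "$d/wp-content/uploads/2024/01/cache.php"
    echo "$d"
}

tree=$(make_sample_tree)
check_perms "$tree" || echo "permission check failed"
echo "PHP files in uploads:"
find_upload_php "$tree"
rm -rf "$tree"
```

Point the two check functions at a real site root instead of the sample tree; any file the second one lists deserves a look, since a legitimate upload is rarely a PHP script.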
Luckily, there are several security plugins that can accomplish these tasks and more for you in one easy package. The one I prefer to use is iThemes Security.