I think it’s important to say that WordPress has done an excellent job of hardening its security over the last few years. Like any CMS with powerful functionality, it requires maintenance in order to keep it useful and safe. The developers who work on the WordPress core do a good job of addressing security concerns with each and every release, but it’s important to take some extra steps to help your website stand up to a security attack.
This is a no-brainer plugin that does a good job of blocking spam from affecting your comments and forms. Sign-up for a free API key through the plugin’s settings page.
This plugin helps to prevent a fairly common strategy for breaking into WordPress sites: the brute-force attack. A computer will try again and again to guess your password until it finds the right one. With Limit Login Attempts, a user (or a computer trying to break into your site) will be locked out after a set number of incorrect password attempts. You can configure the number of incorrect attempts allowed and the amount of time that someone is locked out for.
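To make the lockout idea concrete, here is an added example (not code from the post or from the Limit Login Attempts plugin) of the policy such a plugin enforces: count failed password attempts per client address, and once the limit is hit, refuse further attempts for a fixed period. The class name, the defaults of 4 attempts and a 20-minute lockout, and the sample address are all assumptions chosen for the demo; in a real WordPress plugin this state would live in transients and the check would run on the `authenticate` filter.

```php
<?php
// Added example, not the plugin's own code: a minimal per-client
// failed-login lockout policy.

class LoginLockout
{
    private int $maxAttempts;
    private int $lockoutSeconds;
    /** @var array<string, array{count:int, locked_until:int}> keyed by client IP */
    private array $state = [];

    public function __construct(int $maxAttempts = 4, int $lockoutSeconds = 1200)
    {
        $this->maxAttempts = $maxAttempts;
        $this->lockoutSeconds = $lockoutSeconds;
    }

    // Seconds of lockout remaining for this client; 0 means it may try to log in.
    public function lockedFor(string $ip, int $now): int
    {
        $entry = $this->state[$ip] ?? null;
        if ($entry === null || $entry['locked_until'] <= $now) {
            return 0;
        }
        return $entry['locked_until'] - $now;
    }

    // Record one wrong password; returns true when this attempt triggered a lockout.
    public function recordFailure(string $ip, int $now): bool
    {
        $entry = $this->state[$ip] ?? ['count' => 0, 'locked_until' => 0];
        $entry['count']++;
        if ($entry['count'] >= $this->maxAttempts) {
            $entry['locked_until'] = $now + $this->lockoutSeconds;
            $entry['count'] = 0; // counter restarts after the lockout expires
            $this->state[$ip] = $entry;
            return true;
        }
        $this->state[$ip] = $entry;
        return false;
    }

    // A successful login clears the failure counter for that client.
    public function recordSuccess(string $ip): void
    {
        unset($this->state[$ip]);
    }
}

// Demo: the fourth wrong password in a row locks the client out for 20 minutes.
$lockout = new LoginLockout(4, 1200);
$ip = '203.0.113.10'; // constructed documentation-range address
$t = 1000;             // constructed timestamp (seconds)
for ($i = 1; $i <= 4; $i++) {
    $locked = $lockout->recordFailure($ip, $t);
    printf("attempt %d: %s\n", $i, $locked ? 'LOCKED OUT' : 'try again');
}
printf("lockout remaining now: %d seconds\n", $lockout->lockedFor($ip, $t));
printf("lockout remaining after 20 minutes: %d seconds\n", $lockout->lockedFor($ip, $t + 1200));
```

The important design point is that the login form should check `lockedFor()` before it even verifies the password, so a locked-out client learns nothing about whether its latest guess was right.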
This plugin isn’t necessary for most sites, but if you’re running a membership site, a site with lots of traffic or valuable content, this plugin might be worthwhile. It monitors your site for malware and will alert you if it recognizes an attempt to hack your website. If your site is already affected or becomes affected by malware, it will clean things up.
Note that you can use their free site scanning tool to check for malware: http://sitecheck.sucuri.net/
I know you are an incredibly diligent website owner and update your website every single time a new version of WordPress comes out. For those of us who are a little slower, it’s important to remove the version of WordPress that is placed into your site’s header automatically. If there is a known security flaw for a specific version of WP, hackers can search your site to see if you are running that version. Removing this information makes their job more difficult. There are plugins that will remove the WP version for you, but it only takes a few lines of code. Place the following in your functions.php file or ask your developer to do it for you.
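The snippet itself is not reproduced on this page, so the following is an added example (not the post's own code) of what a theme's functions.php can do to stop advertising the WordPress version. It uses the real `wp_generator` action, `the_generator` filter and the `style_loader_src`/`script_loader_src` filters; the function name `example_strip_core_asset_version` is a placeholder chosen here.

```php
<?php
// Added example, not the post's own snippet. Goes in the active theme's functions.php.

// 1. Stop wp_head from printing <meta name="generator" content="WordPress x.y" />.
remove_action('wp_head', 'wp_generator');

// 2. RSS/Atom feeds embed the version through the_generator as well; blank it there.
add_filter('the_generator', '__return_empty_string');

// 3. Core scripts and styles get "?ver=<WordPress version>" appended when no asset
//    version is set, which reveals the version too. Stripping it also disables that
//    cache-busting for those assets, so decide whether the trade-off is acceptable.
function example_strip_core_asset_version($src) {
    global $wp_version;
    if (strpos($src, 'ver=' . $wp_version) !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
add_filter('style_loader_src', 'example_strip_core_asset_version');
add_filter('script_loader_src', 'example_strip_core_asset_version');
```

Treat this as reducing what your site volunteers, not as protection: the only real fix for a known flaw in a specific version is to update, and the version is still discoverable in other ways (for instance the readme.html that ships with WordPress) if you leave those in place.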
Plugins can only take us so far. Here are some other best practices that will decrease the chances of your site getting hacked into.
Like I mentioned earlier, the core developers do a good job of addressing security concerns with each release.
If you are already using “admin” as a username, create a new user with admin rights, log in as this new user, then delete “admin”.
Uppercase, lowercase, symbols, you name it.
Poorly written plugins can be gateways to your website for hackers. Only use plugins that are necessary, well-written, and updated frequently.
Same concept here.
Some hosting companies aren’t that
If you are creating a new WordPress installation, consider changing the database prefix from “wp_” to something unique. Do NOT do this on your current live site. Talk to your developer if this is gibberish to you.
If you have any must-have WordPress security plugins, please let us know in the comments.