The most important thing you can do to keep your WordPress site secure is to make sure it is up to date. There are many hackers that target older versions of WordPress and plugins that have known security vulnerabilities. Security updates are released frequently so you want to update both WordPress and your plugins frequently. Keeping your site up to date will prevent it from being hacked through the most common known vulnerabilities.
Use a Strong Password
If someone gets your WordPress password, they can log into your site and modify anything they want. Having a weak password is the equivalent of keeping your door unlocked.
You should use a strong password for you login. Be sure to use both upper and lowercase letters as well as numbers and characters if possible.
Don’t Use a Default Username
The default username for WordPress before version 3.0 was simply ‘admin’. Many hackers looking to brute force your password will attempt with the ‘admin’ username. If you use something other than ‘admin’ then you are already stopping these attempts from succeeding.
If you are still using admin as your login, you can create a new administrator account and then delete the old one assigning all posts to your new account.
Use a security plugin
iThemes Security and Wordfence are the most popular plugins that provide basic security for WordPress sites. These plugins are useful for automating some of the functionality that keeps your site secure.
Some of the things they do include:
- Scanning your site to tell where vulnerabilities lie
- Scanning the site’s code for malicious modifications
- Monitoring and blocking brute force login attempts
- Banning troublesome bots and users
Scan Your Site for Malware
Regular external scanning of your site for malware lets you know if your site has been infected by anything. By using a service such as Securi offers automatic scanning of your site as well as repairs to your site if it does become infected.
You can check the WordPress Codex on backing up your site to see suggestions on how you can do this.
Disable File Editing
In WordPress you can edit any of the theme files right in the ‘Admin’ under Appearance -> Editor. This is insecure because if a hacker obtained access to an admin login they can edit any theme file from here. This allows the potential hacker to execute any code they would like and can do whatever they want with your web server.
To protect yourself from this, you can disable file editing by adding
define( ‘DISALLOW_FILE_EDIT’, true ); to your wp-config.php file.
Turn Off Visitor Registration
If you don’t need users to create an account to access anything on your site, it’s a good idea to turn off registration. When an attacker cannot create an account, you have one more layer of security that they’ll have to go through to attack your site.
Backup Your Site
Your site can not be 100% secure as you never know when something unexpected could happen. It is extremely important to make regular backups of your site so you can restore it if/when something does go wrong.
You can learn more about improving the security of your WordPress site from the WordPress Codex on Hardening WordPress.