WordPress, whilst a secure platform in general, is only as safe as you make it, and these best practices will help you keep it as well protected as possible.
A whopping one-third of all websites are powered by WordPress, and with that popularity comes a lot of unwanted attention. Spammers and hackers target WordPress in particular because, due to its open-source nature, many of them are familiar with the ins and outs and the typical file structure of websites built on the platform.
That doesn’t mean that WordPress is unsafe, though. In fact, the latest stable version of WordPress is very safe right out of the box. But falling out of the habit of keeping your installation up to date, combined with other factors, can make WordPress vulnerable. Many of these vulnerabilities can stem from third-party plugins and themes, which can get out of hand if not managed correctly.
No system is 100% secure all of the time. WordPress releases regular security updates that help to keep the platform secure, and installing them is easy. As a matter of course you should turn on automatic security updates. Updating core WordPress versions, however, can take a little more time, as you need to ensure that your plugins and themes are compatible. Likewise, you should update your themes and plugins as soon as new versions are available.
Open Source Platform
WordPress benefits from an open source community, meaning that security flaws are often spotted quickly by users and subsequently patched by developers. However, this also means that malicious hackers learn of those vulnerabilities, and that knowledge can be used to scan websites for any matching versions of code that can be exploited.
Use Secure Passwords
It can be difficult to remember strong passwords, we know that! But these days even combinations of numbers and letters aren’t safe enough. You need long, high-strength passwords that are not easy to guess. You can use a third-party password manager to generate and store your passwords for you.
If you have access to your hosting control panel, or secure FTP, you can alter file and folder permissions to lock down critical files. There are a few files that should never be accessed except by the PHP process running WordPress. You can change file permissions and edit the .htaccess file to further lock these files down.
Most SFTP clients will give you the ability to edit file permissions, or you may have to use shell access.
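As an added example (not code from the original article), the shell script below applies the permission lockdown described above to a WordPress document root, setting the usual 755/644 modes, restricting wp-config.php to its owner, and appending .htaccess rules so the web server never serves the configuration file directly. It assumes the PHP process runs as the file owner (otherwise 600 on wp-config.php would break the site and a group-readable mode such as 640 is needed) and that Apache honours .htaccess for the directory.

```shell
#!/bin/sh
# wp_harden DIR: lock down file and directory permissions on a WordPress
# document root and add .htaccess rules for the critical files.
# Assumption: PHP runs as the owner of the files, so owner-only modes work.
wp_harden() {
    root="$1"
    [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

    # Directories: owner rwx, everyone else rx (needed to traverse)
    find "$root" -type d -exec chmod 755 {} +
    # Regular files: owner rw, everyone else read-only
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds database credentials and salts: owner only
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"

    # Append (once) rules that deny HTTP access to wp-config.php and to
    # .htaccess itself, using Apache 2.4 "Require all denied" syntax.
    if ! grep -q 'wp_harden' "$root/.htaccess" 2>/dev/null; then
        cat >> "$root/.htaccess" <<'EOF'
# Added by wp_harden: never serve configuration files over HTTP
<FilesMatch "^(wp-config\.php|\.htaccess)$">
    Require all denied
</FilesMatch>
EOF
    fi
    chmod 644 "$root/.htaccess"
    return 0
}

# wp_check_mode PATH OCTAL: succeed only when PATH has exactly that mode.
# -prune stops find descending into directories; -perm without a leading
# '-' or '/' is an exact match in POSIX find.
wp_check_mode() {
    [ -n "$(find "$1" -prune -perm "$2" -print)" ]
}
```

Run it as `wp_harden /var/www/html` (path is an example) and spot-check with `wp_check_mode /var/www/html/wp-config.php 600` before reloading the site.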
XSS and SQL Injection
Common attacks, not limited to WordPress, are cross-site scripting (XSS) and SQL injection. You can usually block these types of attack with .htaccess query-string rewrite rules. If you know how to use rewrites, redirect or block the query-string signatures of attacks you read about or see in your logs.
If you aren’t overly confident in editing your .htaccess file or using rewrites, you can find security plugins that will do most of the work for you.
Additional Security Plugins
Much like an anti-virus or firewall on your desktop computer, security plugins for WordPress can scan your installation for signs of compromise. An excellent choice for this is Wordfence, particularly its premium offering.
Many of these security plugins can block an IP address from your website entirely based on its activity, and can run scheduled scans of your files to ensure the installation stays as clean as possible.