If you run a WordPress blog, you need to get serious about keeping it as secure as possible. WordPress is a very attractive target for hackers for several reasons that I’ll get to in a moment. To help you, I have put together my recommendations for the best ways to secure your site, and many of them won’t cost you much beyond your time to configure them properly. My concern for WordPress security isn’t general paranoia; my own website has been attacked on numerous occasions, including a series of DDoS attacks on Christmas Day.
WordPress is a rich target
It is hard to keep up with the latest WordPress attacks. Last year, a brute-force attack was carried out by a botnet of infected WordPress servers that leveraged the XML-RPC interface. Why is WordPress such a target?
WordPress runs PHP scripts, which have had their own problems over the years. IT managers should nip this issue in the bud by making sure their version of PHP is current. WordPress itself has provided this handy list of suggestions on how to check your version and how to upgrade it safely.
WordPress has a lot of moving parts. In addition to the underlying PHP engine, most WordPress sites run a variety of plug-in tools and use themes to enhance their appearance and add functionality. Ensuring that these plug-ins are free of infections and, worse yet, are not stalking horses for malware isn’t an easy task. A number of them have been exploited recently, such as Form Lightbox, Appointments, RegistrationMagic-Custom Registration Forms, WooCommerce, WP No External Links and Flickr Gallery.