Working at the Orion Group I get a lot of questions about how to make a WordPress site more secure. WordPress core is reasonably secure out of the box, but there are a few things you can do to make it better. I am only going to cover a few of the basics here, but they should help give you peace of mind.
USE A STRONG PASSWORD
I really cannot stress this enough. Your password is the key to the kingdom, and if you pick a weak password you only have yourself to blame when your site gets brute-forced. It sounds harsh, but this is a very real threat and it is easily avoidable. Since WordPress 3.7 there has been a password strength meter on the profile page; use it as a guide to decide whether you need to change your password. You can also use a password manager such as LastPass. It is easy to set up and leaves you with only one password to remember. LastPass also has a password generator that creates a long, random password for every site you use, so a password stolen from one site cannot be replayed against your WordPress admin. LastPass integrates directly into your web browser and is compatible with almost all major browsers.
UPDATE UPDATE UPDATE!
Another simple step is to keep WordPress and your plugins up to date. Updates not only add new functionality but also carry important security and bug fixes. There are a lot of automated scanners crawling the internet looking for outdated versions of software to exploit; don't tempt them! WordPress 3.7 introduced automatic background updates for security releases and other minor updates, to help keep your installation current. By default this does not cover major releases, so you will still need to update to 3.8 manually, which was released yesterday. That is your cue to go update your site 😉
Plugins are another favorite target for attackers, so update them as often as you can. Outdated and poorly written plugins are one of the biggest reasons a site gets compromised. Keep them up to date and pick your plugins wisely: look for plugins from trusted sources, check the changelogs, and uninstall (not just deactivate) the ones you no longer use, since a deactivated plugin's files are still on disk and can still be requested directly. If a plugin gets fairly regular updates you can usually assume it is safer than one that hasn't been updated in over two years.
Check your theme for updates as well, especially if you did not have one custom built. An outdated theme can be just as dangerous as an outdated plugin. I would also be leery of downloading free themes from random sites on the internet: they often contain poorly written code, and some even have malicious code built right in. Your best bet is to use a firm like SunAnt Interactive and have them build a custom theme for your site.
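The three update steps above (core, plugins, themes) can be automated from WordPress 3.7 onward. As an added example (this is not code from the post, from ManageWP or from WordPress itself), here is a must-use plugin that opts a site in to background updates for major core releases, for themes, and for an allow-list of plugins. The plugin slugs in the allow-list are placeholders; replace them with the plugins you have actually vetted. Drop the file into wp-content/mu-plugins/ (create the directory if it does not exist).

```php
<?php
/*
Plugin Name: Auto Update Policy (example)
Description: Opt this site in to background updates for major core releases,
             themes, and an allow-list of plugins. Needs WordPress 3.7+.
*/

// Plugins trusted to update unattended, by directory slug. Example values only;
// replace with the slugs you have vetted (read their changelogs first).
function aup_trusted_plugin_slugs() {
    return array( 'akismet', 'jetpack' );
}

// Core: 3.7 already installs minor/security releases on its own. This filter
// also lets major releases (e.g. 3.7.x -> 3.8) install in the background.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins: WordPress defaults this to false. Return true only for the
// allow-list, so an unvetted plugin update still waits for a human.
add_filter( 'auto_update_plugin', 'aup_auto_update_plugin', 10, 2 );
function aup_auto_update_plugin( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, aup_trusted_plugin_slugs(), true ) ) {
        return true;
    }
    return $update; // keep the default for everything else
}

// Themes from the wordpress.org directory: update automatically. The update
// check matches by theme slug, so give a custom theme a slug that no
// directory theme uses, or it could be offered (and here, installed) a
// stranger's "update" over the top of your code.
add_filter( 'auto_update_theme', '__return_true' );
```

Two things to know before relying on this: the background updater runs from WP-Cron, so a site that gets no traffic (or has DISABLE_WP_CRON set without a real cron job) will not update until cron fires; and defining DISALLOW_FILE_MODS or AUTOMATIC_UPDATER_DISABLED in wp-config.php switches all of it off. Either way, keep taking backups before updates land; a remote backup is the one thing that makes an unattended update safe to trust.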
ManageWP is a great tool for managing multiple WordPress sites from one dashboard. You can bulk-upgrade WordPress and plugins, take remote backups, scan your sites for malware, pull site statistics, and save a TON of time doing it. You can still manage sites individually from inside the ManageWP dashboard, or within WordPress itself. The idea of manually updating hundreds of sites every time a new release comes out gives me nightmares; with ManageWP that is one less thing to worry about. Remember, though, that a dashboard with admin access to all of your sites is a high-value target in its own right, so the strong-password advice above applies doubly to that account.
CloudFlare is another great tool to add to your arsenal. CloudFlare is a CDN that sits in front of your site and improves both performance and security. They offer several plans, including a free one that puts you on their CDN, caches your content, and helps mitigate a number of threats. I recommend the Pro plan if you really want to unlock the service: besides better performance you get a Web Application Firewall (WAF) to block more serious attacks, as well as SSL support. One thing to remember once CloudFlare is in front of your site: your web server now sees CloudFlare's addresses instead of your visitors', so anything on the server that blocks or whitelists by IP (including login protection) needs the real visitor IP restored, which CloudFlare supplies in the CF-Connecting-IP header.
There are a number of plugins you can install, but one of my personal favorites is BruteProtect. It not only challenges bots by adding a CAPTCHA to your admin login page, it also protects against distributed brute-force attacks like Fort Disco by blocking blacklisted IP addresses from even reaching your login page. BruteProtect updates its database of bots every time a site with the plugin installed detects a brute-force attack, and that information is pushed to every other site running the plugin, effectively blocking an attacker before it ever reaches you. It's like having a crowd-sourced bouncer guarding your front door! BruteProtect recently added a whitelist option so you can add IP addresses that should never be blocked, ensuring you do not lock yourself out of your own site.
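To make the lockout-plus-whitelist idea concrete, here is an added example (not BruteProtect's code, and it shares no blacklist with anyone) of a small must-use plugin that does the local part of what BruteProtect does: it counts failed logins per IP address and refuses further attempts from that address for a while, except from whitelisted addresses so you cannot lock yourself out. The threshold, the window and the whitelisted address are placeholder values; put the file in wp-content/mu-plugins/.

```php
<?php
/*
Plugin Name: Login Throttle (example)
Description: Locks an IP out of login after repeated failures; whitelisted
             IPs are never locked. Needs WordPress 3.5+ (MINUTE_IN_SECONDS).
*/

// Placeholder policy: 5 failures within 15 minutes locks the address for 15 minutes.
define( 'LT_MAX_FAILURES', 5 );
define( 'LT_WINDOW', 15 * MINUTE_IN_SECONDS );

// Addresses that must never be locked out (your office, your home). Example value.
function lt_whitelist() {
    return array( '203.0.113.10' );
}

// Use REMOTE_ADDR only. Behind a proxy or CDN such as CloudFlare, restore the
// real client IP at the web-server level (from CF-Connecting-IP); do not read
// X-Forwarded-For here, because a client can set that header to anything.
function lt_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_key( $ip ) {
    return 'lt_fail_' . md5( $ip ); // transient name must be short and safe
}

// Count failures per IP in a transient; it expires on its own after LT_WINDOW.
add_action( 'wp_login_failed', 'lt_record_failure' );
function lt_record_failure( $username ) {
    $ip = lt_client_ip();
    if ( in_array( $ip, lt_whitelist(), true ) ) {
        return;
    }
    $count = (int) get_transient( lt_key( $ip ) ); // false (missing) casts to 0
    set_transient( lt_key( $ip ), $count + 1, LT_WINDOW );
}

// Priority 30 runs after core's username/password check (priority 20), so a
// locked-out address is refused even when it finally guesses the password.
add_filter( 'authenticate', 'lt_check_lockout', 30, 3 );
function lt_check_lockout( $user, $username, $password ) {
    $ip = lt_client_ip();
    if ( in_array( $ip, lt_whitelist(), true ) ) {
        return $user;
    }
    if ( (int) get_transient( lt_key( $ip ) ) >= LT_MAX_FAILURES ) {
        return new WP_Error(
            'too_many_attempts',
            __( 'Too many failed login attempts from your address. Try again later.' )
        );
    }
    return $user;
}

// A successful login clears the counter for that address.
add_action( 'wp_login', 'lt_clear_failures' );
function lt_clear_failures( $user_login ) {
    delete_transient( lt_key( lt_client_ip() ) );
}
```

Two caveats that follow from counting per IP: a whole office behind one NAT address shares one counter, which is exactly why the whitelist exists; and an attacker who spreads attempts across thousands of addresses, as Fort Disco did, will stay under any per-IP threshold, which is the gap a shared blacklist like BruteProtect's is meant to close. Note also that a rejected attempt from a locked address fires wp_login_failed again, so the lockout keeps extending while the attacker keeps trying.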
In all honesty, this is just the tip of the iceberg in what you can do to better secure your WordPress site, but utilizing these few guidelines will definitely get you headed in the right direction. If this is something that you are interested in learning more about come check out this Meetup on January 9th, 2014 in Sussex, WI.