WordPress has become tremendous success. It is a very good for building websites, especially for beginners, and it is free. The huge number of WordPress sites on the Internet has also made it an interesting target for attacks. If you administer a WordPress site, you need to know about WordPress security, otherwise your site could become a victim of an attack.
The number of attacks on WordPress sites has increased enormously lately. The main reason for this is most likely that software that automatically attacks WordPress sites has become available. This means that it is very important to make sure that your sites are well protected.
Unfortunately, it is impossible to guarantee that a WordPress site, or any other site for that matter, is completely secure against all possible attacks. But that said, you can make sure that your site has a high level of security. Most of the attacks are either brute-force password attacks or looking for sites that have not closed well known security holes. If you make sure that your site is safe against such attacks more than 99% of all attacks will not be able to penetrate your site.
First of all, make sure that you don’t use the standard admin account. Virtually all brute-force attacks are trying to guess the password of the admin user. Always change the administrator user account to another username and delete the admin user. There is no good way of hiding usernames from a sophisticated attacker but simple brute-force programs don’t investigate, they always attack the admin username. So by simply changing the username of the administrator account you have managed to protect yourself against most of the attacks.
But you should make sure that all usernames have strong passwords. If the only account is the administrator account, then this is easy. If you have several user accounts, you can use a plugin that forces the users to use strong passwords.
Even with strong passwords and no admin user, you should not let attackers try thousands of login attempts on your site. Install a plugin that limits the number of login attempts from the same IP-address. Such plugins will block additional login attempts after for example three failed logins from an IP-address for a specified amount of time. Just be careful that you don’t set the limits to strict so that you block yourself out for several hours just because you typed the password wrong once. Also be aware that by using proxies an attacker can easily change his IP-address.
It is also possible to limit access to the login page, and all administration pages, but that is only useful if you are always working from the same IP-address. There are also ways of hiding the WordPress login page.
You need also to make sure that your plugins are up-to-date. Fortunately WordPress will automatically check new versions of your plugins, themes and WordPress itself. Also be careful with having a lot of active plugins, this can slow down your site and there is always a risk that a plugin has a security hole.
Given that it is impossible to guarantee that a site, WordPress or not, is hundred percent secure, you should back up your WordPress sites regularly. Also for this you can install a plugin which backups up the site and lets you download the backup to your local machine.