Here’s a compilation of some of our best practices for WordPress security. These are good measures you can take as an average user without either coding expertise or server administration experience. We believe they drastically decrease the odds of a WordPress site getting hacked, and we’ve been able to observe them effectively protecting our own websites and some of our customers’.
You’ll see me recommend the free plugin All-in-One WordPress Security several times in this post. In addition to the many, many other things this plugin can do, it makes all of the following suggestions very easy. I personally don’t turn on all of its features, because there are a lot, and some cover the same bases as other features. I do use its login lockdown, database prefix, and failed login records features, and it can help with everything below. However, this plugin is not at all required for any of these suggestions, and much of what it does is above and beyond these top-five suggestions.
Let me tell you, learning to keep your WordPress site secure because it’s already been hacked is not the way you want to do it. Once hackers get in, you have to take drastic measures to get them out and keep them out. We’ve scrubbed a few hacked client sites lately and it’s tedious, grubby work. The minor inconvenience of applying security measures in advance is vastly preferable to the major inconvenience of cleaning up a hacked WordPress site–and most of these suggestions are easy.