WordPress is used as a content management system for over 25% of the websites in the world [Source]. There's good reason — it's simple enough for bloggers to share family recipes while also being robust enough for developers to build complex business websites.
But because WordPress is so popular, it gives hackers a big pool to play in. Don't take it personally. They don't know you or your business. They just send out bots to find vulnerabilities on a platform that is used by the masses, and take advantage of the fact that most WordPress sites are out of date and not secure enough.
You wouldn't go into a shopping center with your car unlocked and your valuables in plain sight, would you? Sure, even with a locked door, thieves can smash your window, but they are more likely to move on to an easier target. The same goes for website hackers.
8 Basic Steps to Securing your WP Site
If you proactively and regularly manage your own WordPress website, here are 8 essential steps you should take to improve your site security:
- Do not use 'admin' or 'administrator' for your login name, and don't give admin privileges to anyone who doesn't absolutely need them
- Use strong passwords. Seriously, this is the easiest step of all, but the one thing that people are really, really bad at doing. Check out How strong is my password to see how yours stacks up.
- Always run the latest version of WordPress. This is best done offsite first to test and make sure nothing breaks, but at the very least make sure you have a backup before updating.
- Use only high quality plugins, and keep them updated. Always back up before making updates, especially if your site is dependent on plugins to work properly.
- Remove themes and plugins that are not needed.
- Schedule regular backups. At the very least make sure you have a monthly backup scheduled. Some sites should be backed up weekly or daily, depending on how often content changes.
- Install security software and monitor your site. Security software can protect your site from brute force attacks, notify you of changes to your files, enforce strong passwords and provide customized settings to protect your site.
- Disallow comments unless you need them — in which case, only allow them on Posts.
These steps will not protect you entirely, but they provide a first line of defense against hackers who are going for easy targets. There are many, many more things you can do to really lock down your website, but these 8 items are those that you can manage from the WordPress dashboard. Read Hardening WordPress at wordpress.org for more information about securing a WP website.
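As an added example (not part of the original post, and not an official WordPress component), here is a small must-use plugin that enforces three of the checklist items with core WordPress hooks: it blocks 'admin'-style usernames, rejects short passwords set from the dashboard, and closes comments everywhere except on Posts. The 12-character minimum and the file location are assumptions.

```php
<?php
/**
 * Plugin Name: Basic WP Hardening (added example)
 * Description: Enforces three checklist items via core hooks.
 *              Place this file in wp-content/mu-plugins/ (assumed path).
 */

// 1. Refuse to create accounts named admin/administrator (plus two common
//    variants). 'illegal_user_logins' is a core filter consulted by
//    wp_insert_user() and by the registration form.
add_filter('illegal_user_logins', function ($logins) {
    return array_merge((array) $logins, ['admin', 'administrator', 'wpadmin', 'root']);
});

// 2. Reject short passwords when a user is created or edited in the dashboard.
//    The profile form submits the new password as 'pass1'; an empty value
//    means the password is not being changed. 12 is an assumed minimum.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    $candidate = isset($_POST['pass1']) ? (string) $_POST['pass1'] : '';
    if ($candidate !== '' && strlen($candidate) < 12) {
        $errors->add('weak_password', 'Passwords must be at least 12 characters long.');
    }
}, 10, 3);

// 3. Allow comments only on the 'post' post type. Pages, attachments and
//    custom post types are treated as closed regardless of their own setting.
add_filter('comments_open', function ($open, $post_id) {
    return $open && get_post_type($post_id) === 'post';
}, 10, 2);

// Belt and braces for item 3: if a comment is submitted against a non-post
// (for example from a cached form), stop it before it reaches the database.
add_filter('preprocess_comment', function ($commentdata) {
    $post_id = isset($commentdata['comment_post_ID']) ? (int) $commentdata['comment_post_ID'] : 0;
    if (get_post_type($post_id) !== 'post') {
        wp_die('Comments are only accepted on posts.', 'Comment rejected', ['response' => 403]);
    }
    return $commentdata;
});
```

Because it lives in mu-plugins it cannot be deactivated from the dashboard, so a compromised low-privilege account cannot simply switch it off.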
Oh yikes, I don't have time for that!
Many of these action items need to be taken care of on a regular basis, not just once and done. If you don't have the time or the inclination to do so, your website is at risk of getting hacked. I'll tell you from personal experience that it's a lot easier to keep a site updated, backed up and secure than it is to repair a site infected with malware. If you don't yet have a backup/security management plan for your website, I highly recommend you get one in place either with me or another expert.