A few years ago, I wrote an article on securing your WP blog by deleting the original admin account. The default “admin” username made it easier for hackers to find a way into your blog and wreak havoc. At that time, there were also a number of other vulnerabilities in the WP core.
WP addressed these on the road to 3.0, closing the primary known vulnerabilities and changing the install process so that the admin user is no longer a default “admin” (you now choose your own). Even so, there is still plenty of evidence that users are running into problems.
The sheer volume of comments on this post indicates that security among WordPress users remains an important topic. In my experience, the users who leave security holes open are generally the same users who tend not to create regular site backups to roll back to.
If you are running a self-hosted version of WordPress (and there are many good reasons for doing so), you are taking your security into your own hands. It pays to be informed.
Start with the Basics
It is always a good idea to go to the source for best practices. If you haven’t read the Hardening WordPress article at the WordPress Codex, you should. Don’t wait – do it now.
Another good article, on WordPress.org by the man himself (Matt Mullenweg, for the uninitiated), is How to Keep WordPress Secure. It’s slightly dated, but the point still applies: keep your installation up to date.
Security Begins At Installation
If you follow the installation steps in 20 Steps to a Flexible and Secure WordPress Installation, you’ll be getting started on the right foot. It is an easy-to-follow, step-by-step article that even a non-technical blogger can use to set up a properly secured install of WordPress.
Do Regular Backups
Keeping backups won’t prevent you from being hacked. Only following standard security procedures can do that. But no security measure is foolproof. If you do get hacked, you will find it easier to recover if you have done regular backups.
Again, the Codex is the original source to begin a thorough study. And this article at SitePoint covers not only how to back up your site, but also how to recover your site from a backup. (What good is a backup if you don’t know how to recover from being hacked?)
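To make the “know how to recover” point concrete, here is an added example (not from the original post, the Codex, or the SitePoint article) of a small POSIX shell routine that backs up a WordPress site’s files, records a checksum of the archive, and then proves the archive restores to an identical tree before you rely on it. The site and backup paths are hypothetical; the optional database dump assumes `mysqldump` is installed, that credentials are supplied through `~/.my.cnf`, and that a hypothetical `WP_DB_NAME` environment variable names the database. Only the file tree is compared on verification; the SQL dump is written beside the archive.

```shell
#!/bin/sh
# Added example, not the post's own code: back up WordPress files + (optionally)
# the database, then verify the archive actually restores before trusting it.
set -e

# Portable SHA-256 wrapper: prefer sha256sum (Linux), fall back to shasum (macOS).
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# wp_backup SITE_DIR BACKUP_DIR
#   Writes BACKUP_DIR/wp-<stamp>.tar.gz and a .sha256 beside it, prints the
#   archive path. If mysqldump is present and WP_DB_NAME (hypothetical) is set,
#   also writes BACKUP_DIR/db-<stamp>.sql using credentials from ~/.my.cnf.
wp_backup() {
    site_dir="$1"
    backup_dir="$2"
    stamp=$(date +%Y%m%d-%H%M%S)
    name="wp-$stamp.tar.gz"
    archive="$backup_dir/$name"
    mkdir -p "$backup_dir"

    # Database dump (skipped when the tool or the variable is absent).
    if command -v mysqldump >/dev/null 2>&1 && [ -n "$WP_DB_NAME" ]; then
        mysqldump --single-transaction "$WP_DB_NAME" > "$backup_dir/db-$stamp.sql"
    fi

    # Archive the site directory by name so it restores under the same folder.
    tar -czf "$archive" -C "$(dirname "$site_dir")" "$(basename "$site_dir")"

    # Checksum lets you detect a corrupted or tampered archive later.
    (cd "$backup_dir" && _sha256 "$name" > "$name.sha256")
    printf '%s\n' "$archive"
}

# wp_verify_backup ARCHIVE SITE_DIR
#   Returns 0 only if the checksum matches AND the archive extracts to a tree
#   identical to SITE_DIR. Any other outcome returns 1.
wp_verify_backup() {
    archive="$1"
    site_dir="$2"
    (cd "$(dirname "$archive")" && _sha256 -c "$(basename "$archive").sha256" >/dev/null 2>&1) || return 1

    tmp=$(mktemp -d)
    tar -xzf "$archive" -C "$tmp"
    if diff -r "$site_dir" "$tmp/$(basename "$site_dir")" >/dev/null 2>&1; then
        rc=0
    else
        rc=1
    fi
    rm -rf "$tmp"
    return $rc
}

# Typical use (paths are hypothetical):
#   archive=$(wp_backup /var/www/wordpress /var/backups/wp)
#   wp_verify_backup "$archive" /var/www/wordpress && echo "backup verified"
```

Run the verify step immediately after every backup and copy the archive and its `.sha256` off the web host; a backup that lives only on the machine that gets compromised is not a backup you can count on.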
Remember, it’s easier to secure your site BEFORE you get hacked. I am certain that anyone who has had their WordPress installation hacked will testify that they wish they had followed certain precautions beforehand. Had they done so, many would have saved themselves hours of frustration.