If you are new to WordPress, then you're probably not even thinking about ways to secure your self-hosted WordPress site to prevent an attack. As you grow as a WordPress web admin, then understanding the need for focusing on site security and protecting your project from hackers and other malicious beasts will become a priority.
Unfortunately, the world we live in, WordPress become a bit more vulnerable simply because of how popular the project has become. Fortunately, since the community is continuously growing and sticks together in both good times and bad, many resources are now available to help secure - or often what we call harden - your WordPress install.
Here's a few steps that every WordPress beginner should take - at the very least - to secure their WordPress install.
1. Install and Active the Limit Login Attempts plugin.
One common way for attackers to get into your WordPress fortress is to simply continue to guess your username and password and walk in through the front door. Using the Limit Login Attempts plugin is a lot like your bank's website password security. If the wrong password combination is entered incorrectly, you will be kicked out for a certain period of time and the website admin (probably you) will receive an email notifying them of the potential breach. If you see a common pattern by a particular IP address(es), then block the IP addresses in your site's .htaccess file. [View Limit Login Attempts on WordPress.org]
2. Keep WordPress up-to-date.
So often, someone will come to me for WordPress help and we login to their site and they are still working on WordPress version 2.x. Please, Please, PLEASE! Keep your WordPress core software up-to-date. Oftentimes, when you see a new update, it contains security patches based on identified vulnerabilities. This is super important and typically only takes a few seconds to complete the update. Also, make sure you keep an eye on your themes and plugins for updates as well!
3. Limit the number of "administrator roles" to assigned to users.
If you have multiple users to your WordPress site, say a few people in your business, then only one or two of you should have "full admin rights". While politically, this might seem unfair for other co-workers, it will help keep things safe should someone's account in your organization get compromised. Also, enforce strong passwords as much as possible.
4. Backups are vital for recovery.
Having a fresh backup of your WordPress site can save a bunch of headache when recovering a compromised site. Here's some tips on a recent posts I wrote on backing up your WordPress site.
5. Deploy a firewall solution.
If your site has been compromised, you're welcome to contact me for help. Most likely, I will refer you to a company called Sucuri Security to clean up the mess. In addition to their reactive services (that has come in handy a few times for me), I also recommend their new proactive solution called CloudProxy Firewall. For a few bucks a month, this service not only protects your site from intruders, it speeds things up for ordinary visitors as well! Works with any type of hosting account as well. #peaceofmind!