2. Before installing a WordPress theme or plugin, do a little bit of research about it. For example, before installing a plugin, check how popular it is from the plugin ratings and what people say about it on the WordPress support forums. Check how frequently it is updated, etc.
3. Always update your WordPress installation, plugins and themes. By using the latest version of a particular software you ensure that you are using the most secure and stable version. This does not just apply to WordPress, but to any type of software you use.
4. Trust no one. Before disclosing your WordPress password to a freelancer, make sure you verify who you are speaking to. If need be, ask for a telephone number so you can speak to the person. Before hiring a freelancer, ask your fellow bloggers to see if they can recommend someone.
What smaller measures might you take as additional precautions if you wanted to be ultra careful?
Apart from the above suggestions, which apply to everything you do on the internet and not just to WordPress, there are some other WordPress-specific measures you can apply to beef up the security of your WordPress blog or website.
To start off with, change the default “admin” WordPress username if you are still using it. By doing so you are automatically excluding your WordPress from the most common brute force attacks.
I would also recommend setting up HTTPS for the WordPress dashboard (wp-admin) directory. By accessing the dashboard over https (encrypted HTTP connection) you are ruling out the possibility that a malicious user captures your connection and logs in to your WordPress.
Use WordPress user roles. If you have guest writers who write blog posts but do not publish them, give them a contributor role.
Use a WordPress audit plugin to monitor the activity of WordPress itself and the WordPress users, such as WP Security Audit Log and a WordPress plugin like Old Core Files to delete redundant files from WordPress.
Of course there are many other tweaks you can apply to your WordPress installation to improve its security and ensure you do not fall victim to a malicious hacker attack. But most probably you would be better off if you talk to a WordPress Security Professional, because every WordPress installation is different and everyone has different needs.
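The three concrete measures in the answer above (no default "admin" account, HTTPS enforced for wp-admin, and guest writers limited to the contributor role) can be checked with a small read-only audit. The script below is an added example and is not code from the interview or from Help Net Security. It relies on two real WordPress conventions: the `FORCE_SSL_ADMIN` constant in wp-config.php, which is what makes WordPress serve the dashboard over HTTPS, and the PHP-serialized `wp_capabilities` value stored in wp_usermeta, which holds each user's roles. The config fragments, user rows and the set of guest writers are constructed sample input so the script runs offline.

```python
import re

# Constructed wp-config.php fragments (not from the page): one without and one with FORCE_SSL_ADMIN.
WP_CONFIG_WEAK = """<?php
define('DB_NAME', 'wordpress');
define('WP_DEBUG', false);
"""
WP_CONFIG_HARDENED = WP_CONFIG_WEAK + "define('FORCE_SSL_ADMIN', true);\n"

# Constructed rows as they would come from wp_users joined with wp_usermeta
# (meta_key = 'wp_capabilities'). The value is a PHP-serialized array of role => true.
USERS = [
    ("admin", 'a:1:{s:13:"administrator";b:1;}'),
    ("guest_writer", 'a:1:{s:6:"editor";b:1;}'),
    ("jane", 'a:1:{s:11:"contributor";b:1;}'),
]


def force_ssl_admin_enabled(wp_config: str) -> bool:
    """True only if wp-config.php defines FORCE_SSL_ADMIN as true."""
    pattern = r"""define\(\s*['"]FORCE_SSL_ADMIN['"]\s*,\s*(true|false)\s*\)"""
    match = re.search(pattern, wp_config, re.IGNORECASE)
    return bool(match and match.group(1).lower() == "true")


def roles_from_capabilities(serialized: str) -> set:
    """Extract role names that are set to true in a serialized wp_capabilities value."""
    pairs = re.findall(r's:\d+:"([^"]+)";b:(\d);', serialized)
    return {name for name, flag in pairs if flag == "1"}


def audit(wp_config: str, users, guest_writers) -> list:
    """Return a list of human-readable findings; an empty list means all three checks pass."""
    findings = []
    if not force_ssl_admin_enabled(wp_config):
        findings.append("FORCE_SSL_ADMIN is not enabled: dashboard logins may travel in cleartext")
    for login, caps in users:
        roles = roles_from_capabilities(caps)
        if login == "admin":
            findings.append("default 'admin' username still exists")
        # Guest writers should draft only; anything beyond contributor/subscriber is too much.
        elevated = roles - {"contributor", "subscriber"}
        if login in guest_writers and elevated:
            findings.append(f"guest writer {login!r} has elevated role(s): {sorted(elevated)}")
    return findings


if __name__ == "__main__":
    for finding in audit(WP_CONFIG_WEAK, USERS, {"guest_writer"}):
        print("FINDING:", finding)
```

Run against a real site, the config text would come from the server's wp-config.php and the user rows from the `wp_users`/`wp_usermeta` tables (the table prefix may differ from `wp_`); the checks themselves are the same.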
What popularly suggested measures that you see promoted on the web are of little or no help? Similarly, what suggested measures are blown way out of proportion in terms of their supposed benefits?
I’ve never seen any suggested WordPress security measures that are of little or no help. Every little bit helps. In fact, when we do a WordPress security hardening, we do not just implement solutions and tweaks to keep WordPress safe from malicious attacks. We also think of when a website is hacked and apply changes to try and limit the damage a malicious hacker can do once he or she hacks the WordPress blog or website.