Securing your WordPress installation against hackers means you have to look at areas beyond your installation itself. Don’t leave other doors open.
If a hacker is absolutely determined to get into your site they’re probably going to succeed. But you can protect your WP installation from the mass bot hackers with a few common sense precautions.
Here are some steps you can take:
Firstly, make sure you keep your version of WordPress up to date.
In addition to that, I’ve changed my login name from admin to something else (long and complex), made sure my password is as strong as I can make it, put an extra layer of security around the wp-admin directory, created a blank index.html file to hide the plugins I’m using, and taken a few other steps.
There are a number of good plugins that will carry out those steps and continuously monitor your blog for security vulnerabilities. I do recommend you install one of these – and keep it up to date!
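As an added example (not the author's code or any plugin's), this Python script checks a local copy of the site, such as a weekly backup, for plugin, theme and upload directories that have no index file, and can add a blank index.html to them. The function names are hypothetical and the default wp-content layout is assumed.

```python
"""Audit a local copy of a WordPress tree for directories a web server could list."""
from pathlib import Path

# Files that stop a web server from auto-generating a directory listing.
GUARD_FILES = ("index.html", "index.htm", "index.php")
# Assumption: the site uses the default WordPress directory layout.
DEFAULT_ROOTS = ("wp-content/plugins", "wp-content/themes", "wp-content/uploads")


def unguarded_dirs(wp_root, roots=DEFAULT_ROOTS, depth=1):
    """Return directories under `roots` (down to `depth` levels) with no index file."""
    wp_root = Path(wp_root)
    missing = []
    for rel in roots:
        top = wp_root / rel
        if not top.is_dir():
            continue  # directory absent in this copy; nothing to check
        stack = [(top, 0)]
        while stack:
            d, level = stack.pop()
            if not any((d / name).is_file() for name in GUARD_FILES):
                missing.append(d.relative_to(wp_root).as_posix())
            if level < depth:
                stack.extend((c, level + 1) for c in d.iterdir()
                             if c.is_dir() and not c.is_symlink())
    return sorted(missing)


def add_blank_index(wp_root, rel_dirs):
    """Create an empty index.html in each listed directory; never overwrite."""
    wp_root = Path(wp_root)
    created = []
    for rel in rel_dirs:
        target = wp_root / rel / "index.html"
        try:
            target.open("x").close()  # mode "x" fails if the file already exists
            created.append(target.relative_to(wp_root).as_posix())
        except FileExistsError:
            pass
    return created


if __name__ == "__main__":
    import sys
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    for d in unguarded_dirs(root):
        print("no index file:", d)
```

A blank index file only suppresses the directory listing; files at known paths inside the directory are still served if requested directly.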
The risk increases in line with the number of users to whom you give access rights. I don’t have guest bloggers, but if I did I’d ask them to send me their articles for posting, instead of giving them access rights. I also don’t ask people to register.
But there are some areas that people often overlook, and which allow hackers to get access to your WordPress installation via your FTP details.
If you’re not using SFTP (or Secure Shell Access if your hosting provider doesn’t support SFTP) then your FTP login details are being transmitted across the Internet in the clear every time you log on and upload/download stuff. I back up my blog system files each week by copying everything back to my PC. Since this takes around an hour, there’s plenty of opportunity for someone to intercept my FTP details.
Well, as I said above, if a hacker really decides to hack your WordPress site he/she will probably succeed. Unfortunately, there are a lot of bad people out there who are trying very hard to ruin your website by hacking it and attacking it. If by any chance you got hacked, or you think that your website may be infected, you should find a service that cleans up hacked WordPress websites as soon as possible, and then finally secure your WordPress site properly.
Also, of course, you could have spyware on your machine which would pick up your FTP logins from there. (Along with all your other logins!)
Make sure you include your entire PC environment when you’re putting security in place – not just your WP installation.
In addition to all those WP specific precautions, make sure your PC is absolutely clean (use a good anti-spyware application and scan it regularly) and use SFTP or Secure Shell Access to upload/download stuff from your server.