I tend to obsess over WP security. But what should I really worry about? There are two main ways WP sites get hacked:
- By far the most common attempted WP hack is malicious login, in which a bot or bots attempt(s) to log in using lists of common admin usernames and passwords.
- By far the most common successful WP hacks use vulnerabilities in outdated plugins, themes, or WP core.
Update 2019-11-15: There is now a third main way that WP sites get hacked. Site admins are installing the malware on their own sites! See Free Professional Themes and Plugins.
Those are the two biggies, followed distantly by things like hosting vulnerabilities, file permissions, password theft, and phishing.
I want to protect my site against all threats, but I should pay proportionate attention to the two titans.
To protect against malicious logins, I should …
- Use a non-obvious admin username, especially not ‘admin’. Other admin usernames to avoid: ‘account’, ‘administrator’, ‘guest’, ‘letmein’, ‘login’, ‘name’, ‘netadmin’, ‘qwerty’, ‘root’, ‘rootuser’, ‘sysadmin’, ‘test’, ‘user’, ‘username’, ‘webadmin’, ‘webmaster’.
- Use a very strong password
- Limit login attempts
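The third item is the one that needs code rather than a setting, so here is the shape of it: an added example written for this post (not code from the post or from any plugin it mentions) that implements login-attempt limiting as a WordPress must-use plugin. It hooks the core `wp_login_failed`, `authenticate` and `wp_login` hooks and keeps a per-IP failure counter in a transient; the thresholds, the `lal_` prefix and the file name are assumptions.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Description: Counts failed logins per client IP in a transient and refuses
 *              further attempts once a threshold is reached.
 *              Save as wp-content/mu-plugins/login-attempt-limiter.php.
 */

// Thresholds are assumptions for this example; tune them to the site.
define( 'LAL_MAX_FAILURES', 5 );                      // failures before lockout
define( 'LAL_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS ); // lifetime of the counter, i.e. the lockout

function lal_client_ip() {
    // REMOTE_ADDR only. Honouring X-Forwarded-For blindly would let a client
    // choose its own bucket and sidestep the limit; behind a trusted proxy
    // (e.g. Cloudflare) restore the real address at the web-server layer instead.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lal_key( $ip ) {
    return 'lal_failures_' . md5( $ip );
}

function lal_failures( $ip ) {
    return (int) get_transient( lal_key( $ip ) );
}

// 1. Count every failed login from this IP.
add_action( 'wp_login_failed', function ( $username ) {
    $ip    = lal_client_ip();
    $count = lal_failures( $ip );
    if ( $count >= LAL_MAX_FAILURES ) {
        return; // already locked out; do not keep extending the window
    }
    set_transient( lal_key( $ip ), $count + 1, LAL_LOCKOUT_SECONDS );
} );

// 2. Once locked out, reject the login regardless of the credentials.
//    Priority 30 runs after WordPress's own username/password checks (priority 20),
//    so this error overrides even a correct password. At a lower priority the
//    core checks would ignore the error and the lockout could be bypassed.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( lal_failures( lal_client_ip() ) >= LAL_MAX_FAILURES ) {
        return new WP_Error(
            'lal_locked_out',
            sprintf( 'Too many failed login attempts. Try again in %d minutes.',
                     LAL_LOCKOUT_SECONDS / MINUTE_IN_SECONDS )
        );
    }
    return $user;
}, 30, 3 );

// 3. A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lal_key( lal_client_ip() ) );
}, 10, 2 );
```

Because the check sits on the `authenticate` filter, it also covers credential guessing through `xmlrpc.php`, which calls the same core authentication path. Its limit is that the counter is keyed by IP: a botnet rotating addresses gets a fresh allowance per address, which is why the strong password and non-obvious username above still carry most of the weight.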
That should do it. Pretty much everyone agrees on those three best practices. If I am still a bit paranoid – which I am – I can also implement one or more of …
- Hide the login url
- Cloudflare page rule
- Captcha
- Security question(s)
- Second user name and password
- Two factor authentication
I’m a fan of the first two.
To protect against the other biggie … I gotta keep WP, plugins, and themes up to date. I’m a fan of automatic updates. I would rather deal with a rare ‘oops the update broke my site’ than a malicious hack. The alternative is a frequent – at least weekly – manual check and update.
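Opting a site into automatic updates takes one constant and a couple of filters. This is an added example for this post, not the post's own code: a must-use plugin that turns on automatic core, plugin, theme and translation updates, with a hold-back list for the rare plugin that has a history of breaking on update. The file name and the empty `$hold_back` list are assumptions.

```php
<?php
/**
 * Plugin Name: Enable Automatic Updates (added example)
 * Description: Opts the site into automatic core, plugin, theme and translation updates.
 *              Save as wp-content/mu-plugins/enable-auto-updates.php.
 */

// Core. WP_AUTO_UPDATE_CORE is usually set in wp-config.php; the default 'minor'
// takes only security and maintenance releases, true takes major releases as well.
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}

// Plugins: update everything except slugs listed in $hold_back.
// The list is empty here; add a plugin's directory slug if it must be updated by hand.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $hold_back = array(); // hypothetical slugs go here, e.g. 'some-fragile-plugin'
    return ! in_array( $item->slug, $hold_back, true );
}, 10, 2 );

// Themes and translations: always update.
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );
```

The updates run from WP-Cron, so a site whose cron only fires on page views will lag until someone visits; a real system cron hitting wp-cron.php keeps the "at least weekly" cadence honest without anyone remembering to check.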

