But that's not the end of it. WordPress users (ie, you) have to do their part too to keep their WP installations secure. For example, when a new security release is available it's up to users to make sure they update the WP version on their sites. Why? Because as soon as a new version is available hackers will target sites which don't update.
You can make your life easier by making sure your WP auto-updates. This includes Plugins and Themes. You can set each of these to self-update. But make sure your hosting account has enough space to perform the updates. Typically you need around 80MB of quota to allow an update to take place.
WordPress comes with a rich variety of Plugins and Themes that you can choose from, giving you a wide choice of look, feel and functionality for your site. But be cautious. Check to see if what you are installing is actively supported. When was it last updated? Is it compatible with the latest WP version? Are there any reported problems with the software?
The first Plugins you should consider are security plugins. We recommend the WordFence and iThemes Security plugins. These give a combination of active (ie looking for malicious activity) and passive (recommend changes to your settings) ways of increasing the security of your WordPress installation.
Our 'Top Tips' of setting changes you can employ are:
- Disable directory browsing - don't allow hackers to see what you've installed
- Disable XML-RPC - this is a way into WordPress used by some tools, but should be blocked if you don't need it (which is the case with most users)
- Don't use 'admin' as your administrator username
- Use unique and strong passwords - don't use the same password everywhere, as once it's compromised all your logins are vulnerable
- Limit failed login attempts - block users after, say, three failed login attempts
- Hide important files, eg wp-config.php and .htaccess by adding code into your .htaccess file
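Several of these tips can be applied from WordPress itself without a security plugin. The must-use plugin below is an added example written for this article, not code from WordPress, WordFence or iThemes; it uses only standard WordPress hooks (`auto_update_plugin`, `auto_update_theme`, `xmlrpc_enabled`, `wp_login_failed`, `authenticate`, `wp_login`, `admin_notices`). The `HT_` constants, the `ht_` helper names and the three-attempt / fifteen-minute lockout values are assumptions you can change.

```php
<?php
/**
 * Plugin Name: Hardening Tips (added example, not part of the original article)
 * Description: Applies the auto-update, XML-RPC, login-limit and 'admin' username tips.
 * Install: save as wp-content/mu-plugins/hardening-tips.php; mu-plugins load automatically.
 */

// Tip: auto-update core (minor/security releases), plugins and themes.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// Tip: disable XML-RPC; most sites never need it.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Tip: limit failed login attempts. Both values are assumptions; tune them for your site.
const HT_MAX_ATTEMPTS    = 3;        // block after this many failures from one address
const HT_LOCKOUT_SECONDS = 15 * 60;  // how long the block (and the failure counter) lasts

function ht_client_ip() {
    // REMOTE_ADDR is set by the web server. Only trust X-Forwarded-For if you sit behind a
    // proxy you control, otherwise a client can spoof it and dodge the counter.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
}

function ht_attempt_key() {
    // One transient per client address; md5 keeps the option name short and safe.
    return 'ht_failed_' . md5( ht_client_ip() );
}

// Count each failure in a transient that expires with the lockout window.
// Attempts made while locked out also fail and therefore extend the window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ht_attempt_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, HT_LOCKOUT_SECONDS );
    if ( $count >= HT_MAX_ATTEMPTS ) {
        // Log the lockout so it shows up in the server error log for review.
        error_log( sprintf( 'WP login lockout for %s after %d failures', ht_client_ip(), $count ) );
    }
} );

// Refuse authentication while the client is locked out. Priority 30 runs after
// WordPress's own username/password checks, so a correct password is still rejected.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( ht_attempt_key() ) >= HT_MAX_ATTEMPTS ) {
        return new WP_Error( 'ht_locked_out', 'Too many failed login attempts. Please try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function () {
    delete_transient( ht_attempt_key() );
} );

// Tip: don't use 'admin' as the administrator username. WordPress cannot rename a user,
// so warn administrators in the dashboard while an account with that login still exists.
add_action( 'admin_notices', function () {
    if ( current_user_can( 'manage_options' ) && get_user_by( 'login', 'admin' ) ) {
        echo '<div class="notice notice-warning"><p>An account named <code>admin</code> exists. '
           . 'Create a new administrator with a different username, log in as that user, '
           . 'then delete the <code>admin</code> account and reassign its posts.</p></div>';
    }
} );
```

The two remaining tips, disabling directory browsing and hiding `wp-config.php` and `.htaccess`, are web-server settings rather than WordPress settings, so they still belong in `.htaccess` (for Apache, `Options -Indexes` plus a `<Files>` block that denies access to those two names). If your site sits behind a reverse proxy or CDN, every visitor will share the proxy's `REMOTE_ADDR`, and the counter above would lock everyone out together; adjust `ht_client_ip()` to read the proxy's forwarded-address header only in that case.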