I’m not going to give away all of my techniques, but I have a few things that make a WordPress site a little harder to hack, at least for the script-kiddies. Click on the photo to the left for a more comprehensive book on the subject.
A script-kiddie is someone who doesn’t really have any in-depth knowledge of hacking, but has purchased a script from some black-hat source which uses one or more of the ‘bot networks available to try to hack into someone else’s website — which will probably deliver a payload which was planted by by the black-hat source in addition to whatever the clueless script kiddie is after. Generally, those scripts exploit known security holes. WordPress is usually a bit more secure than most of the other blogging/CMS frameworks, but occasionally, somebody will find (and sell an exploit script for) a hole in it. There’s not a lot of protection against that sort of thing (other than keeping current with updates in WP, themes, and plugins), but most (and most successful) attacks on sites use social engineering, which can be defeated in a fairly straightforward way.
For starters, never install a free theme or plugin from any source other than WordPress.com. Unless, of course, you know how to find and work around encrypted code, in which case you probably already know how to write you own themes and plugins, anyway. Paid themes and plugins are usually less risky, but you should be skeptical of those, too. Next thing you should do is put in an admin account with some name other than “admin,” and give it a strong password.
One of the things I do along that line for all of my blogs is to deliberately set up an account named “admin” with a 40+ character randomly-generated password (which I don’t even bother to save anywhere), and use Google authenticator on it, which means that you have to use a two-factor login. In my experience, that by itself reduces the number of attacks, although I still see brute-force attempts that come in waves from ‘bot-nets. The “admin” account has no role at all assigned, so it if is hacked, the script kiddie won’t be able to actually do anything. The real admin account is named something entirely different, although a knowledgeable hacker can still find it.
Then I put in the “Limit Login Attempts” plugin and set the timeout to 8000 hours. That plugin also give some interesting information on the frequency of attacks. Whenever I see a sudden increase in attacks, I will check the site to see if I’m behind on any updates, and I usually change both the real and fake admin account passwords while I’m there.
Another tactic, which I have not yet implemented (but plan to fairly soon) is to remove all of the references to WordPress. These are used to find WordPress sites so that the script kiddies can narrow the attacks to known WordPress security holes. A similar tactic is commonly advised for Joomla sites (an “unhardened” Joomla site is typically easier to hack than an “unhardened” WP site). It might be fun to put in the various tags and folder names typically used by Joomla, so that the script kiddies will be lulled into using the wrong attacks. That, and the ones specifically searching for my WP sites simply won’t find them.
The comments facility is another common target. I haven’t really decided what to do about that for this blog, but since I don’t really care (for now) about comments, I have some barriers that the typical spammer will not want to climb. If you would like to be a subscriber (so that you can leave comments) to this blog (although I’m not sure why anyone would want to at this point), you will have to use the contact form to request it.