Open source software is the greatest invention since sliced bread. A group of highly skilled developers work to improve a program and share it universally. This level of collaboration often produces the most advanced software. WordPress is no different and, with its plugins, is probably the best open source script available.
The problem with open source is that hackers have complete access to every version of the code and can study it for ways to break in. Many of these hackers cause only minor damage. Others wreak havoc, use your site to send spam, and steal valuable information.
Many WordPress security experts look for reports of hacking and attempt to replicate the attack. Once they have worked out how it succeeds, they develop a fix and a new version of WordPress is released. If you do not update your site, it is more than likely open to that attack.
If the file permissions on your server are set correctly, you can upgrade automatically from within WordPress without having to FTP any files manually. Just click “Upgrade Automatically” and watch the magic happen. Back up the database and files first; an upgrade that fails halfway is far easier to recover from with a copy in hand.
Hide your WordPress version
As a WordPress security hole becomes widely known, bots start trawling the Internet for WordPress sites still running the vulnerable version. WordPress prints its current version into the head section of every page as a generator meta tag, which is exactly what those bots look for. Fortunately, there is an easy way to remove this version number. Keep in mind that hiding it is no substitute for updating; it only stops the site advertising that it is behind.
Just paste this code into the functions.php file of your theme.
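The snippet the article refers to is not on this page. What follows is an added example, not the author's code: it uses WordPress core hooks (remove_action, add_filter, the_generator, style_loader_src, script_loader_src, get_bloginfo, remove_query_arg) to remove the version from the head, from feeds and from core asset URLs. The example_ function names are this example's own, and it assumes it is pasted inside the existing <?php block of functions.php.

```php
// Added example (not the article's snippet): paste inside your theme's
// functions.php, below its opening <?php tag. remove_action, add_filter,
// the_generator, style_loader_src, script_loader_src, get_bloginfo and
// remove_query_arg are WordPress core APIs; the example_ names are ours.

// 1. Drop <meta name="generator" content="WordPress x.y.z" /> from <head>.
remove_action('wp_head', 'wp_generator');

// 2. The same version string is printed into RSS/Atom feeds through the
//    the_generator filter; returning an empty string silences it there too.
function example_hide_generator($generator, $type) {
    return '';
}
add_filter('the_generator', 'example_hide_generator', 10, 2);

// 3. Core stylesheets and scripts are enqueued as .../file.css?ver=<version>.
//    Strip the ver argument only when it equals the running core version, so a
//    plugin's own cache-busting version numbers are left alone.
function example_strip_core_version($src) {
    $query = parse_url($src, PHP_URL_QUERY);
    if (!$query) {
        return $src;
    }
    parse_str($query, $args);
    if (isset($args['ver']) && $args['ver'] === get_bloginfo('version')) {
        return remove_query_arg('ver', $src);
    }
    return $src;
}
// Late priority so the filter runs after plugins have built their URLs.
add_filter('style_loader_src', 'example_strip_core_version', 9999);
add_filter('script_loader_src', 'example_strip_core_version', 9999);
```

After saving, view the source of a page and a feed and search for "generator" and "ver=" to confirm the version is gone. WordPress also ships readme.html in the web root, which states the version in plain text, and it is restored by every upgrade package, so delete it again after each upgrade.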
Don’t use the default admin login name
A brute force attack uses a script that tries many passwords in turn against the login form, often drawn from a dictionary of common passwords. Attacks on WordPress assume “admin” is the username because it is the default, which leaves the attacker only the password to guess.
Most users do not change the default admin user name when installing WordPress. Scriptacular and the other one-click installers bundled with cPanel install WordPress automatically and ask what name to use for the administrator. Always use a nickname for your admin username. Alternatively, if you upload WordPress and walk through the installer yourself, you can choose your username there as well.
If you are already using admin as your login name, you cannot change it from within WordPress, so you will have to do a little MySQL editing. (The route that avoids touching the database is to create a second administrator account under a new name, log in as it, and delete the admin account, reassigning its posts to the new user when prompted.)
Just open phpMyAdmin, back up the users table, and run this statement, replacing wp_ with your table prefix if you changed it at install time and 'username' with the new login:
UPDATE wp_users SET user_login = 'username' WHERE user_login = 'admin';
Don't use your display name as the login name either. For example, I would not use “Jason” or “Capshaw” as my admin login name. I would use a nickname that would not be displayed on the blog. Bear in mind that author archive URLs (/author/name/) expose the user_nicename column, which defaults to the login when the account is created, so change that column in the same table too if the login is to stay hidden.
Don’t use a WordPress generated password
This builds on the last tip. Because WordPress is open source, anyone can read the function that generates its automatic passwords and learn the exact alphabet and length it produces. That does not let an attacker reproduce your password, since the generator draws its characters at random, but it does tell him precisely which space of candidates to search.
How much that matters depends on the size of that space. A short password drawn from a small alphabet, such as a six-character string of hexadecimal digits, has only a few million possible values and can be exhausted quickly, especially offline against a leaked password hash; twelve or more characters mixing letters, digits and symbols put the count far beyond reach. Combine the username “Admin” with a short generated password and the attacker already holds half the credential and a short list for the other half: a world of hurt.
Create a random password using symbols, letters and numbers, and make it long. You can also use a password generator to create your next password. I like this generator because it provides you with the password plus a way to remember it with a sentence.
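To make the search-space argument concrete, here is an added example in plain PHP that is not the author's code: it computes how many candidates an attacker must try for a given alphabet and length, how long that takes at two assumed guess rates, and then generates a password with random_int(), PHP 7's CSPRNG-backed integer function. The alphabets, the guess rates and the example_ names are this example's own assumptions, not anything taken from WordPress.

```php
// Added example, not from the article. Plain PHP 7+, no WordPress dependency.
// The character classes, lengths and guess rates below are illustrative
// assumptions chosen to show the effect of alphabet size and length.

// The four classes the recommendation asks for: symbols, letters and numbers.
function example_alphabet_classes() {
    return array(
        'abcdefghijklmnopqrstuvwxyz',
        'ABCDEFGHIJKLMNOPQRSTUVWXYZ',
        '0123456789',
        '!@#$%^&*()-_=+[]{};:,.?',
    );
}

// Distinct passwords of $length symbols drawn from an alphabet of $alphabet_size.
function example_search_space($alphabet_size, $length) {
    return pow($alphabet_size, $length);
}

// Worst-case time to try every candidate at a given guess rate.
function example_seconds_to_exhaust($alphabet_size, $length, $guesses_per_second) {
    return example_search_space($alphabet_size, $length) / $guesses_per_second;
}

// Every character is chosen uniformly with random_int(); the loop discards any
// draw lacking a lowercase letter, an uppercase letter, a digit or a symbol,
// so the result really does mix all four classes.
function example_generate_password($length = 16) {
    $classes = example_alphabet_classes();
    if ($length < count($classes)) {
        throw new InvalidArgumentException('length must be at least ' . count($classes));
    }
    $alphabet = implode('', $classes);
    $last = strlen($alphabet) - 1;
    do {
        $password = '';
        for ($i = 0; $i < $length; $i++) {
            $password .= $alphabet[random_int(0, $last)];
        }
    } while (!example_has_every_class($password, $classes));
    return $password;
}

// strpbrk() returns false when none of the class's characters occur.
function example_has_every_class($password, array $classes) {
    foreach ($classes as $class) {
        if (strpbrk($password, $class) === false) {
            return false;
        }
    }
    return true;
}

// Assumed rates: a slow online attack against wp-login.php versus an offline
// attack against a leaked password hash on commodity hardware.
$rates = array('online' => 10.0, 'offline' => 1.0e9);
$mixed = strlen(implode('', example_alphabet_classes()));
$cases = array(
    'hex, 6 chars'    => array(16, 6),       // short string of lowercase hex digits
    'mixed, 12 chars' => array($mixed, 12),  // all four classes above
    'mixed, 16 chars' => array($mixed, 16),
);
foreach ($cases as $label => $case) {
    list($alphabet, $length) = $case;
    printf("%-16s %.3g candidates", $label, example_search_space($alphabet, $length));
    foreach ($rates as $name => $rate) {
        printf("  %s: %.3g s", $name, example_seconds_to_exhaust($alphabet, $length, $rate));
    }
    echo "\n";
}

echo example_generate_password(16), "\n";
```

The six-character hexadecimal case comes to about 16.8 million candidates, which the offline rate clears in a fraction of a second; the twelve-character mixed case is on the order of 10^23 and is out of reach at either rate. The rejection loop in example_generate_password is what makes the "symbols, alpha and numeric" advice hold on every run rather than merely on average, and random_int() is the right primitive because rand() and mt_rand() are not cryptographically secure.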