There is a myth among some internet users that WordPress is easier to hack than other CMS software. I always tend to disagree with them. If you are careless, not just WordPress but even Google.com can be hacked. Just like Google and Microsoft, as a webmaster you should take security measures to protect your hosting and your WordPress installation. Also note that if WordPress security were that weak, it wouldn't be powering 25% of the websites online.
Update to Latest Version
Whenever a WordPress core update is released, make sure to update to the latest version. WordPress is mature enough that you needn't worry about them releasing a half-baked, half-tested build. The public release is always stable and future proof. With each release, WordPress fixes multiple security vulnerabilities. If you run the latest version of WordPress, you are less exposed to WP hackers.
The same applies to your plugins and themes. Always update to the latest version. Usually the latest version provides the most robust security features.
Usually WordPress hackers look for the version of the WP installation you are running, and then use the attack method specific to that version.
We all love to have the username Admin, but remember that black hat hackers love to see you using the username admin. When you install WordPress, make sure to use a username that is not admin. Change it to something unique that others can't guess easily. Also create a backup admin user in case of emergency. This backup admin user will come in handy when your site slips from your control. To run the damage control, it's always good to have another admin user as a backup.
The following SQL query will help you change the existing admin username to something else.
-- wp_users assumes the default wp_ table prefix; use your own prefix if you changed it
UPDATE wp_users SET user_login = 'Your New Username' WHERE user_login = 'admin';
It's key to use a unique, hard-to-guess password for your WordPress installation. Also make sure that you never use your spouse's or pet's name as your WordPress username or password. If you are not sure how to create a password, try an online password generator tool.
Learn to hate the WP Prefix
If you are a fan of WordPress then you tend to use the default wp_ prefix with every WordPress installation you do. But it has been observed that it is easy for hackers to figure out the table names of your installation if you keep the default wp_ prefix. I'd strongly recommend changing the prefix to something other than "wp_".
Back up Daily
There are multiple services and plugins available to run a daily backup. As a webmaster you should take a backup of your site. In my opinion, taking a DB dump and the wp-content folder is enough. If your site comes under attack, then having a backup of your DB and the wp-content folder is enough to recover. BackUpWordPress is my favorite plugin for this purpose. The premium version of this plugin even allows you to back up your DB and root folder to Google Drive or Dropbox.
Limit the Number of Login Attempts
If a hacker is trying to gain access to your WP dashboard via some automated method, then you should have a way to prevent this. Again, WordPress has a wonderful plugin for this. Install the Limit Login Attempts plugin and it will take care of the rest.
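To show how this kind of throttling works under the hood, here is an added example of a minimal must-use plugin (my own illustration, not code from the Limit Login Attempts plugin or from the original post). It assumes the client address in REMOTE_ADDR is trustworthy (adjust if you sit behind a reverse proxy) and stores the failure counter in a WordPress transient; the slt_ names and the limits are made up for the example.

```php
<?php
/*
 * Plugin Name: Simple Login Throttle (added example, not a published plugin)
 * Drop this file into wp-content/mu-plugins/ to activate it.
 * Counts failed logins per client IP and refuses authentication once
 * SLT_MAX_FAILS failures have been seen within SLT_WINDOW seconds.
 */
const SLT_MAX_FAILS = 5;                       // assumed limit, tune for your site
const SLT_WINDOW    = 15 * MINUTE_IN_SECONDS;  // lockout / counting window

// Transient key for the requesting client. Behind a proxy REMOTE_ADDR is the
// proxy, so every visitor would share one counter; derive the key from the
// trusted forwarded address in that case. Shared NAT users also share a key.
function slt_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'slt_fails_' . md5($ip);
}

// Every failed login bumps the counter and refreshes its expiry, so a steady
// stream of guesses keeps the lockout alive (blocked attempts count too).
add_action('wp_login_failed', function ($username) {
    $key   = slt_key();
    $fails = (int) get_transient($key);
    set_transient($key, $fails + 1, SLT_WINDOW);
});

// Priority 30 runs after WordPress's own password check (priority 20), which
// would otherwise overwrite an early WP_Error with its own result.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(slt_key()) >= SLT_MAX_FAILS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(slt_key());
});
```

Because the counter lives in a transient, it works on a single server without extra tables; with an object cache it is shared across web nodes automatically.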
Scan for Vulnerabilities
Sorry for suggesting so many plugins. Last but not least, you need to check out the plugin "Acunetix WP Security". This plugin scans your WordPress installation for vulnerabilities and also fixes some of the common flaws in a WP installation. You can read more about this plugin in its description and FAQ page.