First, let me say I am no WordPress expert. I can set it up and make my way around it to do the things I want to do, like this blog and my other blog playingwithpython.com. Being a network/systems guy, I’m always worried about security. With WordPress there are a few concerns I had that are nicely addressed by a couple plugins that I think everyone should have.
1. Many sites are used to spread malware without even knowing it. To protect against this, you can use WordPress File Monitor Plus. This plugin scans your site for changed files and alerts you when something has been altered. You can then clear the alert if it is OK, or take action to correct your site. Another plugin Wordfence keeps a copy of every WordPress version and every theme on their servers, and they scan your installation comparing it against their database to see if any files have been changed or tampered with. If you alter a file, you can tell it to ignore that change until it changes again. They also scan for many of the known malware.
2. Unlimited login attempts. By default, WordPress allows unlimited login attempts, so anyone can sit there and pluck away trying to get into your site. Hopefully, you have a strong password, but if you have multiple users, do you know for sure everyone does? Also, if there are no limits on logins, it might not matter how good your password is if a hacker has unlimited attempts to figure it out. To address this, you can load the plugin Limit Login Attempts or Wordfence. Both have settings where you can specify how many bad attempts are made before an account is locked. Both have minor differences in the options, but both are much better than allowing someone to keep trying to get into your site.
3. Lastly, it’s probably worth changing the default wp-admin login page. This may not seem like a big issue, but it’s just another layer to avoid someone possibly login into your site. I found a few pages showing how to do this by editing .htaccess, wp-config.php, etc, but that seems like a bit much for something that should be fairly simple, not to mention I couldn’t get it to work (wawawawa). Instead I opted for the plugin, Stealth Login Page. This plugin lets you mask your wp-admin login page. You specify a url to redirect users who attempt to access http://yoursite/wp-admin. For instance, you can redirect them back to your main page. After that, you specify a question and an answer. This will make up the url you will use to actually get to the login page. For example, if your question is “whoami” and the answer is “nobody”, you’re login page would be http://yoursite/wp-login.php?whoami=nobody.
As you can see these are just a few low hanging fruits in the security picture, but I think they’d help secure your site fairly well. Wordfence does a lot more than what is mentioned here, including scanning your site for various vulnerabilities. By using number 2 and 3 together, you not only force someone to guess your password, but they’d also have to guess your question and answer.
If you have any other solutions or WordPress security concerns, I’d be interested in hearing them in the comments.