Full disclosure: I'm a big fan of WordPress. It's easy to use, incredibly flexible, and the price point is right where I like it. (That would be "Free.") Those attributes have made WordPress tremendously popular as a platform, but all that traffic is like a magnet for hackers, thieves, and other malcontents.
One of the big dings on WordPress was security. An old joke was, "You're running WordPress? Congratulations. You've been hacked." The good news is that the WordPress core is actually quite secure. The bad news is that there are still plenty of ways that your site and data can be exposed. The better news is that there are plenty of things you can do to reduce your vulnerability.
1. Update, update, update.
The WordPress core is continually getting updates. These updates add features and functionality, but they also patch security flaws. Of course, you have to actually install the update to enjoy its protection. If there's a new version of WordPress available, it will appear in the upper left, under the "Updates" menu item. You can even configure WordPress to automatically apply updates to the core.
2. Change your name.
Yes, you're an admin on your site. No, your username should not be "admin." That's the default username suggested by WordPress during an install. But it's a suggestion you should ignore. To access the admin area of your site, a hacker needs two pieces of info: your username and your password. If the former is "admin", they're already halfway home. Your username should be something far more unique — and far harder to guess.
3. Add some gibberish.
Do you have your password memorized? Then it's a terrible password. A strong password is a soup of numbers, letters, and weird symbols that you can't possibly remember, and the longer, the better. Again, WordPress makes this incredibly simple by generating random passwords from the User Management pane. After you've made your password into a lengthy string of nonsense, get yourself a password manager to remember the nonsense for you. All decent browsers include this functionality, but I strongly recommend a dedicated password manager like 1Password or Dashlane (which I love).
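To make "the longer, the better" concrete, here is an added example (my own illustration, not code from WordPress or from this post) that generates a password the same way a generator should, from the operating system's CSPRNG, and then puts a number on how much work an attacker faces. The alphabet, the 1e10 guesses-per-second rate and the sample passwords are all assumptions constructed for the example.

```python
import math
import secrets
import string

# Alphabet the generator draws from (constructed for this example; WordPress's
# own generator uses a comparable mix of letters, digits and symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 32, alphabet: str = ALPHABET) -> str:
    """Build a password with one uniform pick per character from the OS CSPRNG.
    `secrets` is the right module here; `random` is seeded from predictable
    state and is not designed to resist prediction."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Every extra character multiplies the search space by the alphabet size,
    which is why length buys more than any single clever symbol."""
    return length * math.log2(alphabet_size)


def implied_alphabet_size(password: str) -> int:
    """Upper-bound alphabet size implied by the character classes present.
    For a human-chosen password this is generous (a dictionary word is far
    weaker than 26**len suggests), so treat the result as a ceiling."""
    classes = (
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, len(string.punctuation)),  # 32 symbols
    )
    return sum(size for chars, size in classes if any(c in chars for c in password))


def estimate_entropy(password: str) -> float:
    """Ceiling on the entropy of a given password, in bits."""
    if not password:
        return 0.0
    return entropy_bits(len(password), implied_alphabet_size(password))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every candidate at a given guess rate.
    1e10/s is an assumed figure for an offline attack on a leaked hash;
    online guesses against the login form are many orders of magnitude slower."""
    seconds = 2 ** bits / guesses_per_second
    return seconds / (60 * 60 * 24 * 365)


if __name__ == "__main__":
    # Constructed sample passwords, from "memorizable" to generated.
    for pw in ("password", "Summer2024!", generate_password(16), generate_password(32)):
        bits = estimate_entropy(pw)
        print(f"{pw!r:40} {len(pw):3d} chars  ~{bits:6.1f} bits  "
              f"{years_to_exhaust(bits):.3g} years at 1e10 guesses/s")
```

The entropy figure is a ceiling, not a promise: "Summer2024!" scores well on character classes but is exactly the kind of pattern that cracking wordlists try first, while a generated 32-character string really does sit at the number the formula gives. That gap is the whole argument for letting a generator and a password manager do the remembering.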
4. Update some more.
Since you've stayed with me this far, I have a confession to make: I intentionally saved the most important tip for last. What makes WordPress so incredibly powerful is its extensibility. There is an absolutely massive number of plug-ins to add functionality, features, and ease of use. However, any yahoo can make a plugin. Heck, *I've* made plug-ins, which tells you something about how awful they can be. A sloppily-coded, out-of-date plugin is like a beaded curtain that beckons hackers to come and do whatever nefarious thing a hacker wants to do. So here are a few ways to reduce your level of exposure when it comes to plugins.
- Make sure the plugin is actively updated. At the WordPress repository, you can get info on a plugin, including how recently it's been updated (days or weeks are good; months or years are bad).
- Go with a reputable developer. There are companies who profit handsomely by creating incredibly useful plugins (I'm looking at you, Gravity Forms.) These developers have the resources and motivation to keep their plugins secure. A plugin that was created by some gal you've never heard of, from some place you've never heard of, that was downloaded twice might be less than secure.
- Use it or lose it. If you're not actively relying on a plugin, turn it off, then delete it. That sequence is important because when you delete an active plugin, bad things can happen, and usually do.
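The three checks above are easy to turn into a routine audit. What follows is an added example of mine, not code from this post or from WordPress: it takes a list of installed plugins (the constructed records below stand in for what you'd merge from your site's plugin list and the repository's plugin page) and flags each one that is inactive, out of date, unmaintained, or barely adopted. The 180-day and 1,000-install thresholds and the plugin names are assumptions chosen for the example.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import date

# Thresholds are assumptions for this example, picked to match the rule of
# thumb above: days or weeks since the last release are fine, months are not.
STALE_AFTER_DAYS = 180
MIN_ACTIVE_INSTALLS = 1000


@dataclass
class Plugin:
    name: str
    active: bool                 # status on the local install
    installed_version: str
    latest_version: str          # version currently published in the repository
    last_updated: date           # date of that latest release
    active_installs: int         # adoption figure shown on the repository page


def audit_plugin(p: Plugin, today: date) -> list[str]:
    """Return the findings for one plugin as short tags (empty list = clean)."""
    findings = []
    if not p.active:
        # "Use it or lose it": an inactive plugin's files stay under
        # wp-content/plugins, so a flaw in a script that can be requested
        # directly is still exposed. Deactivate first, then delete.
        findings.append("inactive")
    if p.installed_version != p.latest_version:
        findings.append("outdated")
    if (today - p.last_updated).days > STALE_AFTER_DAYS:
        findings.append("unmaintained")
    if p.active_installs < MIN_ACTIVE_INSTALLS:
        findings.append("low-adoption")
    return findings


def audit(plugins: list[Plugin], today: date) -> dict[str, list[str]]:
    """Map plugin name -> findings for every plugin that has at least one."""
    return {p.name: f for p in plugins if (f := audit_plugin(p, today))}


def format_report(report: dict[str, list[str]]) -> str:
    """Render the audit as one line per flagged plugin."""
    if not report:
        return "all plugins clean"
    return "\n".join(f"{name}: {', '.join(tags)}" for name, tags in sorted(report.items()))


# Constructed sample data; the names are hypothetical and stand in for records
# you would assemble from your own site and the plugin repository.
SAMPLE_PLUGINS = [
    Plugin("forms-pro", True, "2.8.0", "2.8.0", date(2024, 5, 20), 1_000_000),
    Plugin("old-gallery", True, "1.2", "1.4", date(2021, 3, 1), 200_000),
    Plugin("unused-seo", False, "3.1", "3.1", date(2024, 5, 1), 50_000),
    Plugin("tiny-widget", True, "0.1", "0.1", date(2024, 5, 15), 2),
]
TODAY = date(2024, 6, 1)  # fixed "today" so the sample run is reproducible


if __name__ == "__main__":
    print(format_report(audit(SAMPLE_PLUGINS, TODAY)))
```

Run against the sample, the report flags old-gallery as both outdated and unmaintained (its last release is over three years old), unused-seo as a deactivate-then-delete candidate, and tiny-widget for having almost no users, while forms-pro comes up clean. The tags are deliberately coarse: the point is a short list you can act on each time you log in, not a score.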
All of these tips are obvious, but I'm repeating them for a reason. People still make these mistakes. And you don't want to be one of those people.