10 Common WordPress Security Holes and HOW TO Avoid Them

Almost 20% of the web is powered by WordPress, and that figure keeps growing. Believe it or not, 40% of all hacks and exploits target WordPress.

WordPress opens many doors for exploitation, while a simple HTML page can only be hacked by gaining access to the web hosting account.

Use an updated version

WordPress is often called the most secure CMS platform. That may be so, but it doesn't mean it has zero vulnerabilities. Look at the official change logs: you will see at least one security fix in every version update.

WordPress has an ethical hacking team that hunts down vulnerabilities and security exploits and releases fixes in the next update. So it's always advisable to run the latest version, to avoid leaving your blog exposed to already-known exploits.

If you wish to use an older version, make sure your blog doesn't publicly display its WordPress version.

Remove Version Information from Page source

Include this code in your theme's functions.php file:

// Stop WordPress from printing the generator meta tag (which reveals the version) in <head>
remove_action('wp_head', 'wp_generator');

Choosing the right Login Credentials

Never use the username 'admin'. Brute force is one of the most popular techniques used to hack WordPress blogs, and using the username 'admin' makes that process far easier than you might imagine.

Either delete the account associated with the 'admin' username or change the username manually in MySQL (WordPress doesn't allow username modification).

Always choose a complex password that mixes several characters, numbers and letters, which makes brute forcing virtually impossible. Write the password down somewhere secure; do not store it on virtual devices. Never use the same password for your blog, hosting account and SQL database.

More importantly, keep your domain account the most secure of all. Hacked files and databases can easily be recovered from backups, but once your domain account is compromised, you can kiss your site goodbye.

Look Out for Common Vulnerabilities

There are several exploits that enable SQL injection and other techniques even through small snippets of code. Take the timthumb.php script as an example: many failed to install the updated version of that snippet and got SQL injected.

Stay up to date on WordPress vulnerabilities by following security blogs.

MySQL Table Prefix

WordPress by default installs MySQL tables with the prefix 'wp_'. It's advisable to use a different prefix for better security.

Before installation, change the value of the table prefix in the wp-config.php file from 'wp_' to something else. If you are using a script installer like Fantastico or Easy Install, you can change it easily during the installation.

Login LockDown

As I've mentioned earlier, brute force techniques involve trying every possible combination until your password is found. The Login LockDown plugin limits the number of unsuccessful logins from a visitor, defeating brute force attempts.
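As an added example (not the Login LockDown plugin's own code), here is a minimal must-use plugin that does the same job: it counts failed logins per client address in a transient and refuses authentication once a threshold is reached. The file location, function names and thresholds are my own assumptions, and it trusts REMOTE_ADDR, so behind a reverse proxy you would first have to resolve the real client address from the proxy's trusted header.

```php
<?php
/*
 * Plugin Name: Simple Login Lockout (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Thresholds are constructed for the example, not taken from the Login LockDown plugin.
 */

define( 'SLL_MAX_ATTEMPTS', 5 );          // failed logins allowed per window
define( 'SLL_LOCKOUT_SECONDS', 15 * 60 ); // how long the address stays locked out

// One transient key per client address (assumes REMOTE_ADDR is the real client).
function sll_transient_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'sll_fail_' . md5( $ip );
}

// Count every failed login; the counter expires after the lockout window.
// Attempts made while locked out also land here, so the window slides forward.
function sll_record_failure( $username ) {
    $key      = sll_transient_key();
    $attempts = (int) get_transient( $key );
    set_transient( $key, $attempts + 1, SLL_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'sll_record_failure' );

// Refuse authentication once the counter has reached the limit. Priority 30 runs
// after WordPress's own username/password check (20), so a later core callback
// cannot overwrite our WP_Error with a WP_User even if the password is right.
function sll_block_if_locked( $user, $username, $password ) {
    $attempts = (int) get_transient( sll_transient_key() );
    if ( $attempts >= SLL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'sll_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', SLL_LOCKOUT_SECONDS / 60 )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'sll_block_if_locked', 30, 3 );

// A successful login clears the counter for that address.
function sll_clear_on_success( $user_login, $user ) {
    delete_transient( sll_transient_key() );
}
add_action( 'wp_login', 'sll_clear_on_success', 10, 2 );
```

Because the lockout message is returned through the authenticate filter, it shows on the standard login form and also covers XML-RPC logins, which use the same filter.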
