The web has been buzzing with word of recent WordPress attacks. Although this site is hosted on Squarespace, I still run several WordPress sites, which has encouraged me to take note. I've read several articles, and it seems the best advice on how to protect your site boils down to these few points:
- Use good passwords. Make sure each WordPress user has a strong unique password for the site that is rotated frequently. As you know, I'm a fan of 1Password.
- Delete your admin account. It seems most of the attacks are targeting the generic "admin" login. There's really no reason to use this account so delete the account and use another account as your administrator.
- Limit user access. If you have multiple users set up for your site, remember they don't all have to be administrators. Do an audit of the users and their access levels to make sure they're appropriate for your needs.
- Enable 2-step authentication. wpbeginner.com has an excellent post on how to do this using Google Authenticator and it's a lot easier than you may think. I've enabled it for all my sites and have been happy.
- Stay updated. With each update WordPress introduces new patches and bug fixes, so make sure you're running the latest versions.
- Make sure you have a backup. I use WordPress Database Backup to email me a backup of my site on a weekly basis, but there are several automatic backup plugins that will do the job. Find one that fits your needs and set it up.
See, that wasn't so hard.
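The account checks from the "admin" and user-access points above can be scripted. This is an added example, not part of the original post: it assumes WP-CLI is installed and reads the CSV produced by `wp user list --fields=user_login,roles --format=csv`; the function name, the sample users and the threshold of two administrators are constructed for illustration.

```shell
#!/bin/sh
# Audit a WordPress user export for the generic "admin" login and for
# more administrator accounts than expected.
# Input on stdin: CSV with the header "user_login,roles".
# Assumption: logins contain no commas; a user with several roles
# appears as a quoted list, e.g. bob,"administrator,editor".

# Constructed sample data, standing in for real WP-CLI output.
SAMPLE_USERS='user_login,roles
admin,administrator
jane,administrator
bob,"administrator,editor"
carol,author'

audit_wp_users() {
    max_admins="${1:-2}"    # assumed policy: at most this many admins
    awk -F',' -v max="$max_admins" '
        NR == 1 || NF == 0 { next }            # skip header and blank lines
        {
            login = $1
            roles = substr($0, length($1) + 2) # everything after first comma
            gsub(/"/, "", roles)               # drop CSV quoting
            if (tolower(login) == "admin")
                print "FINDING default-login " login
            n = split(roles, r, ",")
            for (i = 1; i <= n; i++)
                if (r[i] == "administrator") {
                    admins++
                    print "ADMIN " login
                }
        }
        END {
            if (admins > max)  print "FINDING too-many-admins " admins
            # Guards against removing "admin" before a replacement exists.
            if (admins == 0)   print "FINDING no-admin"
        }'
}

# Stand-alone run on the constructed sample. On a real site:
#   wp user list --fields=user_login,roles --format=csv | audit_wp_users 2
printf '%s\n' "$SAMPLE_USERS" | audit_wp_users 2
```

The `no-admin` finding matters when retiring the "admin" login: confirm another administrator account exists before deleting it.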