One of the educational sessions held at the New Media Expo in Las Vegas last week (NMX 2013) was a presentation by Dre Armeda on how anyone can hack into a WordPress site in five minutes. During the session, Dre showed how automated programs can be used to discover your login ID. Then, using a list of common passwords and repeated login attempts, the WordPress site was hacked. While I was somewhat familiar with most of the security measures presented, they are very important for all of us creating and maintaining WordPress sites. I’ll give a brief summary here.
First, the most common cause of a site being hacked is outdated software. Unfortunately, I experienced this firsthand years ago with a Joomla site. I had neglected to update to the current version and paid the price—thank God for backups! The same concept applies to WordPress. Make sure you update to the current version of WP, and keep your plugins updated as well.
Another big security concern is compromised login passwords. The key here is to use your WP admin password as little as possible. You should never use an admin account to create content (posts, pages); the less often your admin password is typed or transmitted, the lower the chance of a malicious program getting hold of it and gaining complete access to your backend WordPress environment. In addition to numbers and special characters, long phrase passwords provide much better security than short ones.
Dre also recommended that all WordPress site owners install the Limit Login Attempts plugin, which blocks automated programs after repeated failed attempts at guessing your password. And of course, always back up your site—especially before and after upgrading to a new version of WordPress. That way you’re sure to have separate copies of your website in a pre- and post-upgrade state.
I really enjoyed this session at NMX 2013. I’d encourage you to check out more stuff from Dre on the Sucuri blog at http://blog.sucuri.net/.