Recently, more and more sites have been getting infected with malware by automated scripts, usually because of weak passwords or WordPress installs that have not been kept up to date. Here are a few tools and tips we recommend to better secure your WordPress site.

First, start using a strong but memorable (so you’ll actually use it) passphrase for each site login. See this xkcd comic first to understand the point: http://xkcd.com/936/ Then go here to help you choose a nice, easy to remember, yet very strong passphrase: http://passphra.se/ I add the site name to the end, so the passphrase is different per site (in case one site gets hacked), e.g. “four buckets fly facebook”
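The strength of a word-based passphrase comes from picking the words at random from a large list, not from the words themselves. The following is an added example (not code from this post or from the passphra.se site) that draws words with the operating system's CSPRNG and computes how many bits of entropy a given list size and word count give you. The 32-entry word list is constructed for the demo; a real list such as the EFF long list has 7776 words.

```python
import math
import secrets

# Constructed demo word list (32 entries). The list size sets how many bits each word
# contributes: log2(32) = 5 bits here, log2(7776) ~= 12.9 bits for a 7776-word list.
WORDS = [
    "apple", "bucket", "camera", "desert", "engine", "forest", "garden", "hammer",
    "island", "jacket", "kettle", "ladder", "magnet", "needle", "orange", "pencil",
    "quartz", "rocket", "saddle", "tunnel", "umpire", "velvet", "walnut", "yogurt",
    "zipper", "anchor", "bridge", "candle", "dragon", "falcon", "glacier", "harbor",
]


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of a passphrase of n_words words drawn uniformly at random
    (with replacement) from a list of list_size words."""
    return n_words * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of list_size words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(list_size))


def make_passphrase(words, n_words: int = 4, separator: str = " ") -> str:
    """Pick n_words uniformly at random with the OS CSPRNG. random.choice() is not
    suitable here: Mersenne Twister output can be reconstructed from a few samples."""
    return separator.join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    print("demo passphrase:", make_passphrase(WORDS))
    for size, n in [(32, 4), (2048, 4), (7776, 5)]:
        print(f"{n} words from a {size}-word list: {entropy_bits(size, n):.1f} bits")
    print("words from a 7776-word list for 64 bits:", words_needed(7776, 64))
```

Four words from a 2048-word list give 44 bits (the figure in the xkcd comic); to reach 64 bits you need five words from a 7776-word list or six from a 2048-word list. Words you choose yourself, or a single passphrase reused with a predictable suffix, do not get the full count.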

Wordfence is amazing; go get its free WordPress plugin installed ASAP. It is a great preventative service and blocks exploit attempts against a large number of specific WordPress core, plugin, and theme vulnerabilities. I recommend disabling automatic scanning after your first clean scan, as it can run quite frequently and can affect site performance in some cases.

Clean out old, unneeded core files with the help of this free WordPress plugin: http://wordpress.org/extend/plugins/old-core-files/ It removes files left behind by earlier WordPress versions that may still be vulnerable to attack.

Limit failed login attempts so automated password guessing gets locked out. There’s a free plugin for that, too: http://wordpress.org/extend/plugins/limit-login-attempts/ It temporarily blocks an IP address after a set number of failed logins. If you go further and restrict the login page to specific IP addresses (for example with a web server rule), be sure you don’t lock yourself out if your home IP address changes; define several allowed IPs in case one stops working.
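The part of a login limiter that is easy to get wrong is deciding which address a failed attempt is charged to: if the limiter trusts an X-Forwarded-For header from anyone, an attacker sends each guess with a fresh header value and is never locked out. The following is an added example (not the plugin's code) of a per-IP lockout with a rolling failure window and a client-IP resolver that honours X-Forwarded-For only when the TCP peer is one of your own proxies. The trusted proxy range, the 4-retry limit and the 20-minute lockout are assumed values for the demo.

```python
import ipaddress
import time
from typing import Optional

# Assumed: address ranges of your own reverse proxy or CDN. Only a peer in these
# ranges may set X-Forwarded-For; from anyone else the header is attacker-controlled.
TRUSTED_PROXIES = [ipaddress.ip_network("10.0.0.0/8")]


def _is_trusted(ip) -> bool:
    return any(ip in net for net in TRUSTED_PROXIES)


def client_ip(remote_addr: str, x_forwarded_for: Optional[str] = None) -> str:
    """Return the address a login attempt is charged to.
    The header is used only when the TCP peer is a trusted proxy; the real client
    is then the rightmost hop that is not itself one of our proxies."""
    if not _is_trusted(ipaddress.ip_address(remote_addr)) or not x_forwarded_for:
        return remote_addr
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return remote_addr  # malformed header: fall back to the peer address
        if not _is_trusted(ip):
            return str(ip)
    return remote_addr


class LoginLimiter:
    """Lock an IP out after max_retries failures inside a rolling window.
    Defaults (4 retries, 20-minute lockout) are assumed for illustration."""

    def __init__(self, max_retries: int = 4, lockout_seconds: int = 20 * 60, clock=time.time):
        self.max_retries = max_retries
        self.lockout_seconds = lockout_seconds
        self.clock = clock            # injectable so tests can drive time
        self.failures = {}            # ip -> list of failure timestamps
        self.locked_until = {}        # ip -> unix time the lockout expires

    def is_locked(self, ip: str) -> bool:
        """Call this before checking the password, so a locked IP costs no work."""
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip: str) -> bool:
        """Register a failed login. Returns True if the IP is now locked out."""
        if self.is_locked(ip):
            return True
        now = self.clock()
        recent = [t for t in self.failures.get(ip, []) if now - t < self.lockout_seconds]
        recent.append(now)
        self.failures[ip] = recent
        if len(recent) >= self.max_retries:
            self.locked_until[ip] = now + self.lockout_seconds
            return True
        return False

    def record_success(self, ip: str) -> None:
        """A successful login clears the failure count for that IP."""
        self.failures.pop(ip, None)


if __name__ == "__main__":
    limiter = LoginLimiter()
    # Constructed attempts: a direct attacker spoofing X-Forwarded-For on every request.
    for i in range(4):
        ip = client_ip("203.0.113.5", f"198.51.100.{i}")
        print(ip, "locked" if limiter.record_failure(ip) else "not yet locked")
```

Because the peer 203.0.113.5 is not a trusted proxy, all four spoofed headers are ignored and the attempts are charged to the real address, which is locked after the fourth failure. Behind a real proxy the same resolver picks the rightmost non-proxy hop, so a lockout never lands on the proxy address and blocks every user behind it.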

To really lock down your site, use the free Google Authenticator WordPress plugin. It adds two-factor authentication: a time-based one-time code, like the codes generated by the hardware key-fob tokens some companies issue, except it’s an app on your smartphone: http://wordpress.org/extend/plugins/google-authenticator/

Share your favorite security plugin, tip, or story in the comments, we’d love to hear from you.