Recently there’s been more and more sites getting infected with malware via automated scripts because of weak passwords or insecure non-updated WordPress sites. Here’s a few tools and tips we recommend to secure your WordPress web site better.
First, start using a strong but memorable (so you’ll actually use it) passphrase for each site login. See this kxcd comic first to understand the point: http://xkcd.com/936/ Then go here to help you choose a nice, easy to remember, yet very strong passphrase: http://passphra.se/ I add the site name to the end, so the passphrase is different per site (in case one site gets hacked), i.e. “four buckets fly facebook”
Sucuri is amazing, go get their free WordPress plugin installed ASAP: http://bit.ly/sucuriwp It is a great preventative service. The paid service includes not only monitoring and alerting of malware, but the best part is it includes removal and recovery from malware infestations, no matter how many pages are infected.
Clean out old unneeded core files with help from this free WordPress plugin: http://wordpress.org/extend/plugins/old-core-files/ It removes old files that may still be vulnerable to attack.
Restrict your WordPress login to certain IPs. There’s a free plugin for that, too: http://wordpress.org/extend/plugins/limit-login-attempts/ Just be sure you don’t lock yourself out if your home IP address changes, maybe have multiple login IPs defined, in case one stops working.
To really lock down your site, use the free Google Authenticator WordPress plugin. It acts like a 2-part authentication random code key-ring devices, except it’s an app on your smartphone: http://wordpress.org/extend/plugins/google-authenticator/
Share your favorite security plugin, tip, or story in the comments, we’d love to hear from you.