WordPress isn't completely secure out of the box. There are extra configuration steps to protect your website from intruders.
The most commonly missed items:
– Exposing your WordPress version number
– Exposing your usernames to the world so anyone can see them
– Not blocking repeated login failures (These are usually attempts to break in)
– Not hiding or renaming the login page
– Leaving the WordPress core files and plugin files outdated. They need to be kept current to close known security holes
– Not renaming the WordPress database tables
Properly securing a WordPress website includes installing 3 security plugins and configuring the core WordPress files to be updated automatically.
Why hide your wordpress version number?
This goes along with: why keep WordPress files and plugin files up to date?
There are mixed opinions on this. One viewpoint is – who cares. The other is – if someone wanted to break into your website, one of the easiest ways is to use a known security hole or back door. These vulnerabilities are well known in older versions of the core WordPress files and plugins. So don’t help sinister people by telling them which version of WordPress you are using. Also, keep your WordPress files and plugins up to date, to immediately close those known vulnerabilities.
Why hide your usernames?
By exposing your usernames you are giving away half the keys to your website. All someone needs now is to guess your password and they are in. There are lots of tools out there, running 24/7 just to try various passwords in order to break in.
Why stop or block login failures?
If it’s you who typed the wrong username or password, no big deal. But password guessing is one of the top ways to break into a website. Even if you are confident that you have a very strong 20+ character password, it’s still a good security practice to stop these repeated login failures. Don’t give anyone a chance at password guessing.
Why rename the WordPress database tables?
There is a type of attack called a SQL Injection, where someone tries to mess up your WordPress database or insert something malicious. They can do it because you used the default database table names. It’s better to rename them to prevent this type of attack.
Why hide the login page?
The ease of using WordPress is also its vulnerability. Everyone knows the default login page is at YourDomain.com/wp-admin. Why leave it open and exposed? It’s better to rename it. That cuts out most of the potential attacks.
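A small must-use plugin (a single file dropped into wp-content/mu-plugins/) that covers the version leak, username exposure, automatic plugin updates and repeated login failures discussed above. This is an added example, not code from the original post or from any of the security plugins it recommends; the failure threshold, lockout length, transient names and the use of REMOTE_ADDR are assumptions, and renaming the login page and the database table prefix are still done separately (the prefix in wp-config.php at install time).

```php
<?php
/**
 * Plugin Name: Hardening example (added example, not from the original post)
 * Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
 */

// 1. Stop advertising the WordPress version in <head> and in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Keep plugins current automatically (core auto-updates are set
//    with WP_AUTO_UPDATE_CORE in wp-config.php).
add_filter( 'auto_update_plugin', '__return_true' );

// 3. Block username enumeration via /?author=N redirects...
add_action( 'template_redirect', function () {
    if ( isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );
// ...and via the public REST user listing for anonymous visitors.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 4. Lock out a client after repeated login failures (thresholds are assumptions).
const HARDEN_MAX_FAILURES    = 5;        // failures allowed...
const HARDEN_LOCKOUT_SECONDS = 15 * 60;  // ...before a 15-minute lockout.

function harden_client_key() {
    // REMOTE_ADDR is only trustworthy when no reverse proxy sits in front.
    return 'harden_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? 'unknown' );
}

add_action( 'wp_login_failed', function () {
    $key   = harden_client_key();
    $fails = (int) get_transient( $key ) + 1;
    set_transient( $key, $fails, HARDEN_LOCKOUT_SECONDS ); // counter expires with the lockout
} );

// Priority 30 runs after WordPress's own password check (priority 20), so a
// locked-out client gets an error even when the password happens to be right.
add_filter( 'authenticate', function ( $user ) {
    if ( (int) get_transient( harden_client_key() ) >= HARDEN_MAX_FAILURES ) {
        return new WP_Error( 'too_many_failures', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );
```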