one of the most popular web publishing platforms, it means that it's also a popular target for web-based attacks. Most of these attacks are automated and seek out old versions of WordPress, using default settings, vulnerable plug-ins and themes or incorrect file permissions and weak passwords.
easy one and helps put you a little higher than most of the lower hanging fruit. All you need to do is to change the default administrator username and the default table prefix (anything other than wp_) at the time of installation. The simple solution is to always make sure you stay up to date with a current version. The WordPress developers are quick to push out a security fix, so make sure you take advantage of these updates.
ramifications such as losing search engine rankings or being excluded from the search engine results pages altogether. Search engines and anti-virus systems can also alert users that a site is "unsafe". Not a good look!
WordPress has attracted an entire ecosystem of developers and marketplaces. Within these marketplaces (and the broader web) there are vastly varying qualities of plug-ins and themes. I usually recommend users look for popular themes and plug-ins because not only are they most likely to be of a higher quality, but they are also more likely to be updated and supported. Personally, I use a mixture of both free and commercial plug-ins and themes.
get right, and it's a very common reason (along with old versions of WordPress) why sites are exploited. I always get advice from the particular web host on this if I'm unsure and recommend you do the same, since every host can be different. If you're using a package management feature such as cPanel/Fantastico/Easy Apps (where installing WordPress is a one-click process), these options are usually taken care of for you (see http://faq.ventraip.com.au/questions...l+Wordpress%3F). The following assumes that you're managing your own permissions in a shared environment. It's also worth noting that VentraIP also have a "Permission Fixer" which can be handy if you mess things up and need to revert to default permissions (see http://faq.ventraip.com.au/questions...er+error%27%3F).
following files and directories are writable: /.htaccess, /wp-content/uploads/ and /wp-content/themes/name-of-theme (only if you wish to edit the theme in the Dashboard).
of configuring web server options at the directory and file level. On Unix-based systems, files beginning with a period are hidden, so make sure you have your FTP/SCP/SFTP client software set to "show hidden files".
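The permission advice above, as an added example that is not part of the original post: a small POSIX shell script that applies a conservative baseline (directories 755, files 644, wp-config.php 600), audits the tree for the world-writable "chmod -R 777" mistake, and confirms the paths the post lists still allow owner writes. It assumes the host runs PHP as the file owner (suexec/suPHP style shared hosting); the function names and the theme name are my own.

```shell
#!/bin/sh
# Added example, not part of the original post. Assumes the web server runs
# PHP as the file owner (suexec/suPHP style shared hosting), so owner-writable
# is enough for the paths the post lists. If your host runs PHP as a different
# user, ask the host which group or mode they expect instead of guessing.

# Baseline: directories 755, regular files 644, wp-config.php 600 (it holds
# the database password, so no other account on a shared box should read it).
wp_baseline_permissions() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Print every file or directory that is writable by everyone (mode ...7 or
# o+w). This is the classic "chmod -R 777" mistake that lets any other account
# on the host alter your site. Prints nothing when the tree is clean.
wp_find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -002 -print
}

# Verify that the paths the post says must stay writable are still writable
# by the owner after the baseline. Prints any that are not; prints nothing
# when all are fine. Paths that do not exist yet are skipped.
wp_check_required_writable() {
    root="$1"; theme="$2"
    for p in "$root/.htaccess" "$root/wp-content/uploads" \
             "$root/wp-content/themes/$theme"; do
        [ -e "$p" ] || continue
        [ -n "$(find "$p" -maxdepth 0 -perm -200)" ] || echo "$p"
    done
}

# Usage (paths are examples, adjust to your install):
#   wp_baseline_permissions   /home/user/public_html
#   wp_find_world_writable    /home/user/public_html
#   wp_check_required_writable /home/user/public_html name-of-theme
```

Run the audit function before and after the baseline: if it prints anything afterwards, something outside the script (a host-side cron, a plugin's installer) is reopening permissions and is worth a conversation with your host.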
may seem obvious, however, it's commonly overlooked. This applies not only to your WordPress password but to your SFTP/SCP/FTP and hosting account passwords too. Always use long passwords. The longer and more complex the better. I always recommend people think in terms of "passphrases" rather than passwords. A good password management tool is also a great help. Make regular backups of your files and your database. Not if but *when* something goes wrong, a current backup will save your skin. You can get both free and commercial plug-ins (or services, see the next point) that can cater to any backup option you can dream of. Also, only ever use trusted, secure networks and secure protocols for your web and email traffic. Internet kiosks or free wifi may be tempting, but make sure you understand the risks.
that specialise in keeping your WordPress site updated and monitored for security issues, such as VaultPress and Sucuri. There are also hosted WordPress services that offer security and backup options as part of their plans. Also take a look at Wordfence and WebsiteDefender. There are numerous services that provide backup and security scanning, but there is a lot of overlap, so shop around.
use strong passwords, make sure your WordPress installation and configuration is correct, and keep your version of WordPress (including plug-ins and themes) regularly updated. Chris Burgess @chrisburgess