Wait... Hacking wordpress sites?

Start by changing your admin username from admin to something else

I can't give you a 100% guarantee that what I suggest won't still allow hackers to gain entry to your wordpress blog. I run over 100 blogs at this point and time and I make sure my username is not Admin, my passwords are all different for all blogs (a pain I know)

And I use these two free plugins.

WP Security Scan

And

Login Lockdown

I was going to post a link but I don't have enough posts to do so, but you can find them via Wordpress.

Oh ok.. thanks guys... yea i heard about the admin thing... It says you cant change it in my back office though.. is there a way around that? either way im going to upload those plugins now thanks!

Just add another admin user, log in with it and then delete the user 'admin'

Hi - I intend to write a detailed post on my blog within he next couple of days, detailing exactly how I secure all my Wordpress installations. Once it's finished I'll PM you. To date, and I've been working on the internet for 9+ years, I've never had a Wordpress blog hacked, although (unfortunately), the same cannot be said for the few regular websites I've also worked with.

Agree with the rest do not use Admin for the user
And Password are 123456 or some crazy stuff for your pass

try to avoid installing lots of plugins, and always update the plugins you're using

Couple of things to do to protect yourself

1) Use a strong username that is not just "admin"
2) Create a strong 10+ character password with numbers, letters and non-alphanumerical characters
3) Protect each folder with index.html/index.php so that the folder cannot be browsed
4) Backup your website daily
5) Always update the plugins and WordPress installation so that known security holes can be blocked
6) Don't brag that your website is hack-proof (because no website is :-)

goodluck

Something nobody has said, change the Authentication Unique Keys and Salts that are in your config file. Go to https://api.wordpress.org/secret-key/1.1/salt/ and refresh the page a couple of times, then copy and paste it into your config file in the appropriate area.

First of all, the most important is the webhost itself (especially shared hosting). It doesn't matter how good you are protecting the cPanel, if the webhost is weak on the security it will be still hacked.

If the webhost is good, then we can harden with some methods which are already mentioned above.

- Always update the wordpress itself and the plugins, or themes, all of the files whenever updates are available.

- Backup database regularly as well as backup wp-content folder for the images you have uploaded. If you restore your site only with database, you will lose all the images. So wp-content is also important.

To backup, there are plugins, such as wp-backup-manager or wb-db-backup, but to be sure, I backup manually once a week.

-Use other username instead of "Admin". Hide the one for login, and create another one to be displayed for everyone on the site.

- Use other database prefix, avoid using wp_ prefix which can be done actually in the installation of wordpress.

- Avoid a new registration in your site if it isn't necessary by removing the "Log in" link in the meta widget.

- Login to secure admin page, login lockdown, or login logger. Plus blocking all of ip address in wp-admin and wp-config.php except your IP via .htaccess

- Scan all the security with wp-security scan regularly. I personally deactivate the plugin after scanning.

Oh and I personally change my password regularly at least once a month.

Good luck

None of the suggested methods will resolve any of the Wordpress hacking issues that are going around.

You can, however, fix the wordpress hacking security flaw by doing 1 simple thing: chmod -R 444.

Set your entire wordpress directory root to READ ONLY.

The current method of wordpress hacks all take advantage of a variety of security flaws with image uploading, signature uploading, emoticon uploading, flaws in the authoring security model of wordpress and then uploading, etc.

So right now, the easiest way to give yourself some level of comfort is to READ ONLY all the files in your wordpress directory root. Change then when you need to upload something (which is not needed when adding simply articles/text, that is DB).

EDIT: It doesn't take much searching on Google to know the current popular hack methods for Wordpress. Once you find those, you will realize why the READ ONLY setting of all your WP files will combat that.

Nothing is secure so my advise is, don't put something you don't want others to have......

Hacking attempts to WP sites are increasing these days. It was with Joomla few years back, but now WP seems to be on target of hackers. It is better to not keep any username as admin. Also, changing password frequently is recommended.

I have also been wondering about this. Thanks for the plugin names

Yeah! Just use some good passwords. Gary McKinnon the famous NASA hacker said he was gobsmacked at the number of login passwords that were left as default Admin' and i think that's why Uncle Sam was so miffed. Lol!

What is the most security plugins you recommend installing? Some people recommend login lockdown, some recommend seo firewall 2, some recommend bulletproof security, etc... so it's confusing.

I gather that having too many plugins will slow things down and be a resource hog.

Would having these 3 plugins installed be sufficient?

WP Security Scan
Login Lockdown
Bad Behaviour

If you're really serious about protecting your WordPress site, read and understand what's on this page—it's the official security guide for WordPress.

You may also wanna consider using VaultPress (created by Automattic—the company behind WordPress).

Plugins..Plugins ..Plugins ! lol Plugins all over....

Instead of relying on plugins just go thorough the text in this page, and you will never get your Wordpress site "hacked"

Hardening WordPress « WordPress Codex

just get Last Pass lastpass.com. it will generate secure computer generated passwords.
any passwaord that you can remember is not good enough. there are programs out there that try any combination.
also to limit login attempts.