“Website hardening” is the process of removing the vulnerabilities in a website that attackers exploit.
Anyone who has ever had a site “hacked” understands the frustration that comes with it. Is it the end of the world? No, but before it happens to you, now is the time to perform a few basic tweaks that will “harden” your site against some of the most common vulnerabilities in this well-engineered open source CMS [content management system].
Here's the bad news: there is no single solution (to my knowledge) that can make a WordPress site completely “hard” against attacks. The best way to approach “hardness” is therefore to take a set of measures that shore the site up against most low-level attacks.
Bear in mind that not all attacks on WordPress websites come in through WordPress applications and plugins. Sometimes the vulnerability is with the hosting provider, and sometimes the attack comes from the administrator's own desktop computer (or laptop). But the majority of attacks do seem to come in through WordPress publishing portals, along with “plugin and theme vulnerabilities” where a door to the database was left open, or was forced open by automated hacking bots.
The challenge is this: WordPress's simplicity and ease of use are what make it so attractive to so many people, and “hardening” a site can remove some of that user-friendliness. The solution is to balance website hardening against ease of use for the site's users – a delicate balancing act at best.
The good news is that more “hardening” can be added at any time, and that newer versions of WordPress include the latest script-hardening updates – so stay current with all core, theme, and plugin updates. Secondly, back up your site frequently!
Now that you know you can add more “hardness” at any time, and that it is usually best to do only what is necessary to prevent most intrusions without diminishing user-friendliness, I suggest you read the article on this topic (http://codex.wordpress.org/Hardening_WordPress) written for “do-it-yourself” types.
However, if you tend to lean on others to help you through the process, find out “exactly” which security measures those “others” are including in your site, and what other hardening recommendations they have that are not included in your basic package.
It is best to perform some hardening during the initial set-up. That is also the time to add functionality that creates an enhanced user experience, especially for owners who are not “web-savvy” computer experts.
Security plugins fall into two basic types by function: preventative and cleanup, or what I call “before and after” functions. I recommend using both, provided that usability is not diminished. Keep in mind that some system tweaking during the initial setup is also important, and nobody should rely on security plugins alone. TalkRite sites include both of these plugin types.
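The two preventative habits above, staying current with updates and doing some setup-time tweaking rather than relying on plugins alone, can be wired into the site itself. The following must-use plugin is an added example written for this page, not code from the original post or from TalkRite; it assumes a standard WordPress install and that DISALLOW_FILE_EDIT is set separately in wp-config.php.

```php
<?php
/**
 * Plugin Name: Keep-Current Hardening (added example)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Added illustration, not the page's or TalkRite's own code. Assumes a
 * standard WordPress install; DISALLOW_FILE_EDIT itself is set in
 * wp-config.php with: define( 'DISALLOW_FILE_EDIT', true );
 */

// Refuse to run outside WordPress (a direct HTTP request to this file).
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// 1. Stay current: opt every plugin and theme into background updates.
//    Core minor (security) releases auto-update by default; this filter
//    also allows major core releases to install automatically.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// 2. Record what changed, so a post-update breakage or a later incident
//    review can be tied to a specific component and version.
add_action( 'automatic_updates_complete', function ( $update_results ) {
    foreach ( $update_results as $type => $results ) {
        foreach ( $results as $result ) {
            $status = is_wp_error( $result->result ) ? 'FAILED' : 'ok';
            error_log( sprintf(
                '[auto-update] %s %s: %s',
                $type,
                wp_json_encode( $result->item ),
                $status
            ) );
        }
    }
} );

// 3. Setup-time tweak: remind administrators until the built-in theme and
//    plugin file editor is disabled, since it turns any compromised admin
//    login into arbitrary PHP on the server.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    if ( ! defined( 'DISALLOW_FILE_EDIT' ) || ! DISALLOW_FILE_EDIT ) {
        echo '<div class="notice notice-warning"><p>'
           . esc_html( "Hardening: add define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php to disable the file editor." )
           . '</p></div>';
    }
} );
```

Back up the database and wp-content before enabling major-release auto-updates, since a failed update is easier to recover from a fresh copy.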
For safety's sake, we don't publish which specific plugins we use, or how we modify them. That would be like announcing our entire game plan to hackers and inviting them to attack – but we do provide our clients with a list of enhancements, and naturally they will see the plugins in their dashboard when their site is set up.
In spite of all the “chatter” about hardening security, we recommend WordPress as the best platform for most website owners. It is interactive, and best of all, it puts control over content and updates back in the hands of the site owner. With little experience, the owner can operate the site and eliminate most ongoing site costs. WordPress, in my opinion, does this better than other content management systems (CMS), and more functionality is being created constantly.
WordPress offers an environment for just about any type of functionality, from simple blogs to full-blown communities, very inexpensively, because the basic package is free (open source), as are many of the plugins that most people need.
Note: If your WordPress website has already been hacked, you might find this FAQ information helpful: http://codex.wordpress.org/FAQ_My_site_was_hacked