Basic WordPress Security

I run several WordPress sites which have not been updated for ages. None have been hacked.

I feel the need for a new blog post…. 

WordPress Security

I do this for all my sites and the only time I have been hacked was when I installed an image uploader plugin which had a vulnerability.

Plugins

Pick your plugins wisely. Many plugins, and also some themes, can carry vulnerabilities. Often the problem sits in a small part of the plugin or theme, such as a bundled third-party library. While the original library may be fixed / patched upstream, the plugins and themes that ship their own copy of its files are often left out of date and vulnerable.

TimThumb is a good example of this. The actual TimThumb plugin (a php image resizer) is safe now, but older plugins and themes which used the original TimThumb code are still open to hackers.

Avoid plugins which have not been updated for a long time, especially those which allow users to upload or edit content. Image uploaders are a common problem.
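As an added example (not code from the original post), the script below walks a wp-content tree and reports every bundled copy of TimThumb together with the version it declares, so stale copies inside themes and plugins can be found even when the main TimThumb plugin is up to date. It assumes the bundled file is named timthumb.php or thumb.php and declares its version with a `define ('VERSION', '...')` line, which is how the public TimThumb source does it; the 2.8.14 threshold and the sample tree are constructed for the demo.

```python
"""Find bundled copies of TimThumb under wp-content and flag stale ones.

Added example, not code from the original post. Assumptions: a bundled
copy is a PHP file named timthumb.php or thumb.php, and it declares its
version with a line such as   define ('VERSION', '2.8.14');
Adjust TIMTHUMB_NAMES, VERSION_RE and MIN_SAFE if your copies differ.
"""
import os
import re
import tempfile

# Filenames TimThumb is commonly bundled under (assumption).
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}

# Matches e.g. define ('VERSION', '2.8.14'); and captures the version string.
VERSION_RE = re.compile(
    r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([^'"]+)['"]\s*\)"""
)

# Versions below this are reported as stale (threshold chosen for the demo;
# check the current TimThumb source for the release you consider patched).
MIN_SAFE = (2, 8, 14)


def parse_version(php_source):
    """Return the VERSION tuple declared in a PHP source string, or None."""
    m = VERSION_RE.search(php_source)
    if not m:
        return None
    return tuple(int(p) if p.isdigit() else 0 for p in m.group(1).split("."))


def scan_wp_content(root):
    """Walk root; return sorted (relative_path, version_or_None, is_stale) tuples."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() not in TIMTHUMB_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                version = parse_version(fh.read())
            # A copy with no readable version still needs a look, so treat it as stale.
            stale = version is None or version < MIN_SAFE
            findings.append((os.path.relpath(path, root), version, stale))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed wp-content tree holding one old and one current copy."""
    root = tempfile.mkdtemp(prefix="wp-content-")
    old_dir = os.path.join(root, "themes", "old-theme", "scripts")
    new_dir = os.path.join(root, "plugins", "gallery", "lib")
    os.makedirs(old_dir)
    os.makedirs(new_dir)
    with open(os.path.join(old_dir, "thumb.php"), "w") as fh:
        fh.write("<?php\ndefine ('VERSION', '2.8.10');\n// constructed stale copy\n")
    with open(os.path.join(new_dir, "timthumb.php"), "w") as fh:
        fh.write("<?php\ndefine ('VERSION', '2.8.14');\n// constructed current copy\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel_path, version, stale in scan_wp_content(sample_root):
        shown = ".".join(map(str, version)) if version else "unknown"
        print(f"{'STALE' if stale else 'ok':5} {rel_path} version={shown}")
```

Run it against a real site by calling `scan_wp_content("/path/to/wp-content")`; every hit is worth checking against the theme or plugin's changelog, because the file's version is the only thing that tells you whether the bundled copy was ever updated.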

Whitelist Your IP

Add a .htaccess file to your wp-admin directory with the following (the IP addresses are made up; change them to your own):

<Files ~ "\.(php)$">
order deny,allow
deny from all
# whitelist addresses (or CIDR ranges) - office and home
allow from 62.239.0.0
allow from 44.239.0.8
</Files>

You can also add IP ranges – I do not have a static IP at home, but by adding ranges for my ISP I can still access even when my IP changes.
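The following is an added example, not code from the original post. It shows how a whitelist of single addresses and CIDR ranges is matched against a client IP, and renders the same list as the Order/Deny/Allow block used above or as the `Require ip` form that Apache 2.4 prefers. The two whitelist entries are constructed placeholders standing in for an office address and a home ISP's range.

```python
"""Match client IPs against a wp-admin whitelist and render the Apache rules.

Added example, not from the original post. WHITELIST holds constructed
placeholder values: replace them with your own office address and your
ISP's range. Apache accepts CIDR notation in both "Allow from" (2.2 style,
still accepted by 2.4 via mod_access_compat) and "Require ip" (2.4 style).
"""
import ipaddress

# Constructed whitelist: one fixed office address and a /16 standing in for
# a home ISP's dynamic address pool.
WHITELIST = ["62.239.0.8", "44.239.0.0/16"]


def parse_whitelist(entries):
    """Convert address/CIDR strings to networks; a bare address becomes a /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_allowed(client_ip, entries=WHITELIST):
    """Return True when client_ip falls inside any whitelisted network."""
    try:
        ip = ipaddress.ip_address(client_ip)
    except ValueError:
        # Malformed addresses never match, so they stay denied.
        return False
    return any(ip in net for net in parse_whitelist(entries))


def _fmt(net):
    """Render a single host as a plain address and a range in CIDR form."""
    if net.prefixlen == net.max_prefixlen:
        return str(net.network_address)
    return net.with_prefixlen


def htaccess_rules(entries=WHITELIST, apache24=True):
    """Render the wp-admin/.htaccess block for the given whitelist.

    apache24=False gives the Order/Deny/Allow form from the post;
    apache24=True gives the Require form, which denies everyone not listed.
    """
    nets = parse_whitelist(entries)
    lines = ['<FilesMatch "\\.php$">']
    if apache24:
        lines.append("    Require ip " + " ".join(_fmt(n) for n in nets))
    else:
        lines.append("    Order deny,allow")
        lines.append("    Deny from all")
        for n in nets:
            lines.append("    Allow from " + _fmt(n))
    lines.append("</FilesMatch>")
    return "\n".join(lines)


if __name__ == "__main__":
    for probe in ["62.239.0.8", "62.239.0.9", "44.239.17.200", "not-an-ip"]:
        print(f"{probe:15} -> {'allow' if is_allowed(probe) else 'deny'}")
    print(htaccess_rules(apache24=False))
    print(htaccess_rules())
```

Note that a bare address such as 62.239.0.8 matches exactly one host, so a home connection on a dynamic address needs the ISP's range written as CIDR (for example 44.239.0.0/16). One side effect to test for: wp-admin/admin-ajax.php lives in wp-admin, and themes and plugins that use it from the public front end will break for visitors outside the whitelist unless that file is excepted.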
