I run several WordPress sites which have not been updated for ages. None have been hacked.
I feel the need for a new blog post….
- Keep it updated
- If you only update from a few select locations and have static IP, block all but your IP from access /wp-admin – see below for instructions.
- Install a firewall, e.g. http://wordpress.org/extend/plugins/wordpress-firewall/ (yes its old, but still works)
- Install Secure WordPress http://wordpress.org/extend/plugins/secure-wordpress/ – and hide the stuff that makes it easy for hackers to locate your site (and adds blank index files to directories to prevent browsing)
I do this for all my sites and the only time I have been hacked was when I installed an image uploader plugin which had a vulnerability.
Pick your plugins wisely. Many plugins, and also some themes, can carry vulnerabilities. Often the problems are caused by a small part of the plugin or theme. While the core plugin may be fixed / patched, plugins which use the core files are often left out of date and vulnerable.
TimThumb is a good example of this. The actual TimThumb plugin (a php image resizer) is safe now, but older plugins and themes which used the original TimThumb code are still open to hackers.
Avoid plugins which have not been updated for a long time, especially those which allow users to uploaded or edit content. Image uploaders are common problem.
Whitelist Your IP
Add a .htaccess file to your wp-admin directory with the following (IP addresses are made up, you should change these to your own):
<Files ~ “\.(php)$”>
deny from all
# whitelist Range of IP addresses – office and home
allow from 22.214.171.124
allow from 126.96.36.199
You can also add IP ranges – I do not have a static IP at home, but by adding ranges for my ISP I can still access even when my IP changes.