Standard Method for Securing a WordPress Site

If you are looking for some kind of “set it up and forget it” security solution, then you are going to be disappointed. There are things that can help mitigate risks, such as firewalls and obscuring your installation, but ultimately a site will only be as secure as the software that runs it and the processes and tools that are used to administer it.

With a WordPress site, you have various plugins and themes installed beside WordPress core, and any one of these can contain security vulnerabilities. Keeping your plugins up to date is a good practice, but it won’t fully protect you because there are plugins that have 0-day vulnerabilities in the most recent version. So unfortunately, while keeping up to date is a good start, it is important to also monitor whether the plugins you use may contain vulnerabilities that haven’t yet been fixed. (The Plugin Vulnerabilities plugin can notify you of 0-day vulnerabilities; I use it on my sites.)

Apart from the software side of things, you also have to consider whether you are following best practices in how you administer the site. Are you using a secure connection? Does your computer have antivirus software installed? Do you disable scripts from all but trusted sites in your browser? And so forth.

At last, if your site is hacked, the most important thing to do is to find out how the attacker got in. If you don’t do this, your site will very probably remain vulnerable. But when you know how the hacker got in, you can fix the issue.

So in summary, there isn’t a simple solution, unfortunately. But there are probably a few more things that you can do to reduce the possibility of being hacked, and to learn from an attack after it occurs.

error code: 523