No matter what your website needs, WordPress provides an attractive and easy-to-use option for building it. There are many things to keep in mind when starting a WordPress site, and security should top the list. Many solutions exist to help keep your site secure. Some of them are easily implemented; some of them take a bit more hard work. SilverServers would like to cover some of the simple choices that keep your site as protected against hackers and malicious code as possible.
One of the biggest, if not the biggest, sources of security problems for WordPress is the multitude of plugins available on the web. Plugins can enrich your site, add features and provide many ways for you to control the way your website is presented. Some of them make management easier; some of them add visual flair. It can be demanding and frustrating to search through all of the available plugins to find one that will solve your problem, but research and comparison are worth their weight in gold.
Here are a few simple guidelines to help protect your site when using plugins:
1) Only use plugins from long-standing, trusted sources. Check the developer's history and read as much feedback from other users as you can. Very often, even upstanding, widely used plugins like MailPoet or Slider Revolution are compromised long after they have become popular. Any time a plugin has an update, the update can contain new malicious code used to get past your site's basic security. This is a recurring theme throughout the WordPress community, with the above-mentioned plugins being prime examples of once-secure plugins being hijacked for nefarious purposes. (MailPoet: http://www.pcworld.com/article/2458080/thousands-of-sites-compromised-through-wordpress-plugin-vulnerability.html, Slider Revolution: http://www.fudzilla.com/36560-thousands-of-wordpress-sites-infected).
2) Before using or updating a plugin, have a security expert audit the code. While time consuming and possibly expensive, this may be the only place you can catch a malicious piece of code in an otherwise trustworthy update. WordPress requires constant updates to function properly, both of the core code and of any plugins you use. Hackers and other shady characters ride the coattails of this culture, knowing that knowledgeable WordPress users keep on top of their updates. Without security experience and a direct look at the code you are using, there is no way to know that the update you are downloading is free of problems.
3) Try to keep your site "login" free. Plugins that manage a user login system are targeted substantially more than plugins that simply manage photo galleries and the like. As of October last year, sites with user login/management plugins suffered 59% of all directed attacks, and those plugins also accounted for 63% of all SQL injection attacks. The more numbers we find, the more obvious it is that WordPress user login plugins are the largest target for would-be WordPress hackers (http://www.itproportal.com/2014/10/10/why-wordpress-is-hacked-more-than-all-its-competitors-combined).
4) Forgo third-party plugins altogether. The only way to be sure that your site is safe from potentially dangerous WordPress plugins is to use only official plugins from WordPress. While these plugins are still open source and can have their existing security holes exposed, they at least have their code supported by WordPress' staff and developers. If a third-party plugin becomes compromised, there is often no recourse and no solution other than to remove the plugin and (hopefully) revert to a previously clean version of your site (you are backing up, right?). Official WordPress plugins do offer more support and defense against harmful outcomes.
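As an added illustration of the review step in guideline 2 (this is not SilverServers' code or a WordPress tool), the POSIX shell check below stages a downloaded plugin update next to the installed copy, lists every new or modified file, and points the auditor at lines containing obfuscation-style constructs that deserve a hand read. The two plugin directories it compares are constructed inline for the demonstration.

```shell
#!/bin/sh
# Added example, not SilverServers' code: compare a downloaded plugin update
# against the installed copy before applying it, so a reviewer sees exactly
# which files changed and where obfuscation-style constructs appear.
# Assumes both arguments are directories holding plain plugin files.

review_plugin_update() {
  installed="$1"; update="$2"; flagged=0
  # Walk every file shipped in the update (plugin paths rarely contain
  # spaces, so plain word splitting is acceptable here).
  for f in $(cd "$update" && find . -type f | sort); do
    f="${f#./}"
    if [ ! -f "$installed/$f" ]; then
      echo "NEW      $f"
    elif ! cmp -s "$installed/$f" "$update/$f"; then
      echo "MODIFIED $f"
    else
      continue            # unchanged: nothing to review
    fi
    # Constructs that commonly carry hidden or remotely loaded code; each hit
    # is a line the auditor should read, not proof of compromise by itself.
    if grep -nE 'eval\(|base64_decode\(|gzinflate\(|create_function\(' "$update/$f"; then
      flagged=$((flagged + 1))
    fi
  done
  return "$flagged"       # 0 when nothing needs a hand review
}

# Constructed sample: an installed plugin and an update that changes one file
# and adds another containing a placeholder obfuscated call.
demo=$(mktemp -d)
mkdir -p "$demo/installed" "$demo/update"
printf '<?php\necho "gallery";\n' > "$demo/installed/gallery.php"
printf '<?php\necho "gallery v2";\n' > "$demo/update/gallery.php"
printf '<?php\neval(base64_decode("placeholder"));\n' > "$demo/update/helper.php"

review_plugin_update "$demo/installed" "$demo/update" \
  || echo "hand review required: $? file(s) flagged"
rm -rf "$demo"
```

The function's exit status is the number of changed files that contained a flagged construct, so it can gate an update in a deployment script.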
In short, WordPress security is a growing whirlpool of information and an integral part of starting and running a WordPress site. Doing your research, making good choices and keeping on top of your site's security situation will go a long way toward keeping your WordPress site up and running.