Well, the last year has been crazy. Half of my client sites were affected by the Revolution Slider vulnerability. Open Realty was also hacked. Brute force login attempts against WordPress admin have been constant, at times enough to crash the whole server.
But now I think all of this is behind me.
I have added the iThemes Security plugin to all WordPress installs. This software is very nice: it both automatically secures the big things and alerts you to what could be tighter in the medium and small things.
Two features really stand out to me in this plugin: brute force protection and active file monitoring.
The brute force protection bans login attempts in two ways. First is the normal three strikes and you are out. Second, any IP address attempting to log in as admin is immediately banned. This is great! For years I had left the default WordPress install user as “admin”. This is a huge flaw and the easiest one for the bots to exploit. Recently I removed the default username and added my own with a stronger password. IMMEDIATELY the server was faster, using fewer resources and cutting down on notification emails.
Active file monitoring alerts me via a daily email of any file changes. This is very useful when trying to find a script that is creating files in hidden places, which then execute to send spam email. HUGE HEADACHE!
Do you have any security tips for WordPress? Let me know!