By far the majority of successful attacks against WordPress installations is due to automated attacks (scripts) exploiting known security vulnerabilities in themes or plugins.
The key is ensuring that security fixes for the known vulnerabilities are applied. Recent versions of WordPress have a built-in capability to automatically update the WordPress Core. Plugins and themes will usually alert the user in the WordPress admin dashboard when updates are available.
/wp-content/themes/ folders on the site, it can still be attacked, even if not in use.
During 2013 a botnet made up of over 90'000 web servers was built by automated scripts brute-forcing weak WordPress admin passwords. The password list used consisted of 1000 common passwords.
In testing WordPress password brute forcing against a small VPS I was able to attack 700'000 password combinations a day without taking down the VPS or the site. In fact without security monitoring (see number 6), I may not have even noticed the password guessing attack.
These two examples highlight the fact that weak passwords can easily be attacked both by automated attackers and more focused targeted attacks.
It is important to understand that the security of your WP site is more than just locking down the WordPress application; you must also ensure the server that the site runs on is secure. There is no point locking the window if the door is wide open.
From required services such as Nginx / Apache, PHP and MySQL, to remote access services (SSH / webmin / cPanel) and components such as web server caching components, it only takes a configuration error, a poor password or a software vulnerability to lose everything including
In the past even some of the most well known shared web hosting providers have had mass compromises of WordPress sites.
Transferring files to your web server using FTP is simply a bad idea. The FTP protocol sends the username and password in the clear to the server. There is no security around the authentication, meaning anyone sniffing the traffic can easily collect your web hosting password.
Most web servers will have SSH, and if they do you should be able to upload your files using SFTP or SCP. Using SFTP ensures that the authentication and the transfer of the files all occur within an encrypted tunnel using the SSH protocol. A client such as WinSCP can make this process very similar to FTP for those Windows users who think bash is something you do with a club.
Similar to Tip number 4, accessing your WordPress admin over plain HTTP means your password and WordPress authentication cookie can be scooped up by anyone with access to your traffic. In a coffee shop / library / airport with free WiFi this means anyone could get full admin access to your site without even sending a packet to you.
Security monitoring alerts you to events on your system that are a potential threat. Tuning (customisation) of the security monitoring application or script ensures that only events (log entries) that meet a threshold are alerted upon; other events are recorded and can be compiled into a regular security report.
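As an added example (not code from the original post) of the threshold tuning described above, applied to the wp-login.php password guessing from the earlier tips: the script below parses web server access log lines, counts failed login attempts per source IP, and alerts only on sources at or above a threshold while recording the rest. The log lines are constructed samples, the threshold of 3 is an assumption, and it assumes a default WordPress install answers a failed POST to wp-login.php with a 200 (form re-rendered) and a successful one with a 302 redirect.

```python
import re
from collections import Counter

# Constructed sample lines in Apache/Nginx combined log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:12:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Apr/2013:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:12:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2110 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3985 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Apr/2013:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2013:12:01:00 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def failed_logins_per_ip(log_text):
    """Count failed wp-login.php attempts per source IP.

    Assumption: on a default install a failed login POST gets a 200 (the login
    form is re-rendered), a successful one gets a 302 redirect to wp-admin.
    """
    counts = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the monitor
        path = m.group("path").split("?")[0]  # ignore query strings
        if m.group("method") == "POST" and path == "/wp-login.php" and m.group("status") == "200":
            counts[m.group("ip")] += 1
    return counts


def triage(log_text, threshold=3):
    """Split sources into those that trip an alert and those only recorded for the report."""
    counts = failed_logins_per_ip(log_text)
    alerts = {ip: n for ip, n in counts.items() if n >= threshold}
    recorded = {ip: n for ip, n in counts.items() if n < threshold}
    return alerts, recorded


if __name__ == "__main__":
    alerts, recorded = triage(SAMPLE_LOG)
    print("ALERT:", alerts)      # sources at or above the threshold
    print("recorded:", recorded)  # everything else, kept for the periodic report
```

Raising or lowering `threshold` is the tuning step: too low and every mistyped password pages you, too high and a slow guessing run like the one described above is only seen in the report.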
Find out if your security is rubbish, so you can start to mitigate any security issues. Understand the security of both your system and your WordPress site so you can effectively evaluate the risk and make informed decisions when securing your system.
In the event that the above steps are not enough and you still get hacked (yes, it could happen) you need a plan of last resort to get your site back online and doing its thing. This is where backups take the stage. Even if you don't get hacked you really need a recent backup in the event of hardware failure anyway.