There are many things you can do to make WordPress itself more secure, and I’ll cover those in another post.
The first level of security for WordPress should be your hosting account, applied at the server. But with almost all hosting providers, you have to install security yourself; good security almost never comes with the hosting account. Most hosting providers don’t know security; they know how to provide an account that matches everyone’s basic needs.
There are major hosting companies that literally think they have good security because they have an armed guard outside their server room. Companies like these tend to run outdated server software, haven’t installed dedicated security software, haven’t assigned anyone to monitor the international security discussion groups for newly reported issues, and haven’t done anything to counter those issues.
A few companies, such as Sucuri, can help you identify whether your site is compromised and clean up the malware. You should still have good security in place, to prevent as many attacks as possible in the first place.
You will likely have to make some exceptions to any security system, to allow requests for some of your pages. For example, ‘administrator’ is a common word targeted by hackers (for instance, when trying to get into database administrator tools), but it is also legitimate for several non-computer web site topics.
You can block bad people from accessing your site by matching bad characters or phrases in several places in the URL (including some you might not expect), or by matching bad cookies that you might not even see.
You could detect them by the User Agent they use (though the smarter ones pretend to be a normal browser, many use the User Agent to brag about who they are).
You could try to block them by their IP address, but hackers know how to constantly change their IP address, so this is a wasteful approach. You would have to be constantly updating your ‘banned IP’ list, and having your server check through that huge list on every request just slows down your entire web site.
Security experts have identified some very common methods of attacks, and nuisances that waste your server resources — and come up with very effective ways to block them.
I added having my server keep a log of which pages were blocked, And Why: what phrase or trick was thwarted by my security systems, and which part of the security script caught their foul deed. So if the security is blocking requests for a real page on your site, you can easily make an exception to that one rule, leaving the protection in place for all other pages on your sites.
This is a big deal. When an important part of your site is blocked, you might not even know about it. Then you want to fix it quickly, without having to somehow guess right (literally, in the past I had to try removing large pieces of a security system, hoping one of the pieces was to blame rather than a combination of security rules). Trying to fix a problem ‘blind’, in a very detailed technical part of your web site, under pressure, is No Fun.
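As an added example of the approach described above (not the rules from this post), here is an Apache 2.4 .htaccess fragment that tags each blocked request with the name of the rule that caught it, carves out one legitimate page containing ‘administrator’, and logs the reason. The variable name BLOCK_REASON, the rule names and the path /school-administrator-jobs/ are constructed for this illustration.

```apache
# ---- .htaccess (Apache 2.4: mod_setenvif + mod_authz_core) ----
# Each rule that fires tags the request with BLOCK_REASON, so both the
# denial and the log line say which rule is responsible.

# URL rule: the probe phrase anywhere in the request path
SetEnvIfNoCase Request_URI "administrator" BLOCK_REASON=uri-administrator

# Exception: a real page on the site that legitimately contains the word
# (constructed path for this example). Later directives win, so this
# clears the tag set above for that one page only.
SetEnvIfNoCase Request_URI "^/school-administrator-jobs/" !BLOCK_REASON

# Cookie rule: a cookie carrying a script tag, which a visitor never sees
SetEnvIfNoCase Cookie "<script" BLOCK_REASON=cookie-script

# User-Agent rule: a client library that announces itself by name
SetEnvIfNoCase User-Agent "libwww-perl" BLOCK_REASON=ua-libwww

# Deny any tagged request; everything else is served as before.
<RequireAll>
    Require all granted
    Require not env BLOCK_REASON
</RequireAll>

# ---- httpd.conf or <VirtualHost> (CustomLog is not allowed in .htaccess) ----
# Log only the blocked requests, with the rule name, to their own file.
LogFormat "%h %t \"%r\" %>s \"%{User-Agent}i\" reason=%{BLOCK_REASON}e" blocked
CustomLog "logs/blocked.log" blocked env=BLOCK_REASON
```

The .htaccess part needs AllowOverride FileInfo and AuthConfig for the directory; when a real page shows up in blocked.log, the reason column names the single rule to add an exception for.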
I’ll be writing about how to stop each type of bad trick hackers play, so you understand how it works; and if you know .htaccess fairly well, you can implement the security and reporting yourself.
If you don’t know .htaccess well, or just want me to take care of it for you, contact me and I can probably set it up for you.
You don’t have to leave security for your WordPress sites up to luck. Stop those bad people before they damage your site.