In light of recent events described on the BBC here: http://www.bbc.co.uk/news/technology-22152296 and explained in more detail (with more resources) here: http://ithemes.com/2013/04/15/ongoing-wordpress-attacks-details-and-solutions/
I thought I’d let everyone know a few basic things about WordPress security, as I have mentioned to my own clients several times in the past:
1) If you do not have a WordPress backup system in place, you are always going to be in a situation where you could lose EVERYTHING. If you spent a few thousand on your site, or spent countless hours poring over your site content and setting it up just so, you could lose all of it in a compromise like this, and there would be no ‘insurance policy’ against it. Many hosts do not keep a backup copy of your site, and those that do only keep it back to a certain point (kudos to them if they maintain daily, long-term backups). Your Web developer might have a copy of your site (they are not obligated to keep one), but it would likely be a copy from when they first developed it. You can imagine how different that copy would be from a site you’ve been using for months or years already.
This is why I now require all my clients to have a WordPress-tailored backup system in place before I launch or work on their sites. It is for your own good – it’s not just me trying to get you to spend more money.
Here are links to WordPress-tailored backup systems (I make NOTHING on these links, they are not affiliate links):
2) If you have a username of “admin” on your site, you should get rid of it asap (the attack referenced above works by repeatedly guessing passwords for that one default account), or have me (or another professional) do a full site update and fix other security issues on your site, which you probably have if you are still using the admin username. This update and fix cannot be performed unless you have a backup system in place as described above.
3) You must update WordPress! If you are my client you will know that when WordPress releases a new version of its software, I send out a notice letting you know that it’s time for update and maintenance services. I DO NOT recommend a novice try to do these updates on their own (sites can break in the process, so you need someone who can fix them if they do). If you don’t write back to initiate the update service, your site will remain running on an outdated version of WordPress, whose publicly known vulnerabilities attackers have long since learned to exploit automatically. I do not send these notices to annoy my clients or try to get them to pay me more – they are necessary for their sites’ health. In fact, anyone can take my e-mail notices as a reminder to have someone else they trust perform the update for them – it’s all good with me, as long as they know what they are doing and are having it done.
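For readers (or their developers) who run these three basics from a shell on the web host, here is an added example; it is not code from the original post. It assumes a standard WordPress layout under the given root (wp-config.php and wp-includes/version.php present), mysqldump, gzip and tar on PATH, and WP-CLI (“wp”) installed for the account-replacement and update steps. The paths, user names, e-mail address and the NEW_ADMIN_PASS variable are placeholders. Note the order it enforces: the update step refuses to run unless a fresh backup has just succeeded, and the “admin” account is only deleted after a replacement administrator exists, with its posts reassigned so nothing is lost.

```shell
#!/bin/sh
# Added example (not from the original post). Assumptions: standard WordPress
# layout under the given root, mysqldump/gzip/tar on PATH, WP-CLI as "wp",
# and a plain hostname in DB_HOST (no "host:port").

# Read a define('KEY', 'value') constant out of wp-config.php.
wp_config_value() {
  config=$1; key=$2
  sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$key['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Installed core version, read from wp-includes/version.php ($wp_version = '...';).
wp_version() {
  sed -n "s/^\\\$wp_version[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1/wp-includes/version.php"
}

# 1) Backup: a database dump plus a tarball of the whole install (uploads,
#    themes, plugins, wp-config.php). Both are timestamped so older copies
#    survive, and made readable only by the owner since they hold credentials.
backup_wordpress() {
  root=$1; dest=$2
  config="$root/wp-config.php"
  [ -f "$config" ] || { echo "no wp-config.php in $root" >&2; return 1; }
  mkdir -p "$dest" || return 1
  stamp=$(date +%Y%m%d-%H%M%S)
  name=$(wp_config_value "$config" DB_NAME)
  user=$(wp_config_value "$config" DB_USER)
  host=$(wp_config_value "$config" DB_HOST)
  dump="$dest/db-$stamp.sql.gz"
  files="$dest/files-$stamp.tar.gz"
  # The password goes through the environment, not the command line, so it is
  # not visible to other users in the process list.
  MYSQL_PWD=$(wp_config_value "$config" DB_PASSWORD) \
    mysqldump --single-transaction -h "$host" -u "$user" "$name" | gzip > "$dump"
  # A pipeline's status is gzip's, so also check that something was dumped.
  [ -s "$dump" ] || { echo "database dump failed" >&2; return 1; }
  tar -czf "$files" -C "$root" . || return 1
  chmod 600 "$dump" "$files"
  echo "$dump"
  echo "$files"
}

# 2) Replace the "admin" account: create a new administrator, then delete
#    "admin" and reassign its posts to the new user. The new password comes
#    from NEW_ADMIN_PASS (use a long random one); --user_pass is briefly
#    visible in the process list while wp runs, so change it again from the
#    dashboard afterwards if that matters on a shared host.
replace_admin_user() {
  root=$1; login=$2; email=$3
  [ -n "${NEW_ADMIN_PASS:-}" ] || { echo "set NEW_ADMIN_PASS first" >&2; return 1; }
  wp --path="$root" user create "$login" "$email" --role=administrator \
     --user_pass="$NEW_ADMIN_PASS" || return 1
  new_id=$(wp --path="$root" user get "$login" --field=ID) || return 1
  wp --path="$root" user delete admin --reassign="$new_id" --yes
}

# 3) Update core, plugins and themes, but only after a fresh backup succeeded,
#    so a broken update can be rolled back instead of rebuilt from scratch.
update_wordpress() {
  root=$1; dest=$2
  backup_wordpress "$root" "$dest" >/dev/null || { echo "backup failed, not updating" >&2; return 1; }
  echo "updating from WordPress $(wp_version "$root")"
  wp --path="$root" core update && wp --path="$root" core update-db \
    && wp --path="$root" plugin update --all && wp --path="$root" theme update --all
}

# Usage: wp-basics.sh backup <wp-root> <backup-dir>
#        wp-basics.sh replace-admin <wp-root> <new-login> <e-mail>
#        wp-basics.sh update <wp-root> <backup-dir>
case "${1:-}" in
  backup)        backup_wordpress "$2" "$3" ;;
  replace-admin) replace_admin_user "$2" "$3" "$4" ;;
  update)        update_wordpress "$2" "$3" ;;
esac
```

Run it from cron for the backup step (and copy the archives off the host, since a backup that lives on the compromised server is no insurance at all), and by hand for the other two.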
I’ve had comments in the past where people tell me they don’t want to spend the money on backing up or updating their site, or they don’t want to do it right away. It is a strange thought that some businesses would not want to spend a nominal amount to secure their site against attacks, but would rather spend thousands to re-build their site if an attack did happen. This recent massive WordPress attack really sheds light on how real, and how possible, it is to lose your entire investment in your Web site.
The above 3 points are really only the basics, the least amount of effort you could put into securing your site. There is no reason, and no excuse, to disregard them as unnecessary or consider them ‘too expensive.’ This is the cost of doing business online. Not taking care of these items would be like running a restaurant without a smoke alarm – why take that risk?