After migrating my site earlier this year I scanned through the old files to verify that everything made it across. During this verification I kept seeing dot files that weren’t a part of WordPress, and that set off some alarms. Turns out that the old site had been piggybacked for some nefarious (or at least unintended) purposes.
As the popularity of WordPress continues to grow, it becomes a juicier target for automated bots. These bots exploit vulnerabilities in unsecured WordPress installs or in their default settings. Luckily there is a pretty comprehensive rundown in the Codex on how to address many of these issues. It’s a good idea to implement many (if not all) of these measures if possible, but if you’re strapped for time these cover some common issues:
Install a plugin such as Wordfence or Better WP Security
These will allow setting some basic options to get things running, including limiting login attempts, adding a blacklist/whitelist firewall, and logging access attempts so you can track what’s going on. These logs helped me discover that some of my images were being leeched. Wordfence also has the additional capability to scan/fix your existing WordPress install, which is a nice touch.
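The logging described above is only useful if you look at it. As an added example (not code from the article or from either plugin it names), here is a small analyzer over Apache combined-format access-log lines that surfaces the two patterns the paragraph mentions: one client hammering wp-login.php with POSTs, and image files being requested with a Referer from another site. The log lines, the addresses and the site host `example.com` are constructed for the illustration; substitute your own log and domain.

```python
import re
from collections import Counter
from urllib.parse import urlparse

# Constructed sample lines in Apache "combined" log format. Not real traffic:
# the addresses come from the RFC 5737 documentation ranges and "example.com"
# stands in for your own site host.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2013:08:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2013:08:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2013:08:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2013:08:01:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2013:08:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Nov/2013:08:01:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Nov/2013:08:05:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.33 - - [10/Nov/2013:08:10:00 +0000] "GET /wp-content/uploads/2013/10/photo.jpg HTTP/1.1" 200 84211 "http://forum.example.net/thread/42" "Mozilla/5.0"
192.0.2.34 - - [10/Nov/2013:08:10:01 +0000] "GET /wp-content/uploads/2013/10/photo.jpg HTTP/1.1" 200 84211 "http://forum.example.net/thread/42" "Mozilla/5.0"
192.0.2.35 - - [10/Nov/2013:08:11:00 +0000] "GET /wp-content/uploads/2013/10/photo.jpg HTTP/1.1" 200 84211 "https://example.com/gallery/" "Mozilla/5.0"
192.0.2.36 - - [10/Nov/2013:08:12:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Apache "combined" format: ip ident user [time] "request" status size "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)

IMAGE_SUFFIXES = ('.jpg', '.jpeg', '.png', '.gif')


def parse_log(text):
    """Parse combined-format lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def find_login_floods(entries, threshold=5):
    """Return {ip: count} for clients that POSTed to wp-login.php at least
    `threshold` times. Each POST is one password attempt, so a high count
    from a single address is the brute-force pattern worth blocking."""
    counts = Counter(
        e['ip'] for e in entries
        if e['method'] == 'POST' and e['path'].split('?')[0] == '/wp-login.php'
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def _is_own_site(referer_host, site_host):
    # Treat the site and its subdomains (www., cdn., ...) as legitimate referers.
    return referer_host == site_host or referer_host.endswith('.' + site_host)


def find_hotlinks(entries, site_host):
    """Return a Counter of (referer_host, image_path) for image requests whose
    Referer points at another site, i.e. your images embedded elsewhere.
    Requests with no Referer are ignored: browsers and privacy tools strip
    it, so an empty value is not evidence of leeching."""
    site_host = site_host.lower()
    hits = Counter()
    for e in entries:
        path = e['path'].split('?')[0]
        if e['method'] != 'GET' or not path.lower().endswith(IMAGE_SUFFIXES):
            continue
        ref_host = urlparse(e['referer']).hostname
        if not ref_host or _is_own_site(ref_host.lower(), site_host):
            continue
        hits[(ref_host.lower(), path)] += 1
    return hits


if __name__ == '__main__':
    entries = parse_log(SAMPLE_LOG)
    print('login floods:', find_login_floods(entries))
    print('hotlinked images:', dict(find_hotlinks(entries, 'example.com')))
```

On the constructed sample this reports 203.0.113.7 with six login POSTs and photo.jpg embedded twice from forum.example.net. A real access log needs the same two caveats the functions already encode: a successful login also shows up as a POST, so look at the count and rate rather than any single line, and a missing Referer proves nothing either way.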
Do not use an “admin” username, or any name that can be derived from your site
If you have logging enabled, it will most likely fill up very quickly with login attempts for the “admin” username. Because it is the default username it is an easy target and can be flooded with password guesses. Some bots also try variations of your domain name or “administrator” spelled out, among others. If you don’t want to use a full security solution, a limit login plugin can handle this issue as well.
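What a “limit login” plugin does underneath is simple enough to show in full. The following is an added illustration, not the code of any particular plugin or of WordPress itself: it tracks failed attempts per client within a sliding window and locks that client out for a fixed period once the limit is reached, with the check happening before the password is even verified. The key is assumed to be the client IP address; the thresholds and the `FakeClock` exist only to make the behaviour reproducible here.

```python
import time
from collections import deque


class LoginLimiter:
    """Per-client lockout after `max_failures` failed logins within `window`
    seconds; the client is then rejected for `lockout` seconds.

    `clock` is injectable so the behaviour can be exercised deterministically.
    """

    def __init__(self, max_failures=5, window=300, lockout=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self._failures = {}      # key -> deque of failure timestamps
        self._locked_until = {}  # key -> time at which the lockout expires

    def _recent_failures(self, key, now):
        """Drop failures older than the window and return the remaining deque."""
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def is_locked(self, key):
        until = self._locked_until.get(key)
        if until is None:
            return False
        if self.clock() >= until:
            del self._locked_until[key]   # lockout expired; forget it
            return False
        return True

    def record_failure(self, key):
        """Register a failed attempt; returns True if this one triggers a lockout."""
        now = self.clock()
        q = self._recent_failures(key, now)
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()                      # start fresh once the lockout ends
            return True
        return False

    def record_success(self, key):
        self._failures.pop(key, None)


def attempt_login(limiter, key, check_password, password):
    """Gate a credential check behind the limiter.

    Returns 'locked', 'ok' or 'failed'. A locked client never reaches
    check_password, so it cannot keep guessing during the lockout.
    """
    if limiter.is_locked(key):
        return 'locked'
    if check_password(password):
        limiter.record_success(key)
        return 'ok'
    limiter.record_failure(key)
    return 'failed'


class FakeClock:
    """Deterministic stand-in for time.monotonic(), used for the demonstration."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == '__main__':
    clk = FakeClock()
    lim = LoginLimiter(max_failures=3, window=60, lockout=120, clock=clk)
    check = lambda pw: pw == 'correct horse'   # placeholder credential check
    for t, pw in ((0, 'wrong1'), (10, 'wrong2'), (20, 'wrong3'), (30, 'correct horse')):
        clk.t = t
        print(t, attempt_login(lim, '203.0.113.7', check, pw))
    clk.t = 140
    print(140, attempt_login(lim, '203.0.113.7', check, 'correct horse'))
```

In the demonstration the third failure at t=20 locks the client, the correct password at t=30 is refused without being checked, and the lockout lapses at t=140. One caveat if the site sits behind a reverse proxy or CDN: keyed on the raw connecting address, every visitor shares the proxy's IP and one attacker locks everyone out, so the key has to come from the forwarded-client header that the proxy is trusted to set.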
Keeping WordPress up to date is the simplest step to plugging known vulnerabilities, and it is even easier since the release of WordPress 3.7, which introduced background updates.
Fortunately awareness of security in general seems to be on the rise. More developers seem to be including some sort of security solution with their newly deployed sites (if you’re not, you should). There are also solid tools available in the vast WordPress community to prevent problems, as well as to help resolve existing ones. Just make sure a new plugin isn’t doing more harm than good.