I'm a long-time WordPress developer / user and have been pleased overall with the product. But I ran into something today that caught me off guard and now has me doing some more digging on WordPress security utilizing several of the top security plugins on the market today. I typically use two:
- Securi Security
I'm not going to write about differences or pros & cons of either security plugin.
To be conservative, I've done 2,000+ WordPress installs over the years, but 2015 is a completely different animal. In the past hackers might deface a website, but they've gotten more clever; Now they don't deface your website, they secretly install their malware or spam software to run quietly undetected unless you are paying attention to server logs or your data center / ISP sends you some sort of complaint.
Typically, WordPress has been one of the most secure CMS / Blog platforms available although there are constant updates required. With that said, it still has been a fairly stable and secure platform.
What I have seen more recently is that even with a clean up to date WordPress install on a web server that is also up to date is that hackers are still easily gaining access and installing their spam scripts or malware. One site I found this week was running both Wordfence and Securi Security and neither one of them during a scan detected anything abnormal, but my server logs said otherwise. When I FTP'd into the site, there are all types of PHP files that did not belong there..I manually cleaned up the site and ran the scan again..Upon the 2nd scan, Wordfence picked up one file I had missed.
Now I have to question the reliability of two of the top WordPress security plugins on the market.
Another thing I've noticed during installs is that if you do not change / hide the way your user profile displays vs. showing your actual login username, lurkers are quickly taking note of your default UN which should never be "admin".
If you have seen anything similar with your WordPress installs please share below. I will continue to update and share any new information I come across.