Appendix B. Securing a Self-Hosted Site

As you know, WordPress is one of the world’s most popular site-building tools. Thanks to its popularity, it attracts plenty of attention—and not all of it is good.

The uncomfortable truth is that the Internet is swarming with nefarious people who would love to get their hands on your site. The good news is that these enemies aren’t the sort of computer super-geniuses you see in movies, using semi-magical powers to hack into government sites faster than you can make a slice of toast. Instead, they’re the sort of riffraff you find loitering in the bushes near an empty house, or lurking around parked cars in an alleyway. They’re looking for low-hanging fruit—easy crimes of opportunity that become possible when someone leaves a door unlocked, forgets to close a window, or just plain stops paying attention. In the WordPress world, slip-ups like these occur when you forget to install a plug-in update, say, or fail to conceal your password. These attackers aren’t out to steal your stuff—usually, they just want to pull your site into their spam network by planting garish ads, dummy links, and other sorts of garbage.

Fortunately, you don’t need to make your WordPress site bulletproof; you just need to close the gaps and avoid the mistakes that allow 99 percent of the attacks. Do that, and hackers will move on from your site and find other places to cause trouble.

In this brief appendix, you’ll learn the five best security practices you can use to harden ...

Get WordPress: The Missing Manual, 2nd Edition now with the O’Reilly learning platform.
