Be Selective When Choosing Plugins and Themes
WordPress allows you to extend and customize your site with thousands of plugins and themes. While extending your site’s capabilities and customization is important, it should not come at the price of your website’s security.
Even if your WordPress installation, plugins and themes are all up to date, it does not mean that a site is not vulnerable to attack. Plugin enumeration allows attackers to discover what plugins your WordPress site is using. By avoiding the installation of unnecessary plugins you would automatically be reducing your site’s attack surface.
When choosing which plugins and themes to use, be selective. Before installing a plugin or theme, read about it (ideally on sources other than the plugin/theme developer’s site). This prevents you from installing malware such as the Tools Pack malware plugin.
Check how many downloads the plugin or theme has and when it was last updated by its authors. The more downloads and recent updates the plugin or theme has indicates that it is in wide use and that it is being actively maintained by its authors, which means that if a vulnerability is found, it likely to be fixed quicker.
Remove Inactive Users
Keeping inactive users on your WordPress site increases your attack surface. Users, especially Administrators and others which have the ability to modify content, are possibly one of the weakest points of any site because unfortunately, most users tend to choose weak passwords.
If you absolutely need to keep inactive users in your WordPress database, change their role to ‘Subscriber’ in order to limit any actions that could be performed.
Read Part 1 in the Series on WordPress Security – Basic Measures
In Part 3 we shall be discussing WordPress Security Configurations