The topic of website security can be an intimidating one. On the one hand, we all want our websites to be secure, but, on the other, we fear that we might not have the skills to battle hackers trying to break into our sites. But hold off on that thought for a second; why would anyone even attack your site in the first place?! You're not a financial institution or a popular online publication, so why would anyone care to spend their time trying to harm your site?
Well, the reality can be harsh in this case. Most hacker attacks are not about stealing your revenue or taking over your site as a whole. Usually, they are about including a small piece of code on your site that links out to other external sites (most of the time, either fraudulent sites or naughty content). What does the hacker get out of it? This varies, but usually, those kinds of attacks are done to use your site as part of a network that is meant to achieve a specific goal. Effectively, your site becomes a zombie—it does whatever the hacker tells it to do, and it's part of a bigger network of similar zombie sites.
So how can we prevent this zombification of your site from happening? That's what this chapter is about. Let's start with the basics.
Let's take a look at the topics that will be covered in this chapter:
- The principles of WordPress security
- The best practices for WordPress security
- Installing an SSL
- Security plugins and which ones to get
- Setting up secure user accounts
- User roles and abilities
- Managing users
- User management plugins