Malware:
Most vulnerabilities are *introduced* by adding insecure plugins and/or themes. Be careful what plugins/themes you use. Check security forums to see if they have been reported as insecure, and if so, were they fixed.
If you want to avoid an attack from a server-side exploit, best practice is to use a VPS rather than a shared website environment.
Very rarely, vulnerabilities are found in WordPress itself; these are usually quickly fixed but nevertheless do occur.
Firewall:
Few security plugins that offer little real-world defense against faulty coding in themes, plugins and even the core WordPress coding errors – that open your website up for attack. Do your due diligence and don’t just install the most popular security plugins; many of them merely block last year’s attack vectors.
Passwords:
Use a password manager. You will need the following passwords:
– FTP
– MYSQL Database
– Admin login
– Editor login
These should all be different passwords. When you use a password manager this is easy to do.
If you keep your code up to date and follow those practices that t-p linked to, then you should be good.
@te_taipo- So what you’re saying is not to worry so much about getting the best security plugin but more so make sure that there aren’t any breaches of integrity in the plugins, theme, and coding making up my WP site?
@Jan- “If you keep your code up to date and follow those practices that t-p linked to, then you should be good.”
I’m not a coder or programmer, how do I keep my code up to date? (Or is it just as simple as making sure I install the latest updates of WP, my plugins, and theme?)
Thank you for your input.
-Rob
For the host part, it’s a matter of picking a good host. I don’t want to get too much into that as host conversations get closed due to the likely amount of spam those topics generate.
You may need to do some host research for that part off of this site.
I read through the WP security article and implemented most of the suggestions outlined.
I installed a backup plugin that will allow for offsite backups (UpdraftPlus). And I installed a free highly rated all in one firewall/malware/password plugin (Wordfence).
I think if I continue to abide by the best practices you all have outlined in tandem with these plugins I should do just fine given my needs (personal blog with zero traffic and have yet to even write my first blog post).
I’ll upgrade once I expand my user base and take the leap from blog to business.
That’s my plan for now (lmk if I should do otherwise). Thanks for your input!