1.2 Securing the site & dealing with spam
Prevention is better than cure
1.2.1 Keep wordpress (and plugins) up-to-date
This should be obvious! Keep your wordpress installation and all plugins as up to date as possible. WordPress will notify you when updates are available. If you customise any files, it is best to do this with a child theme so your changes aren’t lost when you update. Where-ever possible make any other changes via functions-user.php which will also not be over-written.
1.2.2 Enable akismet
Akismet is an excellent tool for blocking spam, and it’s included with WordPress as standard. All you need is a free API key to use it. Go to the plugins page in your wordpress admin. Click on the link Sign up for an Akismet API key, sign up for a key, go back to your wordpress plugins page, activate the plugin, follow the link to the Akismet configuration page and enter the key.
1.2.3 Prevent directory viewing
Edit (create it if it doesn’t exist) the file .htaccess in the web root and add a single line…
Options All –Indexes
1.2.4 Change the default username
You will need to edit this in the database — the easiest way is with phpmyadmin which should either be already available, or installable, via your control panel, or if necessary, manually. Once installed, login to phpmyadmin, click on the “databases” button, and then click on the database for your wordpress site. In there click on the “wp_users” table. Click the “edit” button at the left hand side of the top row (which should have the username admin by default). Change the value for the user_login field which should be the second row. Click go and then logout or close phpmyadmin.
1.2.5 Block bruce force attacks
Bruce-force attempts are always possible, and preventing them is easy. Install the login-lockdown plugin which blocks login attempts after a number of failed attempts.
Whilst akismet will block spam, it requires manual intervention. You can require registration which will prevent all spam. If you choose this route then you can also get plugins to enable logging in with google, facebook and other accounts.
If you don’t wish to require registration then you can increase the automation of spam filtering with various plugins including conditional captcha, which presents a captcha when it detects a comment is probably spam, with the plugin comment e-mail verification, which sends a verification e-mail to a user, enabling them to verify their details and thereby approving the comment automatically. Users who have previously verified their e-mail address will have their comments approved automatically
Use one of the many plugins available to back-up both your database and your site.