So it’s no wonder that we periodically hear about rounds of attacks on the platform. The bigger the target, the more likely people are to aim for it.

There are few things more sobering than to wake up one morning and find that your sites have apparently disappeared or that they’re suddenly serving malware. It needn’t be that way if you maintain control of your WordPress installation and make it as exploit-proof as possible. It doesn’t require constant vigilance – just a bit of tweaking after installation and a secure routine from then on.

Post-install cleanup

After installation, there’s some immediate housekeeping that you’ll be prompted to do. Don’t put it off – do it straight away.

The most important change is to delete or disable the ‘install.php’ file in the wp-admin folder. That’s the file used to connect WordPress to a database and create a configuration file. It can be removed, or you can FTP to your website and rename it to something like ‘installOLD.xxx’.

Web design blogger Jeff Starr suggests a more lateral solution: replace install.php with a fake file that generates an error message and sends you an email informing you there’s been a hack attempt. To download his replacement, install.php from his website.