The past week has been very informative. I have learned a few things about proper website management, and I will share them with you in just a moment.
A little foreword:
I started SimpleVancouver.com in November 2012 with a simple idea: to document the process of being a student trying to settle in Vancouver. I had very little HTML coding knowledge and zero website management experience. The most I had done before was a terrible-looking website built from a template on Narod.ru back in 2004 or so.
Since then (well, more since Nov. 2012 than earlier) I have learned a few things which, had I applied them differently, would have spared me an outcome as tragic as this one (95% of the images are gone from my website; a backup is pending from my hosting provider).
So, if you are starting your own WordPress-based website, make sure to:
1. Do NOT name the admin user “admin”. Choose a name that is not your name and not anything related to the website (basically, anything that is not easy to guess). Better still if the name is a mix of letters and numbers that does not make any sense (e.g. 123ihazalotofdough99butimsingel6969).
This will decrease the chance of a password-guessing program gaining access to your site.
2. Use a strong password that is not a real word or a combination of words and that is 24 or more characters long. I now use http://passwordsgenerator.net/. A 24-character password will take an eternity to guess.
Change your password every other month or so, and use a different password for everything, so that if one of them is somehow compromised the rest stay safe. Make each one different and hard to guess.
3. Back it up! Keep at least one recent backup of all files and at least one recent backup of the database: the files in case they go missing (as they did for me), and the database in case something crashes, so that you do not have to go and re-point each image to its post individually.
There are WordPress plugins that make this a lot easier. I have installed WP Complete Backup, but I haven’t had a chance to use it yet. I have also downloaded a 1.2 GB copy of the entire database to store locally (including, but not limited to, the SimpleVancouver files).
4. Do not display Login or Registration links on the website unless you know 100% what you are doing. This is what messed me up: bots created 15,000 subscriber accounts, eating tonnes of traffic and slowing down the website for legitimate users. God knows what they used these accounts for, but I decided to delete all of them.
For commenting, people can use guest accounts or their WordPress accounts, or you can set comments up through a third-party widget such as Disqus.
5. Use proper plugins:
Akismet to protect yourself against spam.
Block Bad Queries (BBQ) to protect against malicious requests.
Cartpauj Register Captcha to prevent spam registrations.
Limit Login Attempts to slow down password guessing (by programs and humans alike).
Sucuri Security – Auditing, Malware Scanner and Hardening for better security overall. This plugin recommends necessary security changes based on what it knows about my site, notifies me each time a wrong login is attempted or a post is changed, and shows which IP address asked for what on my site.
Theme Authenticity Checker (TAC), just because I am paranoid and want to ensure that the problems are not coming from within.
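The two problems described above, a bot flooding the registration form (step 4) and a program guessing passwords (what Limit Login Attempts slows down and Sucuri alerts on), both leave a plain trail in the web server access log. Here is an added example, not code from the original post or from any of the plugins named, that counts per-IP failed logins and registration submissions over a constructed sample of Apache access-log lines; the addresses, timestamps and thresholds are made up for illustration.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-format access-log lines (made-up
# addresses, timestamps and paths; not data from the original post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2013:02:14:01 -0700] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:02:14:02 -0700] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:02:14:02 -0700] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jun/2013:02:14:03 -0700] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Jun/2013:02:15:10 -0700] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "python-requests/1.2"
198.51.100.23 - - [10/Jun/2013:02:15:11 -0700] "POST /wp-login.php?action=register HTTP/1.1" 302 0 "-" "python-requests/1.2"
192.0.2.44 - - [10/Jun/2013:02:16:00 -0700] "GET /2013/05/moving-to-vancouver/ HTTP/1.1" 200 18234 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2013:02:16:20 -0700] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Jun/2013:02:16:30 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Client IP, request method, path and status code are all this check needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, method, path, status) for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return None if m is None else (m["ip"], m["method"], m["path"], int(m["status"]))

def analyze(log_text, login_threshold=4, register_threshold=2):
    """Flag IPs with many failed logins or many registration submissions.
    A wrong password makes WordPress re-render wp-login.php with HTTP 200, while
    a correct one redirects (302); registrations post to ?action=register."""
    failed, registered = Counter(), Counter()
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, method, path, status = parsed
        base, _, query = path.partition("?")
        if method != "POST" or base != "/wp-login.php":
            continue  # page views and other requests are not login activity
        if "action=register" in query:
            registered[ip] += 1
        elif status == 200:
            failed[ip] += 1  # form re-rendered: the guess was wrong
    return {
        "password_guessing": {ip: n for ip, n in failed.items() if n >= login_threshold},
        "registration_flood": {ip: n for ip, n in registered.items() if n >= register_threshold},
    }

if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for ip, n in hits.items():
            print(f"{kind}: {ip} ({n} requests)")
```

The legitimate visitor at 192.0.2.44 mistypes once and then logs in, so it stays below the threshold, while the two noisy addresses are reported.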
6. Protect your wp-admin area.
Edit: AskApachePassword is an awesome plugin.
Also, here is a really good article to help you add another layer of security.