Most of the sites I create are done with WordPress. I noticed recently many of them were hacked, and a few of my clients complained about increased spam in comments and from the contact form. Are there any plugins you guys recommend or techniques to protect WordPress sites?
I also work mainly with WordPress and I faced the same situation. Over the last few months I started following a few rules (listed below) which almost completely removed the problems you describe:
With any WordPress installation, follow these rules:
1. WP Security – this is a great free plugin, which dramatically increases your website security. You should activate at least 80% of the settings the plugin provides.
2. You definitely need to make sure the website has a daily backup. I always recommend CodeGuard.com to my clients – it only costs $5 per month, is easy to set up and makes daily backups of the website, letting you restore old versions with one click. Of course you can also have some backups on your own server, but this is usually a paid option and much more expensive than $5/month. This tool also lets you know when code on your site changes, which is helpful with detecting any suspicious activity on the server.
3. When customizing the theme and plugins make sure to do it in a way that you can update them! This is crucial. Avoid modifying their core files, changing the look of plugins can usually be done by CSS, also use Actions, Filters, and Hooks (WordPress Codex: add_action, do_action, remove_action, add_filter, apply_filters). Also: use child theme (http://codex.wordpress.org/Child_Themes) and do not download plugins and themes from unknown sources.
4. Use strong passwords (to the server and wp-admin), avoid sharing access to FTP with anybody.
5. Keep your plugins and WordPress updated (use staging environment before major updates).
6. Sign up for http://mxtoolbox.com/ and monitor if your site is black listed anywhere.
I use Sucuri and it logs attacks by IP addresses. I now block those IP’s in the .htaccess file. I have knocked 90% of the attacks out. I have also blocked the login.php page from showing except for my IP and client’s ips.