Besides brute force attacks that try to guess your password by simply using the login screen or XML-RPC, bots that try to exploit vulnerabilities in your website PHP code are the most common form of attack targeting WordPress websites. Most of your time securing your site will be spent applying updates to fix vulnerabilities in your website PHP code. When you upgrade WordPress core to protect against a new kind of attack, you are upgrading to prevent an attack on WordPress’s PHP code. The same applies when you upgrade your themes and plugins to patch a vulnerability.
Vulnerabilities in PHP code are usually caused by a mistake that a developer made when writing the original code. It is quite common for a developer to launch a perfectly working PHP application like WordPress, but to not anticipate all the ways that hackers will try to gain access. As the application is used more and more, the developer will learn from users and their experiences with attacks how the website can be made more secure. Developing a PHP application is an evolutionary process, which is why it is important to keep abreast of security alerts.
The single most important thing you can do to avoid falling victim to an attack on a security vulnerability is to keep WordPress core, themes and plugins up to date. Developers generally release fixes quickly after vulnerabilities are discovered. Applying the updates keeps your site safe.
Enable automatic updates where practical and log in to your site to check for any needed updates often, at least monthly. The Wordfence scanner will alert you to known vulnerabilities, so make sure you have scanning enabled and alerts configured.
You should also be running a firewall built specifically to protect WordPress. The Wordfence firewall receives updates as new vulnerabilities are discovered, patching your site virtually. Sites running Wordfence Premium receive these updates in real-time, free sites 30 days later.
Mark Maunder – Wordfence Founder & CEO