Securing WordPress

Passwords

Some vulnerabilities can be avoided by good security habits. An important element of this is passwords: do not use your own name as your password, do not use a dictionary word (from any language), and do not use a 4-character string of numbers. Your goal with a password is to make the search space as large as possible, so mixing in numbers and varying capitalization all make it statistically more difficult to brute-force. This is particularly important if you do not rename the administrator account: in that case half the puzzle is already solved for malicious users, as they know which username will give them significant privileges to edit files and databases. The Automatic Password Generator can be helpful in generating reasonably complex passwords.

Security Plugins

The WP Security Scan Plugin can be downloaded at WP Security Scan. While this helps tremendously to protect your WordPress installation, you still need to maintain good passwords, check plugins and themes before installing them, and keep good backups of your files and database in the event that you do get hacked.

SSL Encryption Security

You can secure and encrypt all of your communication and important WordPress cookies using the Admin-SSL plugin. It works with both private and shared SSL.

Updated SSL Plugin: http://www.kerrins.co.uk/blog/admin-ssl/

Hide Your Plugins

Be sure to hide anything that will give away which WordPress plugins you’re using and what version they are. If evil-doers can see which plugins are running on your site, it is easy for them to track down known vulnerabilities in older plugin versions. Add blank index.html files to directories you want to protect, or add this to your .htaccess file to disable directory listings:

Options All -Indexes

Security through obscurity

Do not advertise the WordPress version you are running: If you are running an old WordPress version with known vulnerabilities, it is unwise to display this information to the public. The easiest way to do this is with the Replace WP-Version plugin (a newer and better version with more features is Secure WP).

Rename the administrative account: You can do this in the MySQL command-line client with a command like update tableprefix_users set user_login='newuser' where user_login='admin'; (replace tableprefix with your actual table prefix), or by using a MySQL frontend like phpMyAdmin.

Update Everything

Keep your WordPress install and all of your plugins updated as much as possible. Staying on the leading edge of updates keeps your site from being exposed to known security vulnerabilities.

Backup Everything

Backup your data regularly, including your MySQL databases (see Backing Up Your Database). Data integrity is critical for trusted backups. Encrypting the backup, keeping an independent record of MD5 hashes for each backup file, and/or placing backups on read-only media (such as CD-R) increases your confidence that your data has not been tampered with.

Restrict Admin Access

If you’re a single person shop, you should consider restricting your wp-admin directory to your IP address. Make sure your IP address doesn’t change before doing this. Edit your .htaccess file in your wp-admin directory and add:

Order deny,allow
Deny from all
# Replace with your IP address (Apache does not allow comments on the same line as a directive)
Allow from 111.111.111.111

Logging

It is possible to log all $_POST variables sent to WordPress. Standard Apache access logs record only the request line and headers, not POST bodies, so they do not offer much help with security forensics.

* Mod_Security – Logs and Prevents using Apache
* Plugin that logs using WP
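As an added example (not the plugin linked above and not part of the original article), a minimal must-use plugin that writes every POST request as one JSON line with password fields redacted; the install path wp-content/mu-plugins/ and the log location are assumptions:

```php
<?php
/*
Plugin Name: POST Audit Log (added example)
Description: Records every POST request to WordPress as one JSON line, redacting password fields.
*/

// Assumed install location: wp-content/mu-plugins/post-audit-log.php (loads on every request).
// Assumed log path: one level above the web root, so the file is never served over HTTP.
define( 'POST_AUDIT_LOG_FILE', dirname( ABSPATH ) . '/post-audit.log' );

// Field names whose values must never reach the log (wp-login.php and the profile screen).
const POST_AUDIT_REDACT = array( 'pwd', 'pass1', 'pass1-text', 'pass2', 'user_pass', 'password' );

function post_audit_sanitize_fields( array $post ) {
    $fields = array();
    foreach ( $post as $key => $value ) {
        if ( in_array( $key, POST_AUDIT_REDACT, true ) ) {
            $fields[ $key ] = '[REDACTED]';
        } elseif ( is_array( $value ) ) {
            $fields[ $key ] = '[array:' . count( $value ) . ']';
        } else {
            // Truncate so a large post body cannot bloat the log.
            $fields[ $key ] = mb_substr( (string) $value, 0, 200 );
        }
    }
    return $fields;
}

add_action( 'init', function () {
    if ( ( $_SERVER['REQUEST_METHOD'] ?? '' ) !== 'POST' ) {
        return;
    }
    $entry = array(
        'time'   => gmdate( 'c' ),
        'ip'     => $_SERVER['REMOTE_ADDR'] ?? '',
        'uri'    => $_SERVER['REQUEST_URI'] ?? '',
        // 0 for anonymous visitors; auth cookies have already been validated by the time init fires.
        'user'   => get_current_user_id(),
        'fields' => post_audit_sanitize_fields( $_POST ),
    );
    // message_type 3 appends to the named file instead of the PHP error log.
    error_log( wp_json_encode( $entry ) . PHP_EOL, 3, POST_AUDIT_LOG_FILE );
} );
```

The log still contains usernames, nonces and form content, so keep its file permissions tight and rotate it; the Options All -Indexes rule above hides listings but would not stop direct download if the file sat inside the web root.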

Related Articles

* Securing your site with HTTPS
* Security and Hacking: Protect Thyself and Thy WordPress Blog
* 10 Steps To Protect The Admin Area In WordPress
