Add security to your Wordpress website.

[Matt Geer]

I've been doing some research on how to make my sites that use Wordpress more secure. I thought I'd share something that I came across today.

You can read it here.

#2 is what stood out the most to me. Take the code that they give you ^, place it in a .htaccess file and drop it into your /wp-admin/ folder. When you go to: xhttp://www.yoursite.com/wp-admin/ and the IP address is wrong (or not there), it takes you straight to a 404 page. Correct the IP address and you'll be taken to the standard /wp-admin/ login page.

Since I'm still doing research I'm not sure if this is the most optimal method (I think you should use more than one anyway), but at first glance it looks like it can be a good addition to your overall security efforts.

[PokerFelts]

Great share Matt, think i might implement this in the morning.

[Bryan]

Keep in mind that doing this pretty much kills your ability to work on your site from "anywhere". Unless you have a VPN setup, such that your IP address never changes no matter where you are.

It certainly adds security, but there is a downside.

[Matt Geer]

Yeah, that's a good point. But how hard is that to take care of?

- Go to What is My IP
- Open your FTP, edit your .htaccess
- Login

Less than 5 minutes?

Granted, it won't be the perfect solution for everyone, but assuming you're not mobile it's far from inconvenient IMO. Especially given the upsides and that you could probably avoid using plugins such as Limit Login Attempts or something similar.

[parttimepoker]

Good thread from OP. I personally don't want to go through that (I am mobile) every time I want to log in to one of dozens of WP sites I work on, but that's just me.

I think WP has a pretty good guide:

Hardening WordPress « WordPress Codex

Changing the admin user name and locking down the uploads folder are the first things I'd do if I were worried.

I think using as few plugins as possible and trying to write your own when you need some functionality is also key. But really, if you just update everything religiously and choose secure admin names / passwords, you should be fine.