  1. #1
    Wannabe Balla
    Join Date
    Mar 2009
    Location
    Ireland
    Posts
    2,203
    Blog Entries
    1
    Feedback Score
    26 (96%)

    Improving Security on a Wordpress Site

    Sorry if this is in the wrong area, but it's obviously a big issue for affiliates. One of my sites was also hacked some time in the past few days.

    Is there any kind of noobs guide to increasing security on a Wordpress site? I'm pretty new to WP as a CMS and have a load of sites on that platform, so it's probably best to get them all sorted asap!

    Thanks.
    PM me for:

    English/Chinese translation.
    PSD to WP/Custom WP Plugin Creation
    Swap MB for Paypal

  2. #2
    Bingolady
    Join Date
    Jan 2009
    Location
    In a galaxy far, far away
    Posts
    87
    Feedback Score
    0

    • Always have the latest WordPress install; update it at once when updates are available
    • Download only trusted plugins
    • Update your plugins frequently when updates are available
    • Put a htaccess file in your wp-admin directory and make your wp-admin available only from fixed IPs
    • Make sure your server displays "Access Denied" when browsing directories in a browser (e.g. if you type in mysite.com/wp-content/plugins then you cannot see a directory list but an Access Denied). If you see the directories, then put an empty index.php into that directory or put a htaccess file
    • Always use trusted themes. Before you activate a theme look through the php files it uses in the theme, so there is no malicious code in the files
    • Change the admin login name. Go to phpmyadmin and browse your database, and manually change the admin's username to something else
    • Install WP Login Lockdown plugin, it will prohibit excessive login attempts
    • Change the table names in the WP database. You can do this with one click with the help of WP Security Scan plugin. It will also show you what other weakness you have
    • Hide your WP version. WP by default will display in the code what WP version you use with wp_header(); there are some plugins that can remove this, making the attacker's work a bit harder by not telling them which vulnerabilities each WP version has
    • Also remove the readme.html and license.txt from your root install directory, so they cannot be visible from a browser, or make a htaccess file where you deny to serve these files in a browser
    • Make sure you have the proper file and directory permissions in place, do not use the built-in plugin updater as it requires ftp access and unnecessary file permissions. Update your plugins and WP by hand through an SFTP connection
    • Move your config.php to a non-web directory. There is another file that calls for the config, I don't remember which one; you need to modify that too. On the WordPress forum you will find answers
    • If you know that you won't use your WordPress site through XML RPC then rename the xmlrpc.php file in the root install directory to something like xmlrpc.php.disabled. The latest WordPress attacks happened through this file.

    And maybe the most important: backup your content often, through the WP xml export and through a database sql dump too. This way you can ensure that your site won't get lost.
    Hope this helps.
    USA bingo
    UK bingo sites
    "Its great to see that Hugh Heffner isn't the only one building and running his empire in his PJ's!" -SeoPants@AGD

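Several items in the checklist above can be verified directly on the file system. The script below is an added example, not part of the original post: it audits a WordPress document root for leftover readme.html/license.txt, an un-renamed xmlrpc.php, a wp-admin directory without an .htaccess file, wp-content directories that could show a listing, and world-writable files. The function name `wp_audit` and the finding labels are made up for this example.

```shell
#!/bin/sh
# Added example: audit a WordPress document root against the checklist above.
# wp_audit ROOT prints one finding per line and nothing for a clean tree.
# The function name and the finding labels are made up for this example.
wp_audit() {
    root=$1
    # Files the post says to delete or block because they disclose the version.
    for f in readme.html license.txt; do
        if [ -e "$root/$f" ]; then echo "REMOVE $f"; fi
    done
    # XML-RPC endpoint still reachable under its original name.
    if [ -e "$root/xmlrpc.php" ]; then echo "XMLRPC xmlrpc.php"; fi
    # wp-admin has no .htaccess, so the post's per-directory IP restriction
    # is not in place. (Presence only: the rules in the file are not parsed.)
    if [ -d "$root/wp-admin" ] && [ ! -f "$root/wp-admin/.htaccess" ]; then
        echo "NOHTACCESS wp-admin"
    fi
    # Directories under wp-content with neither index.php nor .htaccess
    # may show a directory listing, depending on server configuration.
    if [ -d "$root/wp-content" ]; then
        find "$root/wp-content" -type d | sort | while IFS= read -r d; do
            if [ ! -f "$d/index.php" ] && [ ! -f "$d/.htaccess" ]; then
                rel=${d#"$root"/}
                echo "LISTABLE $rel"
            fi
        done
    fi
    # World-writable files and directories (symlinks skipped).
    find "$root" ! -type l -perm -0002 | sort | while IFS= read -r p; do
        rel=${p#"$root"/}
        echo "WORLDWRITABLE $rel"
    done
    return 0
}

# Run against a path given on the command line, e.g. sh wp_audit.sh /var/www/site
if [ $# -gt 0 ]; then wp_audit "$1"; fi
```

A LISTABLE finding is only a hint: an .htaccess in a parent directory or a server-wide setting may already block listings, so confirm in a browser as the post describes.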
  3. #3
    Wannabe Balla
    Join Date
    Mar 2009
    Location
    Ireland
    Posts
    2,203
    Blog Entries
    1
    Feedback Score
    26 (96%)

    Man that is an awesome reply. Really appreciate it!

  4. #4
    Senior Member
    Join Date
    Nov 2008
    Location
    USA
    Posts
    426
    Feedback Score
    8 (100%)

    Where's that thanks button again?

    Great post sipka.


 
