Today I happened to come across a great article (update: the article no longer exists, so the link has been removed) that has some details on hardening a WordPress install. I already follow most of the advice whenever I install WordPress, as opposed to using the one-button install. However, there were some great .htaccess tips that I did pick up.
The following summarizes what I recommend at a minimum for securing your WordPress install:
- Don’t use the default “admin” user name to log in to WordPress, and use a strong password
- Specify a custom table prefix instead of the default wp_
- Set the secret keys and salts (AUTH_KEY, SECURE_AUTH_KEY, and the rest) in wp-config.php rather than leaving the placeholder values in place
- Ensure your files and folders have the proper permissions (typically 755 for directories and 644 for files, with wp-config.php restricted further, e.g. 440 or 400, so that only your account and the web server can read it)
- Use .htaccess to do the following (where it makes sense):
  - Prevent directory listings when a directory has no index file
  - Deny HTTP access to your wp-config.php file
  - Restrict access to the wp-admin directory by IP (leave admin-ajax.php reachable, since front-end themes and plugins call it)
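Here is a worked version of the three .htaccess rules above. It is an added example, not configuration from the original article or from the WordPress Codex. It assumes Apache 2.4 with mod_authz_core (the fallback sections cover 2.2), that the host’s AllowOverride setting permits Options and AuthConfig (Limit on 2.2), and it uses 203.0.113.10 as a placeholder for your own static admin address:

```apache
# ---- <wordpress root>/.htaccess ------------------------------------------
# Added example, not from the original post. Adjust paths and addresses.

# 1. No directory listing when a directory lacks an index file
#    (otherwise /wp-content/uploads/ and /wp-includes/ are browsable).
Options -Indexes

# 2. wp-config.php must never be served over HTTP: it holds the database
#    credentials and the secret keys/salts. Apache 2.4 uses "Require";
#    the !mod_authz_core branch keeps an Apache 2.2 host working.
<Files wp-config.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>

# ---- <wordpress root>/wp-admin/.htaccess ---------------------------------
# 3. Only the listed address(es) may reach the admin area.
#    203.0.113.10 is a placeholder (assumption); list your own IP(s) or
#    CIDR ranges here, separated by spaces.
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# admin-ajax.php lives in wp-admin but is called by the public front end
# (themes, plugins, comment forms), so it is explicitly re-opened.
# <Files> sections are merged after the directory-level rules, so this
# overrides the "Require ip" above for that one file only.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

Verify from a machine outside the allowed address: a request for /wp-config.php and for /wp-admin/ should each return 403, a request for /wp-includes/ should return 403 rather than a listing, and /wp-admin/admin-ajax.php should still answer (WordPress returns 400 or 0 for an empty request, not 403). Note that .htaccess files are not checked by apachectl configtest; a syntax error in one surfaces only as a 500 when that path is requested, so test right after editing.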
There are many other measures that can be added depending on your situation, and some of them are debated. The article above is a great start to locking things down; another worth reading is the Hardening WordPress page in the WordPress Codex.
Finally, WordPress is a very popular CMS platform for many good reasons. The downside of that popularity is that attackers concentrate on platforms with the most potential victims, so new WordPress vulnerabilities keep being discovered as time goes by. The number one thing you need to do going forward is to stay on the most current stable release of WordPress, and keep its plugins and themes current as well. It is the same advice you would follow for keeping your computer’s operating system up to date. Also, take regular backups of your site’s database and file system, archive them at least monthly, and confirm that you can actually restore from them, so that you can roll back if necessary.