First of all I want to give thanks to Syed Balkhi (@syedbalkhi) for passing along his knowledge at WordCamp Atlanta 2010. Some of the techniques here are really easy and some take a bit of effort.
These are the 6 easiest things to do, and you should be able to knock them out in about an hour or so:
- Delete the install.php file in the wp-admin folder. It is only needed during setup, and a core update will put a fresh copy back, so repeat this after each update.
- Get rid of the default admin account. Create a new account with the Administrator role, log out, log in as the new user, then delete admin (attribute its posts to the new user when WordPress asks).
- Move the wp-config.php file up one folder on your server. WordPress looks one level above the install directory when the file is missing from the root, so if your site lives in the web root the file holding your database credentials ends up outside anything the web server will serve.
- Download and install these plugins: WP-DB-Backup, Login Lockdown, WordPress File Monitor, WordPress Security Scan, Stealth Login, WP Spam Free, Secure WordPress Plugin
- Use Secure WordPress to turn off the tooltip and the error messages on the login form. The stock messages tell an attacker whether a username exists, which does half of a brute-force attempt for them.
- Make sure the file permissions on .htaccess and wp-config.php are 644 (or tighter, such as 600, when PHP runs as the file's owner).
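The file-level items in that list (remove the installer, move wp-config.php up a level, fix permissions) can be scripted. The following is an added example, not code from the original post, and it works on a constructed throwaway directory tree so it can be run offline; the admin-account and plugin steps happen in the dashboard and are not part of it. The only assumption is that the path passed in is the WordPress root, the directory holding wp-settings.php.

```shell
#!/bin/sh
# Added example (not from the original post): apply the filesystem items from
# the list above. Assumes $1 is the WordPress root (holds wp-settings.php).
set -eu

harden_wp_files() {
    wp_root=$1
    parent=$(dirname "$wp_root")

    # 1. Remove the installer; it is only needed during setup. Core updates
    #    ship a fresh copy, so this has to be repeated after each update.
    rm -f "$wp_root/wp-admin/install.php"

    # 2. Move wp-config.php one directory up. WordPress looks there when the
    #    file is absent from the install root; when the root is the web
    #    document root, the credentials are no longer under a served path.
    if [ -f "$wp_root/wp-config.php" ] && [ ! -e "$parent/wp-config.php" ]; then
        mv "$wp_root/wp-config.php" "$parent/wp-config.php"
    fi

    # 3. 644 on the two sensitive files, as the post recommends (use 600 if
    #    PHP runs as the file owner and nothing else needs to read them).
    for f in "$parent/wp-config.php" "$wp_root/.htaccess"; do
        if [ -f "$f" ]; then
            chmod 644 "$f"
        fi
    done
}

# Returns 0 when all three changes are in place, 1 otherwise.
is_hardened() {
    wp_root=$1
    parent=$(dirname "$wp_root")
    [ ! -e "$wp_root/wp-admin/install.php" ] || return 1
    [ ! -e "$wp_root/wp-config.php" ] || return 1
    [ -f "$parent/wp-config.php" ] || return 1
    # find -perm 644 is an exact mode match and is POSIX; stat's flags are not.
    [ -n "$(find "$parent/wp-config.php" -perm 644)" ] || return 1
    [ -n "$(find "$wp_root/.htaccess" -perm 644)" ] || return 1
    return 0
}

# Constructed sample layout (not a real site): <tmp>/site is the document
# root. Prints the path of the WordPress root.
make_demo_tree() {
    base=$(mktemp -d)
    mkdir -p "$base/site/wp-admin"
    : > "$base/site/wp-admin/install.php"
    : > "$base/site/wp-settings.php"
    printf '<?php define("DB_PASSWORD", "secret");\n' > "$base/site/wp-config.php"
    printf 'RewriteEngine On\n' > "$base/site/.htaccess"
    chmod 666 "$base/site/wp-config.php" "$base/site/.htaccess"   # deliberately loose
    printf '%s\n' "$base/site"
}

demo_root=$(make_demo_tree)
harden_wp_files "$demo_root"
if is_hardened "$demo_root"; then
    echo "hardened: $demo_root"
fi
rm -rf "$(dirname "$demo_root")"
```

Run it against a real install only after taking a backup, and re-run it after every core update, since the update restores wp-admin/install.php.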
Some other things you can do to help secure your self-hosted WordPress site:
- Use the Security Keys in wp-config.php. The sample config ships with placeholder values; generate unique ones at https://api.wordpress.org/secret-key/1.1/salt/ and paste them in.
- Keep WordPress updated
- Use strong passwords (at least 10 characters, mixing letters, numbers and symbols)
- Change permissions on folders (755) and files (644): http://codex.wordpress.org/Changing_File_Permissions
- Remove the WP version from the header (or just keep WordPress updated, so the advertised version has no known holes)
- Use a table prefix other than the default wp_ when installing WordPress, so canned SQL injection payloads that hard-code wp_users or wp_options do not work as-is
- Force SSL for login and admin via wp-config.php (the FORCE_SSL_ADMIN constant) or use the Secure WordPress plugin. You will need an SSL certificate for this one, which you can get from your host: http://codex.wordpress.org/Administration_Over_SSL
- Protect WordPress against malicious URL requests: http://perishablepress.com/press/2009/12/22/protect-wordpress-against-malicious-url-requests/
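Three of the items above (unique security keys, a non-default table prefix, forced SSL for admin) are plain text in wp-config.php and can be checked with grep. The following read-only audit is an added example, not code from the original post; it only reads the file, so it is safe against a live config. The two sample configs it writes are constructed for the demonstration, the key values in the "hardened" one are made up, and the placeholder text it looks for is the one shipped in wp-config-sample.php.

```shell
#!/bin/sh
# Added example (not from the original post): read-only audit of three
# wp-config.php hardening items. Usage: audit_wp_config /path/to/wp-config.php
set -eu

# Print one finding per line; prints nothing when the config passes.
audit_wp_config() {
    cfg=$1
    # Default table prefix: canned SQL injection payloads that hard-code
    # wp_users / wp_options work unchanged against it.
    if grep -Eq "table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
        echo "table prefix is the default wp_"
    fi
    # Security keys: wp-config-sample.php ships with this placeholder text.
    # Real values come from https://api.wordpress.org/secret-key/1.1/salt/
    if grep -q 'put your unique phrase here' "$cfg" ||
       ! grep -Eq "define\([[:space:]]*['\"]AUTH_KEY['\"]" "$cfg"; then
        echo "security keys are missing or still the sample placeholder"
    fi
    # SSL for login and admin pages.
    if ! grep -Eq "define\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true" "$cfg"; then
        echo "FORCE_SSL_ADMIN is not set to true"
    fi
}

# Number of findings, printed on stdout (so callers under set -e can use it).
audit_count() {
    audit_wp_config "$1" | awk 'END { print NR }'
}

# Constructed sample configs (not real sites): writes weak.php and
# hardened.php into the directory given. Key values are made up.
write_sample_configs() {
    dir=$1
    cat > "$dir/weak.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',        'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
$table_prefix = 'wp_';
EOF
    cat > "$dir/hardened.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',        'q8K#v2!Lp0zR^wT1m4Ye(b5Dn7Hc9Xs&jF+a'); /* made-up value */
define('SECURE_AUTH_KEY', 'Zt3*Gm6@Nq9)Wx2%Hb5!Rv8-Ky1^Pc4&Ld7'); /* made-up value */
$table_prefix = 'blog9k_';
define('FORCE_SSL_ADMIN', true);
EOF
}

tmp=$(mktemp -d)
write_sample_configs "$tmp"
for f in weak hardened; do
    echo "== $f.php: $(audit_count "$tmp/$f.php") finding(s)"
    audit_wp_config "$tmp/$f.php"
done
rm -rf "$tmp"
```

The checks are deliberately pattern-based rather than a PHP parse, so a config that defines the constants through an include or a variable will show up as a finding; treat the output as a prompt to look, not as proof.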
Additional Resources and Links:
Now, I'm not saying this is a 100% guarantee that you will not be hacked, but it doesn't hurt to try to prevent it.