First of all I want to give thanks to Syed Balkhi ( @syedbalkhi ) for passing along his knowledge at WordCamp in Atlanta 2010. Some of the techniques here are really easy and some take some effort.

These are the 6 easiest things to do, and you should be able to knock them out in about an hour or so:

  1. Delete the install.php file in the wp-admin folder
  2. Delete the admin user account. Create a new account with the Administrator role, log out, log in with the new account, and then delete the old admin account (attribute its posts to the new user when WordPress asks, or they are deleted along with it).
  3. Move the wp-config.php file up one folder on your server. This is really good to do if your site is in the root of the server, because the file then sits outside the web-served directory. WordPress looks for wp-config.php in the parent directory automatically, so no code changes are needed.
  4. Download and use these plugins: WP-DB-Backup, Login Lockdown, WordPress File Monitor, WordPress Security Scan, Stealth Login, WP Spam Free, Secure WordPress Plugin
  5. Deactivate the tooltip and the error message on the WordPress login screen with Secure WordPress. The default error message tells an attacker whether the username exists or only the password was wrong.
  6. Make sure file permissions on the .htaccess and wp-config.php files are 644. Note that 644 is still world-readable on the server; if PHP runs as the file's owner (suPHP or a per-user FastCGI pool), 600 on wp-config.php is tighter and still works.
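The file-level steps above (1, 3 and 6) as one POSIX shell script. This is an added example, not code from the original post or from any of the plugins named; it assumes the site lives at a document root you pass in (a constructed throwaway tree is used for the demo at the bottom) and that the parent of that directory is not web-served. The user-account step needs the WordPress dashboard and is not covered here.

```shell
#!/bin/sh
# Added example: file-level WordPress hardening for steps 1, 3 and 6.
# Assumes $DOCROOT is the WordPress root and its parent directory is
# readable by the web server but not served to the public.

# Step 1: remove the installer left behind by the setup wizard.
remove_installer() {
  r_docroot="$1"
  if [ -f "$r_docroot/wp-admin/install.php" ]; then
    rm -f "$r_docroot/wp-admin/install.php"
  fi
  [ ! -e "$r_docroot/wp-admin/install.php" ]
}

# Step 3: move wp-config.php one level above the document root.
# WordPress checks the parent directory when the file is absent from
# the root, so nothing else has to change.
relocate_config() {
  c_docroot="$1"
  c_parent=$(dirname "$c_docroot")
  if [ -f "$c_docroot/wp-config.php" ]; then
    mv "$c_docroot/wp-config.php" "$c_parent/wp-config.php"
  fi
  [ -f "$c_parent/wp-config.php" ] && [ ! -e "$c_docroot/wp-config.php" ]
}

# Step 6: set .htaccess and wp-config.php to 644 (rw-r--r--).
set_perms() {
  p_docroot="$1"
  p_parent=$(dirname "$p_docroot")
  for f in "$p_docroot/.htaccess" "$p_parent/wp-config.php"; do
    [ -f "$f" ] && chmod 644 "$f"
  done
  return 0
}

# True when the file's mode is exactly the given octal mode (portable:
# uses find -perm rather than the non-portable stat flags).
mode_is() {
  [ -n "$(find "$1" -prune -perm "$2" 2>/dev/null)" ]
}

# Apply all three steps.
harden_wp_files() {
  remove_installer "$1" && relocate_config "$1" && set_perms "$1"
}

# Re-check the result; returns non-zero on the first problem found.
audit_wp_files() {
  a_docroot="$1"
  a_parent=$(dirname "$a_docroot")
  [ ! -e "$a_docroot/wp-admin/install.php" ] || { echo "FAIL: wp-admin/install.php still present"; return 1; }
  [ ! -e "$a_docroot/wp-config.php" ] || { echo "FAIL: wp-config.php still inside the document root"; return 1; }
  [ -f "$a_parent/wp-config.php" ] || { echo "FAIL: wp-config.php not found in parent directory"; return 1; }
  mode_is "$a_parent/wp-config.php" 644 || { echo "FAIL: wp-config.php is not mode 644"; return 1; }
  mode_is "$a_docroot/.htaccess" 644 || { echo "FAIL: .htaccess is not mode 644"; return 1; }
  echo "OK: installer removed, wp-config.php relocated, permissions 644"
}

# Constructed fixture (not a real site): an unhardened tree in a temp dir.
# Prints the document root path so callers can harden and audit it.
make_fixture() {
  f_root=$(mktemp -d)
  f_docroot="$f_root/public_html"
  mkdir -p "$f_docroot/wp-admin"
  printf '<?php // installer stub\n' > "$f_docroot/wp-admin/install.php"
  printf "<?php define('DB_PASSWORD', 'example');\n" > "$f_docroot/wp-config.php"
  printf 'RewriteEngine On\n' > "$f_docroot/.htaccess"
  chmod 666 "$f_docroot/wp-config.php" "$f_docroot/.htaccess"   # deliberately too loose
  printf '%s\n' "$f_docroot"
}

# Demo: build the fixture, harden it, audit it, clean up.
demo_docroot=$(make_fixture)
harden_wp_files "$demo_docroot" && audit_wp_files "$demo_docroot"
rm -rf "$(dirname "$demo_docroot")"
```

To use it on a real site, drop the demo lines at the bottom and call `harden_wp_files /path/to/public_html` followed by `audit_wp_files /path/to/public_html`; the audit is safe to run on its own at any time as a quick check.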

Some other things you can do to help secure your self-hosted WordPress site:

Additional Resources and Links:


Now, I’m not saying this is a 100% guarantee that you will not be hacked, but it doesn’t hurt to try to prevent it.