Wordpress Security – Protection Against Hackers
There are a bunch of things you can do at no cost that will make your Wordpress installation more stable and secure.
Keep Wordpress and all of your plugins up to date – Many upgrades include security fixes, and the changelog tells attackers exactly what the previous version got wrong. Wordpress 2.7 and higher can upgrade the core installation and your plugins from the dashboard with one click, so there is no reason to stay behind.
Do not use the default wp_ as your table prefix – Canned SQL injection payloads assume table names such as wp_users, and a different prefix makes them fail. It does not fix an injection bug itself, so treat it as a cheap extra layer. Read about the WP Security Scan plugin below for information on how to change the prefix on an existing site.
Make sure your Wordpress version is hidden – You can delete the name="generator" line from your theme's header.php, unhook the wp_generator action from your theme's functions.php so the change survives a theme update, or use the WP Security Scan plugin to hide it automatically. Keep in mind that this only stops casual fingerprinting: readme.html in the Wordpress root and the ?ver= query strings on core scripts and styles still reveal the version, so hiding the tag is no substitute for keeping up to date.
Make sure DB errors are turned off – A database error shown to a visitor leaks table names and query structure. This is the default setting on the current version, where such errors stay hidden unless WP_DEBUG is enabled in wp-config.php. If you are using an older version you should upgrade.
The WP ID META tag should be removed from WordPress core files. The easiest way to do this is with the WP Security Scan plugin.
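A check for the version leaks discussed in the steps above, added here as an example and not part of the original post. It reads a rendered page on standard input and reports the generator meta tag and the ?ver= query strings that Wordpress appends to enqueued scripts and styles (for core files the value is the core version). The HTML in the sample is constructed, and the site URL is an assumption.

```shell
#!/bin/sh
# Added example, not code from the original post.  Checks a rendered
# WordPress page (read from stdin) for the two most common version leaks:
# the generator meta tag and the ?ver= query strings WordPress appends to
# enqueued scripts and styles.  Prints every match and returns 1 if any
# were found, 0 if the page looks clean.  Assumes attribute values are
# double-quoted, which is how WordPress emits them.

wp_version_leaks() {
    page=$(cat)          # buffer stdin so it can be scanned twice
    leaks=0

    # 1. <meta name="generator" content="WordPress x.y" />
    if printf '%s\n' "$page" | grep -Eio '<meta[^>]*name="generator"[^>]*>'; then
        leaks=1
    fi

    # 2. wp-includes/...?ver=2.7 and wp-content/...?ver=... on enqueued
    #    assets; for core files the value is the WordPress version.
    if printf '%s\n' "$page" | grep -Eo 'wp-(includes|content)/[^" >]*\?ver=[0-9][^" >]*'; then
        leaks=1
    fi

    return $leaks
}

# Usage against a live site (URL is an assumption):
#   curl -s http://yourdomain.ext/ | wp_version_leaks && echo "no version leaks found"
#
# Constructed sample in the shape WordPress emits when nothing is hidden:
sample='<head>
<meta name="generator" content="WordPress 2.7" />
<link rel="stylesheet" href="http://yourdomain.ext/wp-content/themes/default/style.css?ver=2.7" />
<script src="http://yourdomain.ext/wp-includes/js/jquery/jquery.js?ver=1.2.6"></script>
</head>'
printf '%s' "$sample" | wp_version_leaks || echo "version leaks found"
```

Run it against your own site after applying the steps above; if it still prints matches, the generator tag is being re-added by a theme or plugin, or the ?ver= strings need to be filtered out. Also request http://yourdomain.ext/readme.html directly: it states the installed version in plain text and is not covered by this check.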
Delete the default "admin" login if you have one – "admin" is the first username every password-guessing script tries. Create a new user with full admin permissions first, log in as that user, then delete "admin" and attribute its posts to the new account when prompted.
Use a strong password – The WP Security Scan plugin has a password generator that will create very strong passwords. A long random password is the only real defence against the dictionary attacks run against wp-login.php, so use one for every account with admin rights.
Create a .htaccess file in your Wordpress folder – Open a new plain text file. Leave it blank. Save it as .htaccess. It should have rw-r--r-- (644) permissions on the server. Wordpress will write its permalink rewrite rules into this file when you enable pretty permalinks.
Create a .htaccess file in your wp-admin folder – Open a new plain text file, paste this single line into it and save it as .htaccess:
IndexIgnore *
then upload it to your server as a plain text (ASCII) file. This tells Apache to leave every file out of the automatic directory index, so a visitor who requests the folder sees an empty listing instead of your file names. The Options -Indexes directive is stronger, because it refuses the listing altogether; either one only works if your host's AllowOverride setting permits it, so test by requesting the folder in your browser afterwards.
Hide your plugins – If you can see the contents of your plugins directory in your web browser (at yourdomain.ext/wpfolder/wp-content/plugins) you are handing hackers a list of installed plugins to look up exploits for. Upload the above .htaccess file to wp-content/plugins. This hides the list only; a plugin's files can still be requested by name, so the real fix for a vulnerable plugin is to update or remove it.
Hide your backups – If you have a plugin that periodically backs up your database and saves the backup files to your server, hiding the listing is not enough, because backup filenames are usually predictable (plugin name plus date) and anyone who guesses one can download your entire database. Put a .htaccess containing Deny from all in that folder so nothing in it is served over the web, or better, keep backups outside the web root altogether.
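The .htaccess files from the steps above, generated by a small script. This is an added example and not code from the original post: compared with a bare IndexIgnore * it also sets Options -Indexes, so a listing is refused rather than shown empty, denies every request to the backups folder, and blocks readme.html and license.txt in the Wordpress root, which print the installed version. It uses the Apache 2.2 access-control syntax that shared hosts ran when this was written (Apache 2.4 uses Require all denied instead); the install path and the folder name "backups" are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original post: writes the .htaccess
# files described in the steps above.  Apache 2.2 syntax (Order/Deny);
# on Apache 2.4 replace the two access lines with "Require all denied".
# The paths in the usage comment and the folder name "backups" are assumptions.

# .htaccess body that disables directory listings.
htaccess_noindex() {
    printf '%s\n' 'Options -Indexes' 'IndexIgnore *'
}

# .htaccess body that refuses every request (for backups and anything
# else that has no reason to be served over HTTP).
htaccess_deny() {
    printf '%s\n' 'Order deny,allow' 'Deny from all'
}

# .htaccess body for the WordPress root: disable listings and block
# readme.html and license.txt, which state the installed version even after
# the generator meta tag has been removed.  WordPress later appends its own
# rewrite block to this file; these lines do not conflict with it.
htaccess_root() {
    printf '%s\n' \
        'Options -Indexes' \
        '<FilesMatch "^(readme\.html|license\.txt)$">' \
        '    Order deny,allow' \
        '    Deny from all' \
        '</FilesMatch>'
}

# install_htaccess DIR KIND: write the KIND body (noindex, deny or root)
# to DIR/.htaccess with mode 644.  Refuses to overwrite an existing file so
# that rules WordPress or the host already put there are not lost.
install_htaccess() {
    dir=$1
    kind=$2
    if [ ! -d "$dir" ]; then
        echo "install_htaccess: no such directory: $dir" >&2
        return 1
    fi
    if [ -e "$dir/.htaccess" ]; then
        echo "install_htaccess: $dir/.htaccess exists, not overwriting" >&2
        return 1
    fi
    case $kind in
        noindex) htaccess_noindex > "$dir/.htaccess" ;;
        deny)    htaccess_deny    > "$dir/.htaccess" ;;
        root)    htaccess_root    > "$dir/.htaccess" ;;
        *)
            echo "install_htaccess: unknown kind: $kind" >&2
            return 1
            ;;
    esac
    chmod 644 "$dir/.htaccess"
}

# Usage (assumed install path; adjust to your host):
#   WP=/var/www/html
#   install_htaccess "$WP" root
#   install_htaccess "$WP/wp-admin" noindex
#   install_htaccess "$WP/wp-content/plugins" noindex
#   install_htaccess "$WP/wp-content/backups" deny
```

After uploading, request each folder and a known backup filename in your browser: the plugin folder should return a 403 or an empty page, and the backups folder should return 403 for every file. If you still get a listing, your host's AllowOverride setting is ignoring the directives and you will need to ask them to enable it or move the backups out of the web root.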
Noindex / nofollow – You may have read my previous article about using noindex and nofollow tags to help your search engine ranking by preventing search engines from indexing pages, and following links on pages, that contain duplicate content. You can also go into your Wordpress admin's Settings > Privacy page to mark your entire site noindex/nofollow if you don't want the search engines to list it or spider it at all. This is useful for private organizations, but note that it only asks well-behaved crawlers to stay away; it is not access control, and anyone with the URL can still read the site.
Here are some plugins that will help you improve the security of your Wordpress blog…
Security Scanner
WP Security Scan – will check your installation for security risks and provide you with corrective tools, such as the one for renaming your table prefix if it’s currently the default wp_ and the one that hides your Wordpress version mentioned above.
Firewalls
WordPress Firewall SEO – This is the one that I use. I like the fact that it sends me emails with details of the attack and the attacker's IP address, as well as its blacklist and whitelist capability. It also ships with a set of hard-coded rejection rules and a pre-built whitelist so it works out of the box. Bear in mind that a plugin-level firewall runs inside Wordpress itself and only sees requests that reach PHP, so it is a filter in front of your code, not a replacement for keeping it updated.
WPIDS – The WPIDS plugin offers protection for your blog from malicious code injections. Any request considered malicious is logged to a database for later analysis. You can also set up email notification for attacks with very high impact. The back-end pages of the plugin will notify you when new filter rules are available, and you can check a list of the latest intrusion attempts.
Maximum Security – includes a powerful server analysis tool that shows you exactly what kind of server your site is running on along with its hardware configuration, current operational status (memory usage, disk space, CPU load, etc) and software capabilities. It also scans your entire Wordpress configuration to detect potentially dangerous settings, such as using the default table prefix, using a “generator” tag in your site’s page headers, leaving the default “admin” account enabled, and more.
Database Backup & Maintenance
WP-DBManager – gives you options to schedule backups and optimization of your database, as well as drop tables from deleted plugins, and repair database errors.
This article copyright © John Nasta 2009 – All Rights Reserved

You rock. World needs more souls like you.
This is a good tutorial, thanks
Where can I find the Maximum Security plugin?
https://wpsecurity.net/ – Keep in mind that only a beta version is “nearly ready”. You can only sign up to be notified when it’s ready. You can’t actually download it at this time.