This guide assumes that you already know how to install WordPress and how to back up and modify files. It is by no means complete, so feel free to add your own "How to secure WordPress" or "Securing your WordPress" tips in the comments.
BEFORE INSTALLATION
1. Download the latest version of WordPress from wordpress.org. Fixes for publicly known bugs only reach you through updates, so plan to keep the installation current afterwards as well.
2. Delete the readme.html file. It advertises the exact WordPress version, and every core upgrade re-creates it, so delete it again after each update.
3. Edit your wp-config.php file.
3-1. In your wp-config.php file, change the database table prefix from the default wp_ to something else, for example goo_ ($table_prefix = 'goo_';). Automated attacks that hard-code table names such as wp_users will then fail, but treat this as obscurity, not as a fix for SQL injection.
3-2. Use the WordPress.org secret-key service (https://api.wordpress.org/secret-key/1.1/salt/) to replace the placeholder AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY lines, and the matching _SALT lines, with unique random values. These keys sign your login cookies; if they are left at the placeholder, WordPress falls back to salts stored in the database, so anyone who can read the database can forge cookies.
3-3. If your web host supports SSL/TLS for your domain, make WordPress use it for the admin area and the login page, so passwords and authentication cookies are never sent in clear text, by adding the following line to your wp-config.php file:
define('FORCE_SSL_ADMIN', true);
4. Edit the functions.php file of your active theme. It is located at wp-content/themes/your-theme/functions.php. Do not edit wp-includes/functions.php: that is a core file, and the next WordPress update overwrites it.
4-1. You can suppress the detailed error message shown on a failed login (which tells an attacker whether the username exists) by pasting the following line into your theme's functions.php file (the create_function() call used in older versions of this snippet was removed in PHP 8, so a closure is used instead):
add_filter('login_errors', function () { return null; });
4-2. To remove the WordPress version number from the head of your pages, paste the following line into your theme's functions.php file. Note that the version is also visible in your RSS feeds and in the ?ver= parameter of core scripts and stylesheets, so this alone only hides it from a casual look:
remove_action('wp_head', 'wp_generator');
5. When uploading the files, connect over SFTP rather than plain FTP whenever your host allows it: FTP sends your password and your files in clear text. See source #15 below.
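The two functions.php changes from step 4, as an added example that is not code from the original page or from WordPress itself. It goes in the active theme's functions.php and goes a little beyond the page: it replaces the hidden login error with one generic message (so the page no longer distinguishes a wrong username from a wrong password), removes the version from RSS/Atom feeds as well as from the HTML head, and strips the core ?ver= parameter from enqueued scripts and styles. The name example_strip_core_asset_version is an arbitrary name chosen for this example; the hooks and functions it uses (login_errors, the_generator, style_loader_src, script_loader_src, wp_generator, remove_query_arg, get_bloginfo, __return_empty_string) are standard WordPress APIs.

```php
<?php
// Added example: hardening snippets for the active theme's functions.php
// (wp-content/themes/<your-theme>/functions.php). Never edit wp-includes/functions.php.
// Drop the opening <?php tag if the file you paste into already has one.

// Step 4-1: do not tell an attacker whether the username or the password was wrong.
// WordPress normally says "Invalid username" for unknown users and "The password you
// entered for the username X is incorrect" for known ones, which enumerates accounts.
// The page's snippet returns null (no message at all); a neutral message leaks just as
// little and is friendlier to real users.
add_filter( 'login_errors', function ( $errors ) {
    return 'Login failed. Please check your username and password.';
} );

// Step 4-2: stop advertising the WordPress version.
// remove_action() only covers the <meta name="generator"> tag in the HTML head.
remove_action( 'wp_head', 'wp_generator' );
// The same version string is printed into RSS/Atom feeds; blank it there as well.
add_filter( 'the_generator', '__return_empty_string' );

// Core also appends ?ver=<WordPress version> to its own scripts and stylesheets.
// Strip it only when it is exactly the core version, so plugins and themes that set
// their own cache-busting version keep working.
function example_strip_core_asset_version( $src ) {
    $core_version = preg_quote( get_bloginfo( 'version' ), '/' );
    if ( preg_match( '/[?&]ver=' . $core_version . '(&|$)/', $src ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
// Late priority so the filter runs after anything else that rewrites asset URLs.
add_filter( 'style_loader_src',  'example_strip_core_asset_version', 9999 );
add_filter( 'script_loader_src', 'example_strip_core_asset_version', 9999 );
```

Hiding the login error does not stop username enumeration through the author archive: /?author=1 still redirects to /author/<user_nicename>/, which is why the admin rename under "During installation" also changes user_nicename.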
DURING INSTALLATION
1. Do not use the default "admin" username. WordPress 3.0 and above lets you choose the username during installation. If you are using an older version of WordPress: (1) create a second administrator account with a different name, log in as that user and delete the original admin account (reassigning its posts), or (2) run the following SQL query to rename it. Use your own table prefix if you changed it in step 3-1, and change user_nicename as well: it is the slug used in author URLs, and /?author=1 redirects to it, so leaving it alone would still reveal the login name:
UPDATE wp_users SET user_login = 'YourNewUsername', user_nicename = 'yournewusername' WHERE user_login = 'admin';
2. Use a long, complex password of at least 14 characters, and do not reuse it on any other site.
AFTER INSTALLATION
1. Move your wp-config.php file one folder higher than your WordPress installation directory, ideally outside the web root. WordPress looks for it in the parent directory automatically (as long as that directory is not itself a WordPress installation), and a file outside the web root cannot be served by a web server misconfiguration that starts returning PHP files as plain text. Keep its permissions tight: readable by the web server user only.
Install security-related plugins (you don't need to install all of these, just the ones you need; 3 and 3.1 do the same job, so pick one of them).
1. WP Security Scan
2. Block Bad Queries (BBQ)
3. Login LockDown – Blocks repeated failed login attempts.
3.1 Limit Login Attempts – Blocks repeated failed login attempts (an alternative to Login LockDown).
4. CHAP Secure Login – Avoids sending the password in clear text when you cannot use SSL. It is a stopgap; use SSL where you can (see 3-3 above).
5. Stealth Login – Changes your login URL
6. WP-DB-Backup – Backs up your MySQL database
When everything is complete, use these methods for additional security.
Adding security through your robots.txt file. The file is located at the root of your WordPress installation. Note that robots.txt is only a request to well-behaved crawlers, not an access control: it keeps wp- paths out of search results, but anyone can read it and see exactly which paths you would rather not show.
1. To prevent indexing of the wp- folders, add these lines (the User-agent line is required, or the rule applies to nobody). If the wildcard also hides images in wp-content/uploads that you do want indexed, list /wp-admin/ and /wp-includes/ explicitly instead:
User-agent: *
Disallow: /wp-*
Adding security through your .htaccess file. The file is located at the root of your WordPress installation; always back it up before modifying it. Copy and paste the code below into your .htaccess file. If your website no longer loads or you get errors, restore the file from your backup. The order/allow/deny lines below are Apache 2.2 syntax; Apache 2.4 still accepts them when mod_access_compat is loaded, otherwise use the Require directives noted in the comments.
1. Protect your .htaccess file
# STRONG HTACCESS PROTECTION
<Files .htaccess>
order allow,deny
deny from all
satisfy all
# Apache 2.4 without mod_access_compat: Require all denied
</Files>
2. Protect your wp-config.php file from being viewed.
# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
# Apache 2.4 without mod_access_compat: Require all denied
</Files>
3. Disable directory listings, so a folder without an index file does not show its contents. Use -Indexes on its own: "Options All -Indexes" also switches on every other option, including ExecCGI and Includes, which you do not want.
# disable directory browsing
Options -Indexes
4. Stop spam comments. This rejects comment POSTs that arrive without a Referer from your own site or with an empty User-Agent, which catches simple spam bots. Both headers are trivial to forge, and some privacy tools strip the Referer for real visitors, so treat it as a filter, not a guarantee. Replace yourblog\.com with your own domain.
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
RewriteCond %{HTTP_REFERER} !yourblog\.com [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Bounce the bot back to its own address; use "RewriteRule .* - [F,L]" to return 403 instead
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
5. Protect your WordPress blog from script injections. The following rules reject requests whose query string contains a <script> tag or tries to set the PHP GLOBALS or _REQUEST variables. This is a crude signature: it inspects only the query string (not POST bodies, cookies or headers), other encodings slip past it, and it can block legitimate URLs, so it is a backstop, not a substitute for keeping WordPress, themes and plugins updated.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
6. Protect your website against hot-linking (other sites embedding your images and using your bandwidth). Requests with an empty Referer are let through so that direct visits and privacy-conscious browsers still get the image.
RewriteEngine On
# Replace mysite\.com with your blog's domain
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Never rewrite the replacement image itself, or the rule loops on it
RewriteCond %{REQUEST_URI} !/images/nohotlink\.jpg$
# Replace /images/nohotlink.jpg with the path of your "don't hotlink" image
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/nohotlink.jpg [L]
7. Blacklist IP addresses to keep specific hosts out of your website. Remember to change 192.0.2.10 (a placeholder from the documentation address range; note that an octet can never exceed 255) to the IP address you want to block. The order line matters: without it Apache's default order (deny,allow) lets "allow from all" win and nothing is blocked. On Apache 2.4 without mod_access_compat, use a <RequireAll> block containing "Require all granted" followed by "Require not ip 192.0.2.10". Attackers change addresses easily, so this is only useful against a persistent nuisance.
order allow,deny
allow from all
deny from 192.0.2.10
When you are satisfied with your edits, the last thing to do is create a backup of your whole website (the files) and of the SQL database, and label it with the date, so that if your website is compromised anyway you can restore a known-good copy. Take weekly and/or monthly backups, and store them somewhere other than the web server itself: an attacker who controls the server can delete or tamper with backups kept on it.
Also note that the steps listed under before, during and after installation can also be applied to an existing WordPress installation; you can modify the files for added security at any time. And remember that if something goes wrong after modifying a file, you can revert to your backup copy to restore it.
Sources:
1. Hardening WordPress
2. 10 Useful WordPress Security Tweaks
3. 12 Clever Tips for Securing Your WordPress Site
4. WordPress Configuration Tricks
5. WordPress security: Hide login error messages
6. How to: Force using SSL on wp-admin directory
7. 10 Easy Ways to Secure your WordPress Blog
8. A to Z of WordPress .htaccess Hacks
9. 11 Best Ways to Improve WordPress Security
10. Protect your WordPress blog using .htaccess
11. How to protect your blog from content thieves
12. How to Remove the WordPress Version Number (The Right Way)
13. 13 Useful WordPress SQL Queries You Wish You Knew Earlier
14. 18 WordPress Security Plugins & Tips To Secure Your Blog
15. How To Connect To Your WordPress Account Via Secure FTP
