9 Critical Tips To Secure a WordPress Site

Thu, Jul 22, 2010

Web Development


As I posted last week, this site was hacked, and it wasn’t pleasant in the least.  To be honest, I had only taken a few measures to secure my WordPress blog.  More and more people are getting hacked regardless of how much they do to prevent it.  Luckily I was able to retrieve my database and install a fresh copy of WordPress.  Some people aren’t so lucky; I’ve seen sites completely wiped out and left with nothing but “Hello World.”  I encourage you to take all 9 steps into account when securing your WordPress site.

Choose a strong password

This is easy enough: you need a password an intruder can’t “guess” and walk straight into your Dashboard with.  Pick something that isn’t related to you and that you haven’t used anywhere else; a password reused from another site is only as safe as that site.  Use a mix of capital and lowercase letters, numbers and symbols, and make it long.  Change it every once in a while, and immediately if you suspect the site has been compromised.

To do this, click “Your Profile” in the “Users” menu, or your username at the top right of the Dashboard.  From there you can set a new password.

Change the Username

This is another easy way to protect your blog.  By default WordPress names the first account “admin.”  For those of you who haven’t changed the username, I know it.  Isn’t it scary that I’m halfway to hacking your site?  An attacker only has to guess the other half.  WordPress won’t let you rename an existing user, so create a new account with the Administrator role under “Users,” log out, log in with the new account, then go to “Users” and delete “admin.”  When WordPress asks what to do with the old account’s posts, attribute them to your new user rather than deleting them.

Limit Login Attempts

The Login Lockdown plugin protects you against brute-force password guessing.  It records the IP address and timestamp of every failed login attempt, and after a set number of failures from the same IP address within a set period it disables the login function for that address for a while.  A lockout slows an attacker down but does not replace a strong password: an attacker with many IP addresses can spread the attempts out.
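To make the lockout logic concrete, here is an added example that does outside WordPress roughly what the plugin does inside it: it reads web-server access-log lines, counts failed POSTs to wp-login.php per IP address in a sliding window, and reports when an address would be locked out.  This is not code from the original post or from the Login Lockdown plugin.  It assumes Apache/nginx “combined” log format and one WordPress heuristic: a failed login re-renders the form (HTTP 200) while a successful login redirects to wp-admin (HTTP 302).  The thresholds, the sample log lines and the IP addresses are constructed for the example and are not the plugin’s defaults.

```python
"""Login Lockdown-style brute-force detection over access-log lines (added example)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not real traffic): 203.0.113.7 hammers wp-login.php and
# keeps trying after it is locked out; 198.51.100.4 fails once, then logs in (302).
SAMPLE_LOG = """\
203.0.113.7 - - [22/Jul/2010:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2010:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jul/2010:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2010:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jul/2010:10:00:04 +0000] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2010:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
198.51.100.4 - - [22/Jul/2010:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2010:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2010:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Jul/2010:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3211 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path-without-query, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path").split("?")[0], int(m.group("status"))


class LoginLockdown:
    """Lock an IP after max_failures failed logins inside a sliding window (assumed thresholds)."""

    def __init__(self, max_failures=5, window=timedelta(minutes=5), lockout=timedelta(hours=1)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time the lockout expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        return until is not None and now < until

    def record_success(self, ip):
        self.failures.pop(ip, None)         # a real login clears the failure history

    def record_failure(self, ip, now):
        """Record one failure; return True if this failure triggers a lockout."""
        q = self.failures[ip]
        q.append(now)
        while q and now - q[0] > self.window:   # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            q.clear()
            return True
        return False


def detect(lines, detector=None):
    """Feed log lines through the detector; return [(ip, lockout_time), ...]."""
    detector = detector or LoginLockdown()
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue                        # only login form submissions matter
        if detector.is_locked(ip, ts):
            continue                        # the plugin would refuse this attempt outright
        if status == 302:                   # heuristic: redirect to wp-admin means success
            detector.record_success(ip)
        elif status == 200 and detector.record_failure(ip, ts):
            events.append((ip, ts))
    return events


def run_sample():
    """Run the detector over SAMPLE_LOG; timestamps returned as ISO strings."""
    return [(ip, ts.isoformat()) for ip, ts in detect(SAMPLE_LOG.splitlines())]


if __name__ == "__main__":
    # For a real log: detect(open("/var/log/apache2/access.log"))
    for ip, when in run_sample():
        print(f"{when}: lockout triggered for {ip}")
```

Only one lockout is reported for 203.0.113.7 even though it keeps posting afterwards, because attempts made while locked are not counted as new failures, and 198.51.100.4 never reaches the threshold because its successful login clears its history.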

Upgrade to the latest version

When a new version of WordPress is released, upgrade ASAP!  New versions fix security holes found in older ones, and once a fix is public, attackers know exactly where to look in sites that haven’t upgraded.  Besides security, the latest version includes features that don’t exist in older releases.  As of July 2010, you should be running WP 3.0.

The same goes for plugins and themes.  Upgrade every plugin as soon as an update is available; WordPress shows a notice in the Dashboard when one is.  Also delete any plugins and themes you no longer use: a deactivated plugin’s files can still be requested directly, so they still need patching.

Hide Your Plugins

By placing a blank file called “index.html” in your plugins folder (found inside wp-content), you stop the web server from listing the plugins you have installed.  To see whether your blog is exposed, type the following in the address bar: “http://yoursite.com/wp-content/plugins” (obviously replace yoursite.com with your domain name).  If you see a file listing, it is exposed.  Keep in mind that this only hides the listing: anyone who already knows a plugin’s name can still request its files directly, so it is no substitute for keeping plugins updated.  If you control the server configuration, turning off directory indexes for the whole site (the Apache Options -Indexes directive) is more thorough than dropping index.html files into each folder.

Protect wp-config.php

The wp-config.php file is the most important file in your installation because it holds your database login details.  Insert the following code into your .htaccess file so there is no public access to this file.  Note that .htaccess only works on Apache, and only if your host has enabled AllowOverride; on other servers you need the equivalent rule in the server configuration.  Also watch for backup copies such as wp-config.php~ or wp-config.php.bak left behind by editors: the rule below matches only the exact filename, and a backup copy will be served as plain text, password included.

# protect wp-config.php from direct requests (Apache 2.2 syntax)
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>
# on Apache 2.4 use "Require all denied" in place of the Order/Deny lines

For more .htaccess hacks visit this site.

WP-Security Scan

This plugin scans your site for common weaknesses, such as weak passwords, loose file permissions, the default database table prefix and a visible WordPress version, and reports what it finds so you can fix it.  It is a good way to catch things you missed, but treat it as a checklist rather than a guarantee: it only looks for the problems it knows about.

Remove WordPress Version

WordPress advertises which version you are running in a “generator” tag in the HTML head.  Like I mentioned above, an older version has known holes, so don’t let an attacker find out whether you are on 3.0 or 2.8; just eliminate it.  If your theme’s header.php contains the following line, delete it.  Newer themes don’t carry the line themselves; the tag is added by WordPress’s wp_head hook, and you remove it by unhooking the wp_generator action in your theme’s functions.php.  Hiding the version is obscurity, not a fix: the real protection is upgrading, and the version is also visible in the readme.html file in your WordPress root and in your RSS feeds.

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
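The three exposure checks above (a listable plugins folder, a readable wp-config.php or backup copy of it, and the version in the generator tag) can be run from one small script.  The following is an added example, not code from the original post or from any WordPress plugin.  It takes the fetch step as a callable so the checks can be exercised against constructed responses; the http_fetch helper uses Python’s standard library to point it at your own site.  The backup filenames it probes are assumptions about common editor habits, and the constructed pages are not captured from a real host.

```python
"""Offline checks for plugin listing, readable wp-config.php and version disclosure (added example)."""
import re
import urllib.error
import urllib.request

PLUGINS_PATH = "/wp-content/plugins/"
# The first entry is the real file; the rest are assumed editor/backup leftovers.
CONFIG_PATHS = ["/wp-config.php", "/wp-config.php.bak", "/wp-config.php~",
                "/wp-config.php.save", "/wp-config.php.orig"]

GENERATOR_RE = re.compile(r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]*)', re.I)
LISTING_RE = re.compile(r"<title>\s*Index of\s+/", re.I)          # Apache/nginx autoindex page
CREDS_RE = re.compile(r"define\s*\(\s*['\"]DB_(PASSWORD|USER|NAME)['\"]", re.I)


def has_directory_listing(status, body):
    return status == 200 and LISTING_RE.search(body) is not None


def generator_version(body):
    """Version string from the generator tag, "" if the tag has no number, None if no tag."""
    m = GENERATOR_RE.search(body)
    return m.group(1) if m else None


def leaks_db_credentials(status, body):
    """True when PHP source with DB_* defines came back as plain text."""
    return status == 200 and CREDS_RE.search(body) is not None


def audit(fetch):
    """fetch(path) -> (status, body).  Returns a dict of findings; empty means nothing found."""
    findings = {}
    status, body = fetch(PLUGINS_PATH)
    if has_directory_listing(status, body):
        findings["plugin_listing"] = PLUGINS_PATH
    for path in CONFIG_PATHS:
        status, body = fetch(path)
        if leaks_db_credentials(status, body):
            findings.setdefault("config_readable", []).append(path)
    status, body = fetch("/")
    version = generator_version(body)
    if version is not None:
        findings["version_disclosed"] = version
    return findings


def http_fetch(base_url):
    """Real fetcher for use against your own site: returns (status, body)."""
    def fetch(path):
        try:
            with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as r:
                return r.getcode(), r.read().decode("utf-8", "replace")
        except urllib.error.HTTPError as e:
            return e.code, ""
        except urllib.error.URLError:
            return 0, ""
    return fetch


def dict_fetch(pages, missing_status=403):
    """Fetcher over a constructed {path: body} map; unknown paths get missing_status."""
    def fetch(path):
        if path in pages:
            return 200, pages[path]
        return missing_status, ""
    return fetch


# Constructed responses standing in for an unhardened site.
EXPOSED_SITE = {
    "/": '<html><head><meta name="generator" content="WordPress 3.0" /></head></html>',
    PLUGINS_PATH: "<html><head><title>Index of /wp-content/plugins</title></head></html>",
    "/wp-config.php": "",   # PHP executed it, so the file itself returns nothing
    "/wp-config.php~": "<?php define('DB_NAME', 'wp'); define('DB_PASSWORD', 'hunter2');",
}
# Constructed responses for a site with the three fixes applied (plugins folder returns 403).
HARDENED_SITE = {
    "/": "<html><head></head></html>",
    "/wp-config.php": "",
}


if __name__ == "__main__":
    import sys
    fetch = http_fetch(sys.argv[1]) if len(sys.argv) > 1 else dict_fetch(EXPOSED_SITE, 404)
    print(audit(fetch) or "no exposures found")
```

Run it with your own site’s URL as the only argument; with no argument it audits the constructed EXPOSED_SITE and reports the listing, the leaked backup copy and the version.  The wp-config.php check relies on the file coming back as text, which is exactly the failure the .htaccess rule and the backup-file caveat are about.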

Backup, Backup, Backup

One final word of advice: back up your WordPress database often and on a schedule, and back up the wp-content folder (uploads, themes, plugins) too, since the database alone won’t rebuild your site.  Keep the copies somewhere other than the web server, and restore one into a test install once in a while so you know the backups actually work.  A good backup is what turns a hack from a disaster into an inconvenience.
