How can I protect a WordPress installation?

There is actually a really good guide to this on the WordPress website - Hardening WordPress.

However, my personal short checklist is:

  • mod_security - @atdre already mentioned mod_security; it is a very good step. However, it does require a lot of tweaking of the core ruleset in order to allow WordPress to operate correctly. You will also most likely need to customise the ruleset depending on the plugins you use.
  • File Permissions - see here
  • Administration Over SSL - Use SSL for the admin area; see here.
  • Update - the most critical in my opinion: keep WordPress up-to-date, by using the built-in tools, by patching manually, or by using an update script (I wrote this one).
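A small POSIX shell audit for the "File Permissions" and "Administration Over SSL" items of the checklist, added here as an example; it is not code from the answers or from the WordPress project. It assumes the targets of 755 for directories, 644 for files, a non-world-readable wp-config.php, and FORCE_SSL_ADMIN defined as true, and builds a constructed sample tree so it runs offline.

```shell
#!/bin/sh
# Audit a WordPress tree for loose permissions and missing admin-over-SSL.
# Assumed targets (not from the answers above): dirs 755, files 644,
# wp-config.php not world-readable, FORCE_SSL_ADMIN set to true.

# Print one finding per line; prints nothing when the tree is clean.
wp_audit() {
    root="$1"
    # Directories writable by group or world (more permissive than 755)
    find "$root" -type d -perm /022 | sed 's/^/DIR_WRITABLE /'
    # Files writable by group or world (more permissive than 644)
    find "$root" -type f ! -name wp-config.php -perm /022 | sed 's/^/FILE_WRITABLE /'
    # wp-config.php holds database credentials: it must not be world-readable
    if [ -f "$root/wp-config.php" ] && find "$root/wp-config.php" -perm /004 | grep -q .; then
        echo "CONFIG_WORLD_READABLE $root/wp-config.php"
    fi
    # Admin over SSL: wp-config.php must define FORCE_SSL_ADMIN as true
    if ! grep -Eq "define\(\s*['\"]FORCE_SSL_ADMIN['\"]\s*,\s*true\s*\)" "$root/wp-config.php" 2>/dev/null; then
        echo "NO_FORCE_SSL_ADMIN $root/wp-config.php"
    fi
}

# Number of findings; 0 means the tree passed the audit.
wp_audit_count() {
    wp_audit "$1" | wc -l | tr -d ' '
}

# Apply the assumed permission targets (does not touch wp-config.php contents).
wp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then chmod 640 "$1/wp-config.php"; fi
}

# Constructed sample tree (hypothetical, for demonstration only).
make_sample_tree() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads"
    echo "<?php define('FORCE_SSL_ADMIN', false);" > "$dir/wp-config.php"
    echo "<?php" > "$dir/index.php"
    chmod 777 "$dir/wp-content/uploads"   # world-writable: flagged
    chmod 644 "$dir/wp-config.php"        # world-readable: flagged
    chmod 644 "$dir/index.php"            # fine
    echo "$dir"
}
```

Running `wp_audit` on the sample tree reports three findings; after `wp_fix_perms` only the FORCE_SSL_ADMIN finding remains, since that one needs a wp-config.php edit rather than a chmod.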

ModSecurity with the Core Rule Set isn't bad, but it's better to configure it explicitly for every input the app takes, as well as to fix up the unescaped output it sends on the outbound. This works best in full proxy mode, but embedded has some other unique advantages. It might be clever to use both, especially since WordPress is insanely insecure.


One step would be to secure the server (which is usually Apache), which is outlined in the responses to my previous question, Hardening Apache Server.