Securing WordPress Blog Installation
Solution 1:
Ensure you haven't set the file permissions to 'chmod 777' as some guides will have you do. Go through and look at anything your web server account or group can write to, and ensure that they are only areas you expect to be dynamically updated (images, attachments, etc).
Solution 2:
I think the best suggestions are well explained in the official "Hardening Wordpress" document:
https://wordpress.org/support/article/hardening-wordpress/
At the end, those are the same suggestions for every application out there:
- Keep it updated.
- Use good passwords
- Reduce what information your are presenting (versions, server info, etc).
If you want to improve security with obscurity (not only thought it, but as an addtional measure), this document gives some ideas:
http://sucuri.net/?page=docs&title=wordpress-hardening
Solution 3:
Only login over an SSL connection.
If you go into a coffee shop and login at http://www.yourblog.com/wp-admin/ your password is sent in clear text and is easily visible to anyone sniffing the network in the coffee shop and all routers between you and the server.
If you move your blog login page to a secure server and force users to login using SSL at https://www.yourblog.com/wp-admin/ the password will be encrypted as it is sent to the server.
You can either add some PHP code to wordpress something like this
if(strpos(strtolower($_SERVER['REQUEST_URL']),'wp-admin')===true
&& $_SERVER['HTTPS']!='ON')
{
Header("Location: https://www.yourblog.com/wp-admin/")
}
or use a .htaccess file to enforce SSL login which would look something like this:
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI}
Solution 4:
Some people rename pages like wp-admin.php
to reduce probing.
Solution 5:
Secure your /wp-admin/ directory. Lock down /wp-admin/ so that only certain IP addresses can access that directory. You can use an .htaccess file, which you can place directly at /wp-admin/.htaccess . This is what one could look like:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName “Access Control”
AuthType Basic
order deny,allow
deny from all
# whitelist home IP address
allow from 69.148.58.93
# whitelist work IP address
allow from 69.148.59.6
allow from 69.148.58.92
# IP while in Kentucky; delete when back
allow from 63.144.53.91
Josh