1 – Dump your database with WP-database backup
Here’s the first piece of advice I would give to anyone: make backups, and make them often. Of course, you can go through phpMyAdmin on your host, or dump your database from the command line if you have SSH access to your server, but this plugin really simplifies the task: you just have to log in to your WordPress admin panel and click a few links.
Note that WP-Database Backup can also e-mail you a daily backup of your database. A must-have for every blogger!
2 – Scan your WordPress install to find security holes
We now have a very good plugin to dump our dear database on a daily basis. The next step is to scan our WordPress installation to verify that no security hole is present. For this, we’ll use the excellent plugin WP Security Scan, which identifies vulnerabilities on our blog and tells us how to fix them.
This excellent plugin also lets you rename table prefixes, test your password strength, delete the admin account and verify that your blog directories have the correct permissions (chmod).
3 – Protect your blog from brute force
A brute-force attack consists of trying as many combinations of letters, numbers and other characters as possible until the password is found. There is even a Python script written to try to discover the password of a blog running WordPress.
Obviously, if your password is the name of your blog or something like “secret”, brute force will find it easily. The first thing to do is to use a very strong password, mixing lower-case and upper-case letters, numbers and special characters. You can also rely on the password generator included in WP Security Scan.
Even though a strong password is a very good thing, adding an Apache login prompt in front of the wp-admin directory is another way to protect your blog efficiently. The Ask Apache plugin allows you, among other things, to protect your wp-admin directory with server-level authentication (htpasswd).
Note also that the plugin lets you disable hotlinking, as well as direct access to your wp-content and wp-includes directories.
4 – Beware of plugins
Some plugins contain security vulnerabilities. For this reason, it is necessary to hide the contents of the wp-content/plugins directory, so that visitors cannot list which plugins you have installed. You just have to create an empty file named index.html and upload it to the wp-content/plugins directory.
Since this kind of problem has been known for a while, I must admit that I’m surprised that WordPress still does not hide the contents of this directory by default.
5 – Hide the WordPress version
If a security hole exists in a particular version of WP, an attacker only has to view your blog’s source code in their browser to see whether the version you use is the vulnerable one: by leaving the version meta tag in place, you are indicating that you are potentially vulnerable. Simply delete that line from the header.php of your theme.
Similarly, there is also a plugin which allows you to lie about the WordPress version you are using.
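As an added example (not part of the original post), the following Python checks a saved copy of your own blog’s HTML for the two leaks described in items 4 and 5: the generator meta tag that reveals the WordPress version, and an Apache directory listing of wp-content/plugins. The sample pages and the version number in them are constructed for the example.

```python
import re
from html.parser import HTMLParser

# <meta name="generator" content="WordPress x.y" /> is the tag that leaks the version
GENERATOR_RE = re.compile(r"^\s*WordPress\s+([0-9][0-9.]*)", re.IGNORECASE)


class _LeakParser(HTMLParser):
    def __init__(self):
        super().__init__()
        self.version = None      # version string from the generator meta tag
        self.title = ""          # text of the <title> element
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            m = GENERATOR_RE.match(a.get("content") or "")
            if m:
                self.version = m.group(1)
        elif tag == "title":
            self._in_title = True

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def audit_page(html):
    """Return the leaks found in one HTML page as a dict (empty dict means clean)."""
    p = _LeakParser()
    p.feed(html)
    p.close()
    findings = {}
    if p.version:
        findings["wordpress_version"] = p.version
    # Apache's autoindex titles a directory listing "Index of /path"
    title = p.title.strip()
    if title.lower().startswith("index of /"):
        findings["directory_listing"] = title[len("Index of "):]
    return findings


# Constructed sample responses, not captured from a real site
FRONT_PAGE = ('<html><head><title>My Blog</title>'
              '<meta name="generator" content="WordPress 2.6.1" /></head></html>')
PLUGIN_DIR = '<html><head><title>Index of /wp-content/plugins</title></head><body></body></html>'
CLEAN_PAGE = '<html><head><title>My Blog</title></head><body></body></html>'
```

Fetch the front page and the /wp-content/plugins/ URL of your own blog with any HTTP client and pass the HTML to audit_page; once items 4 and 5 are applied, both results should be empty.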