1. Delete the Default Administrator

When you install Wordpress the default administrator is given the predictable username of admin. This appears harmless but is a huge security flaw. Why?

Well, one way to gain unauthorized access to a system is through brute force cracking. This works by using a program to automatically guess possibly millions of different username and passwords combinations over and over.

Using the admin username basically speeds up the process for brute forcers because it’s just one less thing they have to figure out. In reality you should think of your Wordpress username as a second password, and therefore follow similar rules to that of strong passwords:

• Don’t tell people your username.
• Don’t choose an obvious username (like your real name).
• Use a mixture of numbers and letters.

How to delete the default administrator.

2. Encrypt Your Cookies

Open up your wp-config.php file, and scroll down to this code:

define(’AUTH_KEY’, ‘put your unique phrase here’);
define(’SECURE_AUTH_KEY’, ‘put your unique phrase here’);
define(’LOGGED_IN_KEY’, ‘put your unique phrase here’);
define(’NONCE_KEY’, ‘put your unique phrase here’);

Now, go over to http://api.wordpress.org/secret-key/1.1/ and copy the randomly generated output. Replace the original 4 lines of code with this newly copied set.

3. Secure the Folder with .htaccess

Login to your server via FTP (or SFTP if you want to be extra awesome) and navigate to /wp-admin folder. If you haven’t done so already, create a .htaccess file and place this code in there:

order deny, allow
allow from xxx.xxx.xx
deny from all

But wait! You’re not done yet…

Head over to whatismyip.com and find out what your IP address is. Replace xxx.xxx.xx with your IP address and save the file.

The problem with this method is not all bloggers work from the same computer or IP address all the time. For those folk you’ll want to read the section about the AskApache Password Protect plugin.

4. Hide Login Errors

By default if you type your username or password incorrectly when trying to login, Wordpress lets you know what mistake you’ve made. This can provide a hacker with confirmation that they know one half of the login equation.

Edit the functions.php file in your /wp-content/themes folder and add this code to prevent these errors from showing up:

<?php add_filter(’login_errors’,create_function(’$a’, “return null;”)); ?>

5. Install Login Lockdown

Login Lockdown is an ingenious plugin that helps ward off brute force attacks. It works by temporarily blocking users by their IP address if they fail to login X amount of times.

Out of the box the default settings are pretty good but I still recommend you set the Lockout Length to as high as you feel comfortable with. The longer malicious users are blocked from the login page, the better.

6. Install Stealth Login

Stealth Login makes it easy to change the login address for the WordPress administration area, and prevent users form logging in via wp-login.php (just activate Stealth Mode). Even if someone cracks your username and password they’ll become stuck because there won’t be anywhere to login.

While it may not stop seasoned hackers from getting into your system, it takes just a few seconds to setup and is a worthy precaution to take.

You might also want to read...

• Hide the Version Number
• Secure Your wp-admin Folder
• How to Use this Guide
• Hide Login Errors
• One Click Plugin Updater
• Disable Comments on Older Posts
• WP DB Backup

1. Move wp-config.php

By default wp-config.php, which contains all your most sensitive data, is stored in the top level directory of your blog. What few people know however is that you can actually move this file to the directory above its default location.

If WordPress is installed in the /public_html directory this allows you to move the file completely out of public access.

2. Deny public access to wp-config.php

Add the following code to the .htaccess file thats in the same directory as your wp-config.php file.

# protect wp-config.php
<files wp-config.php>
Order deny,allow
deny from all
</files>

3. Use the Perishable 3G Blacklist

The 3G Blacklist is a block of code put together by Jeff Starr that you drop into your .htaccess file to fight the majority of common security exploits. While not strictly a Wordpress-related .htaccess hack it’s a must have for anyone running on an Apache-based server (which would be most people reading this guide).

To find out how to make use of this brilliant resource visit the official site.

You might also want to read...

• Use an Account with Limited Access
• Updating WordPress
• One Click Plugin Updater
• AskApache Password Protect
• How to Protect /wp-admin
• Secure Your wp-admin Folder
• Hide the Version Number