Two of my favorite sessions of WordCamp NYC 2009 were:
- Locking Down the Chastity Belt on WordPress Security by Brad Williams
- Writing Secure Plugins by Mark Jaquith [slides here]
There are real threats out there and real sites are being hacked. Sure, you could be the lucky one who stays safe, but instead of counting on luck, why not take a few minutes to apply these simple steps? They will bring your WordPress site to a higher security level and give you more peace of mind.
WordPress Security Tips
| When | Difficulty | Topic | What to do |
|---|---|---|---|
| Installation | Easy | "wp_" table prefix | Do NOT use the default "wp_" table prefix. Instead, choose something unique for your site. |
| | | "admin" user account | Create a user with "administrator" privilege, then delete the "admin" user account. |
| Anytime | Medium (needs FTP) | wp-config.php | Move "wp-config.php" one level above the WordPress folder. (Requires version 2.6 or later, and only works when WordPress is installed in a subfolder under the web root, for example /public_html/blog/.) |
| Anytime | Medium | Folder (wp-content/upload) permission | Try 755 first; if that does not work, try 775; if that still does not work, 777 (777 makes the folder writable by every user on the server, so use it only as a last resort). |
| Anytime | Medium | Authentication Unique Keys | Open "wp-config.php" and follow the instructions there to set up these keys. You can generate them at https://api.wordpress.org/secret-key/1.1/ |
| | | wp-admin access (.htaccess) | Modify .htaccess to allow access to wp-admin only from one IP address or a range of IP addresses. |
| Development | Difficult | Develop themes or plug-ins | Follow the instructions on: http://codex.wordpress.org/Data_Validation |
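As an added example (not code from the post or from the WordCamp slides) of what the Codex Data_Validation guidance means in practice, here is a hypothetical plugin settings handler in an unsafe form and then a hardened form; all gbn_* names are invented for this illustration.

```php
<?php
// Hypothetical plugin code added for illustration; the gbn_* names are invented.
// A settings handler that stores a short note, shown unsafe and then hardened.

// UNSAFE: trusts $_POST, builds SQL by hand and prints raw input.
function gbn_save_note_unsafe() {
    global $wpdb;
    $note = $_POST['gbn_note'];                                           // no sanitising
    $wpdb->query( "UPDATE {$wpdb->options} SET option_value = '$note'"
                  . " WHERE option_name = 'gbn_note'" );                  // SQL injection
    echo '<p>Saved: ' . $note . '</p>';                                  // XSS
}

// HARDENED: capability check, nonce, sanitise on input, API instead of SQL, escape on output.
function gbn_save_note() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions' );
    }
    check_admin_referer( 'gbn_save_note', 'gbn_nonce' );                 // dies on a bad or missing nonce

    $note  = isset( $_POST['gbn_note'] )
        ? sanitize_text_field( wp_unslash( $_POST['gbn_note'] ) ) : '';  // strips tags and control chars
    $limit = isset( $_POST['gbn_limit'] ) ? absint( $_POST['gbn_limit'] ) : 1; // forces a non-negative int

    update_option( 'gbn_note', $note );                                  // options API, no hand-built SQL
    update_option( 'gbn_limit', $limit );

    echo '<p>Saved: ' . esc_html( $note ) . '</p>';                      // escape for the HTML context
}

// Form paired with the hardened handler; the nonce field ties the POST to this action.
function gbn_note_form() {
    echo '<form method="post">';
    wp_nonce_field( 'gbn_save_note', 'gbn_nonce' );
    echo '<input type="text" name="gbn_note" value="'
        . esc_attr( get_option( 'gbn_note', '' ) ) . '" />';             // escape for the attribute context
    echo '<input type="submit" value="Save" /></form>';
}

// When raw SQL is unavoidable, let $wpdb->prepare() do the quoting.
function gbn_posts_by_author( $author_id ) {
    global $wpdb;
    return $wpdb->get_results( $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_author = %d AND post_status = %s",
        absint( $author_id ),
        'publish'
    ) );
}
```

The same rule applies on the front end: sanitise when data comes in, escape when it goes out, and pick the esc_*() function for the context it is printed in (HTML body, attribute, URL or JavaScript).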