WordPress is a popular target for attackers and currently there are a lot of botnets discovering vulnerable sites and trying to brute force the admin password. If you haven’t hardened your WordPress installation, this is the perfect time to do that.
1. Don’t use the defaults
When installing a new instance of WordPress, choose a name other than admin for the administrator account and change the default table prefix (wp_) to something else. Neither is a security boundary on its own, but a non-default prefix breaks canned SQL injection payloads that hard-code table names such as wp_users, and a non-default administrator name takes the obvious first guess away from password brute forcers.
2. Make sure you always have the latest version of WordPress installed.
3. Make sure all plugins are updated to the latest versions.
Plugins are often vulnerable and open holes that let an attacker read your data or modify files or posts.
4. Deactivate and remove plugins that are not necessary.
Do you really need 50 plugins?
5. Delete the admin user if there is one.
Brute force attacks on WordPress blogs usually assume that a user named admin exists. If you have one, create a new administrator account under a different name, log in with it and delete admin, attributing its posts to the new account. Keep in mind that usernames can often still be discovered (author archive URLs reveal them, for instance), so this only removes the easy guess; it is no substitute for a strong password.
6. Delete any unused user accounts and give the remaining ones only the privileges they need.
If users only write posts on the blog they don't need the Administrator role; assign them the Editor or Author role instead. Every unnecessary administrator account is one more password that unlocks the whole site.
7. Always use strong passwords for users.
8. Disable directory listing.
If directory contents can be listed, anyone can browse wp-content/plugins to see which plugins (and which versions) are installed and look for a known vulnerable one. To disable directory listing, add this line to the bottom of the .htaccess file in the WordPress root directory:
Options -Indexes
9. Add IP restrictions to the wp-admin to only allow specific IP addresses to use the WordPress admin.
Create a new file named .htaccess in the wp-admin directory containing these lines:
order deny,allow
deny from all
allow from 127.0.0.1
Replace 127.0.0.1 with your own IP address. Two caveats: do not wrap these rules in a <Limit GET POST> block, because that applies the restriction only to those two methods and leaves every other request method unrestricted; and many themes and plugins call wp-admin/admin-ajax.php from the public site, so test the site as an anonymous visitor after adding this. Apache 2.4 uses the Require directive instead of order/deny/allow (the old syntax only still works there with mod_access_compat loaded).
10. If IP restriction is not working for you because you are accessing from multiple locations or have dynamic IP address, perhaps country based restrictions will work.
Blocking most countries and allowing only your own will cut a lot of the automated noise, though anyone targeting you specifically can simply route through a host in the allowed country. Install the GeoIP Apache module (Instructions for Debian) and create a new file named .htaccess in the wp-admin directory containing these lines:
GeoIPEnable On
SetEnvIf GEOIP_COUNTRY_CODE IS AllowCountry
order deny,allow
deny from all
allow from env=AllowCountry
Replace the country code IS with the code of the country you want to allow. Leave out any <Limit GET POST> wrapper so the restriction applies to every request method, not just GET and POST.
11. Install an SSL certificate for the domain and only allow access to wp-admin over HTTPS.
If you frequently use public or shared internet connections, anyone on the same network can sniff your username and password, and your session cookie, from a plain HTTP login. You can easily create a self-signed certificate if you don't have one already; your browser will warn about it, and it only protects against passive eavesdropping unless you verify the certificate fingerprint yourself, so a certificate from a real CA is better. With the Better WP Security plugin (http://wordpress.org/extend/plugins/better-wp-security/) you can force users to use HTTPS for wp-admin; WordPress can also enforce this itself through the FORCE_SSL_ADMIN setting in wp-config.php.
12. Limiting login attempts slows down brute force attacks.
This can be done with the Limit Login Attempts plugin (http://wordpress.org/extend/plugins/limit-login-attempts/). Such limits are keyed on the source IP address, so a botnet that spreads its guesses across many addresses can stay under the threshold; treat this as a rate limiter that buys time rather than a fix, and pair it with strong passwords and two-factor authentication.
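To show what item 12 is actually rate limiting, and to feed the IP deny rules of item 9 from real evidence, here is an added example (not part of the original post, and not code from any of the plugins mentioned) that scans Apache access log lines for failed POSTs to wp-login.php, flags source addresses that exceed a threshold inside a time window, and renders an Apache 2.2 style deny block for them. The log lines are constructed for the example, the threshold and window are arbitrary choices, and the status heuristic assumes a stock wp-login.php, which re-renders the form with HTTP 200 on failure and answers a successful login with a 302 redirect into wp-admin.

```python
"""Spot brute-force logins against wp-login.php in an Apache access log.

Heuristic: a failed WordPress login re-renders the form with HTTP 200, a
successful one answers the POST with a 302 redirect, so POSTs to
wp-login.php that did not redirect approximate failed attempts.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache "combined" log format; only the fields needed here are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# Constructed sample log (not real traffic): one bot hammering the login,
# one legitimate user who mistypes once and then succeeds (302), one slow
# attacker pacing requests ten minutes apart, and one corrupt line.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Apr/2013:12:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "bot"
203.0.113.7 - - [10/Apr/2013:12:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "bot"
203.0.113.7 - - [10/Apr/2013:12:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "bot"
203.0.113.7 - - [10/Apr/2013:12:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "bot"
203.0.113.7 - - [10/Apr/2013:12:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "bot"
198.51.100.4 - - [10/Apr/2013:12:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:12:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Apr/2013:12:01:25 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Apr/2013:12:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.29"
192.0.2.9 - - [10/Apr/2013:12:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.29"
192.0.2.9 - - [10/Apr/2013:12:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.29"
192.0.2.9 - - [10/Apr/2013:12:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.29"
192.0.2.9 - - [10/Apr/2013:12:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.29"
garbage line that should be skipped
""".strip().splitlines()


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None if the line does not parse."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))


def failed_logins(lines):
    """Map source IP -> sorted timestamps of POSTs to wp-login.php that did not redirect."""
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip corrupt lines instead of aborting the whole scan
        ip, ts, method, path, status = rec
        # drop the query string: WordPress also posts to /wp-login.php?action=...
        is_login = path.split("?", 1)[0].endswith("/wp-login.php")
        if method == "POST" and is_login and not (300 <= status < 400):
            hits[ip].append(ts)
    return {ip: sorted(stamps) for ip, stamps in hits.items()}


def flag_bruteforce(lines, threshold=5, window_seconds=300):
    """Return sorted IPs with at least `threshold` failures inside any `window_seconds` span."""
    flagged = set()
    for ip, stamps in failed_logins(lines).items():
        j = 0
        for i in range(len(stamps)):
            # slide j to the first failure outside the window that starts at stamps[i]
            while j < len(stamps) and (stamps[j] - stamps[i]).total_seconds() <= window_seconds:
                j += 1
            if j - i >= threshold:
                flagged.add(ip)
                break
    return sorted(flagged)


def htaccess_deny(ips):
    """Render an Apache 2.2 (order/deny/allow) block blocking the given IPs from wp-login.php."""
    rules = "\n".join("deny from " + ip for ip in ips)
    return "<Files wp-login.php>\norder deny,allow\n" + rules + "\n</Files>\n"


if __name__ == "__main__":
    bad = flag_bruteforce(SAMPLE_LOG)
    print("flagged:", bad)
    print(htaccess_deny(bad))
```

The functions accept any iterable of lines, so flag_bruteforce(open("/var/log/apache2/access.log")) works against a live log. With the defaults the fast bot is flagged and the slow one is not; widening the window to an hour catches the slow one too, which is exactly the tuning trade-off a per-IP limiter faces, and a botnet spreading guesses over many addresses slips under any per-IP threshold.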
13. Scan WordPress for malicious files and vulnerabilities.
Your WordPress installation may already have been hacked without you knowing it. There are many plugins available to check for this, including Better WP Security (http://wordpress.org/extend/plugins/better-wp-security/) and Wordfence Security (http://wordpress.org/extend/plugins/wordfence/).
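As an added example of what the scanners in item 13 do at their core (this is not code from Wordfence or Better WP Security, and the tiny file tree it scans is constructed for the example rather than a real WordPress install): take a SHA-256 baseline of the tree while you still trust it, diff later snapshots against that baseline to list added, removed and modified files, and separately flag PHP files under wp-content/uploads, a directory that should never contain executable code.

```python
"""Detect added, removed and modified files in a WordPress tree against a saved baseline.

Plugins like Wordfence compare core files against WordPress's published
hashes; this standalone version hashes a tree you trust (fresh install or
just after an update) and diffs later snapshots against it.
"""
import hashlib
import os
import tempfile


def build_baseline(root):
    """Map each regular file (path relative to root, with / separators) to its SHA-256."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                baseline[rel] = hashlib.sha256(fh.read()).hexdigest()
    return baseline


def diff_baseline(old, new):
    """Return (added, removed, modified) as sorted lists of relative paths."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(p for p in set(old) & set(new) if old[p] != new[p])
    return added, removed, modified


def php_under_uploads(snapshot):
    """PHP under wp-content/uploads is never legitimate: the classic dropped-webshell location."""
    return sorted(p for p in snapshot
                  if p.startswith("wp-content/uploads/")
                  and p.lower().endswith((".php", ".phtml")))


def _write(root, rel, text):
    """Helper for the constructed demo tree."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as fh:
        fh.write(text)


def demo():
    """Constructed mini install (not real WordPress files): baseline it, then tamper and rescan."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "index.php", "<?php require 'wp-blog-header.php';")
        _write(root, "readme.html", "<html>WordPress readme (reveals the version)</html>")
        _write(root, "wp-content/uploads/2013/04/photo.jpg", "jpeg bytes")
        before = build_baseline(root)

        # simulate what a compromise looks like on disk
        _write(root, "index.php", "<?php /* injected */ require 'wp-blog-header.php';")
        _write(root, "wp-content/uploads/2013/04/cache.php", "<?php /* constructed placeholder */")
        os.remove(os.path.join(root, "readme.html"))  # removed on purpose by an admin, say
        after = build_baseline(root)

        return diff_baseline(before, after), php_under_uploads(after)


if __name__ == "__main__":
    (added, removed, modified), suspicious = demo()
    print("added:", added)
    print("removed:", removed)
    print("modified:", modified)
    print("php under uploads:", suspicious)
```

In practice you would serialize build_baseline() output to a file stored off the web server right after each update, and rerun the diff from cron; any modified core file outside an update window, or any PHP file appearing under uploads, is worth an immediate look.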
14. Don’t allow users to view wp-config.php.
Normally the web server hands wp-config.php to PHP, which outputs nothing. If PHP handling ever breaks, for example during an Apache or PHP upgrade or through a misconfigured handler, the server may serve the raw file and expose your database credentials and secret keys. To prevent this, add these lines to .htaccess:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
(On Apache 2.4 the equivalent is Require all denied.) You can also move wp-config.php one directory above the web root; WordPress looks for it there automatically, and the file is then not reachable by URL at all.
15. Enable Two-Factor Authentication
Two-factor authentication adds an extra layer to the login process so that an attacker who has obtained a password still cannot get at your services or data. Normally you only type a username and password (something you know); with two-factor authentication you additionally need to provide something you have (for example a one-time code generated on your mobile phone).
There are many ways to implement this and one of them is using Google Authenticator plugin:
http://wordpress.org/extend/plugins/google-authenticator/
16. Install plugins to increase security and scan for vulnerabilities.
Here are a few examples:
Better WP Security (http://wordpress.org/extend/plugins/better-wp-security/)
It's a feature-packed plugin that lets you remove a lot of the things attackers use to identify a WordPress site, scan for issues, enforce strong passwords, prevent brute force attacks and more.
Wordfence Security (http://wordpress.org/extend/plugins/wordfence/)
A good scanner to check whether you are currently vulnerable and to monitor brute force attempts.
Bulletproof security (http://wordpress.org/extend/plugins/bulletproof-security/)
Tool to protect against XSS, remote file inclusion (RFI), CRLF injection, CSRF, base64-encoded payloads, and code and SQL injection.