WordPress

From WOT Wiki

This guide covers just the basics for new, non-technical WordPress users. More advanced technical users should follow the Hardening WordPress guide on the WordPress Codex - http://codex.wordpress.org/Hardening_WordPress.

Keep Up to Date

The first rule is quite simple: keep WordPress itself, all your plug-ins, and all your themes up to date. An update is usually released because a bug has been found and corrected, a new vulnerability has been found and fixed, or functionality has been improved. It is important that you keep every part of your WordPress site current, because the most common cause of a site being exploited is some component that is out of date.

Remove unused features

If you have several themes installed, they can still be exploited whether active or not. Once you have settled on a theme for your site, remove the extra themes from your server.

The same is true for plugins: even inactive plugins can still be exploited, so delete the files of any plugins you no longer use from your server.

Reduce Spam

In the Settings section of the dashboard, disallow pingbacks, as these can be abused by spammers. Also make sure every comment needs admin approval before it is displayed on the site. There is an option that lets a user with one previously approved comment post further comments without prior approval; switch this off, as it is better to approve each comment as it is made.

Recommended Plugins

  • Akismet Plugin - http://wordpress.org/extend/plugins/akismet/
    Comments are checked against the Akismet web service to see whether they look like spam. Any spam comments are moved to a spam folder for you to review at a later date. Very good accuracy rate.
  • Secure WordPress - http://wordpress.org/extend/plugins/secure-wordpress/
    Registered users can have access to a lot of useful information that will help them if they decide to hack your site. This plugin removes some of that information (and makes some other minor tweaks), such as removing update notices for non-admins, removing the WordPress version number, and removing error information on the login page.
  • Login Lockdown - http://wordpress.org/extend/plugins/login-lockdown/
    Every failed login attempt is logged (IP address and timestamp). If a certain number of login attempts fail within a short time period, the login function is disabled for one hour (default setting) for that IP range.
  • WordPress Firewall 2 - http://wordpress.org/extend/plugins/wordpress-firewall-2/
    This is the updated version of WordPress Firewall, with bug fixes. It scans every request made to your site, blocks suspicious requests, and notifies the blog admin of any reported attack on the site. It is very handy for reducing SQL injection attacks against a WordPress site and has many other useful security features.
  • Lockdown WP Admin - http://wordpress.org/extend/plugins/lockdown-wp-admin/
    Prevents access to the WP Admin area by renaming yourdomain.com/wp-admin/ to yourdomain.com/anythingyoulike/. This is a very handy plugin that hides your wp-admin login area, preventing malicious users from reaching your login form for brute-force attacks.