Twelve Top Tips To Protect WordPress

I love the WordPress content management system for its simplicity, flexibility, and community. It's what this site runs, and it's what many of my clients use. In fact, it's what millions of sites use, including many of the most popular sites on the web.


Because it's so popular, the WordPress system and its attendant plugins and themes are often the target of crackers, malware syndicates, and other bad guys. There's something of an arms race going on between these black hats, website owners, and the developers of WordPress, and some folks have pointed out that keeping everything protected is the true "price" of the excellent, free WordPress platform. I think it's a price worth paying… and I've paid it a time or two!


Both for my own reference and for your use as a resource, I've collected the best practices I've found to protect WordPress. Be sure to back up your WordPress site before trying any of these tips!


Top Tips To Protect WordPress

Don't be "Admin." When you install WordPress, the system assigns you the username "admin" by default, but you can make your username anything you want. You most certainly should not call yourself "admin." That's like giving the bad guys your username, since it's the first thing they'll try when they come knocking.
Use A Strong Password. This should be a no-brainer — WordPress actually gives you a hint as to the strength of your password — but it's worth mentioning anyway. This is your house you're locking up. Use a good lock.
Get Rid Of Unused Themes. We all do it — try out a bunch of different themes (most of them are free, after all) until we finally settle on something we like. But once you do have your dream theme, those unused themes you've installed are just sitting there, little bundles of code that you just might forget about. Eventually, they'll need updating… and what's the number one reason to keep themes (and plugins and your site itself) updated with the most current version? Updates often include patches for vulnerabilities that might let the bad guys in! It's too easy to ignore update notices for themes you're not using, so just delete the things. Keep a clean house and the vermin will be less likely to move in, y'know?
Get Rid Of Unused Plugins. Same deal as with unused themes. Old, unused plugins grow vulnerabilities like mold and attract bad guys like maggots. Delete 'em. They're (usually) free; you can always download and install them again if need be.
Get Login Lockdown. This simple plugin does a simple thing: records the IP address and timestamp of every login attempt. When x number of failed logins occur, no more attempts are allowed from that IP address until y time passes. A nice deterrent to brute force attacks on your front door.
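
To make the "x failed logins, then wait y" idea concrete, here's a small added example of that kind of lockout logic in Python. It's my own illustration, not the Login Lockdown plugin's code, and the thresholds, IP addresses and timestamps are made up:

```python
from collections import defaultdict, deque

class LoginLockdown:
    """Hypothetical lockout logic (an illustration, not the plugin's code): count
    failed logins per IP and refuse any attempt from an IP that has failed
    `max_failures` times within `window` seconds, for `lockout` seconds (x and y)."""

    def __init__(self, max_failures=3, window=300, lockout=3600):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lock expires

    def is_locked(self, ip, now):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                    # y time has passed: lift the lock
            del self.locked_until[ip]
            return False
        return True

    def attempt(self, ip, now, credentials_ok):
        """Record one login attempt and return 'locked', 'ok' or 'fail'."""
        if self.is_locked(ip, now):
            return "locked"                 # refused before the password is even checked
        if credentials_ok:
            self.failures.pop(ip, None)     # a real login clears the failure count
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()                # forget failures older than the window
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
        return "fail"

def simulate():
    """Constructed attempt stream (seconds from an arbitrary start): one IP hammers the form."""
    ld = LoginLockdown(max_failures=3, window=300, lockout=3600)
    events = [
        (0, "203.0.113.7", False), (5, "203.0.113.7", False), (9, "203.0.113.7", False),
        (12, "203.0.113.7", True),    # right password, but the IP is now locked out
        (20, "198.51.100.2", True),   # an unrelated IP is unaffected
        (3700, "203.0.113.7", True),  # lockout expired, so the attempt goes through
    ]
    return [ld.attempt(ip, t, ok) for t, ip, ok in events]
```
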
Get WordPress Firewall 2. This plugin should be standard equipment in every WordPress installation. It blocks several varieties of attacks on your WordPress installation, and reports the type of attack and its originating IP address to you in an e-mail. That IP address is golden — once you know it, you can block it from your server. Expect to see lots of IP addresses from the Ukraine.
Always Use SFTP. Regular FTP transmits your server account password in plain text. SFTP (the S is for "Secure") does not. Make sure your web host provider has the option to use SFTP when transferring files. (All accounts hosted with MWS Media use SFTP.)
Assign The Correct Permissions. This is straight from the WordPress codex. Make sure your server folders and files are secure. WordPress recommends that directories be set to 755 and files set to 644. Consult the documentation of your FTP client for details on how to do this. If you use a terminal to access your server on the command line, you probably don't need to consult anything, you code warrior, you.
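
If you'd rather have a script check this for you, here's an added Python example (mine, not from the codex) that walks a directory tree and reports anything that isn't 755 for directories and 644 for files. It builds a tiny made-up WordPress-like tree with two deliberate mistakes so you can see what gets flagged:

```python
import os
import stat
import tempfile

# The codex recommendation from the tip above: directories 755, files 644.
DIR_MODE, FILE_MODE = 0o755, 0o644


def audit_permissions(root):
    """Walk `root` and return a sorted list of (relative path, actual, expected)
    for every directory or regular file whose mode differs from the recommendation.
    Symlinks are skipped (lstat) so only real directories and files are judged."""
    offenders = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISDIR(st.st_mode):
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode != DIR_MODE:
                offenders.append((os.path.relpath(path, root), oct(mode), oct(DIR_MODE)))
        for name in filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):   # skip symlinks and anything odd
                continue
            mode = stat.S_IMODE(st.st_mode)
            if mode != FILE_MODE:
                offenders.append((os.path.relpath(path, root), oct(mode), oct(FILE_MODE)))
    return sorted(offenders)


def build_sample_tree():
    """Constructed miniature WordPress-like tree (not a real install) with two
    deliberate mistakes: a world-writable uploads directory and an executable
    wp-config.php. Returns the temporary root path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), DIR_MODE)
    os.chmod(uploads, 0o777)
    for rel, mode in (("index.php", FILE_MODE), ("wp-config.php", 0o755)):
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("<?php\n")
        os.chmod(path, mode)
    return root
```

Point audit_permissions at your real document root to get the same kind of list for a live site.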
Move Your Wp-Config File. Your wp-config file has, among other important info, your database information. It's a plain text file, unencrypted. It's like the soft underbelly of a puppy, just waiting for a coyote to clamp down with its sharp, yellow, diseased teeth. You don't want that. So move wp-config one level up in the directory structure of your server. WordPress will still be able to find it, but this little trick might just throw the bad guys off the scent.
.htaccess: Block Nasty IP Addresses. Now that you know where the bad guys are coming from, put this in the bottom of your .htaccess file:

# Block attacks
order allow,deny
deny from XXX.XXX.XXX.XXX
allow from all

.htaccess: Block Directory Browsing. This trick keeps folks from reading the list of files in your WordPress install. Put this at the end of your .htaccess file:

# disable directory browsing
Options -Indexes

.htaccess: Block HTTP Insertions. HTTP insertions are a particular type of attack. Putting this at the end of your .htaccess file will help prevent them:

# Block HTTP insertions
RewriteEngine On
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ ///.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/ [NC]
RewriteRule .* - [F,NS,L]
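
To see what these rules actually do, here's an added Python example (mine, not part of the original snippet) that re-runs the five conditions and the wp-admin exemption against a few made-up request lines the way Apache evaluates them. Apache's THE_REQUEST and REQUEST_URI variables are emulated from the raw request line:

```python
import re

# Apache's THE_REQUEST is the raw request line ("GET /index.php?p=1 HTTP/1.1");
# REQUEST_URI is the path part of it without the query string.
EXEMPT_URI = re.compile(r"^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).*", re.I)

# The five OR-chained conditions from the snippet, copied verbatim ([NC] -> re.I).
BLOCK_PATTERNS = [
    r"^[A-Z]{3,9}\ ///.*\ HTTP/",
    r"^[A-Z]{3,9}\ /.*\?\=?(http|ftp|ssl|https):/.*\ HTTP/",
    r"^[A-Z]{3,9}\ /.*\?\?.*\ HTTP/",
    r"^[A-Z]{3,9}\ /.*\.(asp|ini|dll).*\ HTTP/",
    r"^[A-Z]{3,9}\ /.*\.(htpasswd|htaccess|aahtpasswd).*\ HTTP/",
]
BLOCK_RES = [re.compile(p, re.I) for p in BLOCK_PATTERNS]

def request_uri(the_request):
    """Derive REQUEST_URI from the raw request line: second token, query stripped."""
    return the_request.split(" ", 2)[1].split("?", 1)[0]

def is_blocked(the_request):
    """Emulate the chain: the REQUEST_URI condition (no [OR]) is ANDed with the
    OR-group of the other five, so exempt paths are never blocked and any other
    path is blocked as soon as one THE_REQUEST pattern matches."""
    if EXEMPT_URI.match(request_uri(the_request)):
        return False
    return any(r.match(the_request) for r in BLOCK_RES)

def which_rule(the_request):
    """Return the 1-based index of the first matching pattern, or 0 if none match."""
    for i, r in enumerate(BLOCK_RES, start=1):
        if r.match(the_request):
            return i
    return 0

# Constructed request lines: ordinary traffic alongside the shapes the rules target.
SAMPLE_REQUESTS = [
    "GET /?p=12 HTTP/1.1",
    "GET /index.php?=http://203.0.113.9/x.txt HTTP/1.1",
    "GET ///index.php HTTP/1.1",
    "GET /.htaccess HTTP/1.1",
    "GET /wp-admin/admin.php?=http://203.0.113.9/x.txt HTTP/1.1",
]

def audit(requests=SAMPLE_REQUESTS):
    """Return [(request, blocked, rule_number)] so the effect of each rule is visible."""
    return [(r, is_blocked(r), which_rule(r)) for r in requests]
```

The last sample shows the exemption at work: pattern 2 matches it, but because the path starts with /wp-admin/ the first condition fails and nothing is blocked.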

Remember, this is an arms race, and while neither side has won, no one's giving up just yet. It's next to impossible to be 100% secure, but these tips will make your WordPress site a lot less hospitable to crackers and malware injectors. This list is far from complete, too — I'll be updating it from time to time, and I welcome your own proven tips — please contribute by leaving a comment!


Need Help Protecting WordPress?

I found these tips and resources in various places on the World Wide Web, and learned, over time, how to put them into practice… so you can, too.


Still, I understand that some folks might not want to get their hands dirty with SFTP, the .htaccess file, moving things around, and so on. That's all right! You can always hire me to do it for you! Contact me and let's talk about getting your WordPress installation as secure as we can.


This is a post from Matthew Wayne Selznick. Thanks for reading Twelve Top Tips To Protect WordPress -- please click through and comment! If you like what you've read, I hope you will subscribe to Matthew Wayne Selznick's free e-mail newsletter for exclusive content and deals on Matt's products and services.



Published on March 22, 2012 09:00