Some tips to Protect your wordpress
- Secure your /wp-admin/ directory. What I’ve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess . This is what mine looks like:
AuthName “Access Control”
deny from all
# whitelist home IP address
allow from 126.96.36.199
# whitelist work IP address
allow from 188.8.131.52
allow from 184.108.40.206
# IP while in Kentucky; delete when back
allow from 220.127.116.11
I’ve changed the IP addresses, but otherwise that’s what I use. This file says that the IP address 18.104.22.168 (and the other IP addresses that I’ve whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.
- Make an empty wp-content/plugins/index.html file. Otherwise you leak information on which plug-ins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin on your blog and then they could exploit that
- Subscribe to the WordPress Development blog at http://wordpress.org/development/feed/ . When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you don’t upgrade.
Thanks for mattcutts