Securing WordPress Installation

Whilst this might be like sticking my head above the parapet and asking for trouble, there are some simple steps you can take to make it harder for your WordPress installation to get hacked. None of them is a substitute for keeping core, themes and plugins patched, but each one removes an easy target.

1. Lock down your wp-admin folder with .htaccess
Create a new .htaccess file in the /wp-admin/ folder and add the following lines. This is an IP allow-list, not password protection: everything is denied except the addresses you list, so make sure the addresses are static ones you actually connect from, or you will lock yourself out. The syntax below is the Apache 2.2 style; on Apache 2.4 it only works if mod_access_compat is loaded, otherwise translate it to the equivalent Require directives.

order deny,allow
deny from all
# IP addresses to allow-list
# My IP
allow from xx.xxx.xxx.xxx
# Any other IPs I might need to get access from
allow from xx.xxx.xxx.xxx

Two things to test afterwards. First, wp-login.php sits outside /wp-admin/, so this does nothing to stop login attempts; it protects the dashboard once someone is logged in. Second, /wp-admin/admin-ajax.php is used by many themes and plugins for visitors who are not logged in, so check that your front end still works and exempt that file if it does not.

2. Move the wp-config.php file up one directory
If wp-config.php is not in the WordPress root, WordPress looks for it exactly one directory above (and only one; moving it higher than that breaks the site). So there is no need to panic, it will still be found. The benefit comes when that parent directory is outside the web root: the file, with your database credentials and salts, can then never be served by the web server, even if PHP handling is misconfigured one day. If WordPress lives in a subfolder of your document root, moving the file up one level leaves it inside the document root and buys you very little.

3. Set the secret keys and salts
wp-config.php defines eight constants (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY and their matching _SALT values) that WordPress uses to sign login cookies and nonces. The sample config ships them all set to the same placeholder text, and anyone who can guess your keys can forge those cookies. Replace the placeholder block with the random values the WordPress API generates for you:

https://api.wordpress.org/secret-key/1.1/salt/

Each visit returns a fresh set; paste it in verbatim. Changing the keys invalidates every existing login cookie, so expect to log in again, and regenerate them whenever you suspect the file has been exposed.

4. Create a new admin user with an unusual name, and a separate Editor for posting
Brute-force scripts try the username "admin" first, so create a new administrator account with an unguessable name, then create a normal Editor account for day-to-day posting so the name that appears on your posts and author pages is never the one with full privileges. When you delete the old admin user, WordPress asks which user to assign its posts to, so again, don't panic that you will lose them. These WordPress folks are quite clever.

5. Set up robots.txt for /wp-*
Create a robots.txt file in your site root if you don't have one and add the following lines to stop well-behaved search engines indexing your WordPress files, making it a little harder to find your install via a search. Be clear about what this is: robots.txt is a request that honest crawlers follow, and it is publicly readable, so it does nothing against anyone who is already probing your site. Note also that /wp-* matches /wp-content/ as well, so theme assets and uploaded images will drop out of search results.

User-agent: *
Disallow: /wp-*

6. Set up Akismet
This stops automated submissions from comment spammers, well not all of them, but quite a few. You will need an API key from akismet.com to activate it.
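Once the steps above are done it is worth checking that they actually took, and checking again after each upgrade. The following audit script is an added example, not code from the original post or from WordPress: it inspects a WordPress tree offline for steps 1, 2, 3 and 5 and, for step 3, generates a set of salts locally as a stand-in for the api.wordpress.org endpoint. It assumes the standard layout (wp-admin/.htaccess and robots.txt under the WordPress root, wp-config.php either in the root or one level above), and the salt character set it uses is an assumption chosen so the values drop into a single-quoted PHP string. The two sample trees it builds are constructed fixtures, one unhardened and one with the steps applied.

```python
import os
import re
import secrets
import string
import tempfile

# The eight constants the salt endpoint returns. wp-config-sample.php ships
# all of them set to the same placeholder text.
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"
# Assumption: printable ASCII without whitespace, quotes or backslash, so a
# value can sit inside a single-quoted PHP string unescaped.
SALT_ALPHABET = "".join(c for c in string.printable
                        if not c.isspace() and c not in "'\"\\")


def _read(path):
    try:
        with open(path, encoding="utf-8", errors="replace") as fh:
            return fh.read()
    except OSError:
        return None


def check_wp_admin_htaccess(root):
    """Step 1: deny-by-default plus an explicit IP allow-list (2.2 or 2.4 syntax)."""
    text = _read(os.path.join(root, "wp-admin", ".htaccess"))
    if text is None:
        return False, "wp-admin/.htaccess missing"
    deny = re.search(r"^\s*(deny from all|require all denied)\s*$", text, re.I | re.M)
    allow = re.search(r"^\s*(allow from|require ip)\s+\d+\.\d+\.\d+\.\d+", text, re.I | re.M)
    if not deny:
        return False, "no deny-by-default rule in wp-admin/.htaccess"
    if not allow:
        return False, "deny rule present but no IP allow-listed (you would lock yourself out)"
    return True, "wp-admin restricted to the allow-listed IPs"


def find_wp_config(root):
    """WordPress reads <root>/wp-config.php, else ../wp-config.php, nowhere higher."""
    root = os.path.abspath(root)
    parent = os.path.dirname(root)
    for path in (os.path.join(root, "wp-config.php"), os.path.join(parent, "wp-config.php")):
        if os.path.isfile(path):
            return path
    return None


def check_wp_config_location(root):
    """Step 2: the file should live one level above the WordPress root."""
    path = find_wp_config(root)
    if path is None:
        return False, "wp-config.php not found"
    if os.path.dirname(path) == os.path.abspath(root):
        return False, "wp-config.php is still inside the WordPress root"
    return True, "wp-config.php sits one directory above the WordPress root"


def check_salts(config_text):
    """Step 3: all eight keys defined, none the placeholder, all long and distinct."""
    defined = dict(re.findall(r"define\(\s*'(\w+)'\s*,\s*'([^']*)'\s*\)", config_text))
    problems = []
    for key in SALT_KEYS:
        value = defined.get(key)
        if value is None:
            problems.append(f"{key} not defined")
        elif PLACEHOLDER in value or len(value) < 32:
            problems.append(f"{key} is the placeholder or too short")
    values = [defined[k] for k in SALT_KEYS if k in defined]
    if len(set(values)) != len(values):
        problems.append("salt values are reused")
    return not problems, problems


def generate_salt_defines():
    """Local stand-in for the salt endpoint: eight 64-character values as PHP define() lines."""
    return "\n".join("define('%s', '%s');" % (key, "".join(secrets.choice(SALT_ALPHABET)
                                                             for _ in range(64)))
                     for key in SALT_KEYS)


def check_robots(root):
    """Step 5: robots.txt asks crawlers to skip /wp-* (a hint to crawlers, not a control)."""
    text = _read(os.path.join(root, "robots.txt"))
    if text is None:
        return False, "robots.txt missing"
    if re.search(r"^\s*Disallow:\s*/wp-\*\s*$", text, re.I | re.M):
        return True, "robots.txt disallows /wp-*"
    return False, "robots.txt does not disallow /wp-*"


def audit(root):
    """Run every offline check; returns {check name: (ok, detail)}."""
    results = {"wp-admin htaccess": check_wp_admin_htaccess(root),
               "wp-config location": check_wp_config_location(root),
               "robots.txt": check_robots(root)}
    config = find_wp_config(root)
    results["salts"] = check_salts(_read(config)) if config else (False, ["wp-config.php not found"])
    return results


def build_sample_tree(hardened):
    """Constructed fixture: an unhardened install, or one with the steps applied."""
    base = tempfile.mkdtemp()
    root = os.path.join(base, "public_html")
    os.makedirs(os.path.join(root, "wp-admin"))
    if hardened:
        with open(os.path.join(root, "wp-admin", ".htaccess"), "w") as fh:
            fh.write("order deny,allow\ndeny from all\nallow from 203.0.113.10\n")
        with open(os.path.join(root, "robots.txt"), "w") as fh:
            fh.write("User-agent: *\nDisallow: /wp-*\n")
        config_path, salts = os.path.join(base, "wp-config.php"), generate_salt_defines()
    else:
        config_path = os.path.join(root, "wp-config.php")
        salts = "\n".join("define('%s', '%s');" % (k, PLACEHOLDER) for k in SALT_KEYS)
    with open(config_path, "w") as fh:
        fh.write("<?php\n" + salts + "\n")
    return root


if __name__ == "__main__":
    for label in ("unhardened", "hardened"):
        print(label)
        for name, (ok, detail) in audit(build_sample_tree(label == "hardened")).items():
            print("  [%s] %s: %s" % ("PASS" if ok else "FAIL", name, detail))
```

Point audit() at your real WordPress root to check a live install. The salts check parses wp-config.php as text and never executes it, and generate_salt_defines() produces output in the same define() shape the API returns, so either source can be pasted into the file; use the API if you prefer, the point is that the placeholder must go.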