At WordCamp last weekend, the first session I attended was all about WordPress security and how to protect your site from being attacked. Brad Williams of WebDevStudios.com covered a lot of important material on securing your WP site. While I have previously written a post about WordPress security, I did want to cover some of the additional topics from this very informative session at WordCamp.
The most important action you can take to protect your site is to keep WordPress updated—including your plugins and themes. I know I mentioned this in my previous post, but it’s certainly worth repeating—and it was one of the first things that Brad talked about. Also, be sure to use only plugins and themes from a trusted source, such as wordpress.org itself. These days, it’s very easy to find free downloadable themes and plugins. But you definitely need to watch out for files with compromised or malicious code.
A couple of slightly more advanced steps you can take to protect your WP site are to make sure that file permissions are set to 644 and folder permissions to 755. These can be set from an FTP client, and they stop your WordPress files and folders from being left wide open (writable by everyone) to harmful threats.
Another step you can take is to protect your wp-config.php file (where your configuration settings are stored) by moving it up one level, out of your public_html folder. Moving it out of the WP root makes it more difficult for malicious programs to access.
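The two steps above can also be done from a shell rather than an FTP client. The script below is an added example, not code from the post or from the WordCamp session: it builds a small constructed WordPress-like tree with deliberately loose permissions, applies the recommended 755 (folders) and 644 (files), verifies that nothing deviates from those values, and then moves wp-config.php one directory above the WordPress root (WordPress itself checks that location when the file is absent from the root). The directory names and file contents are placeholders.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes a POSIX shell with
# find, chmod, mv and mktemp available.
set -u

# Build a constructed WordPress-like tree and make everything 777 on purpose,
# so the hardening step below has something to fix.
make_demo_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/public_html/wp-content/plugins/demo-plugin"
    printf '<?php // placeholder config\n' > "$root/public_html/wp-config.php"
    printf '<?php // placeholder plugin\n' > "$root/public_html/wp-content/plugins/demo-plugin/demo.php"
    chmod -R 777 "$root/public_html"
    printf '%s\n' "$root"
}

# Apply the session's recommendation: 755 on every folder, 644 on every file.
harden_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Succeed (exit 0) only if every folder is exactly 755 and every file exactly 644.
# -perm with a plain mode is an exact match in POSIX find, so 777 or 664 are flagged.
check_perms() {
    [ -z "$(find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \))" ]
}

# Move wp-config.php from the WordPress root to the directory one level above it.
relocate_config() {
    [ -f "$1/wp-config.php" ] || return 1
    mv "$1/wp-config.php" "$1/../wp-config.php"
}

# Succeed only if wp-config.php is gone from the root and present one level up.
check_relocated() {
    [ ! -f "$1/wp-config.php" ] && [ -f "$1/../wp-config.php" ]
}

# Stand-alone demonstration on the constructed tree.
demo=$(make_demo_tree)
harden_perms "$demo/public_html"
check_perms "$demo/public_html" && echo "permissions OK: folders 755, files 644"
relocate_config "$demo/public_html" && check_relocated "$demo/public_html" && echo "wp-config.php moved above the WP root"
rm -rf "$demo"
```

To use it on a real install, call `harden_perms` and `check_perms` with the path to your WordPress root instead of the demo tree. Note that 644/755 assumes the web server only needs to read the files; if uploads or automatic updates must write to wp-content, the files have to be owned by the account PHP runs as, not made group- or world-writable.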
Additionally, the following WordPress plugins were recommended:
Limits the number of login attempts from the same IP range, which can prevent brute force password discovery.
Removes or hides certain information about your WordPress site and version.
Searches your website files as well as the post and comments tables of your database for suspicious entries.