Fellow security nuts:

“WordPress security has always been food for thought. Even though most of the latest updates including WordPress 4.0 deal with WordPress security issues, there is still a lot that can be done to improve that security, even by the less tech-savvy of us. In this article I’d like to enumerate a number of suggestions on how to improve security on your own WordPress website.

WordPress itself has a list on WordPress security you might want to read. Of course, some of the things in that list will be repeated in the article below. Personally, I prefer a more hands-on list and direction; that’s why we decided on this article.

Don’t use ‘admin’ as a username

Think about this. This is perhaps the easiest baseline step for WordPress security you can take as a WordPress user. It costs you nothing, and the install makes it really easy to do. A majority of today’s attacks target your wp-admin / wp-login access points using a combination of admin and some password. Common sense would dictate that if you remove admin you’ll also kill the attack outright.

Yes, the argument exists that the attacker can still enumerate the user ID and Name and can in some instances pull the new username. There is no denying this. Remember though, like our friends at Sucuri like to say, Security is not about Risk elimination, it’s about Risk Reduction.

For the everyday, automated, Brute Force attack, removing the default admin or administrator username will suffice. For the sake of clarity, understand that when we say ‘admin’ we are speaking specifically to the username only and not the role.

Simply create a new user in WordPress at Users > New User and make that a user with Administrator rights. After that, delete the ‘admin’ user. Don’t worry about the post or pages the admin user has already created. WordPress will nicely ask you: “What should be done with content owned by this user?” and give you the option to delete all content or assign it to a new user, like the one you have just created.

Employ Least Privileged Principles

The WordPress.org team put together a great article in the Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to this step.

The good news is you don’t have to do much here, other than employ best practices. You see, the principles of Least Privileged state that you give permissions to those that need it, when they need it and only for the time they need it.

This means that not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles and you’ll greatly reduce your security risk.

Use a less common password

An easy thing to remember is CLU: Complex. Long. Unique.

This is where tools like 1Password and LastPass come into play, as they each have password generators. You type in the length, and it generates the password. You save the link, save the password, and move on with your day. Depending on how secure I want the password to be, I usually set the length of the password (20 characters is always right) and decide on things like the inclusion of less usual characters like # or *.

‘123456’ isn’t a password. ‘qwerty’ is like writing your security code on your bank card. ‘trustno1’; seriously? Shame on you. Remember, you’re never as unique as you think you are…

Hide wp-config.php and .htaccess

No, thou less tech-savvy WordPress website owner, that is not hard to do. It’s actually really simple, especially when you are using WordPress SEO > Edit Files to edit your .htaccess.

For better WordPress security, you’d need to add this to your .htaccess file to protect wp-config.php:

<Files wp-config.php>
order allow,deny
deny from all
</Files>

That will prevent the file from being accessed. Similar code can be used for your .htaccess file itself, by the way:

<Files .htaccess>
order allow,deny
deny from all
</Files>

You can do it. It’s no rocket surgery.”

If you’re into WordPress security, you should finish this article over at Yoast.
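
A quick way to confirm that the two <Files> rules quoted above really cover wp-config.php and .htaccess is to audit the .htaccess text itself. The following is an added example, not code from the Yoast article; the names denied_patterns, missing_protection and SAMPLE are hypothetical, and the check also accepts the Apache 2.4 form "Require all denied", which the article does not show.

```python
import re
from fnmatch import fnmatchcase

# Opening <Files name> tag, name bare or quoted. The regex form (<Files ~ "...">)
# is not parsed, so such blocks are reported as unprotected (conservative).
FILES_OPEN = re.compile(r'<Files\s+"?([^">]+?)"?\s*>', re.IGNORECASE)
FILES_CLOSE = re.compile(r'</Files\s*>', re.IGNORECASE)
# Deny-all in the article's Apache 2.2 syntax, or its 2.4 equivalent.
DENY_ALL = re.compile(r'(deny\s+from\s+all|require\s+all\s+denied)\s*$', re.IGNORECASE)
# Any allow rule, or any other Require, may reopen access, so it voids the block.
ALLOW_ANY = re.compile(r'(allow\s+from\s|require\s+(?!\s*all\s+denied))', re.IGNORECASE)

def denied_patterns(htaccess_text):
    """Return the <Files> name patterns whose block denies every request."""
    denied, current, deny_seen, allow_seen = set(), None, False, False
    for raw in htaccess_text.splitlines():
        line = raw.strip()
        if line.startswith('#'):          # Apache comments are whole lines
            continue
        opened = FILES_OPEN.match(line)
        if opened:
            current, deny_seen, allow_seen = opened.group(1), False, False
        elif FILES_CLOSE.match(line):
            if current and deny_seen and not allow_seen:
                denied.add(current)
            current = None
        elif current:
            deny_seen = deny_seen or bool(DENY_ALL.match(line))
            allow_seen = allow_seen or bool(ALLOW_ANY.match(line))
    return denied

def missing_protection(htaccess_text, required=("wp-config.php", ".htaccess")):
    """List the required file names that no deny-all <Files> block covers."""
    patterns = denied_patterns(htaccess_text)
    return [n for n in required if not any(fnmatchcase(n, p) for p in patterns)]

# Constructed sample: the second block carries a one-letter typo, ".htacces".
SAMPLE = """\
<Files wp-config.php>
order allow,deny
deny from all
</Files>
<Files .htacces>
order allow,deny
deny from all
</Files>
"""

if __name__ == "__main__":
    print(missing_protection(SAMPLE))
```

A misspelled file name in the <Files> tag is silently accepted by Apache and protects nothing, which is why the sample reports .htaccess as still exposed.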