A friend of mine recently set up his own WordPress blog, so I gave him a few hints on how to secure it, and I thought I might as well share them with all prospective WordPress users out there.
Although WordPress is an excellent system for getting your thoughts out to the world, the WordPress developers could do more to make the system really secure. In the meantime, here are a few steps you can take yourself:
- Change the SQL table prefix: You can either do that via the configuration file before you run the WordPress installation, or via a plugin later. My advice is to do it before you set up your blog, just to be on the safe side. Otherwise your blog will use the same table names as 99% of all self-hosted WordPress blogs, making it an easy target for canned SQL injection attacks that assume the default table names.
- Secure the administration interface: Your administration interface is located in the subfolder ~/wp-admin/. Again, since all WordPress blogs use the same subfolder, this is another common point of attack. There are various ways to add another layer of security here. Unfortunately, you cannot simply rename the wp-admin folder, but you can use a .htaccess file to restrict who is able to access it. One possibility would be to allow access only from a certain IP address. But then you would be tied to one location to access your blog, and if your ISP assigns dynamic IPs this won’t be an option anyway. Another option is to add a second user/password combination via .htaccess (HTTP basic authentication). Of course, this means typing in two different sets of login credentials each time you log in, which is a bit of a hassle. But there are other options as well; a quick search at Google.com will turn them up.
- Get the Secure WordPress plugin and use it to further secure your administration interface. Simply install it and play around with the settings a bit. Not all settings are important, but you should definitely apply the option to remove error messages on your login page. Again, this is something where the WordPress developers could have done more. In case somebody makes it to your login page despite the measures we have taken above, WordPress will by default tell them whether they entered a correct user name. Why is this a bad thing, you may think? Well, normally people know neither the user name nor the password you use to access your blog, so they would have to guess millions of possible user/password combinations to log in. But if WordPress tells them as soon as they hit a correct user name, they only have to keep guessing your password. That makes it a lot easier for them, and they could brute force their way into your system step by step. See more below.
- Change the name of your administrator account: You will need direct access to your SQL database to do this. Most web space providers will give you a link to a tool for administering your SQL databases. Normally they run some flavour of phpMyAdmin, but you could also install the script yourself. Again, all WordPress blogs use the same name for their administrator account, and again, this is something where I think the WordPress guys could have done more. As I said above, things get a lot easier for attackers if they already know which user name you use to sign in to your system. And since they also know where to find your blog’s login page, they are already halfway there. I can’t go into too much detail here, since WordPress changes over time and I don’t want to give the wrong advice. Google is your friend.
- Adding to this, I also suggest you set up a new user with lower privileges that you use for your everyday blogging. In case somebody catches you typing in your password, at least they won’t be able to cause too much trouble. Note that WordPress allows you to specify a display name for your new user account that is different from the actual name you use to sign in. Make use of this feature!
- Get a spam filter. You’ll be surprised how many comments a new WordPress blog receives during its first days.
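As an added example for the wp-admin step above (my own .htaccess, not something shipped with WordPress or the plugin mentioned), here is a way to combine the two options so that you are not locked out when travelling: requests from your home IP get in directly, and everyone else must present a second password. It assumes Apache 2.4 with AllowOverride AuthConfig enabled; the IP address and the .htpasswd path are placeholders you need to replace.

```apache
# ~/wp-admin/.htaccess (constructed example, Apache 2.4 syntax)
AuthType Basic
AuthName "WordPress admin"
AuthBasicProvider file
# Create this file outside the web root with: htpasswd -c /path/to/.htpasswd adminuser
AuthUserFile /path/to/.htpasswd

# Let a request through if EITHER it comes from the trusted address
# (placeholder, replace with your own) OR it carries valid basic-auth credentials.
<RequireAny>
    Require ip 203.0.113.10
    Require valid-user
</RequireAny>

# admin-ajax.php is called by themes and plugins from the public site,
# so it must stay reachable or parts of the blog will break for visitors.
<Files admin-ajax.php>
    Require all granted
</Files>
```

If you are on Apache 2.2 the equivalent is Order/Allow plus Satisfy Any; check your server version before copying this.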
Hope this helps.

