Wordpress Security

1. WordPress security at the Configuration and installation level

This section explains the measures to take to secure WordPress while installing and configuring it.

1.1 Change default table prefix

Many published WordPress-specific SQL-injection attacks assume that the table prefix is the default, wp_. Changing it can block at least some of these attacks.

1.2 Securing wp-config.php

Are you aware that wp-config.php can be stored one directory level above the WordPress installation?

This is quite a simple task. Also, make sure that only you (and the web server) can read this file (this generally means a 400 or 440 permission). The file contains quite sensitive information such as the database password and user, so it is very important to protect it.

1.3 Disable File Editing through WordPress Dashboard

The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use after logging in, since it allows code execution. WordPress has a constant to disable editing from the Dashboard.

Add the line below to wp-config.php.
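As an added check covering sections 1.1 to 1.3 (this is not code from the original post), the script below audits a wp-config.php for the three points above: a default table prefix, permissions wider than 400/440, and a missing DISALLOW_FILE_EDIT constant (the constant WordPress itself honours for disabling the file editor). The sample file contents are constructed for the demonstration.

```python
import os
import re
import stat

# Constructed sample contents (not a real site's file): the defaults this
# page says to change are still in place.
WEAK_WP_CONFIG = """<?php
define('DB_NAME', 'blog');
define('DB_USER', 'bloguser');
define('DB_PASSWORD', 'example-only');
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

# The same file after applying sections 1.1 and 1.3 (constructed).
HARDENED_WP_CONFIG = WEAK_WP_CONFIG.replace(
    "$table_prefix = 'wp_';",
    "$table_prefix = 'k9x2_';\ndefine('DISALLOW_FILE_EDIT', true);",
)

PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""")
# DISALLOW_FILE_EDIT is the WordPress constant behind section 1.3.
FILE_EDIT_RE = re.compile(r"""define\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*true\s*\)""")


def audit_wp_config(contents: str, mode: int) -> list:
    """Return findings for a wp-config.php given its text and its permission
    bits (e.g. 0o644 as reported by os.stat). An empty list means no findings."""
    findings = []
    match = PREFIX_RE.search(contents)
    if match is None or match.group(1) == "wp_":
        findings.append("1.1: table prefix is the default 'wp_'")
    # 400 or 440 is the target: any bit beyond owner/group read is a finding.
    if stat.S_IMODE(mode) & 0o037:
        findings.append("1.2: file is readable or writable beyond owner/group-read")
    if FILE_EDIT_RE.search(contents) is None:
        findings.append("1.3: DISALLOW_FILE_EDIT is not set to true")
    return findings


def audit_wp_config_file(path: str) -> list:
    """Audit an on-disk wp-config.php: read its text and stat its mode."""
    with open(path, encoding="utf-8") as fh:
        contents = fh.read()
    return audit_wp_config(contents, os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in audit_wp_config(WEAK_WP_CONFIG, 0o644):
        print(finding)
```

Run audit_wp_config_file("/path/to/wp-config.php") against a real installation; the weak sample above yields all three findings while the hardened sample at mode 440 yields none.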

1.4 Blocking Search Engine Spiders from Indexing the Admin Section

Search engine spiders crawl your entire blog and index all of its content. Using a robots.txt file we can restrict which content we would like search engines to index. Obviously the admin section does not need to be indexed. Just create a file named robots.txt in your root folder (generally public_html) and paste the contents below into it.

#
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$

1.5 HTTPOnly cookie

This prevents the cookie from being accessed by JavaScript. Note that this PHP setting applies only to PHP's own session cookie, not to cookies that application code sets directly.

Add the line below to your .htaccess file.

php_flag session.cookie_httponly On

References: OWASP XSS Prevention Cheat Sheet (Bonus Rule: use the HTTPOnly cookie flag); OWASP SQL Injection.

1.6 Subscriber account

Log in with a subscriber account regularly to check whether any of your plugins have created administrative links that subscribers are not supposed to be able to access.

1.7 Keep WordPress and plugins up to date with the latest versions

The latest WordPress version usually contains fixes for recently discovered security vulnerabilities, so it is very important to update your installation as soon as a new version is released. The same goes for plugins. However, plugin security is mostly up to the plugin's author, so it is very important to choose secure plugins.

1.8 Change the default login URL

The default WordPress login URL is http://www.yoursite.com/wp-login.php

A hacker who wants to break into your site typically uses a brute-force technique on this URL. Brute force in this case means a script that automatically tries various username/password combinations against your login URL. You might think you are safe because your firewall is set to track this particular activity and would just block the IP. However, the hackers are one step ahead: they run the script from various IPs, so if one IP is blocked the script automatically continues from a different one. The script is also set to run at regular intervals to avoid triggering any DDoS alarms.

To stop such scripts from attacking your login page, change or redirect it to some secret page, e.g. http://www.yoursite.com/entermysite. That way you protect yourself from automated scripts trying to brute-force your authentication.

To change your login page, install the plugin Rename wp-login.php and provide your new URL on its settings page.
