This is a strategy guide for WordPress security including removal of vulnerabilities, damage control, information hiding and what to do after an attack.

First – and most important – the things that should not need saying (but sadly, they do):

Use good passwords! Use different passwords!

Always use the latest version of WordPress and of your plugins (and really of any software you are using)!

Remove vulnerabilities

Choose wisely which plugins to use. The security of WordPress itself has improved a lot in recent years. Sadly, the same cannot be said about the plugins. Search the web for public exploits or vulnerability descriptions for the plugins you are using. If you really want to make sure they are safe to use, check the source code yourself. Best is to read it line by line, but that might be a bit too much work, so instead scan for the pieces that are most likely to be affected (such as any direct database actions; include, require, etc.; handling of user input).

Limit damage an attacker can make

Add

define('DISALLOW_FILE_EDIT', true);

to wp-config.php.

This disables the theme and plugin editor, which is a big security risk if even a single PHP file is accidentally writable.

Check all rights (including MySQL user rights, file permissions, user rights on the server, etc.). For example, the database user WordPress uses should not be allowed to write to files.

Hide information

Security through obscurity is not ideal, but it does help, and the information hiding I suggest below is easily done. On its own it is not worth much; in combination with the other techniques it does some good.

Stop the listing of directory contents (such as the plugins directory). If someone knows which plugins are installed, it is easier to attack your web site. Most plugins can be identified in other ways than seeing them listed, but that is a lot more work. Do this either by using Options -Indexes or by adding an index.html file with a generic error message.

Hide the version of WordPress. It is nearly impossible to do this completely (you would have to recreate all the files that WordPress dropped since earlier releases, somehow hide the files that did not exist in earlier releases, etc.), but at least remove the generator meta tag.

Do not use admin as the username and remove all login error messages. Change the default table prefix. You might also not want to put WordPress in a directory named /wordpress or /blog, as these are easily found and identified by crawlers (on the other hand, naming them something obscure is not very user-friendly).

Notice intruders and act on it

Read your error log regularly. Of course, an attacker can clean up after themselves, but they don't always.

When you connect to the server, check the last login message.

Be observant: if you find files that you did not put there, check them out. If the server load goes up without any apparent reason, find out why.

Search your PHP files for code that is typically present in shells.

If you notice an intruder, you can set the whole server up from scratch. This is the best approach, but also quite a lot of work. At a minimum you should change all passwords, find the weakness the intruder exploited (and fix it), and search for any shells the intruder might have placed (so search for any newly created files, but also check inside all old files for dangerous code).
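The two checks just described, searching PHP files for code typical of shells and looking for newly created files, as an added example that is not from the original post. It is a Python triage script run over a constructed throw-away directory that stands in for a WordPress install; the indicator patterns, their weights and the flagging threshold are assumptions chosen for illustration, not an authoritative signature list. The sample is built so that the shell appended to an old theme file with its timestamp reset is missed by the date search but caught by the content scan, which is the reason to also check inside old files.

```python
"""Triage helper: web-shell indicators in PHP files plus recently changed files.

Added example, not code from the original post.  Indicator list, weights and
threshold are illustrative assumptions.  Sample files are constructed below.
"""
import os
import re
import tempfile
import time
from pathlib import Path

# Constructs commonly seen in PHP web shells.  Each hit adds its weight to the
# file's score.  Legitimate plugins use some of these (base64_decode, exec), so
# the score ranks files for manual review; it is not proof of compromise.
INDICATORS = [
    (re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13|stripslashes)\s*\("),
     5, "eval() on a decoded payload"),
    (re.compile(r"\b(?:eval|assert)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
     5, "eval()/assert() on request input"),
    (re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
     5, "command execution on request input"),
    (re.compile(r"\$\w+\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b"),
     4, "variable function called on request input"),
    (re.compile(r"preg_replace\s*\(\s*['\"][^'\"]*/[imsxuADSUXJ]*e[imsxuADSUXJ]*['\"]"),
     4, "preg_replace() with the /e modifier"),
    (re.compile(r"['\"][A-Za-z0-9+/]{200,}={0,2}['\"]"),
     3, "long base64-looking string literal"),
    (re.compile(r"(?:chr\s*\(\s*\d+\s*\)\s*\.\s*){4,}"),
     3, "chr() concatenation (obfuscated string)"),
    (re.compile(r"\b(?:system|shell_exec|passthru|exec|popen|proc_open)\s*\("),
     2, "command execution"),
    (re.compile(r"\bmove_uploaded_file\s*\("),
     2, "file upload handling"),
    (re.compile(r"\bbase64_decode\s*\("),
     1, "base64_decode()"),
]


def scan_php_source(source):
    """Score one PHP source string.  Returns (score, [matched indicator descriptions])."""
    score, hits = 0, []
    for pattern, weight, description in INDICATORS:
        if pattern.search(source):
            score += weight
            hits.append(description)
    return score, hits


def scan_directory(root, threshold=4):
    """Scan every *.php under root; return {relative path: (score, hits)} for files scoring >= threshold."""
    root = Path(root)
    flagged = {}
    for path in root.rglob("*.php"):
        try:
            source = path.read_text(errors="replace")
        except OSError:
            continue  # unreadable file: note it separately in a real review
        score, hits = scan_php_source(source)
        if score >= threshold:
            flagged[path.relative_to(root).as_posix()] = (score, hits)
    return flagged


def files_changed_since(root, days=7):
    """Relative paths of files whose mtime is newer than `days` ago.

    Cheap first pass for "newly created files".  An intruder can reset mtime
    (touch), so the content scan above is still needed; comparing hashes with a
    clean WordPress download of the same version is the stronger check.
    """
    root = Path(root)
    cutoff = time.time() - days * 86400
    return sorted(p.relative_to(root).as_posix()
                  for p in root.rglob("*") if p.is_file() and p.stat().st_mtime > cutoff)


# Constructed sample tree: (relative path, contents, pretend it is a month old).
SAMPLE_FILES = [
    # legitimate plugin: harmless base64_decode and preg_replace use, scores 1
    ("wp-content/plugins/good-plugin/good.php",
     "<?php\n$blob = base64_decode(get_option('good_plugin_blob'));\n"
     "echo esc_html(preg_replace('/\\s+/', ' ', $blob));\n", True),
    # one-line shell dropped into uploads: new file, caught by both checks
    ("wp-content/uploads/2013/05/cache.php",
     "<?php eval(base64_decode($_POST['z'])); ?>\n", False),
    # shell appended to an old theme file, timestamp reset: only the content scan sees it
    ("wp-content/themes/sample-theme/functions.php",
     "<?php\nadd_theme_support('post-thumbnails');\n"
     "preg_replace('/.*/e', $_REQUEST['c'], 'x');\n", True),
    ("readme.html", "<html>not PHP, ignored by the content scan</html>\n", True),
]


def build_sample_site():
    """Write the constructed files into a fresh temp directory and return its path."""
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    a_month_ago = time.time() - 30 * 86400
    for rel, body, old in SAMPLE_FILES:
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(body)
        if old:
            os.utime(path, (a_month_ago, a_month_ago))
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for rel, (score, hits) in sorted(scan_directory(site).items()):
        print(f"{score:2d}  {rel}: {', '.join(hits)}")
    print("changed in the last 7 days:", files_changed_since(site))
```

Run it directly to see the ranked list for the sample tree. On a real install, point scan_directory and files_changed_since at the WordPress root and review every flagged file by hand, since base64_decode and exec also occur in legitimate plugins; the score only decides what to read first.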

Resources for secure WordPress

Read and follow the security tips by WordPress and search Google for even more tips.

There are also security plugins for WordPress, but I have not tested any of them till now so I am not commenting on them.