Other WordPress Security Resources

• Block snoopy bots with Jeff Starr's list of 6 great .htaccess bot-blocking techniques at Digging into WordPress
• Move your WordPress installation out of your root directory with Jeff Starr's tutorial at Digging into WordPress
• Password Management software: 1Password or KeePass (free)

Featured WordPress Security Plugins

• Update Notifierwill email you every time there’s a new WP or plugin update to install.
• Limit Login Attempts prevents brute force attacks.
• WP Security Scan looks through your WordPress installation and identifies common insecurities. It is super easy to understand and implement.
• AntiVirus keeps an eye on your theme files and emails you if anything changes them--like a hacker adding malicious code.

Code snippets

Prevent directory browsing

Turn off directory listing by adding this code to your .htaccess file:

Options -Indexes

Hide your wp-config file

Block all external access to your config file by adding this code to your .htaccess file:

<files wp-config.php>
order allow,deny
deny from all
</files>

Defend against injection.

Protect against any attempt to modify your PHP GLOBALS and _REQUEST variables by adding this code to your .htaccess:

Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

From http://www.smashingmagazine.com/2010/07/01/10-useful-wordpress-security-tweaks/

Hide your WordPress version

Remove your WordPress version number from your header by adding this code to your functions.php:

remove_action('wp_head','wp_generator');

Credit to Jeff Starr: http://digwp.com/2009/07/remove-wordpress-version-number/

Don’t show login errors.

Hide login errors from hackers. Add this code to your functions.php:

add_filter('login_errors',create_function('$a', "return null;"));