WP-Config – The wp-config.php file within your site’s root directory contains the keys to your database. It isn’t directly accessible from the external web, but it is worth spending a bit of time here to ensure security. There are a couple of things you can do here to help yourself.

• Database name, username and password – Your database name can be anything, no one but you will ever see it, so make it something that is not easy to guess. The username and password that you enter here will only be used by Wordpress, so once again, make them something that is not easy to guess, and different from the credentials for your server, GoDaddy account, bank accont, Wordpress users, etc. This way if someone does get access to your server they can’t go crazy on the web getting access to everything you’ve ever owned. You’ll still have access to your database as the domain administrator, and if you ever do need these passwords again they’ll be safely stored in your site backup files.
• Security Keys – Wordpress 2.7 has four keys that you can add to the config file. The point of these keys is to add random elements to the passwords that are stored, making them more difficult to crack. You’ll never need to refer to these ever, so make them long and include every character you can get your fingers on. If you have trouble grasping the concept, use the generator that Wordpress provides.

File Access – Most people use FTP to access the files on their server. That’s great for ease of use, but this is an insecure method. If a sniffer picks up your traffic, they now have the credentials to access your server. Avoid the possibility by using SSH, which IS secure. If you need an SSH client, PuTTY is free.

Admin Account – When Wordpress is installed, it creates an admin account automatically, with a username of ‘admin’. If you use this account to either write for or administer your site, then anyone wanting access already has half of the information they need. Make them work, create an administrative account with a different username and then delete the ‘admin’ user. You can take this a step further by creating an ‘editor’ account to publish with. This prevents a would be hacker from finding out what your administrative credentials are.

Strong Passwords – Now for your account passwords. You want them to be long, and you want them to contain upper and lower case letters, numbers and special characters (# * @ ^, etc). Also, don’t use the same password for your Gmail, bank and GoDaddy accounts. If you have trouble remembering them get a password manager (I LOVE Roboform).

Protect Folders – Wordpress does a pretty good job of promoting itself as software, which is unfortunate because it gives would be hackers information that can be used against your blog. There are two folders that you need to think about protecting. We’ll tackle the easy one first.

• wp-content/plugins/ – This folder is where plugins are stored. By default, anyone that navigates to this folder can see which plugins you’re using. If someone wanted to hack your blog they would check here for potential security holes. Protect yours blog by adding an index.html file. It doesn’t need to contain anything in particular, in fact it can even be blank.
• wp-admin – This is the administrative section of Wordpress, all of the back end and many of its functions. This is the prize for hackers. There are a couple of ways to protect it, writing an .htaccess file yourself, or installing the Wordpress AskApache security plugin. Both will be effective. Once you select a method, and before you begin implementing it, take a few minutes and back up everything sixteen ways from Sunday, then read the instructions. You’re about to lock down your site for real, which means that its possible for you to lock yourself out.

Remote Publishing – One feature of Wordpress is that you can post to it from email or an external blogging platform such as Windows Live Writer or Ecto. This is pretty handy if you’re on the go, have limited access or like the features of your preferred blogging platform more than those within Wordpress. I would venture a guess that most people either don’t know or don’t care about this feature, and if that’s you then turning this off will leave one less opening. I do not mean to suggest that if you do choose to use this feature that you’re leaving your site exposed, I would not consider this an opening. But, if you aren’t using it then why leave it open? To disable this feature log in as an administrator and go to ‘Settings’, then ‘Writing’ and deselect ‘Atom Publishing Protocol’ and ‘XML-RPC’.

Stop Advertising Your Version – By default Wordpress lists its version number in the header code of your blog. Once again, this is giving a hacker information that he can use against you. Open your theme’s header.php file and remove this line “<meta name=”generator” content=”WordPress <?php bloginfo(’version’); ?>” /> <!-– leave this for stats please -->“.

Keep Current – As security holes are discovered the Wordpress development team addresses them. If you don’t stay current then your blog likely has security holes that you’re unaware of. When a new version of wordpress becomes available, install it. Be sure that your plugins are up to date as well. With version 2.7 this can be done with the click of a button so upgrade to 2.7 and then keep it current. No excuses.

Scan for Vulnerabilities – Now that your site is current with the latest software and locked down, scan every once in a while to ensure that a new vulnerability hasn’t exposed you. It takes only seconds to run, and provides valuable information on you site’s security.

Congratulations. Your blog is now more secure than it has ever been before. Go outside and do something fun. But remember, it may be safe today, but it may not be safe tomorrow. Hackers are always looking for ways of gaining accees to Wordpress. You’re never ahead of them, so there’s a good chance that within the next six months you’re going to need to take further action to keep yourself protected.