zeal
De Techizard
MUST HAVE PLUGINS:
http://wordpress.org/extend/plugins/better-wp-security/
http://wordpress.org/extend/plugins/wp-security-scan/
http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/
http://wordpress.org/extend/plugins/tac/
http://wordpress.org/extend/plugins/exploit-scanner/
Install the plugins above and run each scanner at least once a week to check wp-content for harmful code. They match known patterns only, so treat a clean scan as a baseline rather than as proof the site is clean.
1. Always update your wordpress/themes/plugins to the latest versions.
2. Tighten file permissions: directories 755, static files 644, PHP files 600. Mode 600 only works when PHP executes as the owner of the files (suPHP or a per-user PHP-FPM pool, common on cPanel hosts); if PHP runs as the web-server user, 600 locks it out of every script, and 644 for PHP files with 640 (group set to the web server's) for wp-config.php is the right setting instead.
3. Replace the default admin user: the dashboard does not let you rename a user, so create a new account with the Administrator role and a strong, unique password, log in as that account, then delete the old admin user and, when prompted, reassign its posts to the new account. Attackers brute-force the login "admin" by name, which is why the default account should not exist at all.
4. Change the table_prefix: many published WordPress-specific SQL-injection attacks assume the default wp_ prefix, so setting $table_prefix in wp-config.php to something like myownsite_ breaks those exact payloads. This is obscurity, not a fix: an injection that can read information_schema will discover the real prefix, so patch the vulnerable plugin or theme rather than rely on this.
5. Keep the wp-admin directory protected: putting HTTP authentication on the wp-admin folder adds a second login in front of the WordPress one, so anyone requesting wp-admin or any path under it is prompted for credentials before WordPress ever runs. cPanel's Password Protect Directories interface sets this up with an .htaccess/.htpasswd pair. Two caveats: themes and plugins call wp-admin/admin-ajax.php for logged-out visitors, so exempt that file or front-end features break; and basic authentication sends the password base64-encoded, so serve the site over HTTPS.
6. Hide the WordPress version in the header tag: WordPress prints a <meta name="generator"> tag with its version in every page head, which tells an attacker exactly which release to look up. Add the following to the functions.php file in your theme directory (create a blank PHP file with this name if your theme does not already have one):
<?php
remove_action('wp_head', 'wp_generator'); // stop wp_head() from printing the generator meta tag
This only covers the HTML head; the same version string still appears in RSS feeds (the the_generator hook) and in readme.html at the site root, so delete readme.html as well, and remember that hiding the number is no substitute for step 1.
7. Keep crawlers out of the WordPress directories: search engines index whatever they can reach, and attackers use search queries to find sites by plugin paths and version strings. robots.txt limits that exposure, but it is only a request that well-behaved crawlers honour: an attacker ignores it and can read it to learn which paths you consider sensitive, so it is not access control. Add the following to your robots.txt (a Disallow line only takes effect under a User-agent line):
User-agent: *
Disallow: /wp-*
Note that /wp-* also covers /wp-content/, where theme CSS and JavaScript live; if the crawlers you care about need those to render pages, list /wp-admin/ and /wp-includes/ instead.
8. Protect your wp-config.php file: block direct HTTP requests for wp-config.php by adding the following to the .htaccess file at the top level of your WordPress install (Apache 2.2 syntax; on Apache 2.4 replace the two inner lines with Require all denied):
<FilesMatch "^wp-config\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>
Normally the PHP handler executes the file and never emits its contents, so this matters when that fails: a misconfigured or disabled PHP handler, or a backup copy such as wp-config.php.bak that is served as plain text. The pattern above matches only the exact file name, so do not keep backup copies of wp-config.php in the web root at all.
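As an added example (not from the original page nor from any of the plugins listed above), the following POSIX shell script applies steps 2, 7 and 8 of the checklist to one WordPress install in a single pass and then verifies the result. It assumes an Apache host where .htaccess files are honoured and PHP runs as the owner of the files (the suPHP or per-user PHP-FPM arrangement cPanel hosts typically use), which is what makes mode 600 on PHP files workable; the function names, the robots.txt paths and the directory argument are this example's own choices.

```shell
#!/bin/sh
# Added example, not code from the original page: apply the permission, robots.txt
# and wp-config.php rules from the checklist to one WordPress install, then verify.
# Assumes Apache honours .htaccess and PHP runs as the file owner (suPHP / per-user
# PHP-FPM), which is what makes mode 600 on PHP files workable.
set -eu

# Step 2: directories 755, static files 644, PHP files (wp-config.php included) 600.
harden_perms() {
    dir="$1"
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f ! -name '*.php' -exec chmod 644 {} +
    find "$dir" -type f -name '*.php' -exec chmod 600 {} +
}

# Step 7: advisory only. Written only when no robots.txt exists, and deliberately
# narrower than "Disallow: /wp-*" so crawlers can still fetch theme CSS/JS in wp-content.
write_robots() {
    dir="$1"
    if [ -e "$dir/robots.txt" ]; then
        return 0
    fi
    cat > "$dir/robots.txt" <<'EOF'
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-login.php
EOF
}

# Step 8: refuse direct HTTP requests for wp-config.php. Appended, not overwritten,
# because WordPress keeps its own rewrite block in .htaccess; skipped if already present.
write_htaccess_rule() {
    dir="$1"
    if ! grep -qF 'wp-config\.php' "$dir/.htaccess" 2>/dev/null; then
        cat >> "$dir/.htaccess" <<'EOF'
# Apache 2.2 syntax; on 2.4 without mod_access_compat use "Require all denied" instead.
<FilesMatch "^wp-config\.php$">
    Order allow,deny
    Deny from all
</FilesMatch>
EOF
    fi
}

# Check the end state: no PHP file readable by group or other, both rules in place.
# Returns 0 when everything holds, 1 otherwise (a pre-existing robots.txt that lacks
# the wp-admin line fails on purpose so the operator notices it).
verify_hardening() {
    dir="$1"
    leaky=$(find "$dir" -type f -name '*.php' \( -perm -040 -o -perm -004 \))
    if [ -n "$leaky" ]; then
        echo "group/world-readable PHP files:" >&2
        echo "$leaky" >&2
        return 1
    fi
    grep -qF '<FilesMatch "^wp-config\.php$">' "$dir/.htaccess" || return 1
    grep -q '^Disallow: /wp-admin/' "$dir/robots.txt" || return 1
    return 0
}

# Write the config files first so the permission pass also covers them.
harden_wordpress() {
    dir="$1"
    if [ ! -f "$dir/wp-config.php" ]; then
        echo "no wp-config.php in $dir, not a WordPress root" >&2
        return 1
    fi
    write_robots "$dir"
    write_htaccess_rule "$dir"
    harden_perms "$dir"
    verify_hardening "$dir"
}

# Usage: ./harden-wp.sh /home/user/public_html
if [ -n "${1:-}" ]; then
    harden_wordpress "$1"
fi
```

Run it against the document root after every plugin or theme install, since new files arrive with whatever mode the uploader gave them; it is safe to repeat because the .htaccess rule is added only once and an existing robots.txt is left alone. If verify_hardening reports readable PHP files on a host where PHP runs as the web-server user, that host needs the 644/640 scheme from step 2 rather than this script's 600.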