Securing WordPress

There are a number of things you can do to secure your WordPress installation including the following:

Delete the readme.html File
You should delete the readme.html file, as it contains information about your WordPress version.

RSS Feeds Supply WordPress Version Number
To stop the version information from being given out, add the following function to your theme's functions.php file, which will be at a path similar to this:

/var/www/wp-content/themes/twentyten/functions.php

Add the following after the opening <?php tag:

function hide_version()
{
    // Return an empty string so no generator/version tag is output in feeds.
    return '';
}

add_filter('the_generator', 'hide_version');

Add an index.php Page to the Uploads and Plugins Directories
You should of course not allow Apache to display directory listings, but to stop the forbidden page from being shown, just add the following:

Uploads Directory

cd /var/www/wp-content/uploads
sudo nano index.php

Add the following to the index.php file:

<?php
// Silence is golden.
?>

Plugins Directory

cd /var/www/wp-content/plugins
sudo nano index.php

Add the following to the index.php file:

<?php
// Silence is golden.
?>

MySQL Permissions
Most installation guides recommend that you grant all privileges to the WordPress database user. This is not recommended; grant only the following:

SELECT
INSERT
DELETE
UPDATE
CREATE
DROP
ALTER
INDEX (used in rare cases)

Use HTTPS when logging into the Admin Page
As you send your username and password when you access the login page, it is advisable to redirect the admin area to HTTPS so that this data is encrypted in transit.

sudo nano /var/www/wp-config.php

Add the following line below the line that reads: define('WPLANG', '');

define('FORCE_SSL_ADMIN', true);

Change Database Prefix
Make sure you change the table prefix from the default wp_.

This can be easily done by installing the plugin below and following the instructions:

http://wordpress.org/extend/plugins/wp-security-scan/

Remove Version Number from Style.css
To stop your theme version from being disclosed, edit the style.css file:

/var/www/wp-content/themes/twentyten/style.css

and remove the Version field from the theme header.

Stop Username Enumeration
When you browse to http://domain.com/?author=1 you are redirected to an author page that discloses the username of this user. You can disable this in the .htaccess file:

# Stop wordpress username enumeration vulnerability
# (requires mod_rewrite; RewriteEngine On must already be set or added here)
RewriteEngine On
RewriteCond %{REQUEST_URI}  ^/$
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
# Replace domainname.com with your own site address
RewriteRule ^(.*)$ http://domainname.com [L,R=301]
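To check that all of the items above have actually been applied to an installation, the following POSIX shell script is an added example (not part of the original article) that audits a WordPress docroot for each of them: readme.html deleted, index.php present in uploads/ and plugins/, the the_generator filter registered, no Version field in style.css, FORCE_SSL_ADMIN enabled, the table prefix changed from wp_, and the author= rewrite in .htaccess. It also emits a GRANT statement built from the privilege list in the MySQL Permissions section instead of ALL PRIVILEGES. The docroot /var/www, the theme name twentyten, and the database, user and host names are assumptions taken from the article or passed in by the caller.

```shell
#!/bin/sh
# Added WordPress hardening audit (example code, not from the original article).
# Paths default to the article's /var/www and twentyten theme; both are assumptions.

# wp_audit DOCROOT [THEME]
# Prints one OK/FAIL line per check and returns the number of failed checks.
wp_audit() {
    root="${1:-/var/www}"
    theme="${2:-twentyten}"
    fails=0

    # readme.html discloses the WordPress version and should be deleted.
    if [ -e "$root/readme.html" ]; then
        echo "FAIL readme.html still present"; fails=$((fails + 1))
    else
        echo "OK   readme.html removed"
    fi

    # uploads/ and plugins/ each need an index.php so the directory neither
    # lists its contents nor answers with a forbidden page.
    for d in uploads plugins; do
        if [ -f "$root/wp-content/$d/index.php" ]; then
            echo "OK   wp-content/$d/index.php present"
        else
            echo "FAIL wp-content/$d/index.php missing"; fails=$((fails + 1))
        fi
    done

    # functions.php must register a filter on the_generator (blanks the feed version).
    if grep -Eq "add_filter\([[:space:]]*['\"]the_generator['\"]" \
            "$root/wp-content/themes/$theme/functions.php" 2>/dev/null; then
        echo "OK   the_generator filter registered"
    else
        echo "FAIL the_generator filter missing in functions.php"; fails=$((fails + 1))
    fi

    # The theme header in style.css should no longer carry a Version: field.
    if grep -qi "^Version:" "$root/wp-content/themes/$theme/style.css" 2>/dev/null; then
        echo "FAIL style.css still declares a Version field"; fails=$((fails + 1))
    else
        echo "OK   style.css has no Version field"
    fi

    # wp-config.php: FORCE_SSL_ADMIN must be true and the prefix changed from wp_.
    cfg="$root/wp-config.php"
    if [ ! -f "$cfg" ]; then
        echo "FAIL wp-config.php not found"; fails=$((fails + 2))
    else
        if grep -Eq "^[[:space:]]*define\([[:space:]]*'FORCE_SSL_ADMIN'[[:space:]]*,[[:space:]]*true" "$cfg"; then
            echo "OK   FORCE_SSL_ADMIN is true"
        else
            echo "FAIL FORCE_SSL_ADMIN not set to true"; fails=$((fails + 1))
        fi
        if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$cfg"; then
            echo "FAIL table prefix is still wp_"; fails=$((fails + 1))
        else
            echo "OK   table prefix changed from wp_"
        fi
    fi

    # .htaccess should contain the author= rewrite that stops username enumeration.
    if grep -q "author=" "$root/.htaccess" 2>/dev/null; then
        echo "OK   author= rewrite present in .htaccess"
    else
        echo "FAIL no author= rewrite in .htaccess"; fails=$((fails + 1))
    fi

    return "$fails"
}

# wp_grant_sql DB USER [HOST]
# Emits a GRANT using the article's privilege list rather than ALL PRIVILEGES.
# Database, user and host are whatever the caller passes (hypothetical names).
wp_grant_sql() {
    printf "GRANT SELECT, INSERT, DELETE, UPDATE, CREATE, DROP, ALTER, INDEX ON \`%s\`.* TO '%s'@'%s';\n" \
        "$1" "$2" "${3:-localhost}"
}

# Stand-alone use: sh wp_audit.sh /var/www twentyten
if [ $# -gt 0 ]; then
    wp_audit "$1" "$2"
    wp_grant_sql wordpress wpuser
fi
```

The exit status of wp_audit is the number of failed checks, so a zero status from a cron job or deployment hook means every item on this page is in place; the GRANT text is printed rather than executed so it can be reviewed before being run against the database.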