Do Some Things About Your WordPress Security … and Why
1. Install a Security Plugin
That’s an easy one, install a plugin that checks your security settings and give you advice. For example “Better WP Security” tell you 20 things you should do to improve your WordPress security and you can do the most of them with just one mouse click.
It also ads database backup feature, login lockouts and ssl features. Check it out!
2. Delete Your Admin-User
There is a user with the username “admin” on every WordPress. You should create a new user with another username and admin-privileges, after that delete the “admin”-user and transfer all posts to the new user.
Why? Automatic hacking attempts depends on WordPress defaults, so many attacks assume that there is an admin-user and try to get his password and/or privileges. See also 5. “Make Things Complicated”.
3. Prevent Random Login Attempts
Look at your apache logs, you will usually find many login attempts with admin user to your blog. That’s automated brute-force attacks. You are quite secure now because you already removed your admin user but you can do even more. Add a second password inquiry to your login-screen with .htaccess. You have a two step login procedure on different software levels then.
Add this lines at the top of your .htaccess
AuthType Basic AuthName "Restricted Area" AuthUserFile /var/www/htpasswd/.htpasswd <Files "wp-login.php"> require valid-user </Files>
Of course, you have to create a .htpasswd file with a user and password … and don’t use the same password for both levels please.
4. Check Your Salts and Keys
Everybody is talking about salts, “Adobe has no salts”, “LinkedIn hashes are not salted” and so on. What all this security guys are talking about? A salt is a random and secret string you should add to your password hash-generation so it’s much harder to decrypt passwords with rainbow tables.
In wp-config.php are 8 keys and salts, everyone of these should be a different random string. If there is something like “put your unique phrase here” … DO IT NOW! There is a salt generator from wordpress.org that makes it easy and secure.
define('AUTH_KEY', '+W)!0iS266I@0TfT9jA4;qUtc!6W.D}4A !MEDZL0J +5#(l|_c=t`$$&F');
define('SECURE_AUTH_KEY', 'xN&y_3FlF4vtBXKXv+-x7z00 |spmsZX`Vt_bk]hie~U;OE/JiQcUO,5EL5-;%~I');
define('LOGGED_IN_KEY', 'SFgSKKIb7ZNP%+E)FJ fKbz-%?z`,M1#@o^GY lay;$![@+->4nc|6+1-~57*Dan');
define('NONCE_KEY', '9-sa~o?7T&.|o_|KtUIQ)jyTSs!v+r&[|H9`+lb|#|T},],dF@_G+l,Y$2&lyJ]v');
define('AUTH_SALT', '/Js]Ck2|5|smh.r%G!vjD+s3B7y2ECps3nV?qa.3M|*0K?B-=ZA:PH%uaP_Pk?bo');
define('SECURE_AUTH_SALT', 'Lo[Vcx5KAtIA|N9z]1ST_kLBYSr@-]^N96-UZaH1=SM]VQYJ)zVMHV|P`X:KY*8,');
define('LOGGED_IN_SALT', 'l3Pf#4o:U-6[3_QDf~;Pfz(E@jlA{5fs-2t,v|h`bKZ& =sY= .|t+,+:A*g/#uG');
define('NONCE_SALT', '}<|(G ;p+vc/Y(jyfW*@9O|fK0qpZtKLw(47,M)0_J-.DYKA^]Q-gdUn|<+_Y^!h');
If everything looks okay or you just created new salts ... nevertheless you should change it just a bit, add some random chars to it, just for the case.
5. Make Things Complicated
There are some things you can do that it gets very complicated to automatically attack your wordpress. For example you can change your database-table-prefix to something random (not wp_), rename your wp-content folder or hide your wp-login.php file. All this things are not so easy to do, they may break your blog, so you should use "Better WP Security" or other plugins for that.
6. Check File Permissions
Okay it's a bit of work, but you should check you file permissions and set it to less as possible. There is no need that your config is always writable or that all your plugin folders have 777 permissions. Remove write-permissions wherever it's possible.
A hacker is looking for places where he can modify things, make it hard for him to find such places.
7. Deactivate The Theme- And Plugin-Editor
This one is a must! Deactivate the build-in WordPress file-editors under themes- and plugins-menu, the menu-point where you can edit php-files direct in your wordpress. If ever an attacker get into your wordpress he can modify all files where apache-user has write-permissions.
Add the following line to wp-config.php
define('DISALLOW_FILE_EDIT', true);
8. Clean Up a Bit
Delete everything you don't need! Old and unused plugins and themes, readme-files, wordpress sample config, old database dumps, uploaded zip files, old renamed files ... anything you don't need anymore. Move it to a folder, make a zip out of it for backup and then delete it.
You don't need this stuff anymore and there is a chance that in future someone discover a vulnerability in one of these files. If this day comes it's maybe to late to delete it, so you should do it now.
Greg are discussing. 
Reply