WordPress Security

After installing WordPress there are numerous actions you can take to ensure that your blog is safe and secure as possible. Here are some tips:

First and foremost always keep your WP installation, themes, and plugins up to date.

Remove the admin user from the database after creating a new admin with a different name.

Choose a strong password for all accounts (use http://passwordmeter.com to check password strength).

Change your WP nickname.

During installation, change the wp_ prefix to something else for added security.

During installation, create a separate user for the WP database. Disallow the DROP command for that DB user.

Move wp-config.php up one directory level so it is outside of your root web directory. After all config changes to wp-config.php, change the permissions to 400 so public access is denied.

Configure security keys in your wp-config.php file (generate them from https://api.wordpress.org/secret-key/1.1/salt/).

Make sure you schedule or manually take backups of your WP installation.

Remove all readme.txt files from themes and plugins (they expose version information).

Remove the license.txt and readme.html files from the install folder.

Create a robot.txt file to disallow crawlers from reading certain folders. Use the following for robot.txt:
User-agent: *
Disallow: /feed/
Disallow: /trackback/
Disallow: /wp-admin/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /xmlrpc.php
Disallow: /wp-

Install the following plugins:
wp-security-scan
wordpress-firewall
ms-user-management
wp-maintenance-mode
ultimate-security-scanner

Run each of the above plugins to scan the security of your blog and make any adjustments based on their recommendations.

That's it! While nothing is ever totally secure, this list is a good starting point. Enjoy.