Tips to help protect yourself from WordPress security issues:
1. Upgrade WordPress: This is probably the first thing you should do! If you’re not running the most up-to-date version, you’re asking for trouble. Currently it’s 2.2.3, but soon it will be version 2.3, so you may as well wait till the 24th and install the newest version. There have been a few releases recently that were purely security fixes (SQL injection, etc.). It may seem like a pain in the butt, and sometimes it can be, but upgrading is really not that bad. I held off upgrading from version 2.0 to 2.2 for a few months because I was scared something would go wrong and everything would get deleted. Finally, I mustered the energy, went through their instructions step by step, and it was fine! Once you’ve upgraded WordPress once, it’s not all that bad!
2. Change default passwords: Are you still logging into your wp-admin page with the same default password that was emailed to you? If so, CHANGE IT! That password is only 6 characters, just numbers and letters; my grandmother could probably crack it after a few weeks. Make it complex and more than 10 characters if you can. Also, try not to use words; make it a nice jumble of letters, numbers, and symbols. While you’re at it, log into your hosting company’s site and change the password for your account login and any control panel logins, like cPanel, too.
3. Use SSH/Shell Access instead of FTP: This one is a big one! It’s not as easy to implement as the other two, but it’s probably the best tip out of all the others I will list here. If someone gets hold of your FTP login information (which travels unencrypted and is easy to capture), they can manipulate your files and add spam to your site without you even knowing about it! Just read this story! It’s actually best to disable FTP altogether if you can. With SSH, everything is encrypted, including the transfer of files.
4. Install the LoginLock plugin: This is a really cool plugin that will automatically block an IP address from trying to log into your WordPress admin area after a certain number of attempts. LoginLock will prevent bots from continuously trying different combinations to crack your account. This is very similar to how Windows works if you’re in a domain environment. The default lockout time is 1 hour.
5. Create a blank index.html file in your /plugins/ directory: By default, your WordPress plugins folder is completely visible to anyone who goes to http://www.domainname.com/wp-content/plugins. Go ahead and create a blank document in your favorite editor, save it as index.html, and upload it to the plugins directory. Now when you try to access that address, you only get a blank screen. This keeps attackers from listing your plugins and looking for a known security hole in one of them.
6. Block access to the wp-admin folder using .htaccess: There is an article written by Reuben that talks about how you can protect your WordPress admin folder by allowing access to it only from a defined set of IP addresses. Everything else will bring up a Forbidden error message. So if you only access your blog from one or two places routinely, it’s worth implementing. Note that you’re supposed to create a new .htaccess file inside your wp-admin folder, not replace the one at the root of your blog.
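Here is what such a wp-admin/.htaccess can look like, generated and sanity-checked with a short Python script. This is an added example, not Reuben’s article and not WordPress code; the addresses in ALLOWED_SOURCES are made up and you would put your own in. It writes the Apache 2.2 Order/Deny/Allow form that was current when this was written and, optionally, the Apache 2.4 Require ip form, and it runs every entry through the ipaddress module first, because a typo in an allow list does not fail loudly: it either breaks the site with a 500 or locks you out of your own admin area.

```python
import ipaddress
from pathlib import Path

# Constructed example: the places you routinely administer the blog from
# (one host and one office network). Replace with your own addresses.
ALLOWED_SOURCES = ["203.0.113.10", "198.51.100.0/24"]


def validate_sources(sources):
    """Parse every entry as an IPv4/IPv6 host or CIDR block.

    A malformed entry raises ValueError here instead of producing an .htaccess
    that Apache rejects (500 error) or that allows nobody in, you included.
    """
    return [ipaddress.ip_network(s, strict=False) for s in sources]


def _fmt(net):
    # Single hosts are written bare; real ranges keep their prefix length.
    return str(net.network_address) if net.num_addresses == 1 else net.with_prefixlen


def render_htaccess(sources, apache24=False):
    """Return the text of an .htaccess that allows only `sources` and 403s the rest."""
    nets = validate_sources(sources)
    lines = ["# Only these addresses may reach wp-admin; everyone else gets 403 Forbidden."]
    if apache24:
        lines.append("<RequireAny>")
        lines.extend(f"    Require ip {_fmt(n)}" for n in nets)
        lines.append("</RequireAny>")
    else:
        lines.extend(["Order Deny,Allow", "Deny from all"])
        lines.extend(f"Allow from {_fmt(n)}" for n in nets)
    return "\n".join(lines) + "\n"


def write_htaccess(wp_admin_dir, sources, apache24=False):
    """Write the file into wp-admin/ itself (not the blog root, whose .htaccess
    holds the permalink rewrite rules). Returns the path written."""
    target = Path(wp_admin_dir) / ".htaccess"
    target.write_text(render_htaccess(sources, apache24))
    return target


if __name__ == "__main__":
    print(render_htaccess(ALLOWED_SOURCES))
    print(render_htaccess(ALLOWED_SOURCES, apache24=True))
```

Two things to check before relying on it: the host must have AllowOverride enabled for the directory, or Apache silently ignores the file, and if your home connection gets a new address every few days you will be adding it to the list regularly, which is why the tip only pays off when you log in from a fixed place or two.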
7. Remove the version string from your header.php file: Of course, if you’re running version 2.0 and the current release is 2.3 AND your blog explicitly states that it’s at 2.0 on every page, it’s not going to be very hard for someone to find your vulnerable blog and attack it. The line looks like this:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
To remove the WordPress version info, log in to your WordPress dashboard and go to Design->Theme Editor. On the right, click on the Header file. On the left, where you see a lot of code, look for that line and delete it.
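If you would rather not hand-edit theme files, or you want to confirm afterwards that the served page really is clean, the following Python does both. It is an added example, not part of this post or of WordPress; the header.php fragment and the rendered HTML in it are constructed samples. The stripping regex has to special-case the PHP tag, because the “?>” inside it would otherwise look like the end of the meta element.

```python
import re

# Constructed samples: a theme header.php fragment with the line the tip shows,
# and the HTML a visitor (or a scanner) actually receives once PHP has run.
SAMPLE_HEADER_PHP = """<head>
<title>My blog</title>
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
<link rel="stylesheet" href="/wp-content/themes/default/style.css" />
</head>
"""
SAMPLE_RENDERED = '<head><meta name="generator" content="WordPress 2.2.3" /></head>'

# Matches a generator meta tag in theme source or rendered HTML. The PHP
# alternative is needed because "?>" inside the tag would otherwise end it early.
GENERATOR_TAG = re.compile(
    r"""<meta\s+name=["']generator["'](?:<\?php.*?\?>|[^>])*>[ \t]*\n?""",
    re.IGNORECASE,
)
VERSION_IN_TAG = re.compile(
    r"""<meta\s+name=["']generator["']\s+content=["']WordPress\s*([^"']*)["']""",
    re.IGNORECASE,
)


def strip_generator_tag(source):
    """Return `source` with every generator meta tag removed and nothing else touched."""
    return GENERATOR_TAG.sub("", source)


def leaked_version(html):
    """Return the WordPress version a rendered page still advertises, or None.

    Run this on the HTML of your own front page after the change: the theme
    file may be clean while the served page still carries the tag.
    """
    m = VERSION_IN_TAG.search(html)
    if not m:
        return None
    return m.group(1).strip() or None


if __name__ == "__main__":
    print("before:", leaked_version(SAMPLE_RENDERED))
    print("after: ", leaked_version(strip_generator_tag(SAMPLE_RENDERED)))
```

One caveat from later versions rather than from this post: from WordPress 2.5 on, the tag is printed by the wp_head() call instead of a literal line in header.php, so there the edit above finds nothing and the equivalent fix is remove_action('wp_head', 'wp_generator') in the theme’s functions.php. leaked_version() on the served page tells you whether you are done either way.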
8. Block wp- folders from the search engines: There is no need to have all of your WordPress files indexed by Google, so it’s best to block them in your robots.txt file. Add the following line to your list: Disallow: /wp-*
9. Hide your DNS or subscribe to a protection service: my advice is to use CloudFlare for security and website optimization; it’s a very good service!
10. Avoid using free themes and plugins without checking them for malicious code: you can run into serious trouble by installing plugins and using themes without checking them for malicious code. If you don’t know PHP, I’d recommend only installing plugins and themes that are listed in the official WordPress directories.
11. Encrypt your login: Whenever you log in to your website, your password is sent unencrypted. If you are on a public network, a hacker can easily ‘sniff’ out your login credentials with a network sniffer. The best way is to encrypt your login with the Chap Secure Login plugin. This plugin adds a random hash to your password and authenticates your login with the CHAP protocol.
12. Stop brute force attacks: Hackers can easily crack your login password and credentials with a brute force attack. To prevent that from happening, you can install the Login LockDown plugin. This plugin records the IP address and timestamp of every failed WordPress login attempt. Once a certain number of failed attempts are detected, it will disable the login function for all requests from that range.
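If you do know a little PHP, this is the kind of first-pass check to run over an unzipped theme or plugin before activating it. It is an added example, not a WordPress tool and not from this post; the two sample sources inside it are constructed, one harmless and one carrying the “decode a hidden blob and eval it” pattern that backdoored free themes are known for. Every hit is a line for a human to go and read, not a verdict: plenty of legitimate plugins call fopen() or base64_decode().

```python
import re
from pathlib import Path

# Constructed sample sources: a harmless plugin and a theme file carrying the
# classic "decode a hidden blob and eval it" pattern. Neither is ever executed.
SAMPLES = {
    "nice-widget/widget.php": """<?php
/* Plugin Name: Nice Widget */
function nice_widget() { echo '<p>Hello from the footer</p>'; }
add_action('wp_footer', 'nice_widget');
""",
    "free-theme/footer.php": """<?php
$s = 'aGVsbG8gd29ybGQ=';
eval(gzinflate(base64_decode($s)));
$f = fopen(dirname(__FILE__) . '/cache.php', 'w');
""",
}

# (pattern, why a reviewer should look at the line). Hits are leads, not verdicts.
RULES = [
    (re.compile(r"\beval\s*\("), "eval(): runs code built at runtime"),
    (re.compile(r"\b(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\("),
     "decodes an obscured payload"),
    (re.compile(r"\bpreg_replace\s*\(\s*['\"][^'\"]*/[a-z]*e[a-z]*['\"]"),
     "preg_replace with the /e modifier (evaluates the replacement)"),
    (re.compile(r"\b(system|exec|shell_exec|passthru|popen|proc_open)\s*\("),
     "runs a shell command"),
    (re.compile(r"\b(fopen|file_put_contents|fwrite|move_uploaded_file)\s*\("),
     "writes to the filesystem"),
    (re.compile(r"(?=.*\$_(GET|POST|REQUEST|COOKIE)\b)(?=.*\b(eval|include|require|system)\b)"),
     "request data on the same line as code execution"),
]


def scan_source(name, source):
    """Return (file, line number, reason, line text) for every suspicious line."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for pattern, reason in RULES:
            if pattern.search(line):
                findings.append((name, lineno, reason, line.strip()))
    return findings


def scan_tree(root):
    """Scan every .php file below `root` (e.g. an unzipped theme) and return the findings."""
    root = Path(root)
    findings = []
    for path in sorted(root.rglob("*.php")):
        findings.extend(scan_source(str(path.relative_to(root)),
                                    path.read_text(errors="replace")))
    return findings


if __name__ == "__main__":
    for name, source in SAMPLES.items():
        for _, lineno, reason, text in scan_source(name, source):
            print(f"{name}:{lineno}: {reason}: {text}")
```

Point scan_tree() at the unzipped download and read every flagged line in context. A theme that has no business touching files or running decoded strings but does both in footer.php is the one to delete, not install.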
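To see what CHAP actually buys you on an open network, here is the exchange with both sides written out in Python. This is an added illustration, not the plugin’s code: the credentials are constructed, and SHA-256 stands in for whatever hash the plugin uses (an assumption). The property to notice is that only a fresh random challenge and a hash computed from it ever cross the wire, and the server refuses to accept a response to a challenge it has already consumed.

```python
import hashlib
import hmac
import secrets

# Constructed credentials for the demo. The server stores a hash of the
# password; in this scheme the response is built from that stored hash.
STORED_USERS = {"admin": hashlib.sha256(b"correct horse battery staple").hexdigest()}


class ChapServer:
    """Server side: hand out a one-time random challenge, then check the response."""

    def __init__(self, users):
        self.users = users          # username -> stored password hash
        self.pending = {}           # username -> challenge not yet answered

    def challenge(self, username):
        nonce = secrets.token_hex(16)      # fresh 128-bit value per login attempt
        self.pending[username] = nonce
        return nonce

    def verify(self, username, response):
        # pop(): a challenge can be answered once. A response captured off the
        # wire is useless later because the server never asks that question again.
        nonce = self.pending.pop(username, None)
        if nonce is None or username not in self.users:
            return False
        expected = hashlib.sha256((nonce + self.users[username]).encode()).hexdigest()
        return hmac.compare_digest(expected, response)   # constant-time comparison


def client_response(challenge, password):
    """Browser side (the plugin does this in JavaScript): hash the password,
    then hash it together with the challenge. Only the result is sent."""
    password_hash = hashlib.sha256(password.encode()).hexdigest()
    return hashlib.sha256((challenge + password_hash).encode()).hexdigest()


def login(server, username, password):
    """The full exchange: the challenge travels one way, the response the other."""
    nonce = server.challenge(username)
    return server.verify(username, client_response(nonce, password))


if __name__ == "__main__":
    server = ChapServer(dict(STORED_USERS))
    print("good password:", login(server, "admin", "correct horse battery staple"))
    print("bad password: ", login(server, "admin", "guess"))
```

What a sniffer sees (the nonce and the response) reveals neither the password nor the stored hash, which is exactly the protection the plugin gives you on public Wi-Fi. It does not protect the session cookie WordPress sets after login, nor anything else you send while editing; serving wp-admin over HTTPS covers all of that, so treat the plugin as the fallback for hosts where you cannot get a certificate.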
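Tips 4 and 12 describe the same mechanism from two plugins, so here is the lockout logic itself, written out in Python as an added example (not the code of LoginLock or Login LockDown). The defaults follow what the two tips say: a handful of failures within an hour locks the source for one hour, and the source is the surrounding /24 rather than the single address, which is what “that range” means above; the clock is injectable so the behaviour can be checked without waiting an hour.

```python
import ipaddress
import time
from collections import defaultdict, deque


class LoginLock:
    """Count failed logins per source and lock that source out for a while.

    Defaults mirror the behaviour the two plugins describe: a handful of
    failures inside an hour locks the source for one hour. Keying by the
    surrounding /24 (range_prefix) locks the whole range; set range_prefix=32
    to lock single addresses only.
    """

    def __init__(self, max_failures=5, window=3600, lockout=3600,
                 range_prefix=24, clock=time.time):
        self.max_failures = max_failures
        self.window = window            # seconds in which failures are counted
        self.lockout = lockout          # seconds a source stays locked
        self.range_prefix = range_prefix
        self.clock = clock              # injectable for testing
        self.failures = defaultdict(deque)   # key -> timestamps of recent failures
        self.locked_until = {}               # key -> time the lock expires

    def key(self, ip):
        addr = ipaddress.ip_address(ip)
        prefix = self.range_prefix if addr.version == 4 else 64
        return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))

    def is_locked(self, ip):
        k = self.key(ip)
        until = self.locked_until.get(k)
        if until is None:
            return False
        if self.clock() >= until:           # lock expired: forget the history
            del self.locked_until[k]
            self.failures.pop(k, None)
            return False
        return True

    def record_failure(self, ip):
        now = self.clock()
        k = self.key(ip)
        recent = self.failures[k]
        recent.append(now)
        while recent and recent[0] < now - self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[k] = now + self.lockout
            recent.clear()

    def record_success(self, ip):
        self.failures.pop(self.key(ip), None)


def attempt_login(lock, ip, username, password, check_credentials):
    """Gate a login: 'locked' (password not even checked), 'ok', or 'denied'."""
    if lock.is_locked(ip):
        return "locked"
    if check_credentials(username, password):
        lock.record_success(ip)
        return "ok"
    lock.record_failure(ip)
    return "locked" if lock.is_locked(ip) else "denied"
```

Note the trade-off in the range keying: it stops a bot that hops between neighbouring addresses, but it also locks out everybody behind the same office NAT when one colleague mistypes a password a few times, so pick the prefix to match who actually shares your blog.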
13. Use a strong password: Make sure you use a strong password that is difficult for others to guess. Use a combination of digits, special characters and upper/lower case to form your password. You can also use the password checker on WordPress 2.5 and above to check the strength of your password.
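Tips 2 and 13 give the same rules (more than 10 characters, mixed classes, no words), so here they are as a checker you can run against a candidate password before setting it. It is an added example, not the WordPress 2.5 strength meter; the word list is a constructed stand-in for a real dictionary. search_space_bits() puts a number on the 6-character default from tip 2: 36 to the power 6 is about 2 to the 31, which is why it is crackable, while 14 mixed characters is past 2 to the 90.

```python
import math
import string

# Constructed mini word list; a real check would use a dictionary or a list of
# leaked passwords, but the logic is the same.
COMMON_WORDS = {"password", "letmein", "wordpress", "admin", "welcome", "qwerty", "blog"}


def character_classes(pw):
    """Which of the four classes (lower, upper, digit, symbol) the password uses."""
    classes = set()
    for c in pw:
        if c.islower():
            classes.add("lowercase")
        elif c.isupper():
            classes.add("uppercase")
        elif c.isdigit():
            classes.add("digits")
        elif c in string.punctuation:
            classes.add("symbols")
    return classes


def search_space_bits(pw):
    """log2 of how many passwords an attacker who knows only the length and the
    character classes would have to try. Six alphanumerics: 36**6, about 2**31."""
    sizes = {"lowercase": 26, "uppercase": 26, "digits": 10,
             "symbols": len(string.punctuation)}
    alphabet = sum(sizes[c] for c in character_classes(pw))
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def check_password(pw):
    """Return the list of rules the password breaks (an empty list means it passes)."""
    problems = []
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if len(character_classes(pw)) < 3:
        problems.append("uses fewer than three of: lowercase, uppercase, digits, symbols")
    lowered = pw.lower()
    if any(word in lowered for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if len(set(pw)) < len(pw) / 2:
        problems.append("too many repeated characters")
    return problems


if __name__ == "__main__":
    for candidate in ("abc123", "Wordpress2007!", "k7$Qz!m2Vx#9pL"):
        print(f"{candidate!r}: {search_space_bits(candidate):.0f} bits, "
              f"problems: {check_password(candidate) or 'none'}")
```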
14. Protect your wp-admin folder: Your wp-admin folder contains all the important information and it is the last place you want to give others access to. Use AskApache Password Protect to password protect the directory and give access rights only to authorized personnel.
15. Hide your plugins folder: If you go to http://yourwebsite.com/wp-content/plugins, you can see a list of the plugins you are using for your blog. You can easily hide this page by uploading an empty index.html to the plugins directory.
Open your text editor. Save the blank document as index.html.
Using an FTP program, upload the index.html to the /wp-content/plugins folder.
16. Do a regular security scan: Install the wp-security-scan plugin and scan your blog settings regularly for security loopholes. This plugin can also help you change your database prefix from wp_ to a custom prefix.
17. Define user privileges: If there is more than one author for your blog, you can install the role-manager plugin to define the capabilities of each user group. This gives you, the blog owner, the ability to control what users can and cannot do in the blog.
18. Back up your WordPress database: No matter how secure your site is, you still want to prepare for the worst. Make sure you back up EVERYTHING, including your posts, comments, files, images, logos, template, links, and HTML code. That way, even if your blog does get wiped out, you’ll have everything you need to put it back together quickly.
The best plugin to do this is: Backup Buddy.
If you want a free plugin: install the wp-database-backup plugin and schedule it to back up your database daily. But I must warn you that this plugin only backs up the database.