I've already done most of the things recommended to protect a blog.
Deleted the 'admin' account - check
Installed 'Limit Login Attempts' plugin - check
Created a strong password for the superuser account - check
I am wondering whether it's worth changing the login URL to something obscure like http://www.mydomain.com/tceruwq.php (for example) to throw hackers off the scent.
I read a comment that it helps security a bit, but not MUCH.
Why is that? Are there ways and means of finding out your new login URL regardless?
In my opinion... it's better to write an .htaccess to restrict access to the admin section by IP address only. Place it in the wp-admin folder... something like:
#Deny access to wp-admin folder
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP addresses allowed to view wp-admin folder
allow from 000.000.000.000
Only the person with an IP address of 000.000.000.000 can access the login area! Even if they were able to bypass your login page and attempt to access a file within the wp-admin folder, they'd be blocked.
Security through obscurity is never very secure.
@wpismypuppet: and even if you're on DSL, your IP will change from time to time.
@TWD: See How to Hide The Fact That You’re Using WordPress | Ben Word for some ideas.
I agree, but if you are that concerned about hackers, you'll keep up on your IP address and change your .htaccess file as needed. You'd still have access to your site through FTP, so it shouldn't be an issue. Brute force hackers generally use bots to execute their attacks... those same bots will find the login page, even with obscurity in place.
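An added example, not part of the thread or any poster's own configuration: the IP restriction discussed above written in Apache 2.4 syntax (Require ip), and extended to wp-login.php, which sits in the WordPress root and so is not covered by a file placed in wp-admin. The address 203.0.113.10 is a documentation placeholder, and the rules assume the server permits authorization overrides in .htaccess (AllowOverride AuthConfig).

```apache
# ---------------------------------------------------------------
# File 1: wp-admin/.htaccess   (Apache 2.4, mod_authz_core)
# ---------------------------------------------------------------
# Apache 2.4 replaces Order/Deny/Allow with Require. Anything not
# matching the Require line below is refused with 403 Forbidden.
# 203.0.113.10 is a placeholder: substitute your own public address.
Require ip 203.0.113.10

# Some themes and plugins call admin-ajax.php from the public site
# for visitors who are not logged in. Keep that single file reachable
# so front-end features do not break; the rest of wp-admin stays closed.
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---------------------------------------------------------------
# File 2: .htaccess in the WordPress root (add alongside the
# existing rewrite rules, do not replace them)
# ---------------------------------------------------------------
# wp-login.php lives in the root directory, so the wp-admin rule
# above never applies to it. Restrict it separately.
<Files "wp-login.php">
    Require ip 203.0.113.10
</Files>
```

To verify, request /wp-login.php and /wp-admin/ from an address that is not on the list and confirm both return 403, then confirm the public pages still load normally.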