WP beginner security question

Well it sounds like you’re Doing It Right. One thing I would strongly recommend is regular backups of your your WordPress database and the wp-content folder (at least the uploads and any custom themes – no need to backup plugins as you can just download and re-install).

That and make sure you local machine connecting to the site is safe (no viruses/malware).

And don’t use untrusted networks (like an open internet point at a coffee shop) to connect to the site and log in.

Oh and make sure your files and folders are using appropriate permissions – see http://codex.wordpress.org/Changing_File_Permissions
You can use your server’s control panel or SFTP client to set these with a nice user interface or you can do it manually using the appropriate commands on a command line.

But yeah, you’re doing good. You can do some more security stuff at the server level to help block malicious requests to the server but that’s more advanced and, to be honest, not really needed unless evidence suggests otherwise.

I have a few suggestions.

Adding this code to your .htacess file will GREATLY decrease the number of brute force attacks you experience. The reason for this is that nearly all brute force attacks are performed by attacking the wp-login.php file directly, NOT by loading the page and actually filling in the login fields. When the attack is performed this way it does not send your website referrer. I was getting about 30-50 login attempts from across the world before I added the referrer code below, and since I added it I have had ZERO.

The same is true for spam comments when they attack the wp-comments-post.php file the same way. By blocking login and comment attempts with any referrer other than your website (or no referrer at all), this code will send the bot back to whatever IP address it came from. Replace yourdomain with whatever your domain is.

RewriteEngine On

# BEGIN Limit Login Access by Referrer
	<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_METHOD} POST
	RewriteCond %{HTTP_REFERER} !^http://(.*)?yourdomain\.com [NC]
	RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
	RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$ [OR]
	RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
	RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301]
	</IfModule>
# END Limit Login Access by Referrer

Also, several files in the wordpress installation list the version of WP you are running. Once a hacker knows what version you are running, it makes it easier for them to exploit any security issues that may exist. Adding this code to the .htaccess will deny access to those files.

# BEGIN Deny Access to Certain Files
	<FilesMatch "readme.html|license.txt|wp-config-sample.php">
	Order allow,deny
	Deny from all
	</FilesMatch>
# END Deny Access to Certain Files

Lastly, adding this code to the functions.php file of whatever theme you are using will strip the wordpress version from your source code

# Remove WordPress Version
	function remove_wp_version() { return ''; }
	add_filter('the_generator', 'remove_wp_version');

# Remove Version Query Strings From JavaScript JS and CSS Stylesheet Files
function _remove_script_version( $src ){
	    $parts = explode( '?', $src );
	    return $parts[0];
	}
	add_filter( 'script_loader_src', '_remove_script_version', 15, 1 );
	add_filter( 'style_loader_src', '_remove_script_version', 15, 1 );

A lot of the security plugins are basically doing what you’ve already done and what we’ve suggested – so basically you can do it without a security plugin if you want.

I’ve used the All-in-one WP Security and Firewall plugin and it provides a bit of everything – limiting login attempts, immediately refusing logins with usernames that don’t exist, .htaccess settings to refuse malicious queries, change the database prefix, database and wp-config.php backups, file permission settings, block IPs, etc. It actually does a decent job of explaining what it’s doing and why.

Do you need to use a security plugin? No. Does it help? It certainly can – but a lot depends on you and your WordPress setup. At any rate, download and test the plugin on a test environment and find out if it’s useful for you and your server environments.

I use BulletProof Security to write my htaccess for protection of my entire site (including wp-admin and a folder for database backups) and to add Custom Code wherever I wish, and it is mostly idle the remainder of the time unless being used to limit failed login attempts. Also, here is a bit of code I use to stop enumeration from being used to discover user names for invasive login attempts:

#### ba00 send username enumeration to Home Page
## see http://llocally.com/blog/2013/08/19/what-is-your-login-username-to-your-wordpress-website/
# BEGIN author & enumeration redirects
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{QUERY_STRING} ^/?author=([0-9]*)
RewriteRule ^(.*)$ /? [L,R=301]
## ba02 send /author/ scans to Home Page
RedirectMatch (?i)^/author.*$ /
</IfModule>
# END author & enumeration redirects

note: The “ba02” part of that stops author scans from returning all posts made by a known author.

great leejosepho

for clarity, you ad the code to your htaccess file?

Yes, and if you want a version of the first part that returns “Forbidden” rather than your Home Page, AITpro has posted two replacement lines here:
http://wordpress.org/support/topic/what-file-permissions-are-needed-while-editing?replies=29#post-4863434

And for anyone who might prefer a plugin, that all began here:
http://wordpress.org/plugins/stop-user-enumeration/