1. Do not use "admin", or any part of the site's URL, as the user name; pick something random that is not easy to associate with the site.
2. You must use SSL for the site (this also gives an SEO boost).
3. From codex.wordpress.org:
wp-includes: A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file. Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file, because WordPress can overwrite anything between those tags.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
Note that this won't work well on Multisite.
Securing wp-config.php: the file can be moved one directory above the web root, but that may introduce issues. Alternatively, deny web access to it using .htaccess:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Disable file editing: The WordPress Dashboard by default allows administrators to edit PHP files, such as plugin and theme files. This is often the first tool an attacker will use if able to log in, since it allows code execution. WordPress has a constant to disable editing from the Dashboard. Placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users:
define('DISALLOW_FILE_EDIT', true);
Protect the wp-admin folder: use cPanel's directory password protection or .htaccess.
In the wp-admin folder add another .htaccess:
order allow,deny
allow from xxx.xxx.xxx.xxx
allow from xxx.xxx.xxx.xxx
deny from all
Prevent folder browsing: inside .htaccess set "Options All -Indexes".
Block the world but allow a specific IP:
order deny,allow
deny from all
allow from <YOUR_IP_ADDRESS>
Prevent PHP execution in uploads: if an attacker does get a PHP file onto the server, this at least slows them down by stopping it from executing. Place a .htaccess file in the /wp-content/uploads folder:
# Do not use the php_flag line if suPHP is in use
php_flag engine off
<Files *.php>
deny from all
</Files>
xmlrpc.php: whether to implement this depends on whether any of your plugins use it (for example, Jetpack does).
Add this to your .htaccess rules. Here is an example of what this might look like:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# The added line: send xmlrpc.php requests away
RewriteRule ^xmlrpc\.php$ "http://0.0.0.0/" [R=301,L]
</IfModule>
# END WordPress
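As an added check, not part of the Codex material above, here is a small POSIX sh audit that verifies the hardening items above against a WordPress document root (everything except the xmlrpc.php redirect, which is plugin-dependent). The function names and the sample site it builds are my own constructions; the wp-includes check deliberately only counts a rule placed outside the # BEGIN WordPress / # END WordPress tags, for the reason given above.

```shell
# Added example (not from the Codex): audit a WordPress docroot for the hardening
# items above. Prints OK/MISSING per item and returns the number still missing.

# Print .htaccess with the "# BEGIN WordPress" .. "# END WordPress" section removed:
# WordPress may overwrite that section, so only rules outside it are persistent.
outside_wp_block() {
  awk '/^# BEGIN WordPress/{skip=1} !skip{print} /^# END WordPress/{skip=0}' "$1" 2>/dev/null
}
rule_outside_block() { outside_wp_block "$1" | grep -Fq "$2"; }   # file, literal rule text

audit_wp_hardening() {
  root="$1"; missing=0
  check() {                 # check <description> <command ...>
    desc="$1"; shift
    if "$@" >/dev/null 2>&1; then echo "OK       $desc"
    else echo "MISSING  $desc"; missing=$((missing + 1)); fi
  }
  ht="$root/.htaccess"
  check "DISALLOW_FILE_EDIT true in wp-config.php" \
    grep -Eq "define\('DISALLOW_FILE_EDIT', *true\)" "$root/wp-config.php"
  check "wp-config.php denied by .htaccess" \
    grep -Eiq '<files +"?wp-config\.php"?>' "$ht"
  check "directory listing off (Options -Indexes)" \
    grep -Eiq '^Options .*-Indexes' "$ht"
  check "wp-includes PHP blocked outside the BEGIN/END WordPress tags" \
    rule_outside_block "$ht" 'RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]'
  check "uploads: PHP execution blocked" \
    grep -Eiq 'php_flag +engine +off|<Files +\*\.php>' "$root/wp-content/uploads/.htaccess"
  check "wp-admin: restricted by its own .htaccess" \
    grep -Eiq '^deny from all' "$root/wp-admin/.htaccess"
  echo "$missing item(s) still missing"
  return "$missing"
}

# Constructed sample docroot: wp-config, Indexes and wp-config denial done, but the
# wp-includes rule sits inside the WordPress tags and uploads/wp-admin are untouched.
make_sample_site() {
  mkdir -p "$1/wp-content/uploads" "$1/wp-admin"
  printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$1/wp-config.php"
  cat > "$1/.htaccess" <<'EOF'
Options All -Indexes
<Files wp-config.php>
deny from all
</Files>
# BEGIN WordPress
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
# END WordPress
EOF
}
```

Run it as `make_sample_site /tmp/wp && audit_wp_hardening /tmp/wp` to see three OK and three MISSING lines; against a real site, pass its document root and fix whatever comes back MISSING.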
Other Stuff
Never, ever log on to the site from an untrusted network. Coffee shops, airports, etc. are high risk: a bad person could be sitting there sniffing the traffic and capture both the user name and the password to your site. I'll take a latte with my hack?