Securing WordPress

I panicked quite a bit when I discovered someone had been repeatedly hitting xmlrpc.php on my install of WordPress. I didn’t realize it was happening until my host alerted me that I was potentially going to exceed resources for the month.

I wasn’t sure what the cause of the overage was initially, so I had to rely on my host’s reporting and server logs. (Poring through weeks of logs sucks, by the way.) My host’s reports showed me the files that were being requested most often. I then searched through logs to see which IP addresses were accessing them most often.

My first step in stopping the attack was to block offending IP addresses via .htaccess:

<Files *>
  # 'files *' applies to ALL files.
  # Apache 2.2 syntax: 'order allow,deny' evaluates the allow rules first,
  # then the deny rules, and a matching deny wins over the blanket allow.
  order allow,deny
  allow from all
  deny from 2.176.5.143
  deny from 2.176.189.90
  deny from 2.179.189.187
  deny from 37.63.168.226
  # and so on...
</Files>

Because I’m not using any apps to publish to my site, I removed the xmlrpc.php file from my site’s root folder and replaced it with an empty file.

My next step was to install Better WP Security. It tracks failed login attempts and auto-blocks after a set number of failed attempts. It allows you to obfuscate the location of /wp-admin and /wp-login.php. It also walks you through a whole host of other recommended changes to better secure your installation. I’ve tried several other security plugins, and this was my favorite, by far.
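Two of the steps above are easy to automate: finding which IPs are hammering a particular file (what I did by hand against the server logs) and spotting the repeated failed logins that Better WP Security alerts on. The following is an added example, not code from this post or from the Better WP Security plugin. It assumes Apache "combined" access-log lines, uses constructed sample entries rather than real log data, and relies on one heuristic: a failed wp-login.php POST re-renders the form with HTTP 200, while a successful one redirects with 302. The function names (`top_clients_for_path`, `failed_login_offenders`, `deny_directives`) are my own.

```python
import re
from collections import Counter

# Apache "combined" log layout (assumption: your host may use a different format).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (documentation-range IPs, not real log data).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Mar/2014:03:12:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:03:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:03:12:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2014:03:12:05 +0000] "GET /2014/03/hello-world/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2014:03:12:09 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2014:03:15:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4510 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2014:03:15:11 +0000] "POST /wp-login.php HTTP/1.1" 200 4510 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2014:03:15:12 +0000] "POST /wp-login.php HTTP/1.1" 200 4510 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2014:03:15:13 +0000] "POST /wp-login.php HTTP/1.1" 200 4510 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2014:03:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
this line is not a valid log entry
"""


def parse_log(text):
    """Yield one dict per parseable line; malformed lines are skipped, not fatal."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def top_clients_for_path(text, path, limit=5):
    """Count requests per client IP for one path (query string ignored), busiest first."""
    hits = Counter(rec["ip"] for rec in parse_log(text)
                   if rec["path"].split("?")[0] == path)
    return hits.most_common(limit)


def failed_login_offenders(text, threshold=3):
    """Return {ip: count} for IPs with at least `threshold` failed login POSTs.

    Heuristic (assumption): a failed wp-login.php POST answers 200 with the
    form again; a successful login answers 302, so 302s are not counted.
    """
    failures = Counter()
    for rec in parse_log(text):
        if (rec["method"] == "POST"
                and rec["path"].split("?")[0] == "/wp-login.php"
                and rec["status"] == "200"):
            failures[rec["ip"]] += 1
    return {ip: n for ip, n in failures.items() if n >= threshold}


def deny_directives(ips):
    """Render 'deny from' lines in the same style as the .htaccess block above."""
    return "\n".join(f"  deny from {ip}" for ip in sorted(ips))


if __name__ == "__main__":
    print("xmlrpc.php hits by IP:", top_clients_for_path(SAMPLE_LOG, "/xmlrpc.php"))
    offenders = failed_login_offenders(SAMPLE_LOG)
    print("repeated failed logins:", offenders)
    print(deny_directives(offenders))
```

Run it against a real access log by replacing `SAMPLE_LOG` with the file contents; the threshold and the 200/302 heuristic are worth checking against your own install before you paste the generated deny lines into .htaccess, since a plugin that rewrites the login URL or a reverse proxy in front of the site can change both.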

Better WP Security emails you whenever there are too many failed login attempts using a particular user name. I deleted the ‘admin’ account long ago, and created a ‘cdharrison’ account instead. I started getting notices that several IPs were trying to log in using ‘cdharrison’. (That freaked me out a bit, but was probably a little too predictable of me.) So, I created a new admin account, logged in as it, deleted ‘cdharrison’ and attributed all of the posts to the new account.

I’m also looking into other solutions, like Wordfence and Bulletproof Security and a few others, but Better WP seems to be working fairly well.

So… so far, so good. I’m not going to pretend my site’s completely invulnerable right now, but it’s in much better shape than it was. So, thank you random internet buttholes: Your attempts to compromise my site have made me consider security quite a bit more than I used to.

What’re you doing to keep your WordPress site secure? Have any best practices you’d share that aren’t covered in the Codex: Hardening WordPress?