First off, notice I said safer, not safe. Hackers enjoy this kind of challenge and it’s pretty hard to guarantee the safety of a blog. That’s why the first thing on the list is:
Regular backups
Back up your database and your theme regularly. Even if you never get hacked, your server could fail and you could lose it all. Download the most recent version of the theme you are using and archive it somewhere safe. Run the export in the admin panel (Tools > Export) and download a backup of your content at least once a month; note that the export covers posts, pages and comments, not the whole database, so it complements a database backup rather than replacing one. Backup plugins like WP-DB Backup can dump your database tables for you. Make sure you have a fresh backup before you update or take any of the steps below.
Don’t advertise for hackers
Lots of themes display the WordPress version in the meta tags. In some, like Thesis, you can turn this off.
Why do you care? Because WordPress releases updates as soon as a way in for hackers is found, and hackers look for older versions they can easily exploit. If you need to remove the version from your own template, here’s what the line looks like (usually in the theme’s header.php):
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
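Deleting that line from the theme is not enough on its own: WordPress core prints the same generator tag itself through the wp_generator action hooked to wp_head, and the version also shows up in the RSS/Atom generator element and in the ?ver= query string on script and stylesheet URLs. The snippet below is an added example, not code from the original post or from any theme; it goes in the active theme’s functions.php and uses only standard WordPress hooks (remove_action, add_filter, remove_query_arg). The function name hide_wp_version_from_assets is made up for this example.

```php
<?php
// Added example for a theme's functions.php: hide the WordPress version.
// Assumes it is loaded by WordPress (the hook functions are WordPress core).

// 1. Stop core from printing <meta name="generator" content="WordPress x.y" />
//    in the page head. Core adds it via wp_generator on the wp_head action.
remove_action('wp_head', 'wp_generator');

// 2. Feeds (RSS/Atom) carry a <generator> element with the version too.
//    __return_empty_string is a core helper that makes the filter return "".
add_filter('the_generator', '__return_empty_string');

// 3. Enqueued scripts and styles get "?ver=<WordPress version>" appended
//    unless the theme/plugin set its own version. Strip the parameter.
//    (Hypothetical function name; the two filters are real core filters.)
function hide_wp_version_from_assets($src)
{
    if (strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
// High priority number so this runs after plugins that add their own ver=.
add_filter('style_loader_src', 'hide_wp_version_from_assets', 9999);
add_filter('script_loader_src', 'hide_wp_version_from_assets', 9999);
```

Two caveats: the readme.html file shipped in the WordPress root also states the version, so delete it after each update, and hiding the number only removes an easy fingerprint; an attacker can still probe for a known bug directly, so this is no substitute for updating.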
Update often
Speaking of updating to avoid known exploits, you really should update often. I generally don’t update immediately but wait to see whether there are any alerts about an update having issues, and then update to the new version.
Delete the admin account
Once you’ve got the blog set up, make one of the other users an administrator and delete the default “admin” account. It is WAY too easy for a bot to start with admin as the username; then it only has to figure out your password. If you’ve already used the admin account for posts, WordPress lets you attribute them to another user when you delete the account.
Make the admin different than the published user
If the metadata of your posts includes your username, don’t make that username an admin. Make it a contributor (or author) and keep a separate admin-only user that never appears on the public site.
Keep out the spiders
Keep search engines from indexing your WordPress folders by putting this in your robots.txt file (a Disallow line only takes effect under a User-agent line):
User-agent: *
Disallow: /wp-*
Two caveats: robots.txt is only a request to well-behaved crawlers, not access control, since attackers ignore it and the file itself is readable by anyone, so it keeps your admin pages out of search results but nothing more. Also, the * wildcard is honoured by the major search engines but isn’t part of the original robots.txt standard, and the pattern above also matches /wp-content/, where your uploads live; list /wp-admin/ and /wp-includes/ instead if you want your images indexed.
If you don’t have a robots.txt file, here’s some info on that.
Lock down your login
Login LockDown is a plugin that records the IP address and timestamp of every failed login to your blog. If an attacker repeatedly hits your blog trying to guess the password, the plugin locks that address out for an hour after 3 failed login attempts within 5 minutes.
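To make the rule concrete, here is an added example of the same policy (3 failures from one IP within 5 minutes locks that IP out for an hour) written as a stand-alone PHP script; it is not the Login LockDown plugin’s code. It runs with the PHP CLI on a constructed list of failed-login events. The class and method names are made up for this example; inside WordPress you would record failures from the wp_login_failed action and consult isLocked() from the authenticate filter, both real core hooks, and keep the state in the database rather than in memory.

```php
<?php
// Added example: in-memory implementation of a 3-failures-in-5-minutes,
// lock-for-1-hour policy, keyed by client IP. Not the plugin's own code.

class LoginLockdown
{
    const MAX_FAILURES    = 3;
    const WINDOW_SECONDS  = 5 * 60;   // failures are counted inside this window
    const LOCKOUT_SECONDS = 60 * 60;  // how long a tripped IP stays locked

    /** @var array<string, int[]> recent failure timestamps per IP */
    private $failures = array();
    /** @var array<string, int> lockout expiry (unix time) per IP */
    private $lockedUntil = array();

    /** Record a failed login. Returns true if the IP is (now) locked out. */
    public function recordFailure($ip, $timestamp)
    {
        if ($this->isLocked($ip, $timestamp)) {
            return true; // already locked; attempts during lockout change nothing
        }
        $this->failures[$ip][] = $timestamp;

        // Drop failures older than the window so old noise never adds up.
        $cutoff = $timestamp - self::WINDOW_SECONDS;
        $this->failures[$ip] = array_values(array_filter(
            $this->failures[$ip],
            function ($t) use ($cutoff) { return $t > $cutoff; }
        ));

        if (count($this->failures[$ip]) >= self::MAX_FAILURES) {
            $this->lockedUntil[$ip] = $timestamp + self::LOCKOUT_SECONDS;
            $this->failures[$ip] = array(); // start fresh once the lock expires
            return true;
        }
        return false;
    }

    /** Should a login attempt from $ip be refused at time $now? */
    public function isLocked($ip, $now)
    {
        if (!isset($this->lockedUntil[$ip])) {
            return false;
        }
        if ($now >= $this->lockedUntil[$ip]) {
            unset($this->lockedUntil[$ip]); // lockout has expired
            return false;
        }
        return true;
    }
}

// Constructed sample events: array(ip, seconds since epoch).
$events = array(
    array('203.0.113.7',  1000),
    array('203.0.113.7',  1060),
    array('198.51.100.2', 1070),   // a different IP is counted separately
    array('203.0.113.7',  1200),   // third failure within 5 minutes -> locked
    array('203.0.113.7',  1300),   // still locked
);

$ld = new LoginLockdown();
foreach ($events as $e) {
    list($ip, $t) = $e;
    printf("%-14s t=%4d locked=%s\n", $ip, $t,
        $ld->recordFailure($ip, $t) ? 'yes' : 'no');
}
// The lock runs 3600 s from the third failure: locked at 4799, free at 4800.
printf("203.0.113.7 at t=4799: %s\n", $ld->isLocked('203.0.113.7', 4799) ? 'locked' : 'free');
printf("203.0.113.7 at t=4800: %s\n", $ld->isLocked('203.0.113.7', 4800) ? 'locked' : 'free');
```

Two things to watch when deploying anything like this: take the client address from the connection (or from a proxy header only when you trust that proxy), because a spoofable X-Forwarded-For lets an attacker rotate addresses at will, and remember that a per-IP lock can shut out every user behind a shared NAT, so log lockouts and give yourself a way to clear one.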
Security Scan
WordPress Security Scan is another plugin that checks passwords, file permissions, database settings and other options and suggests ways to tighten your security.