This guide should be relevant for both WordPress 2.92 (the most recent stable release as of this writing) as well as WordPress 3.0.

Overview:

-Preliminary steps for securing your WordPress install
-Changing defaults in WordPress to implement “security by obscurity”
-Choosing strong passwords
-Installing and configuring the Secure WordPress plugin
-Keeping WordPress updated and backed up
-And we’ll take a first look at some advanced security measures

Preliminary steps:

1. Secure your computer
As the WordPress codex says: “None of the following makes the slightest difference if there is a keylogger on your PC.” Make sure you are running anti-virus and anti-spyware software, and make sure said software is up to date. If you’re on Windows and don’t have any antivirus installed, I recommend AVG Free and Windows Defender.

2. Make sure you’re installing the latest stable version from WordPress.org.

3. If you already have another installation or WordPress or other database software on your server, and your host allows it, create completely new database and a brand new database user that only has access to the new database. This is to insulate your other sites in case someone compromises this installation of WordPress.

Installation:

We’ll follow the basic steps of the famed 10 minute install, but we’ll make a few changes to the default settings along the way.

1. First we’ll change the default table prefix (You won’t be able to change this if you’re installing using Fantastico):

If you’re installing manually you’ll see a screen that look like this:

Change the “Table Prefix” field to something else. Be sure to leave the underscore (_). You should have something that looks like this:

2. Next we’ll change administrator’s username. The default is “admin.” Change this to something secret. You’ll have the option later to set a “nickname” – that’s what your readers will see.

Be sure to use a strong password. Notice how WordPress helps let you know whether your password is weak or strong.

Some tips for creating a strong password:

You shouldn’t use any part of your name, username, or the site name in the password.
It should be at least 8 characters long
It should include numbers and symbols in addition to letters
You child’s first name and date of birth may be easy to remember, but is easy for anyone who knows anything about you to guess.
Here’s a strong password generator to help you out.

If you’re using Fantastico you’ll change the administrator username when you setup the new installation. Fantastico doesn’t help you create strong passwords, so you’ll be on your own. Follow the advice above and you should be ok.

3. Finish installing WordPress and login.

4. Next we’ll want to stop WordPress from displaying its verstion number anywhere on the site. I use the plugin Secure WordPress. It also provides some other security features we’ll look at in a moment.

On the dashboard, mouse over Plugins and click the arrow

Click Add New

In the search field, type “Secure WordPress” and click “Search Plugins”

Find Secure WordPress. To make sure you have the write plugin, verify that it is the one by Frank Bültge.”

Click “Install Now” and then click “OK.” On the next screen click “Activate Plugin.”

5. On the next screen, click “Settings” under “Secure WordPress”

You can leave all these settings alone, but if you’re not planning on using Windows Live Writer you should check “Remove Windows Live Writer link in wp_head of the frontend” and then click “Save Changes.”

Congratulations! You’re now ahead of the curve in terms of WordPress security.

Keep WordPress up-to-date, keep plugins up-to-date

The most important thing you can do now is keep WordPress up-to-date. When new versions of WordPress area available you’ll see a notice on the dashboard when you login:

Click the “Please update now” link to see your update choices. The easiest way is to just click “Upgrade Automatically.” If for whatever reason you can’t upgrade automatically, you can download the newest version and follow the included upgrade instructions.

You’ll also want to keep you plugins updated. You should frequently click on the Plugins link on the dashboard and check for notification that look like this:

Again, upgrading automatically is the easiest method. If you can’t upgrade automatically, follow each plugin’s upgrade instructions.

Backup often

Finally, you’ll want to backup your WordPress database frequently in case anything should ever happen to your WordPress install. WordPress Database Backup makes this a snap. We’ll cover database backups in a future article.

Advanced security

If you want to get your hands dirty with advanced security measures, you can lockdown your WP-Admin folder. We’ll look into the specifics of doing this in the future, but if you want to get started now check out the AskApache Password Protect plugin.

And for bonus paranoid points, you can use Open Source Tripwire to monitor your WordPress files for unexpected changes. In the comments, David pointed out that Open Source Tripwire is no longer maintained, and suggested some alternatives. But here’s a plugin specifically designed for monitoring your WordPress files. Works right out of the box!

This plugin will soon make it onto the WordPress plugin repository and is not tied strictly to the themes that iThemes offers. I wanted to take a moment to say that a plugin such as this could have easily been released to only iThemes customers to make it as easy as possible for them to upgrade their products but instead, they have released this to the entire WordPress community. Thanks!

Speaking of security, the security through obscurity argument regarding the public display of the version number of WordPress in the source code was over once the code for WordPress was available to the public. Matt Mullenweg mentioned this in his post regarding how to keep WordPress secure.

Hide the WordPress version, they say, and you’ll be fine. Uh, duh, the worm writers thought of that. Where their 1.0 might have checked for version numbers, 2.0 just tests capabilities, version number be damned.

So, I’m with Google in that including the version number in the source code can do more good than harm. In order to receive these update notifications from Google, you’ll need to have a Google Webmaster Tools account with a site attached.

The majority of people in the WordPress community have continuously advised removing this generator from being seen in the source code as a means of security. Will this line of thinking continue, or will we see more people add or leave it in to take advantage of the updates from Google?

Just upgraded three plugins in about 30 seconds using one-click upgrade — wish you could do them all at once though.

Well, now you can. I attended the WordPress developers chat today and according to the devs, the bulk upgrader works, all it needs now is to be tied into the API along with some cosmetics. I’m sure there are plenty of you, including myself that is pleased to see this addition to WordPress. However, I wonder what happens if during a bulk upgrade, one of the plugins fails. Does the upgrader skip the plugin and move on to the next one or does it ruin the entire upgrade? Looking forward to the answer in the comments.

As per the screenshot, the majority of those using WordPress 2.8.5 with version 3.1.7 of the Google XML Sitemaps plugin reported that it’s working. The beauty of this system is that it leverages the community in order to figure out what works with what. However, just because it works for the majority of users is no guarantee it will work on your particular setup. But using these statistics, it should make it easier to figure out whether the issue is with the plugin and WordPress or with your setup.

One of the biggest fears users have when it comes time to upgrade WordPress is whether their plugins will work on the newest version or not. There are a large handful of people who upgrade to the latest version of WordPress as soon as it’s released and the hope is, these folks will visit the plugin page and report their findings for others to take advantage of. If more users see that their plugins work on the newest version, they are more likely to upgrade.

What are your thoughts on this system? Any ideas to enhance it?

I’ve personally upgraded two of my blogs — one manually, and one using Keith’s awesome WordPress Automatic Upgrade plugin. In both cases, I ran into no issues aside from a few incompatible plugins (you did check the list, right?).

To get the ball rolling, here are several links to some upgrade experiences around the web. My hope is to make this post a resource with a list of upgrade guides and experiences. Please feel free to add your own in the comments below (only one link please).

• Alex Frison shares with us how to upgrade 2.5 in 5 minutes.
• Random View shares his experience with upgrading to 2.5.
• Christer Edwards discusses updating, not one, but multiple blogs to WP 2.5 with no issues.
• Jeffro2pt0 discusses his transition to 2.5.
• And of course Socialized Software provides us with an in-depth WordPress 2.5 Review (link removed for suspicion of XSS).

So what was your upgrade experience like?

I know I’ll be one of the first to upgrade my blog when I have the chance. When will you upgrade yours?

*Note* WordPress 2.5 was TENTATIVELY  scheduled to be release on March 10th, 2008. However, it looks like it’s not ready for production treatment and thus, has not been released.