Wordpress security on LAMP
Solution 1:
A few steps you can take that should help a fair amount (all are detailed further in the Codex's article on hardening):
- Change the name of the admin account - it's hard to brute-force that password if you have the wrong user name.
- Change the table prefix from the default of wp_.
- There's a plugin called WordPress Firewall that blocks a variety of items, including attempts at submitting requests including suspicious strings like "wp_" (the default database table prefix) and "../../../../". I've seen this cause problems with one plugin that was named with a leading wp_ (most use wp- instead), but I've also received multiple email notifications from the plugin of attack attempts.
- Run regular backups, daily or weekly depending on how frequently your content changes. If you're using the standard backup plugin, it can email those backups to you. Keep in mind that depending on the tool you use the backups may not be encrypted; for encrypted backups you may have to do more fiddling in the guts of scripts.
Solution 2:
There's a good article on this over at the WordPress Support, especially the bits about protecting the /wp-admin directory and wp-config.php. Some more handy tips here, and here are a few other hints:
- Make sure you're running the latest version, and keep it up-to-date. WordPress has suffered from a number of exploits and security problems of late, so make sure you keep abreast of new releases and bug reports; the WP developers' blog is a good source for that sort of thing.
- That last point applies to your Apache/MySQL instances as well; keep 'em patched!
- Set strong root/admin passwords and change them regularly.
- Disable access to as many other services on your box as you get away with; the less there is to attack, the less chance of it happening to you.
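Two of the checks above (the default wp_ table prefix from Solution 1, and wp-config.php being readable by more than the web server user from Solution 2) are easy to audit from the filesystem. The script below is an added example, not code from either answer; the wp-config.php content is a constructed sample, and the `audit_wp_config` / `audit_wp_config_file` function names are my own.

```python
import os
import re
import stat

# Constructed sample of a wp-config.php that still uses the default prefix.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'secret');
$table_prefix = 'wp_';
"""

# Matches the $table_prefix assignment on its own line, single or double quoted.
PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([A-Za-z0-9_]*)['"]\s*;""", re.M)


def find_table_prefix(config_text):
    """Return the configured table prefix, or None if no assignment was found."""
    m = PREFIX_RE.search(config_text)
    return m.group(1) if m else None


def audit_wp_config(config_text, mode=None):
    """Return a list of findings for the given wp-config.php text.

    `mode` is the file's permission bits (st_mode), or None if unknown.
    """
    findings = []
    prefix = find_table_prefix(config_text)
    if prefix is None:
        findings.append("table prefix assignment not found")
    elif prefix == "wp_":
        findings.append("default table prefix 'wp_' in use")
    # wp-config.php holds the DB credentials; group/other should not read it.
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("wp-config.php is readable by group/other")
    return findings


def audit_wp_config_file(path):
    """Audit a real wp-config.php on disk (content plus permission bits)."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return audit_wp_config(text, os.stat(path).st_mode)


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG, 0o644):
        print("FINDING:", finding)
```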