Using WordPress Securely

This post is written for blog readers and blog owners. I am not an expert, only a user. If you find any mistakes or you have some ideas, please feel free to tell me.

For blog readers

Do not register

Most blogs allow non-members to comment, so I can see no reason to register.

How many blogs do you know that support HTTP over SSL? Without it, your password or cookie (a hash-hash-hash of your password) travels in clear text. Your classmates, roommates, colleagues, fellow users of an unencrypted wifi network, brother(s), sister(s) (don’t underestimate females), boy/girl friend(s) (plural is possible, nowadays) or someone who helps pass the notes along are probably enjoying them.

It’s easy to tell whether the blog’s web server supports SSL: a) check the address bar; if you see https, that’s it; or b) read the HTML source and check the login form’s action attribute; if there is https in it, that’s it.

However, SSL may by default be used only for the login itself, meaning your cookie may still be sent insecurely afterwards (the cookie would also need to be set with the secure attribute). You can force https for the whole session, but unauthenticated content may then fail to load.
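The two checks described above, done offline against a saved copy of a login page and the Set-Cookie headers the blog returns. This is an added example, not code from the original post; the page, cookie names and URLs are constructed samples.

```python
"""Added example: does the login form post over https, and is the
session cookie marked Secure?  Sample data below is constructed."""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit


class _FormFinder(HTMLParser):
    """Collect the resolved action URL of every <form> on the page."""
    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            action = dict(attrs).get("action") or ""
            # A relative or empty action inherits the page's own scheme.
            self.actions.append(urljoin(self.base_url, action))


def login_form_uses_https(html, page_url):
    """True only if the page has a form and every form posts to https://.
    A page served over https whose form posts to http:// still fails."""
    finder = _FormFinder(page_url)
    finder.feed(html)
    return bool(finder.actions) and all(
        urlsplit(a).scheme == "https" for a in finder.actions)


def cookie_is_secure(set_cookie_header):
    """True if the Set-Cookie header carries the Secure attribute, so the
    browser will refuse to send that cookie over plain http."""
    attrs = [p.strip().lower() for p in set_cookie_header.split(";")[1:]]
    return "secure" in attrs


# Constructed sample input: a login page whose form posts over http, and
# two cookies, only one of which is marked Secure.
SAMPLE_PAGE = """<html><body>
<form id="loginform" action="http://blog.example/wp-login.php" method="post">
<input type="text" name="log" /><input type="password" name="pwd" />
</form></body></html>"""
SAMPLE_COOKIES = [
    "wordpressuser_c0ffee=alice; path=/; httponly",
    "wordpresspass_c0ffee=0123abcd; path=/; secure; httponly",
]

if __name__ == "__main__":
    print("login form over https:",
          login_form_uses_https(SAMPLE_PAGE, "http://blog.example/wp-login.php"))
    for c in SAMPLE_COOKIES:
        print(c.split("=")[0], "secure:", cookie_is_secure(c))
```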

If someone gets your cookies, they can log in and do whatever you can, like changing your password (I wonder why WordPress doesn’t ask for your old password?). No need to mention what happens if they get your password itself.

Do you know the blog owner?

How do you know s/he didn’t modify a WordPress core file? (Actually, that only needs a line or two, and then s/he can get your password while you are registering or logging in.)

If you really need to register, you must use a unique, special password for each blog.

Once again, password matters

You probably think that even if someone gets the hash of your password it’s OK; at least they don’t have your password in clear text. That’s completely true, unless you use a lazy password! I personally believe there are people who can recite the md5 or sha1 hash of passwords like “123” or “abc” from memory. Yes, some lazy passwords are more complicated than that. But I have also heard there is a DVD that stores the hashes of strings.

For blog owners

Do not allow blog reader to register

There may be security holes in plugins and even in core files (2.3.2). Unless you have a special reason, do not let readers register.

In addition, you will get many spam registrations if your blog is open.

Remove admin account

Remove the admin account. Create two more accounts: one with the administrator role, and another with just enough privilege to publish. The latter is only a suggestion, but you must do the former so that you have an account other than admin.

Remove WordPress version number

This gives bad people a quick idea, but it isn’t very useful for stopping them. They will try everything.

Move core files to other place

I think WordPress core files can be run from another place (I haven’t tried that), but we love using plugins. Not all plugins work normally if you install the core files in a different place. Many plugins have style sheets or JavaScript files residing in their own directory, and they may or may not give correct URIs for those files. In either case, that makes a non-default directory installation meaningless, unless you can put those .css or .js files in another directory.

So, this is really not an acceptable option.

Disable Directory Index

Put

Options -Indexes

in the root .htaccess of your blog. However, this still gives out clues: 403 means there seems to be something there, and 404 means no, there isn’t.

If you want to give 404 for everything, then you need to write some rewrite rules. Is that worth it? It’s up to you.

Add Disallow rules in /robots.txt

Some plugins use URIs like /blog/wp-content/plugins/plugin-A/program.php?a=1&b=2, and this kind of URI may appear in your blog post contents (which makes robots blocking a little bit useless), so robots will go and index them. You can use the inurl:/allinurl: modifiers with the right keywords to get a bunch of vulnerable blogs. Search engines can easily be used in both good and evil ways.

Use the following to block robots from indexing:

User-agent: *
Disallow: /blog/wp-*/

If you have a reason to let /wp-content/uploads/* be indexed, you can add

Allow: /blog/wp-content/uploads/

However, this seems to be non-standard syntax, though the Google Webmaster Tools robots.txt checker still recognizes it.
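A way to confirm what the two rules above actually cover before relying on them: a small robots.txt matcher following the Google-style rules (a * wildcard, a $ end anchor, the longest matching pattern wins, Allow wins a tie). This is an added example, not code from the original post; Python's own urllib.robotparser is deliberately not used because it does not understand the * wildcard, and the robots.txt text is constructed from the post's rules.

```python
"""Added example: Google-style robots.txt matching for the rules in this
post.  The robots.txt content below is constructed, not fetched."""
import re


def _pattern_to_regex(pattern):
    """'/blog/wp-*/' -> ^/blog/wp\\-.*/  ; a trailing '$' anchors the end."""
    anchored = pattern.endswith("$")
    if anchored:
        pattern = pattern[:-1]
    regex = "^" + ".*".join(re.escape(part) for part in pattern.split("*"))
    return re.compile(regex + ("$" if anchored else ""))


def parse_robots(text, agent="*"):
    """Return [(allowed?, pattern)] from the group that applies to `agent`."""
    rules, in_group = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments
        if ":" not in line:
            continue
        field, value = (s.strip() for s in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            in_group = value == agent
        elif in_group and field in ("allow", "disallow") and value:
            rules.append((field == "allow", value))
    return rules


def is_allowed(rules, path):
    """The longest matching pattern decides; on equal length Allow wins;
    a path no rule matches is allowed."""
    best = None                                  # (pattern length, allowed?)
    for allowed, pattern in rules:
        if _pattern_to_regex(pattern).match(path):
            key = (len(pattern), allowed)
            if best is None or key > best:
                best = key
    return True if best is None else best[1]


ROBOTS_TXT = """User-agent: *
Disallow: /blog/wp-*/
Allow: /blog/wp-content/uploads/
"""
RULES = parse_robots(ROBOTS_TXT)

if __name__ == "__main__":
    for p in ("/blog/wp-content/plugins/plugin-A/program.php?a=1&b=2",
              "/blog/wp-content/uploads/photo.jpg", "/blog/2008/01/hello/"):
        print(p, "->", "allowed" if is_allowed(RULES, p) else "blocked")
```

Note that the trailing slash in /blog/wp-*/ means a file directly under /blog/ such as /blog/wp-login.php is not matched by that rule; add a separate Disallow line if you want it covered too.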

Remove unused plugins

Unused plugins can be very out of date and full of beautiful holes from a bad person’s point of view. Remove them, don’t be lazy!

Don’t use plugin list plugin

It’s not worth showing off.

Upgrade ASAP

Both core and plugins. Should I emphasize how important this is?

Subscribe to Security Bulletins

milw0rm (RSS) is the only bulletin I know; I have also been reading some blogs about security. When some people find a vulnerability, they may not inform the plugin’s author and wait for the author to patch the hole. Moreover, if you are using Windows, enjoy the messages for your Windows (I didn’t say Linux is safe).
