Securing WordPress Admin

In today's online world security is a top concern. For WordPress maintainers keeping your installation, themes, and plugins updated is an essential first step but there are many other things that should be taken into concern. Today I am curious to get your feedback specifically on locking down the admin section of your WordPress site and after collecting those results I will throw together a post with some links to some really great material on locking things down in a more generalized fashion.

Now as far as the admin section goes, I use a server-side technique that requires both a password an me being at a specific IP address to access the wp-admin section. That may be too strict for most, particularly those on mobile so here is a little snippet that will force Apache to require a user name and password (all of which are stored server-side) before even displaying the page.

*** Update: A great discussion resulted on Facebook as a result of sharing this post and I learned something extremely useful. There is a Google Authenticator WordPress Plugin which enables two-factor authentication via the Google Authenticator app/service. I already use this technology for a variety of other sites/services so naturally it was a no brainer to use it for WordPress.

Here is some important information to keep in mind when using this plugin from Justin Dessonville:

"The key is to make sure you have your wordpress general settings timezone set to whatever time zone your phone is in. I'm not sure how this would work if you travel across time zones a lot, but it could potentially lock you out if it's not setup right. Regardless, when both your phone & wordpress instance are set to the same time zone it's been solid for me."

To re-cap: after the update, I am still using Apache/htpasswd to protect the /wp-admin part of the site, but I have removed the IP checking in favor of the 2-factor authentication. I feel just as secure (if not more) and I don't have to worry about tunneling in via VPN to satisfy the IP check.