Securing WordPress Admin

In today's online world security is a top concern. For WordPress maintainers, keeping your installation, themes, and plugins updated is an essential first step, but there are many other things that should be taken into consideration. Today I am curious to get your feedback specifically on locking down the admin section of your WordPress site; after collecting those results I will throw together a post with links to some really great material on locking things down in a more general fashion.

Now as far as the admin section goes, I use a server-side technique that requires both a password and my being at a specific IP address to access the wp-admin section. That may be too strict for most, particularly those on mobile, so here is a little snippet that will force Apache to require a user name and password (all of which are stored server-side) before even displaying the page.
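As an added example (not the snippet from the original post), here is what the Apache side of this setup can look like, assuming Apache 2.4, a site rooted at /var/www/html, a credential file path and realm name chosen here, and a placeholder IP address from the documentation range:

```apache
# Added example (not the snippet from the original post). Apache 2.4 syntax
# for the main server/vhost config; inside a /wp-admin/.htaccess file drop the
# <Directory> wrapper. Paths, the realm name and the IP are placeholders.
#
# Create the credential file once, outside the web root:
#   htpasswd -c /etc/apache2/wp-admin.htpasswd <username>
# (omit -c when adding more users to an existing file)

<Directory "/var/www/html/wp-admin">
    AuthType Basic
    AuthName "WordPress Admin"
    AuthUserFile "/etc/apache2/wp-admin.htpasswd"

    # Stricter variant: a valid user AND a request from a fixed address
    # (203.0.113.10 is a documentation-range placeholder). For password-only
    # access, replace the whole <RequireAll> block with: Require valid-user
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.10
    </RequireAll>

    # wp-admin/admin-ajax.php is also called from public pages by themes and
    # plugins on behalf of anonymous visitors; exempting it avoids breaking
    # those front-end features.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>

# wp-login.php lives in the site root rather than under /wp-admin, so the
# login form stays exposed unless it is covered by the same credentials.
<Files "wp-login.php">
    AuthType Basic
    AuthName "WordPress Admin"
    AuthUserFile "/etc/apache2/wp-admin.htpasswd"
    Require valid-user
</Files>
```

Serve these pages over HTTPS only: Basic authentication sends the credentials base64-encoded (not encrypted) with every request.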

*** Update: A great discussion resulted on Facebook from sharing this post, and I learned something extremely useful. There is a Google Authenticator WordPress plugin which enables two-factor authentication via the Google Authenticator app/service. I already use this technology for a variety of other sites/services, so naturally it was a no-brainer to use it for WordPress.

Here is some important information, from Justin Dessonville, to keep in mind when using this plugin:

"The key is to make sure you have your WordPress general settings timezone set to whatever time zone your phone is in. I'm not sure how this would work if you travel across time zones a lot, but it could potentially lock you out if it's not set up right. Regardless, when both your phone & WordPress instance are set to the same time zone it's been solid for me."

To recap: after the update, I am still using Apache/htpasswd to protect the /wp-admin part of the site, but I have removed the IP checking in favor of the two-factor authentication. I feel just as secure (if not more so), and I don't have to worry about tunneling in via VPN to satisfy the IP check.

The World In Links [April, 2012] -- Code, Mobile, Ruby

The World In Links by Nicholas Kreidberg

Code - My recently updated projects on GitHub.
GitHub - Instantly Beautiful Project Pages.
HTML5 - Toying w/ the HTML5 File System API.
Lifestyle - 8 tips to simplify your work life.
Mobile Security - The top 10 Security Tools For Your Smartphone.
MongoDB - A year with Mongo.
Monitoring - Monitor your Website’s Uptime with Google Docs.
Phono - A simple jQuery plugin and JavaScript library that turns the browser into a phone.
Photography - A showcase of landscape photography.
Ruby - Teach your children Ruby with Kidsruby.
Snippets - Awesome sites to find useful code snippets.
WordPress - Useful action hooks and filters.

The World In Links [3/26-4/1/2012] -- E-Commerce, Music, PHP

The World In Links by Nicholas Kreidberg

Backlift - Easy deployment and hosting for backbone.js apps.

Design - Showcase of vintage and retro web design.

E-Commerce - 10 essential things your site should have.

ImageMagick - Create Instagram filters w/ PHP.

Music - Push music behind 19 startups.

Photography - Inspiring architecture.

PHP - Easy form generation using FuelPHP.

WordPress - 10 SQL queries to clean up your database.