Over on BlogSecurity, there’s a whitepaper on How to create a secure WordPress install. It covers several areas, including MySQL setup, WordPress user configuration, Apache protection of directories, and some useful plugins. I’ve glanced over it, and I have mixed feelings. Here’s a quick list of notes, off the top of my head:
Pros:
- There is detailed information about granting the minimum privileges necessary for the MySQL login. This is a good idea that many people probably don’t think about.
- Creating a less privileged WordPress account for posting, separate from your blog admin login, is also a good suggestion.
- The notes on password enumeration are important. [...]
