http://www.webmasterworld.com

Content Usage and Management

  
Securing WordPress
Matt Cutts advice
reprint


#:3628516
 7:13 pm on April 16, 2008 (utc 0)

"Here are three easy but important ways to protect yourself if you run a WordPress blog:"
http://www.mattcutts.com/blog/three-tips-to-protect-your-wordpress-installation/

Posted on his blog back in Jan but still good advice.

I would add

Get themes only from author's site
Keep plugins up to date
Get plugins from reliable sources

Anyone have any others?

ergophobe


#:3628561
 8:13 pm on April 16, 2008 (utc 0)

Nice catch.

I don't know about limiting by IP since just looking, for example, at my profile in WebmasterWorld, there are a lot of IPs there. If you're connecting over a regular DSL connection, your IP probably changes a lot.

The WP Codex has some tips too:
http://codex.wordpress.org/Hardening_WordPress

Webwork


#:3640517
 4:19 pm on May 2, 2008 (utc 0)

I've recently read some comments by some very savvy folks that have suggested that WP, even "patched and up to date", is an easy target for hacking.

IF I follow the advice outlined in this thread, including following the steps outlined in the linked to or referenced material, will my WP site still be an easy target for hackers to penetrate?

If "yes" then what more ought to be done? (I assume if you know that WP - even with the latest "security patch" - can be hacked then you must know "how" it can be hacked.)

If "yes" then what, exactly, are examples of the "known but not fixed vulnerabilities"?

Is WP, patched and up to date, secure or not? If not, then what more needs to be done to lock it down?

And please don't answer by stating that the answer to WP security is "don't use it". If you're so cocksure it's vulnerable then state the vulnerability.

Otherwise your "it's easy to hack" cockiness will be deemed to be flaccid cockiness. ;-P

[edited by: Webwork at 4:38 pm (utc) on May 2, 2008]

ergophobe


#:3640578
 5:50 pm on May 2, 2008 (utc 0)

Geeze Jeff - glad you edited that. I'm afraid of the first version.

The other Matt (Mullenweg) claims that almost all WordPress installs that get hacked are out of date. I don't want to debate the truth or falsity of that. Instead, I'll let you read what Matt and Lorelle (perhaps the #1 WP blogger) have to say on it:

Matt Mullenweg claims WP is secure if kept up to date
Lorelle adds to what Matt says

These are long articles, so let me give you one takeaway: Matt gives a few methods to keep a WP install up to date and says it should take less than five mins. I recently tested the Semi-Automatic Update Wizard thingie and, yes, takes less than five minutes.

 
