MadcapBaby's on FirePremium
Securing a WP install, as much as one could.
I've already posted this in one place, but there are brighter minds over here and I welcome their help if they so choose to give it. I know, unlike many newcomers, that no matter how much I try to harden the installation, use plug-ins and common sense, WordPress is such a giant target that I may get hammered. I've done some things to the basic install to eliminate the easier routes into WP. Among other plugins I have chosen two to help me with security:
Better WP Security is the first of two I use. It has many great features for securing your WP install, from changing WP admin path names, switching table prefixes, taking admin off user id 1, detecting and blocking bots and brute force attacks, and enforcing strong passwords to creating a separate database backup and emailing it to me. Many good features.
Bulletproof Security is the second, specifically for security. This one handles a lot of the .htaccess security. It rewrites them to improve the security or, in places where there are none, it has built-in .htaccess files to place there (such as /wp-admin/ ) to make sure I can try and make it all as secure as possible.
I myself use strong passwords. I have deactivated registration to this site; all users will be handmade accounts and there will be few of those. I already use secure passwords that cannot be socially engineered. Even though this plug should never draw attention from hackers, I'm going ahead with such measures to make sure I'm not why my server goes down.
If you have more suggestions for me on security plug-ins (I've already done a poll on cache plug-ins so I'm set there) or other plug-ins you think would help feel free to PM me here or better, email me! basementcommando @ gmail.com
Keep core updated.
Keep plugins updated.
Harden the meta area by muting the generator tag. In feeds too. Google how to do this if your security plugins aren't already doing it. Test it (view source) to make sure it worked.
Limit wp-admin access to your IP address via a wp-admin/.htaccess file containing:
deny from all
allow from your.numeric.ip.address
You can restrict access to wp-login.php (and deny access to wp-signup.php and wp-register.php) likewise in your root .htaccess, however in your case you may not be able to because you mentioned requiring several users.
In reading the plugin pages for the plugins you listed, it appears they do at least some of this, but always verify.
Scott Brown Consulting
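The "test it (view source)" step for the generator tag, automated as an added example that is not part of either post above: it scans saved page and feed source for generator disclosure. The function names and the sample markup (version 0.0) are constructed for illustration; run it against source saved from your own site.

```python
# Added example: find WordPress generator disclosure in page and feed source.
from html.parser import HTMLParser
import xml.etree.ElementTree as ET


class _MetaGeneratorFinder(HTMLParser):
    """Collects the content of every <meta name="generator"> tag."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        if a.get("name", "").strip().lower() == "generator":
            self.found.append(a.get("content", ""))


def html_generators(html_source):
    """Return the generator strings disclosed in an HTML page."""
    finder = _MetaGeneratorFinder()
    finder.feed(html_source)
    return finder.found


def feed_generators(feed_source):
    """Return generator strings from an RSS or Atom feed of your own site.
    RSS 2.0 puts a URL in the element text; Atom adds uri/version attributes."""
    found = []
    for el in ET.fromstring(feed_source).iter():
        if el.tag.rsplit("}", 1)[-1] == "generator":  # drop any XML namespace
            parts = [el.text or "", el.get("uri", ""), el.get("version", "")]
            found.append(" ".join(p.strip() for p in parts if p.strip()))
    return found


# Constructed samples: what an unhardened install emits, then a hardened page.
SAMPLE_HTML = '<html><head><meta name="generator" content="WordPress 0.0" /></head></html>'
SAMPLE_RSS = ('<rss version="2.0"><channel><title>t</title>'
              '<generator>https://wordpress.org/?v=0.0</generator></channel></rss>')
SAMPLE_ATOM = ('<feed xmlns="http://www.w3.org/2005/Atom">'
               '<generator uri="https://wordpress.org/" version="0.0">WordPress</generator></feed>')
HARDENED_HTML = '<html><head><title>Blog</title></head><body></body></html>'

if __name__ == "__main__":
    for label, hits in [("page", html_generators(SAMPLE_HTML)),
                        ("rss", feed_generators(SAMPLE_RSS)),
                        ("atom", feed_generators(SAMPLE_ATOM)),
                        ("hardened page", html_generators(HARDENED_HTML))]:
        print(label, "->", hits or "no generator disclosed")
```

An empty list from both functions for the home page and every feed means the generator tag is muted in both places.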