Wordpress security tips please

murraybiscuit (Executive Member, joined Oct 10, 2008, Dubai):
I've got a site being nailed by the Turks currently.
Every few weeks something breaks and I have to go fix it.
I'm pretty sure whatever I do they'll be more persistent at finding exploits.
I'm generally pretty good at keeping it up to date with patches & plugin updates.
They haven't actually gotten into the database or gotten any passwords so far but have managed to inject code into template files.
I'm thinking of just blanket blacklisting IP ranges from Russia, Turkey etc., seeing as this is a .co.za site intended for a .co.za audience.
Any other ideas?
 
I just used a .htaccess file to deny the whole IP ranges of people that become problems. Not much we can do, because they will always find something new to exploit.
 
You may also want to add this to .htaccess to deny access to the admin folder except from the specified IPs.

# Put this in wp-admin/.htaccess; replace the addresses with your own.
# Apache 2.2 syntax. On Apache 2.4 (mod_authz_core) the equivalent is
#   Require ip 123.123.12.123 203.0.113.45
# These directives apply to every request method. Do not wrap them in
# <Limit GET POST PUT>: that leaves any method not listed (HEAD, or an
# arbitrary method name) unrestricted, and PHP still runs the script.
# Note that admin-ajax.php also lives in wp-admin, so front-end features
# that call it from other addresses will break unless you exempt it.
order deny,allow
deny from all
allow from 123.123.12.123
allow from 203.0.113.45

Also set the file permissions on wp-config.php to 640; this helped to fix a hacked site.

Good luck
 
Thanks. I did a bunch of stuff.
I think the IP deny stuff is a last resort.
I actually moved wp-config to the parent dir (out of the webroot; WordPress autofinds it somehow).
I also tightened up some permissions and added a bit of XSS kill to Apache directives (most of the attacks seem to be JS related).
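As an added example (not posted by anyone in this thread, and not WordPress's own code), the script below audits the two hardening points discussed above: it locates wp-config.php the way WordPress does (the web root first, then the parent directory, provided the parent is not itself a WordPress install) and checks that its mode is 640 or tighter, and it scans theme template files for the kind of injected JavaScript and obfuscated PHP the original poster describes. The detection patterns are assumptions for illustration, not a complete signature set, and the sample install it scans is constructed inside the script so it runs offline.

```python
"""Audit a WordPress install for the issues discussed in this thread:
  1. wp-config.php location (web root or parent dir) and permissions (640 or tighter)
  2. injected script includes / obfuscated PHP in theme template files
Example code written for this thread; the sample install below is constructed, not real."""
import re
import stat
import tempfile
from pathlib import Path

# Indicators of injected code in theme templates. Assumed patterns for the example;
# tune them for your own site, and expect false positives on legitimate minified JS.
SUSPICIOUS_PATTERNS = [
    ("remote script include", re.compile(r"<script[^>]*\ssrc=[\"']https?://", re.I)),
    ("eval of decoded payload", re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("long hex-escaped string", re.compile(r"(?:\\x[0-9a-f]{2}){8,}", re.I)),
    ("document.write(unescape", re.compile(r"document\.write\s*\(\s*unescape", re.I)),
    ("hidden iframe", re.compile(r"<iframe[^>]*(?:display:\s*none|visibility:\s*hidden|height=[\"']?0)", re.I)),
]
TEMPLATE_SUFFIXES = {".php", ".js", ".html"}


def scan_templates(theme_dir):
    """Return (relative_path, line_number, label) for every suspicious line in theme files."""
    theme_dir = Path(theme_dir)
    hits = []
    for path in sorted(theme_dir.rglob("*")):
        if path.suffix.lower() not in TEMPLATE_SUFFIXES or not path.is_file():
            continue
        with path.open("r", encoding="utf-8", errors="replace") as fh:
            for lineno, line in enumerate(fh, start=1):
                for label, pattern in SUSPICIOUS_PATTERNS:
                    if pattern.search(line):
                        hits.append((str(path.relative_to(theme_dir)), lineno, label))
    return hits


def locate_wp_config(webroot):
    """Mirror WordPress's lookup order: ABSPATH/wp-config.php first, then the parent
    directory, but only if the parent is not itself an install (no wp-settings.php there)."""
    webroot = Path(webroot)
    if (webroot / "wp-config.php").is_file():
        return webroot / "wp-config.php", "webroot"
    parent = webroot.parent
    if (parent / "wp-config.php").is_file() and not (parent / "wp-settings.php").exists():
        return parent / "wp-config.php", "parent"
    return None, "missing"


def check_wp_config(webroot):
    """Report where wp-config.php lives and whether its mode is 640 or tighter."""
    path, location = locate_wp_config(webroot)
    if path is None:
        return {"location": location, "mode": None, "mode_ok": False}
    mode = stat.S_IMODE(path.stat().st_mode)
    # 640 = owner rw, group r, others nothing: fail on group-write or any world bit.
    return {"location": location, "mode": oct(mode), "mode_ok": (mode & 0o027) == 0}


def build_fixture():
    """Constructed sample install (not a real site) so the checks can run offline."""
    base = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    webroot = base / "public_html"
    theme = webroot / "wp-content" / "themes" / "mytheme"
    theme.mkdir(parents=True)
    (webroot / "wp-settings.php").write_text("<?php // core\n")
    # wp-config.php moved one level above the web root, mode 640
    cfg = base / "wp-config.php"
    cfg.write_text("<?php define('DB_NAME', 'wp');\n")
    cfg.chmod(0o640)
    (theme / "header.php").write_text(
        "<?php wp_head(); ?>\n"
        "<script src=\"http://203.0.113.7/x.js\"></script>\n"      # injected remote include
        "<title><?php bloginfo('name'); ?></title>\n"
    )
    (theme / "footer.php").write_text(
        "<?php wp_footer(); ?>\n"
        "<?php eval(base64_decode('ZWNobyAnb3duZWQnOw==')); ?>\n"  # obfuscated PHP dropper
    )
    (theme / "style.css").write_text("body { color: #000 }\n")      # not a template suffix, skipped
    return webroot


if __name__ == "__main__":
    root = build_fixture()
    print(check_wp_config(root))
    for hit in scan_templates(root / "wp-content" / "themes" / "mytheme"):
        print("%s:%d  %s" % hit)
```

Point `check_wp_config` and `scan_templates` at a real web root and theme directory to use it on a live site; a hit only means the line deserves a look, and comparing the flagged file against a clean copy of the theme is the quickest way to confirm an injection.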
 