Security for Corporate WordPress Sites

Update!

The most important aspect is WordPress is also the easiest: keep your WordPress core, themes, and plugins updated.

Lock down things you are not using:

Once your site is rolled out, you probably do not need the plugin and theme editor. Disable this by adding this line in wp-config.php:

define( 'DISALLOW_FILE_EDIT', true );

You might also want to disable plugin & theme update installation & updates (you’ll still have to run your updates manually, of course):

define ( 'DISALLOW_FILE_MODS', true );

Restrict how users can log in:

Protect wp-config.php:

Move wp-content directory to make it more difficult for bots to find out what plugins you have installed

define( 'WP_CONTENT_DIR', dirname(__FILE__) . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://example/' );

Do not backup locally using plugin

Yes, do back up your site. A good hosting service may have options for this. But avoid using a plugin, as these are quite easy to exploit.

Be obscure:

Do not give the admin the username “admin” — it is too easy to guess and is exploitable
Remove WordPress version from header, to prevent identification as WordPress site
Avoid password protect wp-admin — can break front-end ajax requests and with proper login protection

Top it off with security plugins:

The main focus of website security is server-side. But plugins do add an extra layer of security so it never hurts to throw one into the mix.

This article is a composite of several external sources. Full credit to the following for providing excellent advice on keeping WordPress secure:

Blog and News.