20+ Basic Tips To Protect Your WordPress Blog

by S.Pradeep Kumar on December 5, 2009





Over the years an increasing number of WordPress vulnerabilities have been published, and the statistics make interesting reading! :D Below are 20+ basic tips to protect your WordPress blog. I have left out some tips that I considered too complicated for newbies to apply. Sorry!

1. Upgrade : Golden tip. Each new WordPress release contains patches and bug fixes for known security holes, so the single most important step is to keep your blog on the latest version. Upgrade all the plugins and themes you use as well; an out-of-date plugin is as much of a hole as an out-of-date core.

2. Change Username : One of the most elementary measures against being hacked. Change the default WordPress username, admin. If you are still using it you are indirectly helping the attackers, trust me: they only have to guess the password, not the username. Change it to something unusual that you can still remember. See the tutorial below for how to change it.

TUTORIAL : 3 ways to Change WordPress Default Username

3. Hide Plugins : Create an empty index.html file and upload it to wp-content/plugins/. This stops the web server from listing the directory, so a casual visitor cannot see which plugins you have installed. Note what it does not do: it does not block direct requests, so anyone who guesses a plugin's folder name can still fetch wp-content/plugins/<name>/readme.txt and learn its version. It hides the list, not the plugins. Attackers can easily compromise your blog if they discover an out-of-date or vulnerable plugin, so treat this as a small obstacle and not a substitute for updating. You can also switch directory listing off with an .htaccess file (the Apache directive is Options -Indexes).

Update : Newer versions of WordPress already contain an empty index.php in folders like themes, plugins, uploads etc., which does the same job. (Thanks Usman)

MUST READ : Introduction to HTACCESS for Newbies

4. Remove WordPress Version : Remove the WordPress version number that is printed in the head of every page by default (the generator meta tag, which many themes also hard-code, and the ?ver= parameter WordPress appends to script and stylesheet URLs). Advertising the version tells an attacker exactly which known vulnerabilities to try. Hiding it is only an obstacle, not a fix: readme.html in the web root states the version too, and nothing replaces upgrading. Check the tutorial to remove it correctly.

TUTORIAL : How to Remove the WordPress Version Number (The Right Way)
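How much of tips 3 and 4 an attacker can still see is easy to check against your own site. The checker below is an added example, not code from the original post or from WordPress: it takes the body of three responses (the front page, /readme.html and /wp-content/plugins/) and reports every version string and plugin listing it finds. The sample responses are constructed for the example; the hostname blog.example and the readme wording "Version x.y.z" are assumptions.

```python
import re
from typing import List, Optional, Set

# Version leaks: the generator meta tag WordPress prints in <head>, and the
# ?ver= parameter WordPress appends to enqueued script/stylesheet URLs.
GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([\d.]+)', re.I)
VER_PARAM_RE = re.compile(r'(?:src|href)=["\'][^"\']*[?&]ver=([\d.]+)', re.I)
# readme.html in the web root prints "Version x.y.z" (assumed wording).
README_RE = re.compile(r'\bVersion\s+(\d+(?:\.\d+)+)')
# Apache-style directory listing: "<title>Index of /wp-content/plugins</title>"
# followed by one <a href="name/"> per sub-directory.
INDEX_OF_RE = re.compile(r'<title>\s*Index of\s+([^<]+?)\s*</title>', re.I)
LISTING_LINK_RE = re.compile(r'href=["\']([A-Za-z0-9_.\-]+)/["\']')


def versions_from_html(html: str) -> Set[str]:
    """Every version string a page leaks: generator tag plus all ?ver= values.
    A ?ver= on a plugin or theme asset reveals that component's version, which
    is just as useful to an attacker as the core version."""
    found = set(GENERATOR_RE.findall(html))
    found.update(VER_PARAM_RE.findall(html))
    return found


def version_from_readme(text: str) -> Optional[str]:
    m = README_RE.search(text)
    return m.group(1) if m else None


def plugins_from_listing(html: str) -> Optional[List[str]]:
    """None when the server does not list the directory; otherwise the names
    of the sub-directories it exposes (each one is a plugin slug)."""
    if not INDEX_OF_RE.search(html):
        return None
    return sorted(set(LISTING_LINK_RE.findall(html)))


def assess(home_html: str, readme_html: str, plugins_dir_html: str) -> List[str]:
    """Plain-language findings for the three response bodies."""
    findings = []
    for v in sorted(versions_from_html(home_html)):
        findings.append(f"front page leaks a version string: {v}")
    rv = version_from_readme(readme_html)
    if rv:
        findings.append(f"readme.html is reachable and states WordPress {rv}")
    plugins = plugins_from_listing(plugins_dir_html)
    if plugins is not None:
        findings.append("wp-content/plugins/ is listable: " + ", ".join(plugins))
    return findings


# Constructed sample responses (not captured from a real site).
HOME_LEAKY = '''<html><head>
<meta name="generator" content="WordPress 2.8.6" />
<link rel="stylesheet" href="http://blog.example/wp-content/themes/demo/style.css?ver=2.8.6" />
<script src="http://blog.example/wp-content/plugins/demo-plugin/js/app.js?ver=1.4.2"></script>
</head><body></body></html>'''
HOME_CLEAN = '''<html><head>
<link rel="stylesheet" href="http://blog.example/wp-content/themes/demo/style.css" />
</head><body></body></html>'''
README = "<h1>WordPress</h1><br /> Version 2.8.6"
PLUGINS_LISTED = '''<html><head><title>Index of /wp-content/plugins</title></head><body>
<a href="/wp-content/">Parent Directory</a>
<a href="akismet/">akismet/</a>
<a href="stealth-login/">stealth-login/</a>
</body></html>'''
PLUGINS_SILENT = "<!-- Silence is golden. -->"

if __name__ == "__main__":
    for finding in assess(HOME_LEAKY, README, PLUGINS_LISTED):
        print("FINDING:", finding)
```

Feed it real bodies fetched with any HTTP client. Notice two things the sample shows: the ?ver= value on a plugin's own script leaks that plugin's version even after the core generator tag has been removed, and the empty index.html of tip 3 turns the listing into "Silence is golden" but does nothing about a direct request for a plugin's readme.txt.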

5. Registration : Disable open registration unless you run a revenue-sharing blog or accept guest bloggers. To disable it, go to Settings > General and untick the Anyone can register option. While you are there, check that the New User Default Role is Subscriber, so that anyone who does get an account cannot publish anything.

6. Akismet : Automattic Kismet (Akismet for short) is a collaborative effort to make comment and trackback spam a non-issue and restore innocence to blogging, so you never have to worry about spam again. If your blog is not yet protected by Akismet, download it now.

7. Captcha : CAPTCHA is an acronym for "Completely Automated Public Turing test to tell Computers and Humans Apart". A CAPTCHA is a program that can tell whether its user is a human or a computer. CAPTCHAs are used by many websites to prevent abuse from "bots", automated programs usually written to generate spam. You can use reCAPTCHA to stop comment spam, at the cost of some friction for your readers.

8. Stealth Login : Stealth Login allows you to create custom URLs for logging in, logging out, administration and registering on your WordPress blog. It keeps dumb bots from hammering the standard wp-login.php, and an attacker who has your password first has to find the login page. Treat that only as a speed bump: a custom URL does not stay secret for long, and a leaked password must still be changed immediately. Download the Stealth Login plugin.

9. WP API Keys : With these API keys you can use services and enhancements built on the WordPress.com platform, which lets you leverage WordPress.com even if you host your blog elsewhere. Never share your API key; treat it like a password. To get one, sign up for a free WordPress.com account.

EXAMPLE : Install the Akismet anti-spam plugin and enter your WP.com API key, and your blog is protected from spam the same way every blog on WP.com is.

10. Remove or Disable : You have probably tried lots of themes and plugins to check their functionality and never disabled or removed them. Remove all of them now. A deactivated plugin or theme is still a set of PHP files sitting on your web server, and an attacker who finds a known hole in one of them can often reach it with a direct request, whether or not WordPress has it switched on.

11. Hardening WordPress : You can harden the WordPress installation itself. Read the Hardening WordPress document. It covers securing wp-config.php and MySQL, setting file permissions and so on.

12. Security Updates : Subscribe to the WordPress Development blog. When they patch a security hole or release a new version, they usually announce it there. Upgrade as soon as possible after each announcement.

13. Use Role Manager and Sabre : Many blogs allow readers to comment only if they are registered. Use the Sabre plugin to prevent fake registrations by bots; it adds an image verification or maths test to the registration form. Use the Role Manager plugin to define the capabilities of each user role, so you control exactly what users can and cannot do on your blog. Give every account the lowest role it needs.

14. Protect Your Content : Protect your blog's content as well. For a detailed explanation, see the Prevent Content Theft guide from WordPress.com.

RELATED : How To Copyright Your Literary And Creative Work?

15. Adieu Spammer : You can block the IP addresses of spammers so that they cannot comment further. The Bad Behavior plugin does this for you: it checks each visitor's request and IP address and decides whether to treat them as a spammer. WP-Ban lets you display a custom ban message when someone from a banned IP visits your blog, and lets you exclude certain IPs from ever being banned (put your own address there so you cannot lock yourself out).
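Tips 8 and 15 both come down to noticing the same thing in your access log: one address hammering wp-login.php. The detector below is an added example, not code from the post or from the Bad Behavior or WP-Ban plugins. It reads Apache combined-format log lines, counts failed login POSTs per IP in a sliding window, flags an address that succeeded after crossing the threshold, and emits an .htaccess fragment for the addresses to ban. The log lines are constructed with documentation addresses; the 5-in-10-minutes threshold is an assumption you should tune to your own traffic.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, Iterable, List, Optional, Tuple

# Apache/nginx "combined" access-log line; only the fields we need are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')


def parse_line(line: str) -> Optional[Tuple[str, datetime, str, str, int]]:
    """(ip, timestamp, method, path-without-query, status) or None if unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    path = m["path"].split("?", 1)[0]
    return m["ip"], ts, m["method"], path, int(m["status"])


def detect_login_abuse(lines: Iterable[str], threshold: int = 5,
                       window: timedelta = timedelta(minutes=10)
                       ) -> Tuple[List[str], List[str]]:
    """Returns (ips_to_ban, ips_that_probably_got_in).

    A failed wp-login.php POST re-renders the form with HTTP 200; a successful
    one redirects (302) into wp-admin. So: count 200s per IP inside a sliding
    window and ban at `threshold`; separately flag a 302 from an IP that had
    already crossed the threshold, because that is what a successful
    brute-force looks like and it needs an immediate password reset."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    banned: Dict[str, datetime] = {}
    got_in = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != "/wp-login.php":
            continue
        if status in (301, 302):
            if ip in banned:
                got_in.add(ip)
            continue
        if status != 200:
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and ip not in banned:
            banned[ip] = ts
    return sorted(banned), sorted(got_in)


def htaccess_block(ips: List[str]) -> str:
    """Apache 2.2-era .htaccess fragment (the syntax in use in 2009) that keeps
    the listed addresses away from wp-login.php only, so the rest of the blog
    still serves them. Apache 2.4 uses 'Require not ip' instead."""
    lines = ["<Files wp-login.php>", "Order Allow,Deny", "Allow from all"]
    lines += [f"Deny from {ip}" for ip in ips]
    lines.append("</Files>")
    return "\n".join(lines)


# Constructed sample log (documentation addresses, not real traffic).
SAMPLE_LOG = """\
198.51.100.4 - - [05/Dec/2009:10:30:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Dec/2009:10:30:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Dec/2009:10:33:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "curl/7.19"
203.0.113.7 - - [05/Dec/2009:10:33:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "curl/7.19"
203.0.113.7 - - [05/Dec/2009:10:33:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "curl/7.19"
203.0.113.7 - - [05/Dec/2009:10:33:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "curl/7.19"
203.0.113.7 - - [05/Dec/2009:10:33:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "curl/7.19"
203.0.113.7 - - [05/Dec/2009:10:33:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "curl/7.19"
203.0.113.7 - - [05/Dec/2009:10:33:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "curl/7.19"
192.0.2.9 - - [05/Dec/2009:10:40:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Dec/2009:11:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3410 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    to_ban, got_in = detect_login_abuse(SAMPLE_LOG.splitlines())
    print("ban:", to_ban, "reset passwords for:", got_in)
    print(htaccess_block(to_ban))
```

The legitimate user who mistypes once and then logs in is left alone; the scripted client that fails five times in five seconds is banned, and because its sixth attempt redirected, it is also reported as a probable break-in. Banning after the fact is the weaker half of the story, which is why the tip 2 username change and the tip 21 password matter more than any blocklist.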

16. From Matt Cutts : Matt Cutts gives three easy but important ways to protect yourself if you run a WordPress blog. You can read his Three Tips To Protect Your WordPress Installation.

17. Scan The Blog : Download the WP Vulnerability Scanner plugin, activate it and run the WP Scanner. Once you are done with the test, deactivate and delete it: a scanner is just another plugin you do not want left lying around (see tip 10).

18. Secure Source : Yes. Always download themes and plugins from a trusted source, preferably the official WordPress.org directory. Check who the author is and how popular the theme, plugin and site are. Free themes from random sites are a classic way to get hidden spam links or a backdoor bundled into your blog.

19. FTP and Backup : Always keep backups of your blog's files and database. This is a MUST for every blogger. Copy the blog's files to your own computer by FTP regularly. Manual backups are a tedious task, so I recommend the WP Database Backup plugin, which can email you a database dump on a schedule. Keep the copies somewhere other than the server itself, and try restoring one occasionally; a backup you have never restored is not a backup. Even if your database is compromised, you can then restore it from the backup.
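Tip 19 is only half done when the copy exists; you also need to know that the copy is intact and that it restores. The script below is an added example, not code from the post or from the WP Database Backup plugin. It archives a directory (a wp-content tree with a database dump dropped into it, built in a temporary folder for the demo), writes a SHA-256 manifest alongside the archive, restores the archive to a fresh directory and verifies every file against the manifest. File names and the tree layout are assumptions for the demo.

```python
import hashlib
import json
import tarfile
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_for(tree: Path) -> Dict[str, str]:
    """Relative path -> sha256 for every regular file under `tree`."""
    return {p.relative_to(tree).as_posix(): _sha256(p)
            for p in sorted(tree.rglob("*")) if p.is_file()}


def make_backup(tree: Path, archive: Path) -> Path:
    """Writes `tree` into a .tar.gz and a sibling .sha256.json manifest.
    Copy BOTH off the server: a manifest that stays next to the site can be
    rewritten by whoever tampers with the backup."""
    manifest = manifest_for(tree)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(tree, arcname=".")
    manifest_path = Path(str(archive) + ".sha256.json")
    manifest_path.write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest_path


def restore_backup(archive: Path, dest: Path) -> None:
    """Extracts with tarfile's 'data' filter where available (Python 3.12+),
    which refuses absolute paths, '..' components and links escaping `dest`;
    older interpreters fall back to a plain extractall."""
    dest.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(dest, filter="data")
        else:
            tar.extractall(dest)


def verify_tree(tree: Path, manifest_path: Path) -> List[str]:
    """Files that are missing, unexpected, or differ from the manifest.
    Run this on a test restore, not on the live site."""
    expected = json.loads(manifest_path.read_text())
    actual = manifest_for(tree)
    problems = []
    for rel in sorted(set(expected) | set(actual)):
        if rel not in actual:
            problems.append(f"missing: {rel}")
        elif rel not in expected:
            problems.append(f"unexpected: {rel}")
        elif actual[rel] != expected[rel]:
            problems.append(f"modified: {rel}")
    return problems


def demo() -> Tuple[List[str], List[str]]:
    """Round trip in a temp dir: build a constructed wp-content, back it up,
    restore it, verify (clean), tamper one file, verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "wp-content"
        (site / "plugins" / "akismet").mkdir(parents=True)
        (site / "uploads").mkdir()
        (site / "plugins" / "akismet" / "akismet.php").write_text("<?php // plugin\n")
        (site / "uploads" / "db-2009-12-05.sql").write_text("-- constructed dump\n")
        archive = root / "wp-content.tar.gz"
        manifest = make_backup(site, archive)
        restored = root / "restore"
        restore_backup(archive, restored)
        clean = verify_tree(restored, manifest)
        (restored / "plugins" / "akismet" / "akismet.php").write_text("<?php // tampered\n")
        return clean, verify_tree(restored, manifest)


if __name__ == "__main__":
    before, after = demo()
    print("after restore:", before or "OK")
    print("after tampering:", after)
```

The database dump is just one more file under the tree, so the same manifest covers it. The point of the second verify call is the one the tip glosses over: "even if your database is compromised" only helps if you can tell a good copy from a bad one, and a hash manifest kept off the server is the cheapest way to do that.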

20. Read More : These are just the current basic tips to protect your blog. Please also read other blogs to find more interesting and easy measures to protect your WordPress blog.

21. Password : Last but not least. Do not assume your password is hard to break or guess. A long, hard-to-guess password protects your blog to the core; do not reuse it on other sites, and never pair it with the username admin. You can use Microsoft's free web-based tool, Password Checker, to get a rough idea of the strength of a password.
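Tips 2 and 21 are the same rule seen from both ends: an attacker guesses the username and the password together. The checker below is an added example, not code from the post or from Microsoft's Password Checker, and it runs offline so the password never leaves your machine. The deny-list is a small constructed sample standing in for the published breach lists; the 12-character and 60-bit thresholds are assumptions.

```python
import math
from typing import List

# Constructed deny-list; a real one is a published breach/common-password list.
COMMON_PASSWORDS = {"password", "password1", "123456", "12345678", "qwerty",
                    "admin", "admin123", "letmein", "welcome", "wordpress"}
SYMBOLS = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~ ")


def entropy_bits(password: str) -> float:
    """Brute-force strength estimate: log2(pool ** length), where pool is the
    size of the character classes actually used. It is an upper bound and says
    nothing about dictionary words; the deny-list check covers those."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SYMBOLS for c in password):
        pool += len(SYMBOLS)
    if pool == 0:
        return 0.0
    return len(password) * math.log2(pool)


def check_credentials(username: str, password: str,
                      min_length: int = 12, min_bits: float = 60.0) -> List[str]:
    """Problem codes for a username/password pair; an empty list means OK.
    The username is checked too because 'admin' halves the attacker's work."""
    problems = []
    u, p = username.lower(), password.lower()
    if u == "admin":
        problems.append("default-admin-user")
    if len(password) < min_length:
        problems.append("too-short")
    if p in COMMON_PASSWORDS:
        problems.append("common-password")
    if u and u in p:
        problems.append("contains-username")
    if entropy_bits(password) < min_bits:
        problems.append("low-entropy")
    return problems


if __name__ == "__main__":
    for user, pw in [("admin", "admin123"), ("editor", "Tr0ub4dor&3"),
                     ("pradeep", "correct horse battery staple 2009!")]:
        print(f"{user!r}/{pw!r}: {check_credentials(user, pw) or 'OK'}")
```

The second sample pair is the interesting one: a password with every character class still fails on length alone, while a long phrase with only lower-case letters, digits and spaces passes comfortably. Length is what a brute-force attacker cannot buy back with faster hardware.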

MUST READ :

1. Beware Of Social Engineering Attacks

2. Beware Of Phishers – A Brief Review

Having any other basic tips to protect WordPress blogs? Please feel free to share it here! ;)







1 George December 5, 2009 at 10:33 am

Pradeep, you have a great compilation of WordPress security tips. I agree with all points except #7. reCAPTCHA is a big distraction to commenters. I personally keep a distance from commenting on blogs which have activated reCAPTCHA.


2 S.Pradeep Kumar December 5, 2009 at 12:08 pm

George, yes it will be quite annoying for the readers to comment. But it is the best way to prevent SPAM indeed. Cheers! ;)


3 Deepika December 5, 2009 at 11:48 am

Hi Pradeep,

All tips are useful. I am trying to install Prevent Content Theft and WP-Ban on my blog. I don't know about reCAPTCHA. Is that a useful plugin?


4 S.Pradeep Kumar December 5, 2009 at 12:11 pm

Deepika, it tells you whether the commenter is a human or computer-generated! :D

Well, it will be quite annoying for your readers though.

If you use Akismet plugin, then you can remove reCAPTCHA from the list! ;)


5 Senthil Ramesh December 5, 2009 at 12:24 pm

Wonderful, until now my blog is secure. Maybe I will need them in the near future.

P.S: I missed being the first to comment on this. :(


6 S.Pradeep Kumar December 5, 2009 at 12:31 pm

Ha ha.. don’t worry dude.. next time.. :D

Glad your blog is secure! ;)


7 Phaoloo December 5, 2009 at 2:33 pm

Complete useful tricks. When talking about internet security, it seems we all are sheep :)


8 S.Pradeep Kumar December 6, 2009 at 9:16 am

Ha ha.. yeah.. after losing something precious.. we’ll feel! :D


9 Video Sharing December 5, 2009 at 7:30 pm

Hey, it is a very nice and interesting blog post; the tips to protect the WordPress blog are very good... Please tell us the others too which you didn't tell... Thanks a lot.


10 S.Pradeep Kumar December 6, 2009 at 10:16 am

Oops. This article mainly targets newbies. Will put all the tips in next article. Cheers! :)


11 Rajesh Kanuri @ TechCats December 5, 2009 at 10:22 pm

Nice collection of tips.. I don't know about some of them, will work on them to keep my blog safe and updated..


12 S.Pradeep Kumar December 6, 2009 at 10:15 am

Glad you found this article worthy Rajesh! Cheers! :)


13 a_usman December 5, 2009 at 10:31 pm

very good post... I think there is no need to place an index.html file in the plugins folder because new versions of WordPress already contain index.php in different folders like themes, plugins, uploads etc.


14 S.Pradeep Kumar December 6, 2009 at 9:17 am

Thanks Usman for sharing that ! ;)


15 Sriraj December 6, 2009 at 12:17 pm

I wondered why there was an index.php file in every directory. I thought my host had put that there, but now it's clear that it is the WordPress upgrade that has done it.


16 S.Pradeep Kumar December 6, 2009 at 10:17 pm

That’s a good step from WordPress.. :)

I would like to see Akismet.. in WordPress code!


17 Uttoran Sen December 9, 2009 at 7:16 pm

Yep, went to do the same thing and found that the index files are already there... good that WordPress is working to keep its CMS safe :)


18 DoFollow Blogs December 6, 2009 at 10:41 am

Good list man... As George said, captcha is an inconvenience rather than a distraction. Many people don't leave comments when they see more than name/email/comment fields in a comment area. In most cases Akismet should be good enough, I guess.

As for upgrades, it is more of a software engineering psychology. People always preach and customers always blindly believe that a new version of the software is always better than the old. In fact, a platform like WordPress should release minor versions only once in six months and a major version every year or so. It's really stupid of them to keep coming up with silly enhancements and security updates to make bloggers adopt and upgrade. It works with most of us who are from a technical background, and for the rest of the blogging world, it's a pain in the 'you define'.


19 S.Pradeep Kumar December 6, 2009 at 10:25 pm

Yeah, instead of releasing new versions quite often they can release patches or some fixes. That will help I guess.

Thanks for the explanation Ajith! ;)


20 Ashok December 6, 2009 at 10:43 am

These are great tips, indeed! Good collection of safety tips at one place.


21 Tatank Raharjo December 6, 2009 at 7:44 pm

thanks.. good tutorial


22 sriganesh December 6, 2009 at 9:02 pm

nice tips, I am using the antivirus plugin, is this that useful??


23 S.Pradeep Kumar December 6, 2009 at 10:26 pm

Well it will be useful, but not very useful bro! ;)


24 Isaac | GoBlogger December 6, 2009 at 9:23 pm

Hi Pradeep. Long time no visit here. This is a good post. We should not let bad guys like hackers win. We should defend ourselves from them :-)


25 S.Pradeep Kumar December 6, 2009 at 10:27 pm

Yes, long time mate.. glad to hear.. that you are back to blog! Cheers! ;)

And yes, Ban Hackers from WordPress! 8)


26 Penny Stocks December 6, 2009 at 11:18 pm

I am using captcha and Akismet till now to stay away from spam,

and to keep the blog secured I keep regular backups and also change the password frequently.

The other tips I will keep note of and will use them once my blog gets old enough to need securing.


27 George Serradinho December 7, 2009 at 11:06 am

A nice collection of tips to secure and protect your blog. Many users don't realize what can happen and only worry about it once they have been hit.

There are so many plugins to check and help you secure your site more and one should always be on the lookout for new tips and tricks.


28 S.Pradeep Kumar December 8, 2009 at 9:19 am

Yeah.. right George.. many people worry about that after being affected.. bad guys! :D


29 Sanjeev December 7, 2009 at 8:25 pm

This is a nice list and I totally agree with you. WordPress security is very very important and some basic steps like username change, quick upgrade etc. are essential for a WordPress user.


30 S.Pradeep Kumar December 8, 2009 at 9:18 am

Yeah.. absolutely right Sanjeev... simple security tips are easy to apply and they are a MUST for WP users.. ;)


31 appliances December 7, 2009 at 10:35 pm

WordPress security is very very important and some basic steps like username change, quick upgrade etc. are essential for a WordPress user.. thanks for sharing such useful tips..


32 S.Pradeep Kumar December 8, 2009 at 9:17 am

Glad you found these tips useful buddy! Cheers!


33 Uttoran Sen December 8, 2009 at 10:48 pm

nice compilation, I do a lot of those myself, got a hacking hit on one of my blogs some time back and since then am trying to keep safe. Updating the WordPress version is the very important step, one must do it as soon as a new update comes.


34 Fatin Pauzi December 9, 2009 at 8:24 am

You always provide damn great information. I just learned about all the things you've mentioned above. Thanks for the tips, and I need more time to perform them one by one. Thanks again!


35 home security December 9, 2009 at 6:08 pm

Great tips. thanks for sharing that. You have the ability to make posts private and only viewable to those who are on your list.


36 Pavan Somu December 11, 2009 at 7:42 pm

Thanks for the security tips Pradeep


37 S.Pradeep Kumar December 11, 2009 at 7:49 pm

Thanks Pavan..glad you liked it! ;)


38 Sunil Jain December 15, 2009 at 2:45 am

You can also allow only your own IP address to log in to the admin panel.
This can be done using the .htaccess file, I had read it somewhere :)
Sorry, couldn't find the link, just Google it once and see guys :) :)


39 S.Pradeep Kumar December 15, 2009 at 5:55 pm

Thanks for sharing the tip bro… :)


40 Tatank Raharjo December 15, 2009 at 9:56 pm

Your post is helpful to us.. success


41 Ruchi December 23, 2009 at 1:40 pm

Great article. Captcha can be irritating at times; I will adopt a few of the tips you mentioned.


42 Munni December 31, 2009 at 4:12 pm

nice blog..
really appreciate your work!!


43 Kranthi Kiran @ w3devil January 4, 2010 at 10:33 am

Thanks, very helpful to me and to others too.


44 2base tl January 7, 2010 at 9:59 pm

I found your blog on Google and read a few of your other posts. I just added you to my Google News Reader. Keep up the good work. Look forward to reading more from you in the future.


45 Rathan January 31, 2010 at 7:51 pm

Nice work dude, a well constructed article
