One of the easiest ways to attack a WordPress blog is to target a script in the admin interface or to brute-force the login, and experience shows that a good password alone is not enough. I take two additional steps to protect my admin interface from even the most determined attacker while still allowing access to the editors and authors.
The first step is to enforce a password at the proxy (haproxy) level. This is in addition to the regular WordPress password and forms a gateway that must be passed before the WordPress admin can be reached at all. Only the authors and editors know this password. I could have made it different for everyone, but it is not worth it; I chose one strong password. However, even this may not be enough.
My WordPress admin interface is not even visible to a regular user: the server answers with a 500 Internal Server Error, as if the interface truly did not exist. Only with a magic incantation, by which I mean setting a particular HTTP parameter, does the admin interface become accessible.
Other than the admin interface, the rest of this blog is just static pages. That makes it very fast and leaves no dynamic code exposed to ordinary visitors.
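As an added illustration of both steps (this is not the post's own configuration), here is how they could be expressed in a haproxy 2.x frontend: requests to the admin paths are denied with a 500 unless a gate header carries the expected value, and requests that pass the gate must then present proxy-level credentials before being handed to WordPress; everything else goes to a static backend. The header name `X-Blog-Gate`, its value, the user list, the backend names and the addresses are all placeholder assumptions; the real secret value is not on the page.

```haproxy
# Added example, not the post's own config. All names and values are placeholders.
defaults
    mode http
    timeout connect 5s
    timeout client  30s
    timeout server  30s

userlist wp_editors
    # In a real deployment use `password <crypt-hash>` (e.g. generated with
    # `mkpasswd -m sha-512`) rather than a plaintext `insecure-password` entry.
    user editor insecure-password REPLACE_ME_EDITOR_PASSWORD

frontend web
    bind *:80

    # Step 2: the admin area "does not exist" unless the gate value is present.
    # Without the header the request is answered 500 before any auth prompt.
    acl is_admin  path_beg /wp-admin /wp-login.php
    acl has_gate  req.hdr(X-Blog-Gate) -m str REPLACE_ME_GATE_SECRET
    http-request deny deny_status 500 if is_admin !has_gate

    # Step 1: a proxy-level password, in addition to WordPress's own login.
    acl is_editor http_auth(wp_editors)
    http-request auth realm "Editors" if is_admin !is_editor

    # Only gated, authenticated admin traffic reaches WordPress; the public
    # site is served entirely from the static backend.
    use_backend wordpress if is_admin
    default_backend static

backend wordpress
    server wp 127.0.0.1:8080

backend static
    server files 127.0.0.1:8081
```

The order of the two `http-request` rules matters: the deny runs first, so a scanner without the gate header never sees the authentication challenge and cannot tell the admin path apart from a broken server. If `xmlrpc.php` is left enabled, it also accepts credentials and should be covered by the same `is_admin` ACL.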