The First 5 Steps for Stronger Wordpress Security

Even for do-it-yourself blogs, Wordpress is pretty secure from the get-go. But you must still do more to ensure you never see that dreaded "You've been hacked" homepage on your blog. I assume you intend to run a very popular site, but here are 5 easy steps you should follow, even if you will be the only person to ever come visiting.

THE FIRST 5 STEPS AFTER THE 5 MINUTE INSTALL

1. Immediately create an Editor user for all your content administration, and an Author user for your content creation, saving the in-built 'admin' user for design and admin issues only. For a small or single-user blog, you may choose to use this Editor role account for your regular content creation as well, but never, ever blog as admin. For one, it leaves you vulnerable to hackers, and second, it alerts the world that you are not security-conscious — inviting unwanted attention from hackers who would have otherwise left you alone. See number 10 below.

Somehow the question that always seems to come up at this point is: Do I need to change the administrator's username (admin)?

I don't think so — "Security through obscurity never works." And in Wordpress there really is no strong obscurity for the admin username: it is much easier to discover the admin username than to crack the password. So just follow safe practices when using and accessing this account, and you should be good.

If you are still so inclined to muck around with admin-related settings:

  • You might want to consider changing the name of the admin folder, wp-admin. While I don't think this should be the first thing you do, you can find details in an excellent article by Michi.
  • You may also want to block access to the wp-admin folder via a .htaccess file, as described by Reuban Yau. If you are denying access based on IP address, make sure you list at least one IP address that you can ALWAYS access the site from, or you will have successfully blocked access to your own site. Welcome to the wonderful world of Self-DOSing…
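As an added example (not from the original post, nor from the Michi or Reuban Yau articles it links), here is a small shell script that writes a wp-admin .htaccess restricting access to a list of addresses, and refuses to write anything when no address is supplied, which is exactly the self-DOS check the bullet above asks for. It assumes Apache 2.4 with .htaccess overrides enabled for the WordPress directory; the IP addresses and paths are constructed sample values.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Restrict wp-admin to listed addresses via .htaccess, refusing to proceed
# when no address is given so you cannot lock yourself out of your own site.
# Assumes Apache 2.4 (Require syntax) with AllowOverride enabled.

# write_wp_admin_htaccess <wp-admin dir> <allowed ip or cidr>...
# Returns 1 and writes nothing when no address is supplied.
write_wp_admin_htaccess() {
  dir="$1"; shift
  [ "$#" -gt 0 ] || { echo "refusing: no allowed IP given, you would lock yourself out" >&2; return 1; }
  [ -d "$dir" ] || { echo "refusing: $dir is not a directory" >&2; return 1; }
  {
    echo "# Generated: restrict wp-admin to listed addresses (Apache 2.4 syntax)."
    echo "# Apache 2.2 equivalent: Order deny,allow / Deny from all / Allow from <ip>"
    echo "<RequireAny>"
    for ip in "$@"; do
      echo "  Require ip $ip"
    done
    echo "</RequireAny>"
    echo ""
    echo "# admin-ajax.php lives in wp-admin but is called from the public site by"
    echo "# many plugins and themes; keep it reachable or those features break."
    echo "<Files admin-ajax.php>"
    echo "  Require all granted"
    echo "</Files>"
  } > "$dir/.htaccess"
}

# count_allowed_ips <wp-admin dir>: number of "Require ip" lines in the file,
# a quick sanity check to run before you log out of your current session.
count_allowed_ips() {
  grep -c '^ *Require ip ' "$1/.htaccess"
}

# Usage (constructed values): your home address plus a fallback such as an
# office or VPN egress range, so one changed address cannot lock you out.
# write_wp_admin_htaccess /var/www/html/wp-admin 203.0.113.10 198.51.100.0/24
# count_allowed_ips /var/www/html/wp-admin
```

Before closing the browser session you used to create the file, open the dashboard from a second session so that a typo in the address list is caught while you can still remove the file.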

2. Install the Bad Behavior spam-blocking plugin. I've found this plugin to be very effective at preventing spam from cluttering up a blog site. Imagine spending 5 minutes a day cleaning up spam, or even longer if you've got a slow internet connection. That's 5 X 365 = 1825 mins = 30 hours = 1.5 days a year, just cleaning up blogspam. I don't know about you, but I'd rather spend that extra day and a half posting a few more articles or with my girl. ;)

Also, I want to echo here the sentiments of "Otto42" on why captchas don't work. I remember reading somewhere of a spammer who created automated YahooMail id creation scripts, by simply downloading every single Yahoo captcha image, then storing the code/number for that captcha in a database, and using that code automatically whenever the same image came up.

3. Control the urge to load every theme and every plugin. Not only will this leave you open to any vulnerability in the activated plugins, but it also slows down your site. Remember, security is not just about confidentiality and integrity of information, but also about (timely) availability of that information. By slowing down your site by just 20%, you may make a thorough browsing of your site impossible for a dial-up internet user. (Yes, Virginia, dial-up users DO still exist.)

Having fewer plugins and themes also makes it easier for you to keep track of the inter-relations between them, as well as to pinpoint which plugins and themes overwrite or interfere with your customizations.

While I encourage you to try out all the themes, plugins, and widgets you can get your hands on, just remember to do the following once you've had your fun:

  • Deactivate all unused plugins.
  • Remove any and all unused themes and plugins from your wp-content directory. This includes the default Wordpress themes.

4. Speaking of plugins… You should consider the following:

Just remember the caveats that go along with each of the plugins. You are responsible for the proper functioning of your site, but hey, isn't it that same control that drove you to managing your own blog in the first place? "With great power, comes great liability…."

5. Make the permissions on the Wordpress directories as restrictive as possible while still allowing the blog to function. If you are doing a self-install, you will likely have access to the actual install directories on the webhost.

  • Set the permissions for each directory to be at least as restrictive as those given in the Wordpress "File Permissions" Doc.
  • Place blank index.html (Apache) or default.htm (MS-IIS) files in every folder to prevent directory listing, though most web servers can also be configured to disable directory listing outright.
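As an added example (not from the original post or the Wordpress "File Permissions" doc it cites), here is a shell script that applies the doc's baseline of 755 on directories and 644 on files, tightens wp-config.php to owner-only, and drops a blank index.html into every directory that has neither an index.html nor an index.php, which is the fallback for servers that still list directories. It assumes the files are owned by the account PHP runs as (the usual case on a self-install with suPHP or PHP-FPM), so owner-only 600 on wp-config.php and owner-write on wp-content/uploads are workable; where PHP runs as a different user you would use 640 with the web server's group instead. The paths and sample files are constructed.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Apply the baseline from the WordPress "File Permissions" doc (dirs 755,
# files 644), tighten wp-config.php, and add blank index files.
# Assumption: files are owned by the account PHP runs as, so owner-only
# write on wp-content/uploads is enough for media uploads to keep working.

# harden_wp_tree <wordpress root dir>
harden_wp_tree() {
  root="$1"
  [ -d "$root" ] || { echo "no such directory: $root" >&2; return 1; }

  # Directories stay traversable by the web server; files need no execute bit.
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +

  # wp-config.php holds the database password: owner read/write only.
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi

  # A blank index.html per directory stops Apache directory listings where a
  # host has not disabled them; skip directories that already serve an index.
  find "$root" -type d | while read -r d; do
    [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || {
      : > "$d/index.html"
      chmod 644 "$d/index.html"
    }
  done
}

# check_wp_tree <wordpress root dir>: returns 0 only when every directory is
# 755, every file is 644 (wp-config.php 600), and every directory has an index.
check_wp_tree() {
  root="$1"
  [ -z "$(find "$root" -type d ! -perm 755)" ] || return 1
  [ -z "$(find "$root" -type f ! -name wp-config.php ! -perm 644)" ] || return 1
  if [ -f "$root/wp-config.php" ]; then
    [ -z "$(find "$root" -name wp-config.php ! -perm 600)" ] || return 1
  fi
  # The subshell exit status becomes the pipeline's, and so the function's.
  find "$root" -type d | while read -r d; do
    [ -e "$d/index.html" ] || [ -e "$d/index.php" ] || exit 1
  done
}

# Usage (constructed path): harden, then verify before moving on.
# harden_wp_tree /var/www/html && check_wp_tree /var/www/html && echo "ok"
```

Run check_wp_tree again after any plugin or theme install: some installers create directories with the umask of the FTP or PHP process rather than 755, and re-running the check is cheaper than discovering it during an incident.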

Well, is that it? Not by a long shot…. that was just what you needed to do immediately upon loading Wordpress. The list continues with some steps you should take very soon after, or on an ongoing basis. Hey… read 5 steps, get 5 free, what could be better!

