That’s a very good question. And the fact is that since WordPress is so popular, and so widespread, it is subject to a lot more attempts by hackers, especially people that have figured out that there are old versions of WordPress that are a little easier to exploit. So the very first thing that I do, is I try to make sure that I always have my server patched up-to-date.
I think as of this video it is 2.9.2, but already they’re out testing version 3.0. I’m sure that will have a lot more security as well. The other big thing that I do is, you can change your HT access file, .htaccess, which is in wp-admin, and you can basically say, you know what? Only a small number of IP addresses, the ones that I basically, what is called whitelisting, listing out explicitly, are allowed to access my wp-admin directory. So what that does is it says, if you’re just coming from the general internet, you can’t log in; you’ll get a 403, you’ll get a forbidden error. But, if you’re coming from, say, my home IP address, or Google’s corporate IP address, or maybe a small number of IP addresses that I’ve very deliberately chosen, then you are allowed to log in.
So that is the number one way that I protect myself. Besides being patched, try to make sure that you set something so that the hackers can’t get to your admin directory unless they’re coming from a specific small set of IP addresses. That might not be perfect; for example, if your web host happens to get hacked, and people can read database passwords of other customers, or stuff like that, that’s not going to protect you very much. But I would at least do those two things, and that will help keep your WordPress, or any other piece of software, from potentially being hacked.
by Matt Cutts - Google's Head of Search Quality Team
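The IP whitelist described above, written out as an Apache .htaccess file for the wp-admin directory. This is an added example, not a file shown in the video or shipped by WordPress. It assumes Apache with .htaccess overrides enabled, and the addresses 203.0.113.10 and 198.51.100.0/24 are placeholders from the RFC 5737 documentation ranges; substitute the small set of addresses you actually want to allow. It covers both the Apache 2.2 syntax current when the video was recorded and the Apache 2.4 syntax that replaced it.

```apache
# Added example: wp-admin/.htaccess
# Only the listed client IPs may reach anything under wp-admin/;
# everyone else receives 403 Forbidden.
# The server's AllowOverride setting for this directory must permit
# these directives (Limit for the 2.2 block, AuthConfig for the 2.4 block).

# Apache 2.4+ (mod_authz_core): several Require lines are OR'ed together
<IfModule mod_authz_core.c>
    Require ip 203.0.113.10        # placeholder: e.g. a home/office address
    Require ip 198.51.100.0/24     # placeholder: e.g. a corporate range

    # Front-end features (themes, plugins) call admin-ajax.php from any
    # visitor's browser, so that one file stays open to everyone.
    <Files admin-ajax.php>
        Require all granted
    </Files>
</IfModule>

# Apache 2.2 (mod_access): deny by default, then allow the listed addresses
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    Allow from 203.0.113.10        # placeholder
    Allow from 198.51.100.0/24     # placeholder

    <Files admin-ajax.php>
        Order Allow,Deny
        Allow from all
    </Files>
</IfModule>
```

Two things to check after dropping this in. First, wp-login.php lives in the site root, not in wp-admin, so this file alone does not stop password guessing against the login form; a `<Files wp-login.php>` block with the same allow list in the root .htaccess closes that gap. Second, if the address you whitelist is a home connection with a dynamic IP, you will eventually lock yourself out and need shell or FTP access to edit the list, so keep a second allowed address or a way to edit the file without going through wp-admin.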