Securing Your WordPress Installation
Any time I install WordPress for a client or for myself, I take a few precautionary steps before I adjust settings or begin customizing the theme for use.
The first step is to move your entire site into a subdirectory. This means putting everything in a subdirectory with a unique name, for example: "my_secure_wp_folder". Once you have all your files in this subdirectory, copy the index.php and the .htaccess files to the root directory, as shown in Figure 1:
You will also notice that I like to put all of my resource files into a separate folder in the root directory. With this setup, it is very unlikely anyone will be able to determine your site structure, which makes it that much more difficult to access your site files (view the source of this site for an example).
When this is complete, edit the index.php file in the root folder and where the statement reads "require('./wp-blog-header.php');", change it so that it reads "require('./my_secure_wp_folder/wp-blog-header.php');". Update your .htaccess file accordingly as well.
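The copy-and-edit step above can be scripted so that it fails cleanly instead of leaving a broken index.php in the web root. The shell function below is an added example, not code from the original post; the names relocate_front_controller and make_sample_tree are assumptions. It also goes beyond the statement quoted above by handling the require __DIR__ . '/wp-blog-header.php'; form used by newer WordPress releases.

```shell
#!/bin/sh
# Added example: automates the copy-and-edit step for a WordPress tree that has
# already been moved into a subdirectory. Function names are assumptions.

# relocate_front_controller ROOT SUBDIR
relocate_front_controller() {
    root=$1 sub=$2 src="$1/$2"
    # Restrict the name so it cannot escape ROOT or alter the sed script.
    case $sub in
        ''|*[!A-Za-z0-9_-]*) echo "invalid subdirectory name" >&2; return 1 ;;
    esac
    # Refuse to continue unless WordPress really lives in the subdirectory.
    for f in index.php wp-blog-header.php; do
        [ -f "$src/$f" ] || { echo "missing $src/$f" >&2; return 1; }
    done
    # Rewrite the loader path into a temporary file first, so a failed edit
    # never replaces the index.php in the web root. The first pattern is the
    # statement quoted in the post; the second is the __DIR__ form used by
    # newer WordPress releases.
    tmp="$root/index.php.new"
    sed -e "s#require *( *'\./wp-blog-header\.php' *)#require('./$sub/wp-blog-header.php')#" \
        -e "s#require  *__DIR__ *\. *'/wp-blog-header\.php'#require __DIR__ . '/$sub/wp-blog-header.php'#" \
        "$src/index.php" > "$tmp" || return 1
    if ! grep -q "/$sub/wp-blog-header\.php'" "$tmp"; then
        rm -f "$tmp"; echo "no require statement was rewritten" >&2; return 1
    fi
    mv "$tmp" "$root/index.php" || return 1
    # .htaccess is copied unchanged; its rules still need the manual update
    # the post mentions.
    if [ -f "$src/.htaccess" ]; then cp "$src/.htaccess" "$root/.htaccess"; fi
}

# Constructed sample tree, used only to exercise the function offline.
make_sample_tree() {
    mkdir -p "$1/my_secure_wp_folder" || return 1
    printf '%s\n' '<?php' "define('WP_USE_THEMES', true);" \
        "require('./wp-blog-header.php');" > "$1/my_secure_wp_folder/index.php"
    : > "$1/my_secure_wp_folder/wp-blog-header.php"
    printf '%s\n' 'RewriteEngine On' > "$1/my_secure_wp_folder/.htaccess"
}

# Run against the constructed tree and show the rewritten root index.php.
demo_root=$(mktemp -d) && make_sample_tree "$demo_root" &&
    relocate_front_controller "$demo_root" my_secure_wp_folder &&
    cat "$demo_root/index.php"
rm -rf "$demo_root"
```

The copy of index.php inside the subdirectory is left untouched; only the copy in the root is rewritten.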
You can now begin your WordPress installation using a temporary username, email and password.
By default, when you install WordPress, you are given the unimaginative username of admin. Not only is this username dull, it is also known by anyone who visits your site(s) who happens to have intentions other than reading your blog.
Install WordPress as normal and, once your temporary password for the admin user is given, log in and go directly to Users / Add New. Add a new user with your own, or your client's, details and set the Role as Administrator. This will now be your new Admin User. Log out of WordPress and log back in as your newly created administrator. Once logged in, return to the Users section, select the original admin and delete the user. Go to your Profile page and customize it to your liking.
That's it, that's all. Nothing to it.