It looks like you have the plugin Better WP Security http://wordpress.org/extend/plugins/better-wp-security/ installed with the Enable login limits feature activated here /wp-admin/admin.php?page=better-wp-security-loginlimits. You can configure the plugin to stop sending you these messages. But you should have the feature activated, since most likely some bot is trying to login. Or even consider to blacklist this IP … Read more
You can change the original user to a non-admin, but I would not modify the admin users ID in the database to another ID, as this ID is referenced in numerous places, such as in the posts table to indicate the author, custom meta, user meta, etc Instead, consider marking the admin as a subscriber, … Read more
Unfiltered HTML in post content and title is a capability usually reserved for admins. If you don’t want to allow that for your users, don’t make them admins. Sanitation of custom fields has to be provided by the code author. There are use cases for such fields where entering JavaScript code is a desired feature. … Read more
Per the link provided in my comment to your question, if you wish to prevent the editing of files by WordPress, just disable the file editor. To do that add the following to your site’s wp-config.php file: define(‘DISALLOW_FILE_EDIT’,true); Or to disable the file editor and the plugin and theme installation/update system: define(‘DISALLOW_FILE_MODS’,true);
That might be a problem coming from your settings when you created your WordPress website. Are you using a cPanel and an application that automatically takes care of the WordPress installation for you? For example, I use ‘Quickinstall’ (you might be using the same application, or Fantastico or something in that sense). There’s an option … Read more
No, passwords are stored as a hash in the database. This hash is very difficult to reverse. Here is more information how WP encrypts passwords: http://codex.wordpress.org/Function_Reference/wp_hash_password
WordPress nonces are meant to prevent unauthorized execution of code. In the case of meta boxes, they are protecting you against malicious users potentially adding unauthorized meta-information to your posts and pages by forging POST requests. Why wouldn’t you want to use nonces?
YES. You always escape output that originally comes from user submitted data. To be safe, you always escape variable output, period.
Viewing passwords is not possible, because they are not stored anywhere. WordPress stores just the hash of the password, not the password itself. When a user sends her password to authenticate herself, WordPress creates a hash of the sent password and compares that to the stored hash. You should not try to store the passwords … Read more
I would consider it somewhat safe since that’s where your database connection information is also stored. One could easily ruin your website by deleting your whole database if they had access to that file. There are a couple of things you can do to increase security: Move the wp-config file one level outside the root. … Read more