How to make your WordPress blog more secure

Google engineer and SEO guru Matt Cutts has posted a handful of tips for WordPress users to help make their blogs more secure. To wit:

  • Secure your /wp-admin/ directory so only specific IPs have access to it.
  • Make an empty /wp-content/plugins/index.html file to hide which plug-ins you’re actually running.
  • Subscribe to the WordPress development blog and stay up to date with the latest patches.
  • Delete the version information from your theme’s header.php file.

To secure your /wp-admin/ directory, create a .htaccess file in it with this code:

Order Deny,Allow
Deny from all
Allow from XXX.XXX.XXX.XXX

where XXX.XXX.XXX.XXX is your IP address. If you are on a dynamic IP connection (cable, DSL), you can instead hostmask the Allow line, that is, give only the leading part of the address so that your provider's whole range is allowed.
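As an added example (not from the original post), here is a complete /wp-admin/.htaccess that shows both forms of the Allow line from the tips above, a fixed address and a hostmasked one, and adds the equivalent Apache 2.4 Require syntax, since the Order/Deny/Allow directives only work on 2.4 when mod_access_compat is loaded. The addresses are from the 203.0.113.0/24 documentation range and stand in for your own; the optional admin-ajax.php exception is an assumption about your setup, needed only if front-end code on your site calls that file.

```apache
# /wp-admin/.htaccess  (added example, not code from the post)
# 203.0.113.x is a documentation range standing in for your own address.

# Apache 2.2 syntax, as used in the post
<IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
    # a single fixed address
    Allow from 203.0.113.7
    # hostmask for a dynamic-IP connection: a partial address matches
    # every client whose address begins with 203.0.113.
    Allow from 203.0.113.
</IfModule>

# Apache 2.4 equivalent (mod_authz_core); several Require lines at the
# same level are combined as "any of these", like the Allow lines above
<IfModule mod_authz_core.c>
    Require ip 203.0.113.7
    Require ip 203.0.113.0/24
</IfModule>

# Optional (assumed): let everyone reach admin-ajax.php if your theme or
# plugins call it from the public side; leave this out otherwise.
<Files admin-ajax.php>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Allow from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
</Files>
```

Test it from an address outside the allowed range: a request for /wp-admin/ should return 403 Forbidden, while a request from the allowed address shows the login page. A partial address must end with the dot, otherwise Apache treats it as a hostname.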

Instead of adding a blank index.html to the plugins folder, I recommend turning off mod_autoindex across your site and only enabling it on a per-directory basis (my media folder, for example). At your site's web root, add this code to disable mod_autoindex:

Options -Indexes
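To show the per-directory part of that advice, here is an added example (not from the post) of the two .htaccess files involved: the root file disables directory listings everywhere, and a second file in one directory turns them back on. The "media" path is assumed, since the post only says "my media folder".

```apache
# /.htaccess at the web root  (added example, not code from the post)
# Requires "AllowOverride Options" (or All) for this directory in the
# server configuration; without it Apache answers 500 for the whole site.
Options -Indexes

# /media/.htaccess  (assumed path; the one directory that keeps listings)
# Re-enables mod_autoindex for this directory and its subdirectories only.
Options +Indexes
```

With the root setting in place, a request for a directory that has no index file, such as /wp-content/plugins/, gets a 403 Forbidden instead of a listing of your installed plug-ins, so no placeholder index.html is needed.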

Published on January 24, 2008 9:03 AM PST (8 months, 1 week ago).