3 New Wordpress Security Tips I Learnt from Matt Cutts
August 14th, 2007Matt Cutts, the Google engineer gave some amazing tips at WordCamp 2007. I discussed some lessons learnt and new Wordpress updates, that were revealed at Wordpress camp. Now Matt Cutt has released the powerpoint presentation that he talked of at the conference and some new wordpress security tips were known.
Posting an article about Whitehat SEO tips for bloggers, Matt Cutts released the PowerPoint deck (.ppt) that he presented after the Google’s PR team okayed the release. I learnt 3 new Wordpress security tips from his presentation.
1. Drop version string in header.php
The tag in your header.php that displays your current version of wordpress.
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Since everyone knows your wordpress version this way, your blog is prone to hackers if you have not upgraded to the new version.
Hide your wordpress version by deleting it or simply changing it to
<meta name="generator" content="WordPress" />
2. Put a blank index.html in /plugins/ directory.
In a normal wordpress installation, anyone can access your Wordpress plugin folder to see which plugins you have installed. The path is
http://www.yourdomain.com/wp-content/plugins/
Try it for your blog and your entire directory structure is revealed. Just create a blank file in notepad and name it index.html and drop it in your plugins folder and the folder details will no longer be visible to the public and prevent hackers from cracking a plugin security hole.
3. Put .htaccess in /wp-admin/
He points to this article of Protecting the Wordpress wp-admin folder. This will limit access to this folder by IP address and attempts at accessing any file within this folder will be greeted with a Forbidden error message.
He warns that you need to place this file in the /wp-admin folder and not replace or delete the .htaccess file in the root folder of your blog. Though he says the security issue was fixed in recent wordpress version, this is a security idea which can help you further protect your wp-admin folder.
Tip: It is easy to block search engines from crawling your wp-admin folder by blocking access via robots.txt file. I added this line
Disallow: /wp-admin/
You might also like this
Comments
2nd one can be avoided by adding a line
Options -Indexes
in your .htaccess file. This way you dont have to manually add index.html files to folders like plugins.
Those are awesome tips, especially the one about changing the meta information in your header, I will surely do that as soon as I can
I am so glad I came across this article because just a few days ago I saw all of my plug-in files were visible, I thought I might have done something wrong! great tips!! thanks for pointing them out… will be working on these soon
thanks for the tips , i have implemented it immediately
Regarding the robots.txt suggestion — if I understand correctly, search engines do not necessarily honour the instructions in the file, so you may only be blocking access to “legitimate” crawlers.
I am not 100% sure on this, but if I am, then it is a good thing to do, but not as effective as one might wish it to be.
Nice tips. I used to use Wordpress, but I got sick of all the security holes and switched back to MovableType.
This is truly amazing. Keep it up your post!
Great tips and I will definitely try this one on my WP-based blogs. I don’t know if Wp.com is using this tips, any idea coz some of my blogs are hosted on their site?
nice blog it is very informative more people appreciate this kind of blog..thanks for the tips i learn in this blog.
I’m use security key!
What is Security Key?
It is a hashing salt that is not readable through the database or in more easy words the Wordpress Security Key is a unique phrase which causes better encryption of information stored in the user’s cookies.
While you are learning a few tip or two from the Google engineer, I am here struggling to learn basics like upgrading a template… All my 6 blogs in wordpress are having a hard time getting updates because I don’t know how to access through http://ftp.
I’m sure engineer Matt knows every security measure and he is just the perfect man. He must’ve been to wordpress a couple of million times each year for that reason.
Have you got any good tips in lessening those phentermine and jewelry guys spamming my blog 80 to 100 times each day? They never seem to run out of proxies to use. DA**
Nice tips specially for the tips 2 and tips 3 to avoid others to view your wp structure
robots.txt does not provide any security at all. A malicious bot can simply choose to ignore it.
Make sure you password protect all the sensitive information.
I have to add my voice to the others in respect to the robots.txt file advice, malicious bots dont follow the rules of robots.txt, and since you can easily check robots.txt going to http://www.domain.com/robots.txt an attacker will find out what are the folders you want to protect easily.
The other two tips are really good.
“Put .htaccess in /wp-admin/ “will limit access to this folder by IP address and attempts at accessing any file within this folder will be greeted with a Forbidden error message.
But, I wanna limit access to any folder by Ip add. and attempts at accessing any file within my blog will be greeted with a forbidden error message….
How can i do …?
I need your help…..
Comment on “3 New Wordpress Security Tips I Learnt from Matt Cutts”