Matt Cutts, the Google engineer, gave some amazing tips at WordCamp 2007. I discussed some lessons learnt and new WordPress updates that were revealed at WordCamp. Now Matt Cutts has released the PowerPoint presentation he talked from at the conference, and it contains some new WordPress security tips.
In an article on whitehat SEO tips for bloggers, Matt Cutts released the PowerPoint deck (.ppt) that he presented, after Google's PR team okayed the release. I learnt 3 new WordPress security tips from his presentation.
Drop version string in header.php
This is the tag in your header.php that displays your current version of WordPress:
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
Since this tells everyone which WordPress version you run, your blog is an easy target for hackers if you have not upgraded to the latest version.
Hide your WordPress version by deleting the tag or simply changing it to
<meta name="generator" content="WordPress" />
Blank index.html in /plugins/ directory
In a normal WordPress installation, anyone can access your WordPress plugin folder to see which plugins you have installed. The path is
http://www.yourdomain.com/wp-content/plugins/
Try it on your blog and the listing of your entire plugins folder is revealed. Just create a blank file in Notepad, name it index.html and drop it in your plugins folder; the folder listing will no longer be visible to the public, which makes it harder for hackers to spot a plugin with a known security hole (the plugin files themselves stay reachable by direct URL, so keep them updated too).
Put .htaccess in /wp-admin/
He points to this article on Protecting the WordPress wp-admin folder. The .htaccess it describes limits access to the folder by IP address, and attempts to access any file within it from any other address are greeted with a Forbidden error message.
He warns that you need to place this file in the /wp-admin folder, not replace or delete the .htaccess file in the root folder of your blog. Though he says the security issue was fixed in recent WordPress versions, this is a security measure that can further protect your wp-admin folder.
Tip: It is easy to block search engines from crawling your wp-admin folder by disallowing it in your robots.txt file. I added this line:
Disallow: /wp-admin/
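Pulling the four items above together, here is an added shell script (not from the post, and not WordPress's own code) that audits a local WordPress document root for each item and applies the fixes. The admin IP 203.0.113.10 and the theme folder name default are placeholders; the .htaccess it writes uses the Apache 2.2 directives of the linked article, and the constructed sample install lets it run offline.

```shell
#!/bin/sh
# Report each hardening item still missing; the return code is the number found.
audit_wp_root() {
  root=$1; findings=0
  note() { echo "$1"; findings=$((findings + 1)); }
  grep -q "bloginfo('version')" "$root"/wp-content/themes/*/header.php 2>/dev/null &&
    note "header.php: generator tag still prints bloginfo('version')"
  [ -f "$root/wp-content/plugins/index.html" ] ||
    note "plugins: no index.html, so the folder listing may be visible"
  [ -f "$root/wp-admin/.htaccess" ] ||
    note "wp-admin: no .htaccess restricting access by IP"
  grep -q '^Disallow: /wp-admin/' "$root/robots.txt" 2>/dev/null ||
    note "robots.txt: missing 'Disallow: /wp-admin/'"
  return $findings
}

# Apply the four fixes; $2 is the only IP address allowed into /wp-admin/.
harden_wp_root() {
  root=$1; admin_ip=$2
  for f in "$root"/wp-content/themes/*/header.php; do
    [ -f "$f" ] || continue
    # Replace the version-bearing generator tag with the plain one from the post
    sed "s/WordPress <?php bloginfo('version'); ?>/WordPress/" "$f" > "$f.tmp" && mv "$f.tmp" "$f"
  done
  : > "$root/wp-content/plugins/index.html"   # blank file hides the folder listing
  # Apache 2.2 syntax; on Apache 2.4 the equivalent is "Require ip $admin_ip"
  printf 'Order Deny,Allow\nDeny from all\nAllow from %s\n' "$admin_ip" > "$root/wp-admin/.htaccess"
  grep -q '^Disallow: /wp-admin/' "$root/robots.txt" 2>/dev/null ||
    printf 'User-agent: *\nDisallow: /wp-admin/\n' >> "$root/robots.txt"
}

# Constructed sample install (one theme, nothing hardened yet) for offline runs.
make_sample_root() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-admin" "$root/wp-content/plugins" "$root/wp-content/themes/default"
  cat > "$root/wp-content/themes/default/header.php" <<'EOF'
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />
EOF
  echo "$root"
}

# Audit the document root given on the command line, or the sample if none.
root=${1:-$(make_sample_root)}
audit_wp_root "$root" || echo "$? item(s) still to fix in $root"
```

Run it as `sh audit.sh /path/to/wordpress` to list what is missing, then call `harden_wp_root /path/to/wordpress YOUR.IP.ADDRESS` from the same shell to apply the fixes.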