3 New WordPress Security Tips I Learnt from Matt Cutts

Matt Cutts, the Google engineer gave some amazing tips at WordCamp 2007. I discussed some lessons learnt and new WordPress updates, that were revealed at WordPress camp. Now Matt Cutt has released the powerpoint presentation that he talked of at the conference and some new wordpress security tips were known.

Posting an article about Whitehat SEO tips for bloggers, Matt Cutts released the PowerPoint deck (.ppt) that he presented after the Google’s PR team okayed the release. I learnt 3 new WordPress security tips from his presentation.

Drop version string in header.php

The tag in your header.php that displays your current version of wordpress.

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

Since everyone knows your wordpress version this way, your blog is prone to hackers if you have not upgraded to the new version.

Hide your wordpress version by deleting it or simply changing it to

<meta name="generator" content="WordPress" />

Blank index.html in /plugins/ directory.

In a normal wordpress installation, anyone can access your WordPress plugin folder to see which plugins you have installed. The path is


Try it for your blog and your entire directory structure is revealed. Just create a blank file in notepad and name it index.html and drop it in your plugins folder and the folder details will no longer be visible to the public and prevent hackers from cracking a plugin security hole.

Put .htaccess in /wp-admin/

He points to this article of Protecting the WordPress wp-admin folder. This will limit access to this folder by IP address and attempts at accessing any file within this folder will be greeted with a Forbidden error message.

He warns that you need to place this file in the /wp-admin folder and not replace or delete the .htaccess file in the root folder of your blog. Though he says the security issue was fixed in recent wordpress version, this is a security idea which can help you further protect your wp-admin folder.

Tip: It is easy to block search engines from crawling your wp-admin folder by blocking access via robots.txt file. I added this line

Disallow: /wp-admin/


  1. ram says:

    2nd one can be avoided by adding a line
    Options -Indexes
    in your .htaccess file. This way you dont have to manually add index.html files to folders like plugins.

  2. pearl says:

    I am so glad I came across this article because just a few days ago I saw all of my plug-in files were visible, I thought I might have done something wrong! great tips!! thanks for pointing them out… will be working on these soon

  3. health-prodigy says:

    thanks for the tips , i have implemented it immediately

  4. Craig says:

    Regarding the robots.txt suggestion — if I understand correctly, search engines do not necessarily honour the instructions in the file, so you may only be blocking access to “legitimate” crawlers.
    I am not 100% sure on this, but if I am, then it is a good thing to do, but not as effective as one might wish it to be.

  5. iwebie says:

    Nice tips. I used to use WordPress, but I got sick of all the security holes and switched back to MovableType.

  6. Cebu Seo says:

    Great tips and I will definitely try this one on my WP-based blogs. I don’t know if Wp.com is using this tips, any idea coz some of my blogs are hosted on their site?

  7. Teenburg says:

    I’m use security key!
    What is Security Key?
    It is a hashing salt that is not readable through the database or in more easy words the WordPress Security Key is a unique phrase which causes better encryption of information stored in the users cookies.

  8. cebu seo says:

    While you are learning a few tip or two from the Google engineer, I am here struggling to learn basics like upgrading a template… All my 6 blogs in wordpress are having a hard time getting updates because I don’t know how to access through ftp.

  9. km says:

    Nice tips specially for the tips 2 and tips 3 to avoid others to view your wp structure

  10. coolwebdeveloper.com says:

    robots.txt does not provide any security at all. A malicious bot can simply choose to ignore it.

    Make sure you password protect all the sensitive information.

  11. Frank Merlott says:

    I have to add my voice to the others in respect to the robots.txt file advice, malicious bots dont follow the rules of robots.txt, and since you can easily check robots.txt going to https://www.domain.com/robots.txt an attacker will find out what are the folders you want to protect easily.

    The other two tips are really good.

  12. vivi says:

    “Put .htaccess in /wp-admin/ “will limit access to this folder by IP address and attempts at accessing any file within this folder will be greeted with a Forbidden error message.

    But, I wanna limit access to any folder by Ip add. and attempts at accessing any file within my blog will be greeted with a forbidden error message….

    How can i do …?
    I need your help…..

  13. security locks says:

    Great content, very helpfull. The web needs more great sites like this.

  14. design says:

    I am not going to tell fibs, you have lost me here – 3 New WordPress Security Tips I Learnt from Matt Cutts. I recognize that you thought well and you manifestly know what you are talking about, but I cant state that I get where you are descending from. Keep the postings being published. As the terminator stated I will be back.

Leave a Reply

Your email address will not be published. Required fields are marked *