Three WordPress Security Tips

I came across this post on quickonlinetips, who got these tips from Matt Cutts. While I have been following some of them, a few are new to me or can be done in a better way, so I am listing them all here.

1. Drop the WordPress Meta Tag

By default a large number of WordPress themes output the WordPress meta tag, which shows the version of WordPress currently running on the blog. I have even removed the "Powered by WordPress" links from the footer; this has reduced spam by a certain degree.

2. Disable Access to your Directory Indexes

If you are not aware, by default if someone types in the path to your Plugins directory they can view a list of all files in that directory. The best way to disable this is through the .htaccess file: add the line given below to the bottom of the .htaccess file in the root of your blog.

Options -Indexes

The other way to disable it, as outlined by Matt Cutts, is to put a blank index.php or index.html file in the Plugins directory.

3. Disable access to /wp-admin/

This is the most drastic measure you can take, i.e. blocking access to the wp-admin directory using .htaccess. But this will only work if you browse the net from a static IP address. Also, this is not necessary if you are using the latest version of WordPress.
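Tips 2 and 3 both come down to Apache configuration, so here is a worked version of both in one place. This is an added example, not configuration from the original post or from Matt Cutts; the address 203.0.113.10 is a placeholder for your own static IP, and the rules assume Apache with mod_authz_core (2.4) or the older mod_access (2.2) and AllowOverride enabled.

```apache
# --- /.htaccess (blog root), placed above the WordPress rewrite block ---
# Tip 2: refuse to render directory listings for every directory under the
# blog root, so /wp-content/plugins/ no longer reveals which plugins are installed.
Options -Indexes

# --- /wp-admin/.htaccess ---
# Tip 3: only the static address below may reach the admin area.
# Placeholder IP (TEST-NET-3 range); replace with your own static IP.
<IfModule mod_authz_core.c>
    # Apache 2.4 syntax
    Require ip 203.0.113.10
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2 syntax
    Order deny,allow
    Deny from all
    Allow from 203.0.113.10
</IfModule>

# Caveat: themes and plugins call /wp-admin/admin-ajax.php for visitors who are
# not logged in, so re-open that single file or those front-end features break.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

After saving the files, check the plugins directory URL and /wp-admin/ from a second address (for example a phone off Wi-Fi) to confirm the listing is gone and the admin area returns 403.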

4. Bonus point: keep your WordPress blog up to date using the WordPress Automatic Upgrade plugin

8 Responses

Awesome tips! Thanks for sharing.

Simple but effective tips for security are always the best.

Hmm, it's Quick Online Tips, not Quick Tips Online :P ! And yes, those tips were really helpful for security! :D

I never knew about the problem with the meta tag. Nice article. I think the last link in your post is not correct.

I never gave a thought to that; these are a must-have. I will surely be giving a thought to that.

I'm new to WordPress. Had no idea about the /wp-admin/. Thanks!

Is there any way that I can get rid of the meta tags and retain certain content which previously was meta tagged?

I would add one more tip that I have seen happen to blogs that I host. Don't use the default table prefix wp_; come up with a difficult-to-guess one.
If you already have wp_, it is easy to change through phpMyAdmin.

1. Why would this IP restriction be more effective than password protection using the similar .htaccess and .htpasswd method, which offers the same level of protection sans the changing of IPs when you move/travel? And let your browser/keychain remember your password so you can just hit enter when prompted.

2. I'm pretty sure most web hosts have directory browsing turned off by default, and in that case, won't it show a 404 page, thus going to that location makes no sense? However, for those not doing that, I'm pretty sure they have a reason, and if they're to follow your steps, they must have been smart enough to turn directory browsing off through their web host panel or through .htaccess.

3. This is the least updated feed and we’re talking about WordPress, you’ll definitely hear about new releases within days unless you’re on an extended vacation.