Een mooie timing deze tips van Matt Cutts om je WordPress blog te beveiligen. Ik weet het uit eigen hand; naief omgaan met je permissies is vragen om problemen. Deze post komt als geroepen bij inrichting van een vernieuwde tanjadebie.nl Want uiteraard maak ik van de gelegenheid gebruik om het design een nieuwe boost te geven.
Here are three easy but important ways to protect yourself if you run a WordPress blog:
- Secure your /wp-admin/ directory. What Iâve done is lock down /wp-admin/ so that only certain IP addresses can access that directory. I use an .htaccess file, which you can place directly at /wp-admin/.htaccess . This is what mine looks like:
AuthName âAccess Controlâ?
deny from all
# whitelist home IP address
allow from 18.104.22.168
# whitelist work IP address
allow from 22.214.171.124
allow from 126.96.36.199
# IP while in Kentucky; delete when back
allow from 188.8.131.52
Iâve changed the IP addresses, but otherwise thatâs what I use. This file says that the IP address 184.108.40.206 (and the other IP addresses that Iâve whitelisted) are allowed to access /wp-admin/, but all other IP addresses are denied access. Has this saved me from being hacked before? Yes.
- Make an empty wp-content/plugins/index.html file. Otherwise you leak information on which plug-ins you run. If someone wanted to hack your blog, they might be able to do it by discovering that you run an out-of-date plugin on your blog and then they could exploit that.
- Subscribe to the WordPress Development blog at http://wordpress.org/development/feed/ . When WordPress patches a security hole or releases a new version, they announce it on that blog. If you see a security patch released, you need to upgrade or apply the patch. You leave yourself open to being hacked if you donât upgrade.
And hereâs a bonus tip: in the header.php file for your theme, you might want to check for a line like
<meta name=â?generatorâ? content=â?WordPress <?php bloginfo(âversionâ); ?>â? /> <!-â leave this for stats please -->
Iâd just go ahead and delete that line or at least the bloginfo(âversionâ). If youâre running an older version of WordPress, anyone can view source to see what attacks might work against your blog.
Update: In the comments, Joshua Slive pointed out that the .htaccess file shouldnât have a <LIMIT GET> around the IP addresses. That would have allowed IP addresses to POST, for example. Joshua, thanks for the pointer to the Apache docs on this point.