A couple days back, I read Matt Cutts’ post: Three tips to protect your WordPress installation. His suggestions are decent, but there’s some better stuff you can do via security through obscurity.
Matt suggests protecting your wp-admin directory via .htaccess IP restricting. This is a good idea to be sure, but why let your wordpress install location be known when it’s simple as pie to hide?
Step One:
Toss your WordPress installation into a super secret directory.
Step Two:
Move your style sheet / images from your theme directory and into directories outside of your WordPress install. Change your head to reflect the change.
Step Three:
Dump that wlw reference from your head. This plugin will do the trick.
Step Four:
Move your wp-comments-post.php into your root and edit the beginning of it in the same way you did your index.php in step one. Edit your template files to reflect this. (Don’t visit my wp-comments-post.php, it’s a honeypot idea I’m in the middle of tweaking to snag some comment spammers. ;-)
Step Five:
I edited the pingback url my header sends out to go to Planet 404 since I’m a member of the Pingbacks / Trackbacks are Retarded Club. If you use them, I imagine it’d be just as easy as the wp–comments-post.php move is. You can edit that header info via /wp-includes/general-template.php - just search for “pingback” and you’ll find the line.
Step Six:
If you have any other plugins tossing info into your head or anywhere else that reveals your install location, tweak them.
If anyone knows how to get the install url in some other way(s), leave a comment with the info or email me and I’ll update this with the tweaks to prevent the info leak. In fact, I’ll cough up $20 via paypal to the first person who posts a link to my admin directory with the info on how they found it.
Matt’s second tip was to “make an empty wp-content/plugins/index.html file” to prevent potential plugin info leak. That’s obviously a moot point if you hide your entire install. And, as several people have already pointed out: leaving your indexes viewable is retarded and easy to change.
Matt’s third tip looks like it was just some filler for his post. Subscribe to the WordPress Development blog? Your admin panel already has that feed built into the dashboard.
His bonus tip was also a bit odd. He suggests dumping the bloginfo(’version’) snippet from your template’s header.php. Doing so won’t prevent your WordPress version from being leaked out to anyone though. All a person has to do is view the source of any of your feeds to get the same info. Here’s an example from Matt’s own blog. View the source of that page and you’ll see generator=”wordpress/2.3.2″ at the top. If you really want to prevent your version from being leaked you need to edit /wp-includes/version.php. You should change it to a version in the far future to avoid having that constant “A new version of WordPress is available! Please update now” nag from invading your admin panel. I’m kicking WordPress version 6.9 up in this biotch. :P
Here’s a bonus tip from me:
Change your default database prefixes (wp_) to something else. This basic security through obscurity tweak could save your ass from possible SQL injection attacks. Here’s a nifty plugin that can do it for you.
Now, let’s see who snags that $20.
P.S. I’m in the middle of tweaking this new theme. So, excuse the mess.