With all the recent WordPress security (or lack thereof) news I was reminded of an SEO video talk I recently watched, given at WordCamp 2009 in San Francisco by the one and only (SEO-God Spokesman) Matt Cutts of Google. One of the takeaways I got from the 45-minute online presentation was that Matt uses an htaccess file to protect his WordPress admin directory (/wp-admin/) with an IP whitelist.
Here's what his htaccess file looks like, or rather what it did back in January 2008 when he published it:
AuthName "Access Control"
# no Order directive: Apache 2.2 defaults to "Order deny,allow",
# so the "allow from" lines below override the blanket deny
deny from all
# whitelist home IP address
allow from 00.000.000.00
# whitelist work IP address
allow from 00.000.000.000
allow from 000.000.000.000
# IP while in Kentucky; delete when back
allow from 000.000.000
The first four Auth lines of his file are just basic htaccess commands and can be ignored when crafting your own version. The real meat is the "deny from all" and the subsequent IP whitelist. Make sure you know how to find your own real (public) IP address, and if it changes don't freak out when you can't access your blog. Just log in via FTP or your host's file manager and update the htaccess file with your new IP.
Another security tip related to securing WordPress is to remove the default 'admin' account: create a new administrator account with a unique username, log in as that user, and delete 'admin'.
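As an added example (not Matt Cutts' file and not from the original post), here is a complete .htaccess for /wp-admin/ that applies the same deny-then-whitelist policy in both the Apache 2.4 (mod_authz_core, "Require") and Apache 2.2 (mod_authz_host, "Order/Deny/Allow") syntaxes, and exempts admin-ajax.php, which themes and plugins call from the public front end even for visitors who are not logged in. The IP addresses are placeholders from the documentation ranges and must be replaced with your own.

```apache
# Added example: /wp-admin/.htaccess  (placeholder IPs, replace with your own)

# --- Apache 2.4 and newer: mod_authz_core ---
<IfModule mod_authz_core.c>
    # admin-ajax.php must stay reachable from the public site
    <Files admin-ajax.php>
        Require all granted
    </Files>
    # Everything else under /wp-admin/: only these addresses get in.
    # Multiple "Require ip" lines are OR-ed together; anything not listed is denied.
    # home address (placeholder, TEST-NET-3 range)
    Require ip 203.0.113.10
    # office network (placeholder, TEST-NET-2 range)
    Require ip 198.51.100.0/24
</IfModule>

# --- Apache 2.2: mod_authz_host, same policy ---
<IfModule !mod_authz_core.c>
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
    </Files>
    Order deny,allow
    Deny from all
    # home address (placeholder)
    Allow from 203.0.113.10
    # office network (placeholder)
    Allow from 198.51.100.0/24
</IfModule>
```

Two caveats when you adopt this. First, wp-login.php lives in the site root, not in /wp-admin/, so this file does not cover it; the same Require/Allow rules can be wrapped in a `<Files wp-login.php>` block in the root .htaccess to get the same effect. Second, if the site sits behind a CDN or reverse proxy, Apache sees the proxy's address rather than yours, and a whitelist like this will lock everyone out (including you) until the real client IP is restored, for example with mod_remoteip. After uploading, test from a whitelisted address and from a non-whitelisted one (a phone on mobile data works) and confirm the latter gets a 403.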