I was recently given access to a new WordPress plugin which claims to be very effective in protecting you from hackers. I discovered that the method used in this plugin was not only ridiculously simple, but actually inferior to a method I have been using for years.

The most vulnerable point of access that hackers have to your WordPress blog is through the wp-content folder. This folder contains all the scripts used by your themes and your plugins. A hacker ( or his robot ) need only enter the following into the ‘Address Bar’ in order to discover the names of all the files in the folder:

WordPress does not protect you against such access.

The plugin that I reviewed protects this point of entry by “fooling” hackers with a copy of the standard Apache ’500 Internal Server Error’ page. This fake page is uploaded as ‘index.html’ to both the ‘plugins’ and ‘themes’ folders, so it is “seen” by the hacker software when it attempts access.

Now for my “old-school” method, which I will show you for FREE.

There is a file in the root directory of your blog called .htaccess This file contains coded instructions for your browser to follow before uploading your blog. It already contains code that tells the browser how to access your blog pages. All you have to do to protect your wp-content folder is insert the following code BEFORE the code that’s already there.

That’s all!

This code tells the browser not to let anyone access the index file of any directory, so a hacker will not be able to read the names of the files in your wp-admin folder, and thus not be able to access them. If the hacker software attempts access, it will “see” either a real Apache ’403 Forbidden’ error page, or just a blank page.

Technorati Tags: deny access, exploits, hackers, htaccess, WordPress