

Tips For Wordpress Secure Blogs - basdog22
http://jeez.eu/2009/10/04/12-easy-tips-for-wordpress-secure-blogs/

======
ionfish
I have seen this list of suggestions repeated on different blogs for the last
several years, with only minor differences. They are always heavy on
security-by-obscurity tactics and light on serious suggestions.

This article is even worse than the usual ones. For example, it makes no
mention of securing access to the admin area by forcing SSL connections.

The plugin mentioned, AskApachePassword, relies on your Apache config files
being writable by the Apache user. It also only creates one user/password
combination, which rather contradicts the purpose of an authentication scheme
(although it does use Digest, rather than Basic authentication, if it's
available, which is something, I suppose).

Point 6 recommends explicitly denying access to the WordPress config file.
Why, I have no idea—after all, since that file doesn't print anything, if
someone tries to view it in a browser they'll just get an empty page.

I could go on, but it's starting to get depressing. It's good that people are
concerned about security, but I wish they'd do better research before going
round acting like an authority on the subject.

