This is a good way to protect ourselves from hackers. Woe to hackers. Another nice thing from Google!
agapitoflores001 3 months ago
Maybe if Anonymous hacked your blog..... They can hack it.... Just a matter of seconds
MegaTutorial101 4 months ago
0 people hate Google
Thumbs Up
DyeSwatForeign 1 year ago
Nice feature of WP 3.0 is Admin doesn't have to be Admin anymore - change the Admin Login to some other name and improve your security by a magnitude.
mq3500 1 year ago
Protecting Wordpress admin is just one small step.
There are more hacks on host than on the wordpress admin.
Protecting web hosting is more important as well.
What I do is I block all open ports such as ftp etc. I use SSH (with Auth key) on a different port. All IPs are also blocked except a few from which I access the host.
And so on...
Above steps are for dedicated servers or servers over which you have full control.
For shared hosting you have no option other than just protecting WP admin.
SwamiAjaynanad 1 year ago
That's a good tip. Add to that, having a backup so you can restore your site if it is hacked, as there are so many ways to exploit popular platforms like WordPress, Joomla etc. searchenginefriendlyhosting com DO allow you to add your own custom .htaccess files, php.ini and have one click backup.
jezwebb 1 year ago
What about Blogger? I guess the long and complicated password is the best way of protecting an account.
catascouts 1 year ago
Very good tips, I also run a full weekly backup of all my databases, files and directories! ;)
patellaman 1 year ago
Are you gaining weight, old man? ;-) lol
timtim2500 1 year ago
I like the new hairdo, but it would be a little smarter to remove the readme.html and turn user registration off
ZachariahLogan 1 year ago
"Home IP address"?! OK Matt, now people will break into your home to spam your high PR blog.
adrianTNT 1 year ago
@adrianTNT To do what Matt has suggested regarding IPs, you'll need a static IP, otherwise each time you connect to the internet it'll be different, therefore blocking you from your admin directory! ;)
patellaman 1 year ago
and what about blogger ?
give us some tips
thumbs up if you want to get blogger security tips from Matt
rahulxxx2000 1 year ago
I think one of the problems people may be having is their host does not allow you to edit or move your .htaccess. With that said, just call up your hosting company if you're having trouble; they might have certain rules about how your .htaccess can be edited.
But like Matt said this does not protect it 100%. If you're using WordPress then simply type the words "login security" into your find plugin page. You will get a bunch of add-ons that are rated.
NicheWebsiteStrategy 1 year ago
To block people from other IPs, add this to an .htaccess file and upload it to your /wp-admin/ folder. (Of course replace the ##.##.##.## with your actual IP, or the range you want to allow.)
# With "order allow,deny" (Apache 2.2 syntax) every request not matched by an allow line is denied
order allow,deny
deny from all
allow from ##.##.##.##
bcnorth 1 year ago
@bcnorth you should escape the periods in your IP rules... ##\.##\.##\.##
drwxrxrx 1 year ago
For me I can not "whitelist" so to speak my .htaccess, but then again I used a very cool tool on my login page that stops hackers from accessing my login multiple times. If they put the wrong username and password in, it automatically denies them access for an hour.
NicheWebsiteStrategy 1 year ago
Hey Matt, the tactics you suggested are nice, but I am really not able to figure out how to bind .htaccess to a folder and to a specific IP.
Have you a sample on how to do that?
Thanks.
moroandreait 1 year ago
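As an added example (not from the video and not posted by any commenter), here is a complete .htaccess for the /wp-admin/ folder that does what the snippet above and the question just before it describe: it allows the dashboard only from an allow-listed address or range, with both the Apache 2.4 `Require` syntax and the older 2.2 `Order/Allow/Deny` syntax so it works on either version. The addresses 203.0.113.0/24 and 198.51.100.7 are placeholders (reserved documentation ranges), to be replaced with your own.

```apache
# .htaccess placed in /wp-admin/ (added example; the addresses below are placeholders)

# Apache 2.4 and newer: mod_authz_core is loaded, use "Require ip".
# RequireAny lets a single range and a single host both pass.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 203.0.113.0/24
        Require ip 198.51.100.7
    </RequireAny>
</IfModule>

# Apache 2.2: mod_authz_core does not exist, fall back to Order/Allow/Deny.
# "Order deny,allow" means the Allow lines override the blanket Deny.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 203.0.113.0/24
    Allow from 198.51.100.7
</IfModule>

# admin-ajax.php is requested from the public site by themes and plugins for
# every visitor, so it must stay reachable or those front-end features break.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

Two caveats a practitioner should keep in mind: the login form itself is wp-login.php in the site root, not inside /wp-admin/, so this file does not stop password guessing against the login page (a lockout plugin such as the one mentioned further down the thread, or a second .htaccess rule on wp-login.php, covers that); and if your connection gets a new address each time, as the earlier reply about static IPs points out, allow your provider's range rather than a single host or you will lock yourself out.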
does anyone know if the ip authentication he mentioned with .htaccess can be obfuscated by hacker so they have access?
jazz0900 1 year ago
Well, yeah ok. What about the SQL injections? I had a friend that was doing remote SQL queries without having any admin access. He said that was a server hack (had to deal with the Apache server), not a script hack. So:
Double check your server settings! Upgrade your server software as well.
Another good way is to protect your file and folder permissions.
ANDiTKO 1 year ago 2
@ANDiTKO You do SQL injections through a vulnerable script, a script that doesn't sanitize the data being input from the client. Your friend is, sorry to say it, a wannabe hacker. Apache has nothing to do with MySQL and will never have anything to do with it.
SeriousGarbageMan 1 year ago
there is a wordpress automatic update plugin, this combined with pinging wp-cron.php using wget in the crontab file will keep everything up to the latest version
daveashe 1 year ago
Yeah, they released 3.0 on the 17th. UPDATE!
nightgunner5 1 year ago 5
first
PoopnSuch 1 year ago