Improving Your Google PageSpeed Score

You’d think with 94% of Americans having the option of Broadband Internet that things like site loading and page speed wouldn’t be that important. But given that 24% of all Internet traffic comes from Mobile, how long it takes your site to load is still a big factor of user satisfaction (and Google rankings).

Here’s how I improved my Google PageSpeed score by 40 points in 5 minutes.

1. Check your PageSpeed score

First, check your score by going to

2. Make 2 tweaks to your .htaccess file

Add the following to your .htaccess file (assuming you are on an Apache server such as Dreamhost):

# Enable Caching for Speed

 ExpiresActive On
 ExpiresByType text/html M3600
 ExpiresByType text/css M3600
 ExpiresByType application/x-javascript M3600
 ExpiresByType image/bmp M3600
 ExpiresByType image/gif M3600
 ExpiresByType image/x-icon M3600
 ExpiresByType image/jpeg M3600

3. Install W3 Total Cache

Install W3 Total Cache and enable the following options: Page, Minify, Database, Object, and Browser, and then hit Save All Settings.

4. Check your PageSpeed score again

Submit your site again and see your improvements. You can also read the other tips provided by Google on how to make your site even faster.

And just like that, you’ve increased your PageSpeed score.


Tumblr vs WordPress: Benefits Comparison

Tumblr vs WordPress, the (only somewhat recent) age-old debate.


Knowing which one to use ultimately comes down to the purpose of your site, but knowing the benefits of each platform can help you make that decision. For this post, we’re going to compare Tumblr vs WordPress using the following five criteria: usability, flexibility, shareability, searchability, and security.

Got it? Well let’s get started then.

Tumblr vs WordPress: Usability

Both Tumblr and WordPress are “CMS”s, aka Content Management Systems. They are ways of organizing webpages in a way that’s a lot more intuitive than the old standard of just having a bunch of HTML files.

I think both are pretty easy to use. Tumblr will get you set up straight away and it gives straightforward prompts of what you can do (do you want to post a picture, a link, text, etc.).

WordPress is also relatively straightforward but with more options right out of the gate–do you want to write a page or a post? They’ve also added options similar to Tumblr but it’s not quite as straightforward.

Winner: Tumblr edges out WordPress. It’s more intuitive but that does come at a price, which leads me to…

Tumblr vs WordPress: Flexibility

The challenge for all web developers is balancing keeping things simple versus giving users flexibility to do whatever they want. It’s similar to the Mac vs PC (or iPhone vs Android) debate that has been going on for years.

Apple is all about making things simple and intuitive, but they do it at the cost of restricting their users from truly being able to manage their device how they want. PCs (and Androids) on the other hand are set up to give you a lot more control over what you can do, but at the cost of being a little harder to learn.

Tumblr is Apple and WordPress is PCs/Android. Tumblr is intuitive and elegant–for the simple things. You can quickly and easily share or write a post and there are some custom themes you can use to add some personality to your page. Beyond that? Things get a little tougher.

WordPress, on the other hand, is designed for customization. There are countless themes out there and they are easier to tweak. In addition, and perhaps WordPress’ greatest strength, is the ability to install plugins. These are packaged solutions for all sorts of great web features: there are plugins for making fancy galleries, adding social media buttons, embedding videos, processing payments, and thousands-upon-thousands more.

Winner: WordPress (and it’s not even close).

Tumblr vs WordPress: Shareability

If WordPress’ greatest strength is flexibility, Tumblr’s greatest strength is shareability.

Tumblr is designed to be shared. There are reblog buttons on every page, the ability to “like” your favorite posts, and follow your favorite sites. And all of that shows up in your activity feed. And when you post/like/reblog something, all of the people who follow you can easily see it and then share it to the people who follow them, and on and on it goes.

WordPress doesn’t have any of that. Sure you can connect WordPress to Facebook or Twitter (just as you can with Tumblr), but there is no built-in community for liking or reblogging. And if you want to follow someone, you do it privately via RSS or good-ol-fashioned page stalking.

Winner: Tumblr by miles.

Tumblr vs WordPress: Searchability

But yet again, one of Tumblr’s strengths is also the reason for one of its downfalls–in particular: search.

If you want your website to rank well for search, you’re going to have an easier time doing it via WordPress. Why? Partially because there are a number of great plugins to help with important search settings such as Meta tags and sitemap files, but mostly because of how Tumblr is set up.

Search engines like, among others, 2 things: original content and specific content. First, original content is key. Google doesn’t want to show you 10 different pages with the exact same content on it; you only care to see it once. And yet Tumblr is designed specifically to have duplicate content out there–if you reblog a post, that’s the same content in two spots, which can impact search results.

Second, Google tries to find the best pages for the search that was entered by the user. One way they determine how close a specific page is to matching your query is through the URL (in addition to things like keywords, anchor text, and more). So when the URL of your post matches what people typed, that’s a good thing.

The problem with Tumblr is that every post URL contains a random string of numbers in it (to uniquely identify the post). That’s great for Tumblr’s back-end, but not great for search. After all, who includes a random string of numbers in their searches (well, maybe if you’re trying to guess someone’s phone number).

Does that mean you’ll never show up in Google results using Tumblr? No. But it won’t be as easy as if you were using WordPress.

Winner: WordPress.

Tumblr vs WordPress: Security

The last category we’ll talk about is security, an important factor for any website, but particularly for any site that will gain a lot of views or be used for business.

This is where WordPress’ flexibility can be a bad thing, as a WordPress site is only as secure as its weakest plugin. All it takes is one plugin to get exploited and it can bring your entire site down or turn it into a spam-sending crapbag.

Tumblr doesn’t have this concern. All of their features are locked down and you can’t run your own scripts, so the only security concern is your username and password.

But don’t let that scare you: there are a number of things you can do to improve WordPress security. Just know, as you can read about in one of my other posts, that it’s no fun to clean up after a WordPress hack.

Winner: Tumblr.

So which one should you use? Well if you simply did a count, you’d assume Tumblr (three is bigger than two), but you’re smart enough to know that it’s not that simple. Why? Because it depends on what you want to do with your site.

So how do you choose? Well that will be the topic of the next post. Stay tuned.

10 Basic Steps for Self-Publishing a Book

Last year I published my very first book, 50 Quotations on Humor, mostly as a way to learn about the self-publishing process. After tons of research and actually doing it, I’ve boiled down the process to these steps.

Note: This assumes you already have a book idea / content ready. Also this is for self-publishing a physical copy of the book.

10 Basic Steps for Self-Publishing a Book

Step 1: Purchase Your Own ISBNs

Most book-publishing services will create ISBNs for you, but if you do that, you lose control over who the imprint is. If you want a more official publisher name, and not SELF-PUBLISHING-COMPANY X, you can purchase your own ISBNs and define the imprint (maybe something like “DREW’S PUBLISHING HOUSE”).

To purchase ISBNs, I used I bought 10 ISBNs for $250 (and you’ll want to buy in bulk as you should have different ISBNs for digital and print versions of your book).

Step 2: Assign Your ISBNs

After you’ve purchased your ISBNs, you’ll have to assign one to your print book. Using, you fill out the pertinent details such as Title, Author, Summary, etc. This information is used when booksellers are listing your book.

You may not know all of this information until after you finish the other steps, so you may have to come back to it. The important step right now is assigning the ISBN to this particular book.

Step 3: Choose a Publisher

There are a number of great Print-On-Demand publishers out there, including Lulu, LightningSource and Blurb. However, I personally went with CreateSpace because of its direct connection to Amazon. With CreateSpace, as soon as you approve your book for publishing, it gets listed on, as well as a few other places.

Step 4: Create a Book / Choose a Size

One of the first things you have to decide on with your publisher is the size of your book. There are a number of standard sizes but CreateSpace also allows you to create your own.

Note: If you create your own size your book won’t be distributed to bookstores, it’ll only be available in the eStore and on

Step 5: Design Your Interior

Once you have the size, you can design the interior of the book and fill it with content. Another advantage to using a standard size is that CreateSpace has templates you can download so all you have to do is Copy/Paste and format the text you want (no messing with margins, etc).

If you decide to go with a custom trim size, using a program like Adobe InDesign might be easier to use for formatting.

Step 6: Design Your Cover

Once you have your interior set, you can create a design for the cover. Once again, standard sizes have templates, custom sizes require you do some math to get things right. Be sure to leave the correct space for where the barcode will go and pick print-safe colors for the cover.

Step 7: Upload Your Content

Once you have the interior and cover completed, you’ll save them as PDFs and upload them to the publisher. CreateSpace has an electronic checker that will review for any formatting issues such as incompatible fonts. Be sure to clear any errors (or actively decide to ignore them like I did when an error about spacing came up).

Step 8: Order a Proof

Once everything looks good in the previewer, it’s a good idea to order a physical proof. This will take a little bit of time as every time you submit something to be available as a proof, it takes a day or so to be reviewed by a human to make sure everything is OK. Then you can order the proof (which is usually pretty cheap although they get you with shipping costs, especially if you want it rushed).

Step 9: Publish Your Book

After you’ve received and reviewed your book, it’s time to make it available to the world. You can approve your book on the site and also enter your distribution details: price of the book, distribution outlets, etc. Be sure to also go back to and update any information you left out earlier.

Note: For pricing, CreateSpace will tell you the minimum you can sell the book for. Anything over that minimum is how much you make on the book. The price varies from book-to-book based on size, number of pages, color or black & white interior, etc.

Step 10: Fill Out Your Amazon Author Information

Once you approve your proof it’ll take 5-7 business days for it to show up in Amazon. Once it’s there, you’ll want to make sure you fill out your Amazon Author information so people can learn more about who you are (and you can add your blog, twitter, etc).

BONUS: Publish to Kindle

If you also want to publish to Kindle, CreateSpace now has a conversion tool that will get you started. Whether you use that or create a new document yourself, you’ll manage the Kindle version of the book at More tips on this process in a future blog post.

There you have it, the 10 Basic Steps for Self-Publishing a Book. Got questions? Leave ’em in the comments.

3 Shell Commands to Help Recover from WordPress Malware

I recently posted some tips on how to clean up your WordPress installation if you’ve been hacked (see further reading below). Sadly, I didn’t completely remove the malware from my server and all of my websites were once again infected.

In addition to creating different sFTP accounts for each of my websites (which I should have done a long time ago), there were 3 commands I ran when connecting through shell that really helped me out.

1. Who’s been logging in?

This command will tell you the IP addresses that have logged into your FTP site:

last -i | grep yourusername

I used this to verify that my sFTP login wasn’t compromised. It wasn’t so I knew there had to be malicious code still sitting on my site somewhere.

2. Are there any world-writable directories?

There’s never really any reason for a directory to be writable by everyone. If you have a folder with those permissions, it either means you have a poorly coded plugin or a WordPress virus.

To search for any world-writable directories, enter this command in shell:

find . -type d -perm -o=w

In my case, it returned a folder hidden deep within nested folders. I browsed to the folder and sure enough there was a fake WordPress file that was installing all of the malicious Base64 code into all of my php files.
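The two checks described above, combined into one triage pass (an added example, not part of the original post). The function names and the sample directory tree are constructed for illustration.

```shell
#!/bin/sh
# Added example: permission and Base64 triage of a WordPress tree.
# Function names and the sample tree are constructed for illustration.

# Directories writable by "other". "-perm -0002" matches any mode that has
# at least the o+w bit set (0777, 0757, 1777, ...). Without the leading
# dash, find only matches a mode of exactly 0002.
world_writable_dirs() {
    find "$1" -type d -perm -0002 -print 2>/dev/null | LC_ALL=C sort
}

# PHP files that mention base64_decode. Legitimate code calls it too, so
# every hit is a lead to read, not proof of infection.
php_with_base64() {
    find "$1" -type f -name '*.php' \
        -exec grep -l -F 'base64_decode' {} + 2>/dev/null | LC_ALL=C sort
}

# Highest-priority leads: PHP files sitting directly inside a
# world-writable directory.
php_in_writable_dirs() {
    world_writable_dirs "$1" | while IFS= read -r dir; do
        find "$dir" -maxdepth 1 -type f -name '*.php' -print
    done | LC_ALL=C sort
}

# Build a small constructed tree: one normal file, one legitimate use of
# base64_decode, and one PHP file hidden in a deeply nested 777 directory.
make_sample_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" \
             "$root/wp-content/plugins/gallery/cache/.tmp"
    chmod 777 "$root/wp-content/plugins/gallery/cache/.tmp"
    printf '<?php echo "hello"; ?>\n' > "$root/index.php"
    printf '<?php $x = base64_decode($y); ?>\n' \
        > "$root/wp-includes/class-legit.php"
    printf '<?php $z = base64_decode("Y29uc3RydWN0ZWQ="); ?>\n' \
        > "$root/wp-content/plugins/gallery/cache/.tmp/wp-cache.php"
    printf '%s\n' "$root"
}

# Demo run on the constructed tree.
sample=$(make_sample_tree)
echo "World-writable directories:"
world_writable_dirs "$sample"
echo "PHP files inside them:"
php_in_writable_dirs "$sample"
echo "All PHP files mentioning base64_decode:"
php_with_base64 "$sample"
rm -rf -- "$sample"
```

On a real site, call the three functions with the path to the WordPress root instead of the sample tree.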

3. What’s the fastest way to delete a directory?

Because so many of my sites were infected, I knew I had to find a faster way to delete files–sFTP was just too slow.

One way that’s definitely faster is to delete using the shell. Here’s the command to delete a directory and its entire contents.

rm -rf -- directorynametodelete

Further Reading


Tumblr: How to Make a Secondary Blog a Primary Blog

I recently shared a post about how to move a tumblr blog to a new owner. Unfortunately that only works for secondary blogs. It may be the case that either on your current account, or possibly a new one created specifically for your blog, you want your secondary blog to actually be your primary blog.

Sadly, this isn’t possible from tumblr’s perspective (nor does it seem like they’ll be changing it any time soon). However, you can “trick” the system into treating your secondary blog as your primary blog.

Note: This process renders your current primary blog pretty much useless. That’s why I transferred my secondary blog to a new account I created specifically for that blog.

How to Make a Secondary Tumblr Blog a Primary Tumblr Blog

  1. Log into your tumblr account and go to your current Primary blog.
  2. Click on Customize theme, then Edit HTML.
  3. Right after where it says <head> put the following code, where “” is the address of the Secondary blog that you want to be the Primary blog.
    <script type="text/javascript">
    window.location.href = "";
    </script>
  4. Click Update Preview, then Appearance, then Save, then Close.
  5. Your old Primary blog will now always redirect to your Secondary blog. That means whenever you follow someone or ask a question, they’ll be directed to your Secondary blog if they click on your name.
  6. Optional: You may want to change the URL of your old Primary blog to something similar to your Secondary blog so that the name that appears when following people seems related to your blog. The easiest solution is adding a hyphen (‘-‘) in the name.


How to Move a Tumblr Blog to a New Owner

While I’m mostly a WordPress guy, my blog on Understanding Comedy uses Tumblr. Unfortunately I knew very little about tumblr before starting and as a result created the comedy blog as part of my personal account, thinking I could just move it later. Well with tumblr, moving a blog isn’t all that easy to do (and if you ask tumblr support, they’ll tell you it’s not possible at all).

But, there is a way to “move” a secondary tumblr blog. Here’s how:

How to move a tumblr blog to a new owner.

  1. Create a NEW tumblr account (you have to use a new email address).
  2. Log out of the NEW tumblr account.
  3. Log into the OLD tumblr account and select the blog you want to transfer from the Dashboard menu.
  4. On the right hand side, click where it says Members.
  5. Add the NEW tumblr account as a member by inviting it using the new email address.
  6. Log out of the OLD tumblr account.
  7. Check your new email address inbox for an invitation from tumblr to join the OLD blog. Click join and log into the NEW tumblr account.
  8. Log out of the NEW tumblr account.
  9. Log into the OLD tumblr account. Go back to the Members page for the blog you want to move and change the NEW account to be an admin.
  10. Log into the NEW tumblr account and confirm you can post, change settings, etc. You’ve now transferred the blog to your NEW tumblr account.
  11. Optional: From the OLD account, you can choose to leave the blog now if you’d like, your posts will still remain on the blog.
Note: This only works for secondary blogs (not primary ones). Check out another recent post if you want to make a secondary tumblr blog a primary blog.


20 Steps to Cleaning Up WordPress After Being Hacked

One of the disadvantages (OK, it’s not a disadvantage but it is a consequence) of being ranked well in Google and getting a lot of traffic is that you are more prone to hack attempts.

One of my blogs was hacked for the third time in 12 months, this time being worse than before (and what prompted me to really improve my WordPress security). It was a painful process, but I was finally able to clean up my WordPress installation.

If you find yourself in a similar situation, here are 20 Steps to Cleaning Up WordPress After Being Hacked.

  1. Check to see if you’ve been hacked. The first step is to find out / confirm you’ve been hacked. I’ve talked about how I check if WordPress has been hacked before.
  2. Change your passwords. To ensure all of your clean-up efforts aren’t in vain, change the passwords for your site login, FTP and your database. These will be temporary passwords till you clean everything up.
  3. Backup your posts. Log in to WordPress and do a back up of all of your posts (Tools -> Export).
  4. Backup your uploads. To make sure you don’t lose images or other uploads, backup your uploads folder. You can do this by downloading the uploads folder (typically wp-content -> uploads) using FTP.
  5. Backup or make note of any custom changes. If you don’t want to lose any custom code changes you’ve made (such as custom functions, css or even wp-config settings), make sure you backup those individual files. This is critical if you’re using the Thesis theme (consider backing up the entire /custom folder).
  6. Backup your database. You definitely want to back up your database as this will allow you to get up and running much quicker.
  7. Make a list of plug-ins and themes. Your plugins and themes may also be infected so you’ll be getting fresh copies of those. Make a list of all the plugins and the theme you actually use (now’s a good time to purge the ones you don’t) so you can download fresh copies of those.
  8. Make sure everything you backed up is clean. It doesn’t matter what you do to clean a site if the backup you use to restore it has malicious code. Check the uploads folder you downloaded to make sure there are no .php files in it and run a virus scan on it. For any custom files you downloaded, open each one and make sure there’s no malicious code in it. For the database, run SQL statements to see if there’s anything in the posts themselves (follow Step 8 of this guide).
  9. Delete everything from your site. Depending on how bad the infection is, it may be easier to delete everything from the site and start fresh. You don’t always have to do this, but it’s the only way to ensure you don’t miss any malicious code. You can do this by going into FTP and deleting the WordPress files.
  10. Download and install a fresh copy of WordPress. Get the newest version of WordPress and install it on your site. Be sure to get a fresh set of security keys for your wp-config file.
  11. Connect WordPress to a database. If you know your database is clean, change the wp-config file to connect to your already existing database (just copy the database name from the old wp-config file). This is a huge help as all of your posts will be there. If it’s not clean, you’ll have to create a new database and import your posts from the backup you made in Step 3.
  12. Change your passwords (again). Now that you’ve removed all of the malicious code, change all of your passwords again (site, FTP and database) to make sure the hacker doesn’t have access to your fresh installations.
  13. Update permalinks and other settings. If you connected the new install to your old database, you’ll likely notice your posts don’t show up. Go into the Settings -> Permalinks and hit save to update the htaccess file and you should start seeing your posts. Update your other settings to your preferences if need be.
  14. Download and install your theme and plugins. Using the built-in theme / plugin manager (or from the sites themselves) download the newest version of the theme and plugins you actually use. If you re-connected your old database, your settings should be saved, but you may still have to hit the “save” button for each plugin for them to be activated.
  15. Re-upload your uploads. After you’ve ensured they are clean, you can add your “uploads” folder back into wp-content so your images and other files are available.
  16. Add back any text widgets. You’ll notice that you’re likely missing any HTML/Text widgets you created. You’ll have to manually add those back in, but you can find their contents if you search your database for widget text.
  17. Clean up weird characters. While you’re working with your database, you may notice weird characters in place of things like quote marks and dashes. You’ll have to do a find/replace in your database to clean up the weird characters.
  18. Scan your website. After you’ve made all these changes, you want to make sure no malicious code remains. You can use the scanners you used in Step 1 to confirm. If your site has been blacklisted by Google, you’ll have to let them know your site is now clean.
  19. Improve your WordPress security. Take steps now to prevent a future attack, including: 4 Ways to Improve WordPress Security with htaccess and Securing WP-Admin with htpasswd.
  20. Go outside. It’s been a long process, get away from the computer and do something fun.
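
For Step 8, one way to check a downloaded uploads folder from the shell before restoring it (an added example, not part of the original post). It goes beyond a plain search for .php files by also flagging other PHP-style extensions, PHP code inside files named like images, and .htaccess files; the function names, extension list and sample files are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: check a downloaded uploads/ backup before restoring it.
# Function names, the extension list and the sample files are assumptions.

# Files whose names a web server may hand to PHP. Which extensions actually
# execute depends on the server configuration, so the list is broad.
php_named_files() {
    find "$1" -type f \( -iname '*.php' -o -iname '*.php[0-9]' \
        -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php.*' \) \
        -print | LC_ALL=C sort
}

# Files of any name that contain a PHP opening tag, for example code
# stored in a file that is named like an image.
files_with_php_tag() {
    find "$1" -type f -exec grep -l -F -e '<?php' {} + 2>/dev/null \
        | LC_ALL=C sort
}

# .htaccess files inside uploads can change how files there are served.
htaccess_files() {
    find "$1" -type f -name '.htaccess' -print | LC_ALL=C sort
}

# Print everything that needs a manual look. Returns 0 only when nothing
# was flagged, so it can gate a restore script.
check_uploads_backup() {
    dir=$1
    hits=$( { php_named_files "$dir"; files_with_php_tag "$dir"
              htaccess_files "$dir"; } | LC_ALL=C sort -u )
    if [ -n "$hits" ]; then
        printf 'Review before restoring:\n%s\n' "$hits"
        return 1
    fi
    printf 'No PHP-like files found in %s\n' "$dir"
}

# Constructed sample backup: one clean image plus three files to flag.
make_sample_uploads() {
    up=$(mktemp -d)
    mkdir -p "$up/2012/02"
    printf 'constructed-image-bytes\n'          > "$up/2012/02/photo.jpg"
    printf '<?php /* constructed */ ?>\n'       > "$up/2012/02/thumb.php"
    printf 'GIF89a<?php /* constructed */ ?>\n' > "$up/2012/02/banner.gif"
    printf 'constructed\n'                      > "$up/2012/02/avatar.php.jpg"
    printf '%s\n' "$up"
}

# Demo run on the constructed backup.
sample_uploads=$(make_sample_uploads)
check_uploads_backup "$sample_uploads" || true
rm -rf -- "$sample_uploads"
```

A clean result here does not replace the virus scan the step also calls for.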

Sources / Further Reading

Securing WP-Admin with .htpasswd

I recently had yet another malware attack on one of my sites (this one was a doozy, a redirect script was installed in nearly every single php file on the site). Cleaning up WordPress after being hacked was a huge pain and made me want to be more proactive about my WordPress security.

In the past, I’ve followed many of the steps in Hardening WordPress from the WordPress Codex, including always trying to stay up-to-date with updates, using only sFTP and recently improving WordPress Security with htaccess. I decided that now was the time to try the additional step of securing WP-Admin.

Securing WP-Admin with htpasswd

The explanation for securing WP-Admin on the Codex page is lacking, so I followed the slightly less complicated tutorial on how to password protect directories in the resources section.

Even with the less complicated tutorial, I was still confused on exactly what I was supposed to be doing and what benefit it provided. A little more Googling led me to this post on htaccess Files and WordPress Security.

From there I was able to finally piece together that “securing WP-admin” meant adding an additional HTTP-based login prompt whenever you try to access your Admin Panel. Basically it means another layer that someone has to hack in order to access many of your files (which will throw off a lot of hackers and, perhaps more importantly, many bots trying to get in).

To actually set it up, it requires three steps:

1. Create a htpasswd file.

The first step is to create an htpasswd file that contains the usernames and passwords (encrypted) you want to have access to the wp-admin folder. Included in the above tutorial was a link to a great tool for generating your htpasswd file. Using that, I was able to create my htpasswd file, which I uploaded to the root directory of my hosting account (not of my site, but the home of my entire hosting account).

2. Add a htaccess file to wp-admin.

The second step was to add an htaccess file to the wp-admin folder of my WordPress installation, the content of which I pulled from this post on password protecting directories from DreamHost (my hosting provider):

AuthType Basic
AuthUserFile /home/USERNAME/.htpasswd
AuthName "My Private Area"
require valid-user

The AuthUserFile line specifies the location of the htpasswd file and is going to vary based on who your webhost is. Try browsing to your root directory using FTP, or search your webhosts support pages to find the directory.

AuthName just specifies the text you want to pop up in the login box.

After setting this up, I went to my WordPress Admin screen expecting a login prompt to appear. Sadly that didn’t happen, but instead I was hit with a 404 error, which led me to discovering the third step.

3. Modify the htaccess file in your site’s root directory.

After more Google hunting and pulling hair out, I found this explanation from the same password-protecting directories post from Step #2. The explanation is that WordPress will show your wp-admin page as a 404 error unless you add some additional directives to your htaccess file in your site’s root directory.

To make the changes, I made sure I downloaded the existing htaccess file from the site directory (so as not to lose previous changes I’ve made), and quickly opened the hidden file on a Mac.

I added the following lines at the top of the file (above the #Begin WordPress comment):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(failed_auth\.html).*$ [NC]
RewriteRule . - [L]
</IfModule>

I’ll be honest, I don’t know exactly what this does but it works. I don’t know if this is needed for all installs of WordPress or just the ones on Dreamhost, but after adding the additional directives in my htaccess file, I was finally up and running.

How to Check If WordPress Has Been Hacked

Sometimes it’s easy to know when you’ve been hacked. In my most recent instance, every page on my site redirected to a spam site. But, it’s not always that obvious. In the past I’ve been the victim of hacks that only redirect a percentage of visits, or only visits from certain browsers or Operating Systems.

So, how do you know if you’ve been hacked?

How to Check if WordPress Has Been Hacked

For me, I use a couple of different online scanners on my site to confirm. I use all of the below because sometimes what is missed in one scan is picked up in another. I’ve ranked these in order of how good I think they are:

  1. LookForBadGuys — This isn’t a traditional online scanner; it requires you to upload a file to your website, but as a result seems to find things other scanners don’t. It’s also more confusing to know what is valid and what isn’t, so read the page for ideas or search Google for anything you’re unsure of. For me any “base64_decode” lines have been a bad sign.
  2. Sucuri — This scanner is easy to use, just put your URL in the box and hit scan. It gives you a quick checklist of how things look and will tell you if your site has been blacklisted for spam from Google.
  3. Wepawet — This is a streamlined site just for scanning. It’s not as pretty as Sucuri but is a great place to check to see if either of the other two missed anything.

If you want to be proactive about it, there are sites out there (including Sucuri) that offer site monitoring for a monthly or yearly fee. I typically just check my site on my own and also monitor analytics traffic. If my traffic drops suddenly for some reason, it’s usually an indication of a hack.

If you have been hacked, consider checking out these posts on Cleaning Up WordPress After Being Hacked, 4 Ways to Improve WordPress Security with htaccess and Securing WP-Admin with htpasswd.

Have a better way of proactively monitoring your sites? Share it in the comments.

4 Ways to Improve WordPress Security with htaccess

Unfortunately in my time working with WordPress, I’ve been hacked on more than one occasion. Each time involved malicious code being added to some of my files that either showed spam on my site or redirected visitors to who-knows-where.

In order to improve the security of my WordPress sites, I started digging around to see what changes I should make, which led me to various tips on improving wordpress security using an enhanced htaccess file. Here are 4 Ways to Improve WordPress Security with htaccess.

1. Secure the htaccess file

Typically the only changes you’ll make to the htaccess file come from you directly uploading a new version through FTP. As a result, there’s no reason not to block any other type of access to the file. The following code blocks access to the htaccess file.

# protect the htaccess file
<files .htaccess>
order allow,deny
deny from all
</files>

2. Secure wp-config

Most of the time, you only make changes to wp-config when you first set up WordPress. After that, you don’t really have any reason to allow people to change / see it (it just allows people to see your database username and password). The following code blocks access to the wp-config file.

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

3. Block the Include-Only Files

Some files should never need to be accessed by a user. For WordPress, everything in wp-includes is used by the site itself, not other users. The following code blocks any scripts coming from wp-includes.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

4. Disable Directory Browsing

This isn’t necessarily limited to just WordPress, but in general you don’t want visitors to be able to browse through your web directories. The following code prevents them from doing so.

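# disable directory browsing
# (only Indexes is switched off; "All" would turn on every other option
# and cannot be combined with a -option on Apache 2.4)
Options -Indexes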

htaccess Sources

UPDATE February 2012: For additional security, you may also consider securing wp-admin with htpasswd.