Locking Down wp-content With .htaccess, Thoughts?

Hi all,

I recently installed the Sucuri plugin for a client. One of the tools they have for hardening is an option to add a .htaccess file to the wp-content directory with the following code:

<Files *.php>
deny from all
</Files>

Long story short, it broke a shortcode plugin. Upon writing the theme author, I received a rather nasty response stating that doing this was totally unnecessary. All that was needed was an index.php file. He went on to say that he’d never seen anyone do such a thing, but if I were ‘paranoid’ I could delete the file while working with the text editor & replace it afterward.

Both Sucuri & BulletProof have a feature to add this file to the wp-content directory, as well as the wp-admin & wp-includes directories. I’m not sure if other plugins do this or not.

The rub is that there was recently a hack where base64 code was injected into the index.php file which *was* located in the wp-content directory and a couple others. Interestingly, there were only 3 files which had this injection and all of them were index.php files that were there to protect the very directories that wound up with the infection.

I’m interested in knowing if others here protect wp-content with .htaccess – and if you all think this will help prevent another hack from occurring. The theme author effectively scolded me and told me I would have to choose one or the other.

I’ve written Sucuri & haven’t heard back yet, but I wanted to get some unbiased opinions on this.

Thanks in advance for any replies.

~ Corey
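
An integrity check for the placeholder index.php files mentioned in the post, added here as an example and not taken from the original post, Sucuri or BulletProof. It assumes the default WordPress layout, where the stubs in wp-content, wp-content/plugins and wp-content/themes contain only a comment; the function names and the sample files are constructed for illustration.

```python
import os
import re
import tempfile

# Relative to wp-content: the placeholder index.php files WordPress core ships.
STUB_DIRS = ("", "plugins", "themes")

# PHP comments: /* ... */, and // or # up to a line break or a closing ?> tag.
# "#[" is excluded because PHP 8 parses it as an attribute, not a comment.
COMMENTS = re.compile(
    r"/\*.*?\*/|//(?:(?!\?>)[^\r\n])*|#(?!\[)(?:(?!\?>)[^\r\n])*", re.S)

def is_clean_stub(source):
    """True if the file holds only an opening tag, comments and whitespace."""
    body = source.lstrip("\ufeff").strip()
    if not body:
        return True                      # empty file: nothing to execute
    if not body.startswith("<?php"):
        return False                     # raw HTML, short tags, anything else
    rest = COMMENTS.sub("", body[len("<?php"):]).strip()
    return rest in ("", "?>")

def scan(wp_content, stub_dirs=STUB_DIRS):
    """Return stub paths (relative to wp_content) that contain more than comments."""
    flagged = []
    for rel in stub_dirs:
        path = os.path.join(wp_content, rel, "index.php")
        if not os.path.isfile(path):
            continue                     # a missing stub is not reported here
        with open(path, encoding="utf-8", errors="replace") as fh:
            if not is_clean_stub(fh.read()):
                flagged.append(os.path.join(rel, "index.php"))
    return flagged

def demo():
    """Build a constructed wp-content tree with one altered stub and scan it."""
    clean = "<?php\n// Silence is golden.\n"
    # Constructed sample: the encoded string is just the word "placeholder".
    altered = "<?php eval(base64_decode('cGxhY2Vob2xkZXI='));\n// Silence is golden.\n"
    with tempfile.TemporaryDirectory() as root:
        for rel, text in (("", clean), ("plugins", clean), ("themes", altered)):
            os.makedirs(os.path.join(root, rel), exist_ok=True)
            with open(os.path.join(root, rel, "index.php"), "w") as fh:
                fh.write(text)
        return scan(root)

if __name__ == "__main__":
    print(demo())
```

Theme and plugin subdirectories are deliberately not walked, since a theme's own index.php is a real template and would always be flagged.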