You may or may not already know that the vast majority of WordPress hacks begin with Google: hackers use search engines like Google to find vulnerable WordPress websites. If you do not apply the latest WordPress security standards, you may find your website being indexed for terms such as “WordPress Dashboard” or, worse yet, wp-content/plugins/vulnerable-plugin/.
This is why it is critical that you hide your “WP assets”: as seen in the screenshot, there are nearly 200,000 searches for WordPress vulnerabilities by hackers. Here is the template I use for the robots.txt file of every WordPress site I build:
User-Agent: *
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /wp-admin/
Disallow: /wp-login.php
Now I know some of you are thinking, “Hey, I get a lot of my images indexed and I don’t want to lose that SEO juice.” Personally, I think you may want to reconsider and try to drive traffic to the page the image is hosted on rather than to a direct link to the image file itself. However, there are circumstances where a direct link to the image works just as well, e.g. you are a photographer and watermark all your photos.
If that’s the case, add an Allow line for the uploads directory directly below the User-Agent line, before the first Disallow, so the template becomes:
User-Agent: *
Allow: /wp-content/uploads/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /wp-admin/
Disallow: /wp-login.php
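To see how the Allow and Disallow lines interact, here is an added example (not code from the post) that evaluates request paths against the second template above using the longest-match precedence that Google and RFC 9309 apply, under which the more specific Allow for /wp-content/uploads/ wins over the broader Disallow for /wp-content/ regardless of line order. The parser handles only the simple prefix rules the post uses (no wildcards or $ anchors).

```python
"""Evaluate the post's robots.txt template under the longest-match rule
(RFC 9309 / Google REP): the rule whose path matches the longest prefix wins,
and Allow wins a tie. Sample input below is the post's second template."""

ROBOTS_TXT = """\
User-Agent: *
Allow: /wp-content/uploads/
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /wp-admin/
Disallow: /wp-login.php
"""


def parse_rules(text, user_agent="*"):
    """Return (directive, path) rules from the group that applies to user_agent.

    Supports one or more User-Agent lines per group and plain Allow/Disallow
    path prefixes; comments after '#' and blank lines are ignored.
    """
    rules, active = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            active = value == user_agent
        elif active and field in ("allow", "disallow"):
            rules.append((field, value))
    return rules


def is_allowed(path, rules):
    """Longest matching prefix decides; Allow beats Disallow on equal length."""
    best_len, allowed = -1, True  # no matching rule at all means allowed
    for directive, prefix in rules:
        if not prefix or not path.startswith(prefix):  # empty Disallow = allow all
            continue
        if len(prefix) > best_len or (len(prefix) == best_len and directive == "allow"):
            best_len, allowed = len(prefix), directive == "allow"
    return allowed


if __name__ == "__main__":
    rules = parse_rules(ROBOTS_TXT)
    for p in ("/wp-content/uploads/2024/photo.jpg",
              "/wp-content/plugins/some-plugin/readme.txt", "/wp-login.php", "/about/"):
        print(p, "->", "allowed" if is_allowed(p, rules) else "disallowed")
```

A crawler that honours robots.txt will skip the disallowed paths, but the file itself is publicly readable and does not stop anyone from requesting those paths directly.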
For more details about the robots.txt file, please visit Wikipedia.org.
There have been some upgrades to WordPress that no longer require blocking your wp-admin directory, as it now contains a noindex meta tag in its header. Another upgrade to Google search, known as Panda, also requires access to your wp-includes and wp-content directories to render a preview of your pages (that’s where all your CSS and JavaScript is located). For more current information, please read this article by the makers of the WordPress SEO plugin.