One of the recommended ways to upgrade WordPress these days is with SVN. This is a convinient way of updating that is a lot quicker than the previous method. One of the problems with WordPress I’ve found over 4 years of running the software is that it has required many updates — I’ve almost never wanted any additional features, but there always seem to be new security holes. So a quicker way of updating is nice.
One of the things about updating with SVN, which does not appear to be discussed, is that it leaves a plethora of “.svn” directories on your webserver. Stored in these directories is the subversion source control info and backups of the working copy. By default, if you update with SVN, any user could browse the exact code that is running your blog. This sounds like a bad idea to me. While Wordpress is already open source, I don’t see any need to allow potential users/crackers/hackers/whatnot to browse through the exact code I’m running here.
.htaccess to the rescue.
You could configure your web servers config to deny access to any directory with “.svn” in it.
If you are only a user on a webserver with .htaccess, it gets a bit more tricky. You could put a .htaccess in each .svn directory. Easy with a script, but tough to maintain. Or you could use
mod_rewrite to make a simple rule that denies access to any pages with
/.svn in the path:
RewriteRule ^(.*\.svn.*)$ $1 [forbidden]