Securing WMS against unauthorized access?

The OGC spec only mandates the use of HTTP. If it is compliant HTTP it should be okay.

Some possible methods:

  • HTTP Basic Authentication (password sent as plain text, may have limited client support)
  • HTTP Digest Authentication (more secure, may have limited client support)
  • Filter IP address of client (easy to implement but not particularly secure).
  • Secret URL. Use a GUID to generate an un-guessable URL. Assumes that clients will keep URL secret. Much simpler for user to use than password entry. Guaranteed client support.
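
The secret URL method from the list above, sketched as an added example that is not part of the original answer: a small WSGI middleware placed in front of a WMS application. The names SecretUrlGate, new_token, demo_wms and fetch are hypothetical, and issuing one token per client so that a single one can be revoked is an assumption of this sketch.

```python
import hmac
import uuid


def new_token():
    """Random GUID as 32 hex chars; uuid4() draws its 122 random bits from os.urandom."""
    return uuid.uuid4().hex


class SecretUrlGate:
    """WSGI middleware: the wrapped WMS app answers only under /<token>/..."""

    def __init__(self, app, tokens):
        self.app = app
        self.tokens = dict(tokens)  # token -> client label (assumed: one token per client)

    def client_for(self, candidate):
        found = None
        for token, client in self.tokens.items():
            # Constant-time comparison, and no early exit from the loop.
            if hmac.compare_digest(candidate.encode(), token.encode()):
                found = client
        return found

    def __call__(self, environ, start_response):
        candidate, _, rest = environ.get("PATH_INFO", "").lstrip("/").partition("/")
        client = self.client_for(candidate)
        if client is None:
            # Same 404 for a wrong token and for no token: nothing to tell them apart.
            start_response("404 Not Found", [("Content-Type", "text/plain")])
            return [b"Not Found\n"]
        # Strip the token so the backend sees its usual path; record who asked.
        environ = dict(environ, PATH_INFO="/" + rest, REMOTE_USER=client)
        environ["SCRIPT_NAME"] = environ.get("SCRIPT_NAME", "") + "/" + candidate
        return self.app(environ, start_response)


def demo_wms(environ, start_response):
    """Stand-in for the real WMS backend (constructed for this example)."""
    start_response("200 OK", [("Content-Type", "text/plain")])
    return [("%s %s" % (environ["REMOTE_USER"], environ["PATH_INFO"])).encode()]


def fetch(app, path):
    """Drive a WSGI app with a minimal constructed request; returns (status, body)."""
    seen = []
    body = b"".join(app({"PATH_INFO": path, "QUERY_STRING": ""},
                        lambda status, headers: seen.append(status)))
    return seen[0], body
```

Because the token is part of the URL, it is written to web server and proxy access logs and is readable on the wire over plain HTTP, so this only holds up when served over HTTPS.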

This OGC post from 2005 says:

There are no specific security aspects that are part of the OGC WMS/WFS/WCS Interface Specifications. Instead, security and authentication is best handled at another layer in the processing stack.


If security through obscurity is enough for your purposes you might configure a false extent for the layer:

Just use coordinates on the other side of the Earth. The layer will still appear in the layer list, requests will still be possible, but if a user simply selects it in a GIS software and chooses "zoom to layer" he will not see anything and might think that this layer is simply empty or does not work. An application knowing the correct extent of the layer should still be able to access it.

I have already seen this solution applied on some WMS sites, but it is probably not completely conformant to OGC standards as the server returns an incorrect extent.