WordPress is without doubt the most popular CMS at this moment in time, dwarfing other options such as Joomla and Drupal.
While this is good for WordPress, which now has a very large and active community contributing plug-ins, themes and fixes, that growth has a downside: when anything becomes this big, people will find ways to attack it for whatever reason they see fit.
Our job as WordPress users (aside from contributing to the WordPress community) is to keep our installs safe from people we do not want accessing our sites.
There are numerous plug-ins to help shore up WordPress defences, such as Login LockDown, which records IP addresses and blocks them after a set number of failed login attempts, which helps against brute-force attacks.
Another is WP Security Scan, which checks your install for vulnerabilities and suggests possible ways of fixing anything it finds.
One of the most neglected ways of keeping your install safe is applying updates as soon as they become available, which ensures all of the latest patches and fixes are applied to your site. (You can also remove the readme.html and license.txt files from the root directory, as they reveal which version of WordPress you have installed.)
Configuring the .htaccess file
Aside from plug-ins, there are a number of additions you can make to your .htaccess file which, in conjunction with plug-ins and regular updates, will tighten up your site's security and give you that extra level of protection.
I'm going to cover a few of these that I feel protect some of the essentials in your WordPress install and show you how and where to add the code snippets; you don't have to use every single one, just whatever you feel would help you secure your site.
The Order, Allow and Deny directives used in the snippets below are the Apache 2.2 access-control syntax. Apache 2.4 only accepts them when the mod_access_compat module is loaded; its native equivalents are Require all denied, Require all granted and Require ip <address>. Keep a backup of .htaccess and re-test the site after each change, because a syntax error in this file takes the whole site down with a 500 error.
The typical WordPress .htaccess file looks similar to this:
Code:
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
Protect wp-config.php
wp-config.php is the file in your root directory that stores information about your site as well as your database details; this file in particular we would not want to fall into the wrong hands.
In your .htaccess add the following to prevent any access to the wp-config.php file:
Code:
# block every HTTP request for wp-config.php (PHP still reads it from disk)
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Admin access from your IP only
You can limit who can access your admin folder by IP address. To do this you need to create a new .htaccess file in your text editor and upload it to your wp-admin folder.
The following snippet denies access to the admin folder for everyone except your IP address, but please note that if you have a dynamic IP you may have to alter this file regularly, otherwise you will be denied access yourself! Bear in mind too that themes and plug-ins call wp-admin/admin-ajax.php from the public front end, so a blanket IP restriction on wp-admin can break those features unless you exempt that file.
Code:
# replace 202.090.21.1 with your own IP address
order deny,allow
allow from 202.090.21.1
deny from all
Banning bad users
If you have the same IP address repeatedly trying to access your content or brute-force your admin pages, you can ban it using .htaccess with this simple snippet:
Code:
order allow,deny
deny from 202.090.21.1
allow from all
This person will now not be able to access your site. You can ban more addresses by replicating the deny line, for example:
Code:
order allow,deny
deny from 202.090.21.1
deny from 204.090.21.2
allow from all
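The admin whitelist uses "order deny,allow" while the ban list uses "order allow,deny", and getting the Order wrong silently inverts the result. The following script is an added example, not code from the original post: it mimics how Apache 2.2 decides a request under each Order so you can see both idioms at work (plus the common mistake of pairing "allow from <ip>" with "order allow,deny"), and it emits the Apache 2.4 Require form of each rule set. The rule text and the documentation-range addresses are constructed samples, and hostnames or partial addresses are deliberately out of scope.

```python
"""Evaluator for Apache 2.2 host-access rules (Order / Allow from / Deny from).

Added example, not code from the original post: it models Apache's decision
for a client address under each Order and emits the Apache 2.4 'Require'
equivalent.  All rule text and addresses below are constructed samples."""

import ipaddress
from dataclasses import dataclass, field
from typing import List

# Constructed samples mirroring the snippets above (documentation-range IPs).
ADMIN_WHITELIST = """order deny,allow
allow from 203.0.113.10
deny from all"""

BAN_LIST = """order allow,deny
deny from 203.0.113.10
deny from 198.51.100.0/24
allow from all"""

DENY_EVERYONE = """order allow,deny
deny from all"""

# Common mistake: under allow,deny the 'deny from all' wins, locking out the listed IP too.
BROKEN_WHITELIST = """order allow,deny
allow from 203.0.113.10
deny from all"""


@dataclass
class AccessRules:
    order: str = "deny,allow"          # Apache's default Order
    allow: List[str] = field(default_factory=list)
    deny: List[str] = field(default_factory=list)


def parse_rules(text: str) -> AccessRules:
    """Parse Order/Allow/Deny lines; comments and Satisfy are accepted and ignored."""
    rules = AccessRules()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        key = parts[0].lower()
        if key == "order" and len(parts) == 2:
            rules.order = parts[1].lower()
        elif key in ("allow", "deny") and len(parts) >= 3 and parts[1].lower() == "from":
            (rules.allow if key == "allow" else rules.deny).extend(parts[2:])
        elif key != "satisfy":
            raise ValueError(f"unsupported directive: {line}")
    return rules


def _matches(client: str, spec: str) -> bool:
    """True when the client address matches one host spec ('all', an IP or a CIDR)."""
    if spec.lower() == "all":
        return True
    try:
        return ipaddress.ip_address(client) in ipaddress.ip_network(spec, strict=False)
    except ValueError:
        return False   # hostnames and partial addresses are not modelled here


def is_allowed(rules: AccessRules, client: str) -> bool:
    """Apply Apache 2.2 semantics for the given Order."""
    allowed = any(_matches(client, s) for s in rules.allow)
    denied = any(_matches(client, s) for s in rules.deny)
    if rules.order == "deny,allow":
        # Deny is evaluated first, a matching Allow overrides it, default is allow.
        return allowed or not denied
    # allow,deny (and mutual-failure): Allow first, any Deny match wins, default is deny.
    return allowed and not denied


def to_apache24(rules: AccessRules) -> str:
    """Emit the mod_authz_core (Apache 2.4) equivalent of the two idioms used above."""
    allow_ips = [s for s in rules.allow if s.lower() != "all"]
    deny_ips = [s for s in rules.deny if s.lower() != "all"]
    allow_all = len(allow_ips) != len(rules.allow)
    deny_all = len(deny_ips) != len(rules.deny)
    if deny_all and not allow_all:                       # whitelist shape
        if rules.order != "deny,allow" or not allow_ips:
            return "Require all denied"                  # 'deny from all' wins
        return "Require ip " + " ".join(allow_ips)
    if allow_all and not deny_all:                       # ban-list shape
        if rules.order == "deny,allow" or not deny_ips:
            return "Require all granted"                 # 'allow from all' wins
        nots = "\n".join(f"    Require not ip {ip}" for ip in deny_ips)
        return f"<RequireAll>\n    Require all granted\n{nots}\n</RequireAll>"
    raise ValueError("rule shape not covered by this example")


if __name__ == "__main__":
    samples = [("admin whitelist", ADMIN_WHITELIST), ("ban list", BAN_LIST),
               ("deny everyone", DENY_EVERYONE), ("broken whitelist", BROKEN_WHITELIST)]
    for name, text in samples:
        rules = parse_rules(text)
        verdicts = {ip: is_allowed(rules, ip) for ip in ("203.0.113.10", "198.51.100.7", "192.0.2.1")}
        print(f"{name}: {verdicts}\n{to_apache24(rules)}\n")
```

Running the script prints, for each sample, which of the three test addresses would get in and the Apache 2.4 directives that express the same policy; the "broken whitelist" case shows that "order allow,deny" with "deny from all" shuts out the whitelisted address as well.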
No directory browsing
As WordPress is now so popular, many people know the structure of a WordPress install and know where to look to discover which plug-ins you use, or any other files that might give away too much information about your site. One way to combat this is to prevent directory browsing:
Code:
# directory browsing
# "Options -Indexes" on its own is the safer form: "All" also switches on
# every other option the server permits, such as ExecCGI and Includes
Options All -Indexes
Prevent Access To wp-content
The wp-content folder contains images, themes and plug-ins, and it's a very important folder within your WordPress install, so it makes sense to prevent outsiders accessing it.
This requires its very own .htaccess file, which must be added to the wp-content folder. It allows users to see images, CSS etc. but protects the important PHP files:
Code:
Order deny,allow
Deny from all
# re-allow only the static file types your themes and plug-ins serve;
# extend this list (fonts, for instance) if something stops rendering
<FilesMatch "\.(css|js|jpe?g|png|gif|xml)$">
Allow from all
</FilesMatch>
Individual File Protection
There are certain files you might want to protect individually rather than blocking a whole folder. The example snippet shows how you would prevent access to the .htaccess file; it returns a 403 to anyone who requests it. The file name can be changed to whatever file you wish to protect:
Code:
# Protect the .htaccess (change the file name to protect another file)
<Files .htaccess>
order allow,deny
deny from all
</Files>
Protect .htaccess
Sounds crazy, huh? We spend so much time worrying whether we have the right plug-ins and fixes installed that we overlook the fact that the .htaccess file is still open to attack.
This snippet stops anyone viewing any file on your site whose name begins with ".hta" (such as .htaccess), which makes it somewhat safer:
Code:
<FilesMatch "^\.hta">
order allow,deny
deny from all
satisfy all
</FilesMatch>
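Once the rules above are in place, the sensible next step is to confirm from the outside that each protected path really answers with a 403 (or a 404 for the files you deleted) and that no directory still returns an Apache index page. The script below is an added example, not code from the original post or from WordPress: it requests each path on a site you administer and lists the ones that are still exposed. The path list, the expected outcomes and the stub responses used by the offline demo are constructed assumptions; the HTTP fetch is injectable so the same logic runs against the stub or a live site.

```python
"""Post-change audit of the paths the .htaccess snippets above protect.

Added example, not code from the original post.  It requests each path on
your own site and reports any that still answer the way an unprotected
install would.  The fetch function is injectable; the demo at the bottom
uses a stub with constructed responses so the script also runs offline."""

import sys
import urllib.error
import urllib.request
from typing import Callable, Dict, List, Tuple
from urllib.parse import urlsplit

# (path, check kind, which rule above should cover it) -- constructed list
# "blocked":    expect 403, or 404 for files you removed such as readme.html
# "no-listing": whatever the status, the body must not be an Apache directory index
CHECKS: List[Tuple[str, str, str]] = [
    ("/wp-config.php", "blocked", "<Files wp-config.php> rule"),
    ("/.htaccess", "blocked", "'.hta' FilesMatch rule"),
    ("/wp-admin/", "blocked", "wp-admin IP whitelist (run this from a non-listed address)"),
    ("/wp-content/index.php", "blocked", "wp-content PHP rule"),
    ("/readme.html", "blocked", "file removed to hide the version number"),
    ("/license.txt", "blocked", "file removed to hide the version number"),
    ("/wp-content/plugins/", "no-listing", "Options -Indexes"),
    ("/wp-content/uploads/", "no-listing", "Options -Indexes"),
]

Fetch = Callable[[str], Tuple[int, str]]


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Report a redirect instead of following it: a reachable wp-admin/ answers 302 to wp-login.php."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def fetch_http(url: str, timeout: float = 10.0) -> Tuple[int, str]:
    """GET url and return (status, first 4 KiB of body); 3xx/4xx are data here, not errors."""
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(url, timeout=timeout) as resp:
            return resp.status, resp.read(4096).decode("utf-8", "replace")
    except urllib.error.HTTPError as err:
        return err.code, err.read(4096).decode("utf-8", "replace")


def audit(base_url: str, fetch: Fetch = fetch_http) -> Dict[str, Tuple[int, bool]]:
    """Return {path: (status, passed)} for every entry in CHECKS."""
    base = base_url.rstrip("/")
    results: Dict[str, Tuple[int, bool]] = {}
    for path, kind, _why in CHECKS:
        status, body = fetch(base + path)
        if kind == "blocked":
            passed = status in (403, 404)
        else:
            passed = "Index of /" not in body
        results[path] = (status, passed)
    return results


def exposed(results: Dict[str, Tuple[int, bool]]) -> List[str]:
    """One readable line per failed check."""
    why = {path: reason for path, _kind, reason in CHECKS}
    return [f"{path} -> HTTP {status}: expected to be covered by {why[path]}"
            for path, (status, passed) in results.items() if not passed]


# Constructed stub: what a site with two of the rules still missing would answer.
STUB_RESPONSES = {
    "/wp-config.php": (200, "<?php define('DB_NAME', ..."),              # rule missing
    "/.htaccess": (403, "<title>403 Forbidden</title>"),
    "/wp-admin/": (403, "<title>403 Forbidden</title>"),
    "/wp-content/index.php": (403, "<title>403 Forbidden</title>"),
    "/readme.html": (404, "<title>Page not found</title>"),
    "/license.txt": (404, "<title>Page not found</title>"),
    "/wp-content/plugins/": (200, "<title>Index of /wp-content/plugins</title>"),  # listing on
    "/wp-content/uploads/": (200, ""),                                    # empty index.php
}


def stub_fetch(url: str) -> Tuple[int, str]:
    """Offline stand-in for fetch_http, keyed on the URL path."""
    return STUB_RESPONSES[urlsplit(url).path]


if __name__ == "__main__":
    # usage: python audit.py https://your-site.example   (no argument = offline demo)
    if len(sys.argv) > 1:
        results = audit(sys.argv[1])
    else:
        results = audit("https://example.com", stub_fetch)
    for line in exposed(results) or ["all checks passed"]:
        print(line)
```

Run it against the scheme your site actually serves (an http:// URL that redirects to https:// would report 301 for every path). The directory checks inspect the body rather than the status because WordPress ships an empty index.php in wp-content and its sub-folders, so a 200 on its own says nothing about whether listings are disabled.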
We have covered how to ban users, how to prevent anyone but you accessing your admin folder, how to prevent directory browsing, and how to protect your wp-config.php file, your wp-content folder, individual files and even the .htaccess file itself.
This list of snippets is by no means exhaustive; there are a number of other things you can do to protect your site via .htaccess, but the items I have covered help to protect some of the key files and folders on your site and keep them away from prying eyes.
OFF OUR TUTORIAL SITE