digitalFAQ.com Forum (https://www.digitalfaq.com/forum/)
-   Website and Server Troubleshooting (https://www.digitalfaq.com/forum/web-tech/)
-   -   A few quick .htaccess tips to secure WordPress (https://www.digitalfaq.com/forum/web-tech/4107-few-quick-htaccess.html)

kpmedia 04-12-2012 10:41 AM

A few quick .htaccess tips to secure WordPress
 
Although this is far from being a complete list on how you can secure WordPress, it does add some decent security that's missing by default. Simply leverage the access permissions by writing some code in the Linux .htaccess files. These rules work great on sites that have only a single admin/writer, or a few writers. If your WP site lets anybody register, or requires registration to leave comments, then you'll have a much harder time locking down the site.

To increase your WordPress security, consider adding these access rules:

Tip #1 - Prevent all access to the wp-config file
Code:

# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

Tip #2 - Prevent all access to wp-register
Code:

# protect wp-register.php
<files wp-register.php>
order allow,deny
deny from all
</files>

^ Only use this one on sites where nobody will register via WordPress. Do this in addition to disabling registrations in the wp-admin.
These days, it's almost safer to just use a Facebook comments plugin, and skip WordPress native comments. Less spam, too!

Tip #3 - Prevent all access to .htaccess:
Code:

# protect htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

Tip #4 - Deny access to wp-login based on IP, due to not being listed as an allowed range:
Code:

<Files wp-login.php>
order deny,allow
deny from all
allow from 1.
allow from 2.3.
allow from 4.5.6.
allow from 7.8.9.10
</Files>

^ This rule needs customization. The numbers are examples. What it does is prevent any access from IP addresses (full or partial) NOT listed. You generally want to use as few as possible. For example, 24. is all AT&T networks in North America, and could be safely added.

IP addresses are described as such:
x. = /8 range
1.x. = /16 range
1.2.x. = /24 range
1.2.3.x = /32 range

I'd never allow more than a /16 range. Use WhatIsMyIP.com to figure out all your possible IP addresses at home, work, mobile phones, favorite web cafes, etc. Then enter the /16 ranges for those places. This makes it so only you can access WordPress admin. It's hard to brute force WP when you can't even get to the backend!

Tip #5 - Use the Login-Lockdown plugin, too, and tweak the values (the default ones suck). Note that it does work up to at least WordPress 3.3, regardless of the "up to 2.8.4" claimed on the official WordPress.org site, and probably will on future versions for the foreseeable future. (It was simply written when 2.8.4 was the current version, and then development seems to have stopped.)

Tip #6 - Good password? Be sure the WordPress password isn't weak. USe-A-c0mpl3x-p4$S_!! -- not "atlanta" or "bravesrule" or whatever.

______________________

Also note that the #1 reason WP sites get hacked is because of exploited themes and plugins!

It's not necessarily because anything is "outdated" as many lemmings (morons) claim, including quite a few web hosts, but simply that something (new or old) has been exploited. So always watch plugin/theme updates to see if security patches were made. Same for versions of WordPress -- newer isn't always "safer" and sometimes just breaks plugins/themes, so you don't have to be an upgrade junkie in the interest of security. It just doesn't work that way. Simply watch for security patches. Sometimes these can be applied manually (no update/upgrade required), and sometimes it does require an update.

Be safe. :thumb:

______________________

Bonus tip: Be very sure to add anti-hotlinking in the root .htaccess, too:
Code:

# block image hotlinking: allow an empty referer and your own domain, forbid everything else
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?mydomain\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]

"RewriteEngine on" is probably already there, if using custom permalinks in WordPress. Save your bandwidth. :)

______________________
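The Tip #4 allow list and the /8, /16, /24, /32 table above can be checked outside Apache. This is an added example, not code from kpmedia or the thread: it translates the partial-IP "allow from" form into the CIDR networks the table describes, tests a client address against the list the way Apache's prefix match does, and scans access-log lines for wp-login.php requests that came from outside the allowed ranges (those should all be 403 if the rule is active). The allow list and the log lines are constructed for the demo and use documentation address ranges.

```python
"""Added example: model the Tip #4 allow list and check access-log lines against it.

The allow list and the sample log lines below are constructed for this demo;
they are not from a real site.
"""
import ipaddress
import re

# Constructed allow list in the same shape as the post's Tip #4 rule.
ALLOW_FROM = ["1.", "2.3.", "4.5.6.", "7.8.9.10"]


def partial_to_network(partial):
    """Map an Apache partial address to a CIDR network on an octet boundary:
    '1.' -> 1.0.0.0/8, '2.3.' -> 2.3.0.0/16, '4.5.6.' -> 4.5.6.0/24,
    '7.8.9.10' -> 7.8.9.10/32.  Anything else is rejected."""
    octets = [o for o in partial.strip().split(".") if o != ""]
    if not 1 <= len(octets) <= 4 or not all(
        o.isdigit() and int(o) <= 255 for o in octets
    ):
        raise ValueError("bad partial address: %r" % partial)
    padded = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.IPv4Network("%s/%d" % (padded, 8 * len(octets)))


def is_allowed(client_ip, allow_from=ALLOW_FROM):
    """True if client_ip falls inside any listed range; with 'order deny,allow'
    and 'deny from all', exactly these addresses reach wp-login.php."""
    ip = ipaddress.IPv4Address(client_ip)
    return any(ip in partial_to_network(p) for p in allow_from)


# Combined-log-format prefix: client IP, ident, user, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def login_hits_outside_allowlist(log_lines, allow_from=ALLOW_FROM):
    """Return (ip, status) for every wp-login.php request whose client is not
    in the allow list.  Under the .htaccess rule these should all be 403s; any
    other status means the rule is not in effect for that path."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if m is None:
            continue
        if not m.group("path").startswith("/wp-login.php"):
            continue
        if not is_allowed(m.group("ip"), allow_from):
            hits.append((m.group("ip"), int(m.group("status"))))
    return hits


# Constructed sample log lines (documentation address ranges, not real clients).
SAMPLE_LOG = [
    '2.3.44.5 - - [12/Apr/2012:10:41:00 -0500] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.9 - - [12/Apr/2012:10:42:10 -0500] "POST /wp-login.php HTTP/1.1" 403 214',
    '198.51.100.7 - - [12/Apr/2012:10:42:11 -0500] "GET /wp-login.php?action=lostpassword HTTP/1.1" 403 214',
    '198.51.100.7 - - [12/Apr/2012:10:42:12 -0500] "GET /index.php HTTP/1.1" 200 5120',
    '7.8.9.10 - - [12/Apr/2012:10:43:00 -0500] "GET /wp-login.php HTTP/1.1" 200 1800',
]

if __name__ == "__main__":
    for p in ALLOW_FROM:
        print("allow from %-10s -> %s" % (p, partial_to_network(p)))
    for ip, status in login_hits_outside_allowlist(SAMPLE_LOG):
        print("wp-login.php from outside allow list: %s (HTTP %d)" % (ip, status))
```

Running it against a real access log is a quick way to confirm the rule is actually applied (every outside hit is a 403) and to see how much login traffic the allow list is turning away.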


admin 04-12-2012 12:20 PM

If you're using Windows Server 2008 IIS7 instead of Linux, then you'll need to install Helicon APE or Micronovae IIS Mod-Rewrite to translate IIS rewrites to .htaccess syntax. --- Assuming the IIS rewrite module is installed! If not, install it from http://www.iis.net/download/urlrewrite

While many people insist you cannot use .htaccess on Windows, that's a myth, and reflects that person's lack of knowledge on the subject. Using .htaccess was possible back in the days of IIS6, too, on Windows Server 2003. It may have even worked on IIS5, but it's not something that I had attempted prior to 2003. Helicon has long made htaccess-like software, though some of them were not 100% 1:1 on syntax. Modern ones are 1:1 for supported commands and variables.

Leah 09-04-2014 01:33 AM

Hi @kpmedia

What is the purpose of Tip #5 - Use the Login-Lockdown plugin
if you have Tip #4 - Deny access to wp-login based on IP ?
(I'd like to know if the plugin serves a purpose if I am using Tip#4 so that I avoid having too many plugins)

Also, what File Permissions would you recommend for WordPress? I stumbled on this but I'm not sure if this is the best permissions to use.

Quote:

The file permissions for wordpress files/folders should be:

File/Folder Name      Directory             Correct Permission
Root Directory        /                     0755
.htaccess             /.htaccess            0644
wp-admin/index.php    /wp-admin/index.php   0644

Depending on what operating system you are using there are many ways to change these permissions
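The quoted table only lists three entries; the same 0755-for-directories, 0644-for-files scheme can be checked across a whole document root. This is an added example, not code from the thread or from WordPress: it walks a directory tree and reports every directory or regular file whose permission bits differ from that scheme. run_demo() builds a small constructed WordPress-like tree in a temporary directory with two deliberate mistakes (a world-writable wp-config.php and a world-writable uploads directory) and returns what the audit finds. It relies on POSIX mode bits, so it is not meaningful on Windows.

```python
"""Added example: audit a WordPress tree against the 0755 / 0644 scheme.

The sample tree built by build_sample_site() is constructed demo data, not a
real install.
"""
import os
import shutil
import stat
import tempfile

EXPECTED_DIR_MODE = 0o755
EXPECTED_FILE_MODE = 0o644


def audit_permissions(root):
    """Return sorted (path relative to root, actual mode) for every directory
    or regular file whose permission bits differ from the expected scheme.
    Symlinks are skipped: their own mode bits are not meaningful."""
    problems = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        shown = "/" if rel == "." else "/" + rel.replace(os.sep, "/")
        mode = stat.S_IMODE(os.lstat(dirpath).st_mode)
        if mode != EXPECTED_DIR_MODE:
            problems.append((shown, mode))
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode != EXPECTED_FILE_MODE:
                rel_file = os.path.relpath(full, root).replace(os.sep, "/")
                problems.append(("/" + rel_file, mode))
    return sorted(problems)


def build_sample_site(base):
    """Construct a tiny WordPress-like tree under base (demo data only)."""
    files = {
        ".htaccess": 0o644,
        "wp-config.php": 0o666,                      # deliberately wrong
        "wp-admin/index.php": 0o644,
        "wp-content/uploads/2012/04/photo.jpg": 0o644,
    }
    for rel, mode in files.items():
        full = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("placeholder\n")
        os.chmod(full, mode)
    # Normalise every directory (including the root) to 0755 ...
    for dirpath, _d, _f in os.walk(base):
        os.chmod(dirpath, EXPECTED_DIR_MODE)
    # ... then break one on purpose so the audit has something to find.
    os.chmod(os.path.join(base, "wp-content", "uploads"), 0o777)


def run_demo():
    """Build the sample tree in a temp dir, audit it, clean up, return findings."""
    base = tempfile.mkdtemp(prefix="wp-perms-")
    try:
        build_sample_site(base)
        return audit_permissions(base)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for path, mode in run_demo():
        print("%-40s %04o" % (path, mode))
```

Point audit_permissions() at a real document root to get the list of paths that need a chmod; an empty list means the tree already matches the quoted scheme.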



Site design, images and content © 2002-2024 The Digital FAQ, www.digitalFAQ.com
Forum Software by vBulletin · Copyright © 2024 Jelsoft Enterprises Ltd.