A few quick .htaccess tips to secure WordPress
Although this is far from being a complete list on how you can secure WordPress, it does add some decent security that's missing by default. Simply leverage the access permissions by writing some code in the Linux .htaccess files. These rules work great on sites that have only a single admin/writer, or a few writers. If your WP site lets anybody register, or requires registration to leave comments, then you'll have a much harder time locking down the site.
To increase your WordPress security, consider adding these access rules:

Tip #1 - Prevent all access to the wp-config file
Code:
# protect wp-config.php

Tip #2 - Prevent all access to wp-register.php
Code:
# protect wp-register.php

These days, it's almost safer to just use a Facebook comments plugin and skip WordPress native comments. Less spam, too!

Tip #3 - Prevent all access to .htaccess:
Code:
# protect htaccess

Tip #4 - Deny access to wp-login based on IP
Code:
<files wp-login.php>

IP addresses are described as such:
x. = /8 range
1.x. = /16 range
1.2.x. = /24 range
1.2.3.x = /32 range

I'd never allow more than a /16 range. Use WhatIsMyIP.com to figure out all your possible IP addresses at home, work, mobile phones, favorite web cafes, etc. Then enter the /16 ranges for those places. This makes it so only you can access WordPress admin. It's hard to brute force WP when you can't even get to the backend!

Tip #5 - Use the Login-Lockdown plugin, too, and tweak the values (the default ones suck). Note that it does work up to at least WordPress 3.3, regardless of the "up to 2.8.4" claimed on the official WordPress.org site, and probably will on future versions for the foreseeable future. (It was simply written when 2.8.4 was the current version, and then development seems to have stopped.)

Tip #6 - Good password? Be sure the WordPress password isn't weak. USe-A-c0mpl3x-p4$S_!! -- not "atlanta" or "bravesrule" or whatever.

Also note that the #1 reason WP sites get hacked is because of exploited themes and plugins! It's not necessarily because anything is "outdated" as many lemmings (morons) claim, including quite a few web hosts, but simply that something (new or old) has been exploited. So always watch plugin/theme updates to see if security patches were made. Same for versions of WordPress -- newer isn't always "safer" and sometimes just breaks plugins/themes, so you don't have to be an upgrade junkie in the interest of security. It just doesn't work that way. Simply watch for security patches. Sometimes these can be applied manually (no update/upgrade required), and sometimes it does require an update. Be safe. :thumb:

Bonus tip: Be very sure to add anti-hotlinking in the root .htaccess, too:
Code:
RewriteEngine on
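The following is an added example of a complete .htaccess that implements Tips #1 through #4 and the anti-hotlinking bonus tip in one file; it is not the code from the original post. It assumes Apache 2.4 (the mod_authz_core "Require" syntax), mod_rewrite loaded, and an AllowOverride setting for the WordPress document root that permits Limit, AuthConfig and FileInfo overrides. The IP ranges and the hostname example.com are placeholders to replace with your own.

```apache
# Added example: .htaccess for the WordPress document root.
# Assumes Apache 2.4 syntax; on Apache 2.2 replace "Require all denied" with
# "Order allow,deny" + "Deny from all", and "Require ip X" with "Allow from X"
# inside an "Order deny,allow" / "Deny from all" block.
# Keep these rules OUTSIDE the "# BEGIN WordPress ... # END WordPress" block,
# because WordPress rewrites that block whenever permalinks are saved.

# Tip #1 - nobody gets wp-config.php over HTTP. It holds the DB credentials
# and auth salts; if the PHP handler ever fails, Apache would serve it as text.
<Files wp-config.php>
    Require all denied
</Files>

# Tip #2 - the registration endpoint (only useful when you do not want
# self-registration at all).
<Files wp-register.php>
    Require all denied
</Files>

# Tip #3 - the .htaccess file itself, plus stray copies such as .htaccess.bak
# and .htpasswd (the leading-dot "^\.ht" pattern catches them all).
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# Tip #4 - wp-login.php answers only to your own networks.
# "Require ip" accepts a partial address (first 1-3 octets = /8, /16, /24),
# a CIDR block, or a single host. Multiple Require lines are OR-ed by default.
# The addresses below are placeholders (documentation/private ranges).
<Files wp-login.php>
    Require ip 127.0.0.1          # localhost, e.g. for cron/scripts
    Require ip 203.0.113.0/24     # home connection, /24 (placeholder)
    Require ip 10.1               # office VPN, partial prefix = 10.1.0.0/16 (placeholder)
</Files>

# Bonus tip - anti-hotlinking. Images are served when the Referer is empty
# (direct visits, privacy tools, some feed readers) or comes from this site;
# any other referer gets 403. [NC] makes both the host and extension match
# case-insensitive, [F] returns Forbidden, [L] stops rule processing.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?example\.com/ [NC]
RewriteRule \.(gif|jpe?g|png|webp)$ - [F,NC,L]
```

Two practical checks before relying on this: request https://yoursite/wp-config.php and https://yoursite/.htaccess from an outside address and confirm both return 403, and then request wp-login.php from an address outside the listed ranges and confirm the same. Restrict wp-login.php specifically rather than the whole wp-admin/ directory, since wp-admin/admin-ajax.php is called by front-end plugins and themes for anonymous visitors and blocking it breaks those features.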
If you're using Windows Server 2008 IIS7 instead of Linux, then you'll need to install Helicon APE or Micronovae IIS Mod-Rewrite to translate IIS rewrites to .htaccess syntax. --- Assuming the IIS rewrite module is installed! If not, install it from http://www.iis.net/download/urlrewrite
While many people insist you cannot use .htaccess on Windows, that's a myth, and reflects that person's lack of knowledge on the subject. Using .htaccess was possible back in the days of IIS6, too, on Windows Server 2003. It may have even worked on IIS5, but it's not something that I had attempted prior to 2003. Helicon has long made htaccess-like software, though some of them were not 100% 1:1 on syntax. Modern ones are 1:1 for supported commands and variables.
Hi @kpmedia
What is the purpose of Tip #5 - Use the Login-Lockdown plugin if you have Tip #4 - Deny access to wp-login based on IP? (I'd like to know if the plugin serves a purpose if I am using Tip #4, so that I avoid having too many plugins.) Also, what file permissions would you recommend for WordPress? I stumbled on this, but I'm not sure if these are the best permissions to use. Quote:
Site design, images and content © 2002-2024 The Digital FAQ, www.digitalFAQ.com
Forum Software by vBulletin · Copyright © 2024 Jelsoft Enterprises Ltd.