04-12-2012, 10:41 AM
kpmedia
Site Staff | Web Hosting, Photo
Although this is far from being a complete list on how you can secure WordPress, it does add some decent security that's missing by default. Simply leverage the access permissions by writing some code in the Linux .htaccess files. These rules work great on sites that have only a single admin/writer, or a few writers. If your WP site lets anybody register, or requires registration to leave comments, then you'll have a much harder time locking down the site.

To increase your WordPress security, consider adding these access rules:

Tip #1 - Prevent all access to the wp-config file
# protect wp-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>
Tip #2 - Prevent all access to wp-register
# protect wp-register.php
<files wp-register.php>
order allow,deny
deny from all
</files>
^ Only use this one on sites where nobody will register via WordPress. Do this in addition to disabling registrations in the wp-admin.
These days, it's almost safer to just use a Facebook comments plugin, and skip WordPress native comments. Less spam, too!

Tip #3 - Prevent all access to .htaccess:
# protect htaccess
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
Tip #4 - Deny access to wp-login based on IP, due to not being listed as an allowed range:
<files wp-login.php>
order deny,allow
deny from all
allow from 1.
allow from 2.3.
allow from 4.5.6.
allow from
</files>
^ This rule needs customization. The numbers are examples. What it does is prevent any access to IP addresses (full or partial) NOT listed. You generally want to use as few as possible. For example, 24. is all AT&T networks in North America, and could be safely added.

IP addresses are described as such:
x. = /8 range
1.x. = /16 range
1.2.x. = /24 range
1.2.3.x = /32 range

I'd never allow more than a /16 range. Use WhatIsMyIP.com to figure out all your possible IP addresses at home, work, mobile phones, favorite web cafes, etc. Then enter the /16 ranges for those places. This makes it so only you can access WordPress admin. It's hard to brute force WP when you can't even get to the backend!

Tip #5 - Use the Login-Lockdown plugin, too, and tweak the values (the default ones suck). Note that it does work up to at least WordPress 3.3, regardless of the "up to 2.8.4" claimed on the official WordPress.org site, and probably will on future versions for the foreseeable future. (It was simply written when 2.8.4 was the current version, and then development seems to have stopped.)

Tip #6 - Good password? Be sure the WordPress password isn't weak. USe-A-c0mpl3x-p4$S_!! -- not "atlanta" or "bravesrule" or whatever.


Also note that the #1 reason WP sites get hacked is because of exploited themes and plugins!

It's not necessarily because anything is "outdated" as many lemmings (morons) claim, including quite a few web hosts, but simply that something (new or old) has been exploited. So always watch plugin/theme updates to see if security patches were made. Same for versions of WordPress -- newer isn't always "safer" and sometimes just breaks plugins/themes, so you don't have to be an upgrade junkie in the interest of security. It just doesn't work that way. Simply watch for security patches. Sometimes these can be applied manually (no update/upgrade required), and sometimes it does require an update.

Be safe.


Bonus tip: Be very sure to add anti-hotlinking in the root .htaccess, too:
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?mydomain.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
"RewriteEngine on" is probably already there, if using custom permalinks in WordPress. Save your bandwidth.


Reply With Quote
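How the partial-address "allow from" lines in Tip #4 expand, as an added example that is not part of the original post: Apache 2.2 treats the first one to three octets as a subnet, so this script converts each line to CIDR, counts the addresses it admits, and checks client IPs against the list. The function names and the 192.0.2.10 address are assumptions made for the illustration, and only full or partial IPv4 addresses are handled.

```python
import ipaddress
import re

# Constructed sample: Tip #4's block plus one full address and an empty allow line.
SAMPLE_HTACCESS = """\
<files wp-login.php>
order deny,allow
deny from all
allow from 1.
allow from 2.3.
allow from 4.5.6.
allow from 192.0.2.10
allow from
</files>
"""

def prefix_to_network(spec):
    """Turn an Apache 2.2 full or partial IPv4 address into an IPv4Network."""
    octets = spec.rstrip(".").split(".")
    if not 1 <= len(octets) <= 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a full or partial IPv4 address: {spec!r}")
    padded = octets + ["0"] * (4 - len(octets))
    return ipaddress.ip_network(f"{'.'.join(padded)}/{8 * len(octets)}")

def parse_allow_lines(text):
    """Return (networks, problems) for every 'allow from' line in text."""
    networks, problems = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = re.match(r"\s*allow\s+from\b(.*)", line, re.IGNORECASE)
        if not m:
            continue
        specs = m.group(1).split()
        if not specs:
            problems.append(f"line {lineno}: 'allow from' has no address")
        for spec in specs:
            try:
                networks.append(prefix_to_network(spec))
            except ValueError as exc:
                problems.append(f"line {lineno}: {exc}")
    return networks, problems

def is_allowed(client_ip, networks):
    """True if client_ip is inside any allowed network; 'deny from all' covers the rest."""
    return any(ipaddress.ip_address(client_ip) in net for net in networks)

if __name__ == "__main__":
    nets, issues = parse_allow_lines(SAMPLE_HTACCESS)
    print(*(f"{n} admits {n.num_addresses:,} addresses" for n in nets), *issues, sep="\n")
```

Running it against your own allow list before uploading the .htaccess shows whether your current address is covered and how many other addresses each line lets through.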
04-12-2012, 12:20 PM
admin
Site Staff | Web Development
If you're using Windows Server 2008 IIS7 instead of Linux, then you'll need to install Helicon APE or Micronovae IIS Mod-Rewrite to translate IIS rewrites to .htaccess syntax. --- Assuming the IIS rewrite module is installed! If not, install it from http://www.iis.net/download/urlrewrite

While many people insist you cannot use .htaccess on Windows, that's a myth, and reflects that person's lack of knowledge on the subject. Using .htaccess was possible back in the days of IIS6, too, on Windows Server 2003. It may have even worked on IIS5, but it's not something that I had attempted prior to 2003. Helicon has long made htaccess-like software, though some of them were not 100% 1:1 on syntax. Modern ones are 1:1 for supported commands and variables.

Reply With Quote
09-04-2014, 01:33 AM
Leah
Free Member
Hi @kpmedia

What is the purpose of Tip #5 - Use the Login-Lockdown plugin
if you have Tip #4 - Deny access to wp-login based on IP ?
(I'd like to know if the plugin serves a purpose if I am using Tip #4, so that I avoid having too many plugins)

Also, what File Permissions would you recommend for WordPress? I stumbled on this but I'm not sure if this is the best permissions to use.

The file permissions for wordpress files/folders should be:

File/Folder Name      Directory              Correct Permission
Root Directory        /                      0755
.htaccess             /.htaccess             0644
wp-admin/index.php    /wp-admin/index.php    0644
Depending on what operating system you are using there are many ways to change these permissions
Reply With Quote