Skip to main content

Simply secure your WordPress via .htaccess

As a system administrator I see on regular base sites being hacked and when you analyse the webserver log files most sites are being hacked through insecure scripts.

A lot hacking and sniffing scripts are scanning for vulnerabilities in WordPress. You can try to block those scanning scripts with plugins, but I don’t think that is the correct way to block those scanners. The scripts are extra vulnerabilities, because you have more code in your WordPress install. Most of the time have no idea who wrote te code and how secure the code is.

My own way of blocking most of those scripts is by using the .htaccess file. This is a file that changes the configuration of your Apache webserver and is therefore running before your WordPress code is reached.
So if you are using an other server than Apache (e.g. NginX or ISS) webserver you can apply all those rules, but none will apply.
The code in the following block doesn’t make the code of your site better. It gives other people no access to your to try if they can find a Vulnerabilities that they can exploit.

Block some default files

First block the files that are not needed for the public to run your WordPress install. People can only use them to gather more info about your site.

# Rules to block access to WordPress specific files
<files .htaccess>
	Order allow,deny
	Deny from all
</files>
<files readme.html>
	Order allow,deny
	Deny from all
</files>
<files readme.txt>
	Order allow,deny
	Deny from all
</files>
<files install.php>
	Order allow,deny
	Deny from all
</files>
<files wp-config.php>
	Order allow,deny
	Deny from all
</files>

Directory listing

Disable directory listing, probably your webhoster has this disabled by default, but if not. Add this line to your .htaccess
With this line you are not able to list files in folders, where no index files are (index.php, or index.html)(e.g. the uploads folder of WordPress)

# Rule to disable directory browsing
Options -Indexes

Prevent access to php files

The following block is a way to block execution of php files, in several folders. This means that webserver is able to use all the files in thos folders, but the files aren’t reachable from the webbrowser.

Especially  php prevention script in uploads is a great tool, because most of the time when a WordPress Site gets Hacked, the hackers place nasty php scriptsin the uploads folder.

<IfModule mod_rewrite.c>
RewriteEngine On
# Rules to protect wp-includes
RewriteRule ^wp-admin/includes/ - [F]
RewriteRule !^wp-includes/ - [S=3]
RewriteCond %{SCRIPT_FILENAME} !^(.*)wp-includes/ms-files.php
RewriteRule ^wp-includes/[^/]+\.php$ - [F]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F]
RewriteRule ^wp-includes/theme-compat/ - [F]

# Rule to prevent php execution in uploads
RewriteRule ^(.*)/uploads/(.*).php(.?) - [F]
</IfModule>

Prevent access to php files in plugins and themes

The next one is a risky one, Especially when you use plugins of themes that directly load php files from there folder.WordPress is Build in a way that all code is requested through the index.php and you don’t need access to other php files, (excluding admin-ajax.php, xmlrpc.php and maybe som API urls). The risky part is that a lot of developers putting their plugin and theming code online but require direct access to some files. when you enable the line below, your site will probably not function correct.

# block direct access to all php files under /wp-content and further
RedirectMatch 403 ^.*/wp-content/.*\.php$

Enable the default WordPress code

Finally place the WordPress Permalink code block back to keep nice Urls. Below you see the default, but use your own version, It is possible that your site is running from a differnt folder and then your site isn’t working anymore.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

I haven’t written those lines my self, these lines I found on all kind of websites, I only collected them to 1 single .htaccess file. Hopefully you can use them as well.

Pep

How about No.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.