21 Mar

More Security for your WordPress Blog


In this section we'll go through some tips for properly protecting your WordPress blog using the Apache .htaccess configuration file.

This file serves many purposes, and security is one of them.

Start first with:

1.

<files wp-config.php>
order allow,deny
deny from all
</files>

The WordPress configuration file is critically important: it holds the database credentials, so keep it out of reach of attackers.

2.

order deny,allow
allow from XXX.XXX.XXX.XXX
deny from all

Create a .htaccess file in the wp-admin directory that allows only your own IP address, so nobody else can reach this directory. Naturally, if you have a dynamic address you will sometimes need to update the .htaccess file via FTP.

3.

<Files .htaccess>
order allow,deny
deny from all
</Files>

Reinforce all your .htaccess files with this code: it keeps them from being fetched or tampered with over the web by attackers or malicious software.

4.

Options All -Indexes

Add this line to stop Apache from listing the contents of folders that have no index file.

5.

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

These rules block direct web requests to the PHP files in the wp-includes folder (and wp-admin/includes), which WordPress only ever loads internally.

6.

# deny everything in wp-content except the static asset types listed
order deny,allow
deny from all
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
allow from all
</Files>

Finally, protect the wp-content folder with this code: everything is denied except the static asset types listed.

Last tip:

In addition to these methods, I recommend placing another .htaccess file in the /uploads folder. This guards against malicious code that can be found in plugins or themes. No one is safe from a distracted developer who made a mistake and whose code could let your site be hacked through an "exploit".

Most of these exploits rely on a program hidden in a file that looks normal at first sight. The exploit will then create further files so as to spread through your website, and the /uploads folder is targeted because its permissions are often lax.

So add a .htaccess file in /uploads:

# refuse to serve any PHP file placed under uploads
<Files *.php>
deny from all
</Files>

This code prevents .php files placed in your folder from being run through the web, which neutralises the scripts that malicious code tries to create there.
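As an added check that is not part of the original post, the following Python script audits a WordPress document root for the .htaccess files described in these tips and flags any .php file under uploads (the condition the last tip warns about). The directive patterns, the sample tree contents and the placeholder address 203.0.113.5 are my own assumptions.

```python
import re
import tempfile
from pathlib import Path

# Per-directory .htaccess files the tips above call for, each with regexes
# that must match a line of the file (case-insensitive, multi-line).
EXPECTED = {
    ".htaccess": [r"<files\s+wp-config\.php>", r"-Indexes"],                        # tips 1, 4
    "wp-admin/.htaccess": [r"^\s*deny\s+from\s+all"],                                # tip 2
    "wp-content/.htaccess": [r"^\s*deny\s+from\s+all"],                              # tip 6
    "wp-content/uploads/.htaccess": [r"<files\s+\*\.php>", r"^\s*deny\s+from\s+all"],  # last tip
}

def audit(docroot):
    """Return a list of findings for a document root (empty list = all checks passed)."""
    root = Path(docroot)
    findings = []
    for rel, patterns in EXPECTED.items():
        path = root / rel
        if not path.is_file():
            findings.append(f"missing {rel}")
            continue
        text = path.read_text(errors="replace")
        for pat in patterns:
            if not re.search(pat, text, re.IGNORECASE | re.MULTILINE):
                findings.append(f"{rel}: no line matching {pat}")
    # Any .php file inside uploads is exactly what the last tip warns about.
    for php in sorted((root / "wp-content" / "uploads").rglob("*.php")):
        findings.append(f"php file in uploads: {php.relative_to(root).as_posix()}")
    return findings

def build_sample(base, hardened):
    """Constructed sample tree; 'hardened' carries every .htaccess from the post."""
    base = Path(base)
    for d in ("wp-admin", "wp-content/uploads/2024"):
        (base / d).mkdir(parents=True, exist_ok=True)
    if hardened:
        (base / ".htaccess").write_text("<files wp-config.php>\ndeny from all\n</files>\nOptions All -Indexes\n")
        (base / "wp-admin/.htaccess").write_text("order deny,allow\nallow from 203.0.113.5\ndeny from all\n")
        (base / "wp-content/.htaccess").write_text("order deny,allow\ndeny from all\n")
        (base / "wp-content/uploads/.htaccess").write_text("<Files *.php>\ndeny from all\n</Files>\n")
    else:  # unprotected site with a constructed dropped file in uploads
        (base / ".htaccess").write_text("Options All -Indexes\n")
        (base / "wp-content/uploads/2024/shell.php").write_text("<?php /* constructed sample */ ?>")
    return base

def demo():
    """Audit both constructed trees; returns {'hardened': [...], 'weak': [...]}."""
    with tempfile.TemporaryDirectory() as tmp:
        hard = audit(build_sample(Path(tmp) / "hard", True))
        weak = audit(build_sample(Path(tmp) / "weak", False))
    return {"hardened": hard, "weak": weak}
```

Run `audit("/var/www/html")` against a real document root to list which of the protections above are missing.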
