
Securing WordPress using .htaccess

Posted on Jun 8, 2011 in Blog


Picked up a new tool to harden WordPress security through the htaccess file. Would like to thank the folks over at Blog Security for their work on this.

Important Note: Please ensure that your WordPress files and database are backed up before attempting any of these changes.

Step 1 – Restricting wp-content and wp-includes

Using the .htaccess <Files> directive, we can restrict access to all files except images, CSS and JavaScript.

The .htaccess file will look as follows:

Order Allow,Deny
Deny from all
# The pattern is a regular expression, so the dot must be escaped
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>

If we want to allow certain plugins such as Democracy, we can append the following to our wp-content/.htaccess file:

<Files "democracy.php"> 
Allow from all
</Files>

Put this into your .htaccess file within your wp-content and wp-includes directories. As a side note, you can also allow specific files in the same way to get your plugins and/or templates to work, if need be. This is a much cleaner method than the one discussed in a previous version of this document.
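The same wp-content/.htaccess, written here as an added example (not part of the original post) in the Require syntax of Apache 2.4's mod_authz_core. The Order/Allow/Deny lines above only work on 2.4 if mod_access_compat is loaded, and mixing the two styles in one file is a common source of unexpected "client denied by server configuration" errors. The extra woff2 and svg extensions are an assumption about what a modern theme serves; the democracy.php entry reuses the plugin name from the post.

```apache
# Added example, not from the original post: wp-content/.htaccess for
# Apache 2.4 (mod_authz_core). Needs "AllowOverride AuthConfig" for the
# directory in the main server config, otherwise Apache ignores it.

# Deny everything by default ...
Require all denied

# ... then re-open only static assets. FilesMatch takes a regular
# expression; the dot is escaped so that names like "xcss" do not match.
# (woff2/svg added here as an assumption about modern themes.)
<FilesMatch "\.(css|jpe?g|png|gif|js|woff2?|svg)$">
    Require all granted
</FilesMatch>

# Re-open a single plugin script that must be reachable directly
# (democracy.php is the plugin name used in the post).
<Files "democracy.php">
    Require all granted
</Files>
```

Because <Files> and <FilesMatch> sections are merged after the directory-level rules and the more specific section's Require replaces the outer one, the two "granted" sections punch holes in the "denied" default exactly as the Allow-from-all blocks do on Apache 2.2. Test it after deploying by requesting a .php file and a .css file from wp-content directly in a browser: the first should return 403, the second should load.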

If you got through that, well done.

Step 2 – Restricting access to wp-admin

Now to restrict wp-admin you have two choices: put a .htaccess file into your wp-admin directory containing one of the two rule sets below.

You can restrict it by IP:

order deny,allow
# a.b.c.d is your static IP (Apache does not allow comments at the end of a directive line)
allow from a.b.c.d
deny from all

The above rules block browser access to any file in the directory except from “a.b.c.d”, which you should change to your own static IP address.

OR restrict the directory with a password:

AuthUserFile /etc/httpd/htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any

OR improved version:

There is a bug where the above rules will cause a password box to appear to the user if they submit a comment without an e-mail address. This occurs because some CSS and image files are located inside the wp-admin directory. To get around this we can wrap the above rule set in a <Files> directive which protects .php files but permits the rest.

This still prevents a lot of direct attacks and also provides a lot of additional features.

<Files ~ "\.(php)$">
AuthUserFile /etc/httpd/htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
</Files>
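The "improved version" combined with the IP allow-list, as an added example (not part of the original post) for Apache 2.4, where <RequireAny> replaces the 2.2 "Satisfy any" trick. The htpasswd path and a.b.c.d are the same placeholders the post uses; the admin-ajax.php exception is an addition, since that file lives in wp-admin but is called from the public front end by many themes and plugins, so protecting it breaks them.

```apache
# Added example, not from the original post: wp-admin/.htaccess for
# Apache 2.4. Needs "AllowOverride AuthConfig" for the directory.
# Only .php files are protected, so CSS and images inside wp-admin still
# load without a password prompt (the bug described in the post).
<FilesMatch "\.php$">
    AuthType Basic
    AuthName "restricted"
    # Keep the password file outside the web root, as the post's path does.
    AuthUserFile /etc/httpd/htpasswd
    # Either a valid htpasswd user OR the listed static IP gets through.
    # Remove the "Require ip" line for password-only protection, or the
    # "Require valid-user" line for IP-only protection.
    <RequireAny>
        Require valid-user
        Require ip a.b.c.d
    </RequireAny>
</FilesMatch>

# admin-ajax.php must stay reachable for front-end AJAX to keep working.
# This later <Files> section overrides the <FilesMatch> above for that one file.
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Create the password file with `htpasswd -c /etc/httpd/htpasswd yourusername` (drop -c when adding further users to an existing file), and make sure the file is readable by the web server user but not served by it. After deploying, requesting wp-admin/index.php from an address other than a.b.c.d should prompt for credentials, while wp-admin/admin-ajax.php and any .css file under wp-admin should not.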

That's it! You now have a more secure install and hopefully everything still works for you.
