Archive for the ‘.htaccess Hacks’ Category

Deny Access to wp-config.php

Monday, October 5th, 2009

Just as we can deny access to readme.html, it's possible to deny public access to wp-config.php using the .htaccess file. Since wp-config.php holds your database credentials and secret keys, it's worth the extra step. But before doing this, ask yourself one question:

Is your blog installed directly in the /public_html folder (the web root)?

If it is, then instead of using .htaccess to prevent public access to the file, it'd probably be better to move wp-config.php up one directory, out of the web root. WordPress looks for it in the parent directory automatically, and a file that lives outside public_html can't be served to anyone no matter what .htaccess says.

For everyone else, add the following code to the .htaccess file that's in the same directory as your wp-config.php file.

# protect wp-config.php
<Files wp-config.php>
Order deny,allow
Deny from all
</Files>

Perishable 3G Blacklist

Sunday, October 4th, 2009

The 3G Blacklist is a block of Apache rules put together by Jeff Starr that you drop into your .htaccess file; it pattern-matches incoming requests (URL, query string, user agent) and refuses the ones that look like the common exploit attempts bots hammer every site with. While not strictly a WordPress-related .htaccess hack, it's a must-have for anyone running on an Apache-based server (which would be most people reading this guide).

To find out how to make use of this brilliant resource, visit the official site.

Here’s a quick summary from Jeff:

Work on the 3G Blacklist required several weeks of research, testing, and analysis. During the development process, five major improvements were discovered, documented, and implemented. Using pattern recognition, access immunization, and multiple layers of protection, the 3G Blacklist serves as an extremely effective security strategy for preventing a vast majority of common exploits.

The list consists of four distinct parts, providing multiple layers of protection while synergizing into a comprehensive defense mechanism. Further, as discussed in previous articles, the 3G Blacklist is designed to be as lightweight and flexible as possible, thereby facilitating periodic cultivation and maintenance.

Deny Access to readme.html

Sunday, October 4th, 2009

One of the first steps a malicious hacker takes when trying to break into a WordPress blog is to discover what version of the software you're running, so that known exploits for that version can be tried. Unfortunately WordPress makes this a tad too easy by placing the version number in readme.html, right in the root of the installation. And even if you delete the file, it comes back the next time you upgrade. (readme.html isn't the only leak, either: by default WordPress also prints its version in a "generator" meta tag on every page, so treat this as one step among several.)

Place this code in your .htaccess file and no one will be able to fetch readme.html even if you forget to delete it.

# protect readme.html
<Files readme.html>
Order deny,allow
Deny from all
</Files>
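The Order/Deny directives used in the two snippets above (this post and the wp-config.php one) belong to Apache 2.2's access module; on Apache 2.4 they only work if the server still loads mod_access_compat, and the native form is Require. Here is an added example (not code from the original posts) that covers both files with a single rule and works on either Apache version; FilesMatch and the IfModule tests are standard Apache directives, and the file names are the two from this guide.

```apache
# Added example: refuse direct requests for wp-config.php and readme.html.
# The regex is anchored and the dots escaped, so only these exact names match.
<FilesMatch "^(wp-config\.php|readme\.html)$">
    # Apache 2.4 (mod_authz_core)
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2, or 2.4 without mod_authz_core
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
```

Check it from outside with a plain request for /readme.html: you should get a 403, not the page. If the rule seems to do nothing at all, the server's AllowOverride setting probably doesn't permit these directives in .htaccess (Order/Deny need AllowOverride Limit, Require needs AllowOverride AuthConfig); if every page on the site suddenly returns a 500 error instead, the .htaccess has a syntax error and Apache is refusing the whole file.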

Secure Your wp-admin Folder

Sunday, October 4th, 2009

If you're a blogger who generally stays put and has a static IP address, there's a simple and effective way to block the rest of the world from your administration area. If they can't reach it, you're protected from brute-force attacks against the dashboard and from any intrusion that involves navigating to /wp-admin. One caveat: wp-login.php lives in the site root, not inside /wp-admin, so password-guessing against that file is not stopped by this rule on its own.

There's also the added benefit of keeping intruders out of your admin area even if they do somehow get hold of your login details. An attacker could still get around it by arriving from an address you've allowed (a compromised machine on your network, say), but it might just hold them off long enough for you to lock them out.

Anyway, log in to your server via FTP (or SFTP if you want to be extra awesome) and navigate to the /wp-admin folder. If there isn't one already, create a .htaccess file there and place this code in it:

# allow only your own address, refuse everyone else (no space after the comma)
Order deny,allow
Allow from xxx.xxx.xx
Deny from all

But wait! You’re not done yet…

Head over to whatismyip.com to find out what your IP address is, then replace xxx.xxx.xx with it and save the file.
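Putting the steps above together, here is a complete wp-admin/.htaccess as an added example (not the original post's snippet). It allows two addresses instead of one, works on Apache 2.4 as well as 2.2, and re-opens admin-ajax.php, which many plugins and themes call from the public side of the site and which would otherwise break for every visitor not on the list. The two addresses are placeholders from the documentation ranges; put your own there.

```apache
# Added example: wp-admin/.htaccess with an IP allow list.
# 192.0.2.10 and 198.51.100.0/24 are placeholders; replace them with your own.
# Apache 2.4 (mod_authz_core): the request passes if any Require line matches.
<IfModule mod_authz_core.c>
    <RequireAny>
        Require ip 192.0.2.10
        Require ip 198.51.100.0/24
    </RequireAny>
</IfModule>
# Apache 2.2, or 2.4 without mod_authz_core. With "deny,allow" the Deny
# lines are evaluated first, then Allow overrides them for the listed hosts.
# Keep "deny,allow" as one word: "deny, allow" is a syntax error.
<IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
    Allow from 192.0.2.10
    Allow from 198.51.100.0/24
</IfModule>
# Re-open admin-ajax.php only, if your plugins or theme use it from the
# front end. Leave this part out if nothing on the public site calls it.
<Files admin-ajax.php>
    <IfModule mod_authz_core.c>
        Require all granted
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Allow from all
    </IfModule>
</Files>
```

Test it twice: from your own connection /wp-admin/ should load normally, and from anywhere else (a phone on mobile data will do) it should return 403. If the second test still lets you in, your public address is not what you put in the file; if the first test locks you out, the file is still reachable over FTP, so you can fix the address there.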

The problem with this method is that not all bloggers work from the same computer or IP address all the time. For those folks, you'll want to read the section about the AskApache Password Protect plugin.