.htaccess tips to securing WordPress


Be very, very careful when making changes to your .htaccess file. If you aren’t extremely comfortable with code, test this thoroughly on a development site first. Some of these options might break some sites and work on others, depending on your server configuration. WordPress creates a .htaccess file during the installation process, and anything inside the WordPress section can and will be overwritten during updates; some items will need to go before the WordPress section, and some after. The collection of options I have listed are ones I have used in some of my applications, along with some great ideas I found on the internet.

This first bit of code helps to prevent errors on some Apache servers, and activates the rewrite engine (which many of these commands require to function):

	## Include this at the start of your .htaccess file ##
	Options +FollowSymlinks
	RewriteEngine On

This next bit turns off the server signature, making it harder for anyone to know about the system you are running:

	## Disable the Server Signature ##
	# Removes the version footer from Apache-generated pages (error pages, listings).
	# The Server response header is controlled by ServerTokens in the main server config.
	ServerSignature Off

This bit of code stops comment-form submissions (POSTs to wp-comments-post.php) that arrive with no user agent, or without a referer from your own site, by redirecting them back to the sender’s own address. Just change mywebsite.com to your actual domain before adding this to your .htaccess:

	## Protect from spam bots ##
	<IfModule mod_rewrite.c>
		# Only comment-form submissions are affected
		RewriteCond %{REQUEST_METHOD} POST
		RewriteCond %{REQUEST_URI} wp-comments-post\.php
		# ...whose referer is not your own site, or whose user agent is empty
		# (browsers configured to strip the Referer header will be caught too)
		RewriteCond %{HTTP_REFERER} !mywebsite\.com [OR]
		RewriteCond %{HTTP_USER_AGENT} ^$
		# Send the request back to the client's own address instead of processing it
		RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
	</IfModule>

Now let’s resist some basic types of SQL injection (resistance is not futile):

	## SQL Injection Resistance ##
	<IfModule mod_rewrite.c>
		RewriteBase /
		# Refuse request methods WordPress never needs (this also blocks HEAD,
		# which some uptime monitors use)
		RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
		RewriteRule ^(.*)$ - [F,L]
		# Refuse query strings that look like traversal, remote inclusion or injection.
		# These are crude keyword matches and will also hit ordinary traffic: tag\=
		# blocks ?tag= archives on sites without pretty permalinks, http\: blocks
		# the redirect_to parameter of wp-login.php, and the %A-%F patterns block
		# any percent-encoded non-ASCII character, e.g. a UTF-8 search term.
		RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
		RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
		RewriteCond %{QUERY_STRING} tag\= [NC,OR]
		RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
		RewriteCond %{QUERY_STRING} http\: [NC,OR]
		RewriteCond %{QUERY_STRING} https\: [NC,OR]
		RewriteCond %{QUERY_STRING} (\|%3E) [NC,OR]
		RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
		RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
		# Brackets, angle brackets, quotes, semicolons, wildcards or a trailing =
		# (never leave an empty alternative such as || in here: it matches every request)
		RewriteCond %{QUERY_STRING} (\[|\]|\(|\)|<|>|"|;|\?|\*|=$) [NC,OR]
		RewriteCond %{QUERY_STRING} ("|'|<|>|\||\{) [NC,OR]
		RewriteCond %{QUERY_STRING} (%24&x) [NC,OR]
		RewriteCond %{QUERY_STRING} (%0|%A|%B|%C|%D|%E|%F|127\.0) [NC,OR]
		RewriteCond %{QUERY_STRING} (globals|encode|localhost|loopback) [NC,OR]
		# SQL keywords; note a search such as ?s=select+committee is blocked as well
		RewriteCond %{QUERY_STRING} (request|select|insert|union|declare) [NC]
		# Only applies to visitors without a WordPress login cookie
		RewriteCond %{HTTP_COOKIE} !wordpress_logged_in_
		RewriteRule ^(.*)$ - [F,L]
	</IfModule>
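Before deploying a keyword filter like this, it is worth seeing exactly which query strings it rejects. The following Python check is an added example, not part of the original post: it ports the query-string conditions above to Python’s re module (assuming, as holds for these simple patterns, that PCRE and re agree), runs them over constructed sample query strings including ordinary WordPress traffic, and also shows why an empty alternative such as `\)||ê` in one of these patterns must never be left in: it matches every query string, so every logged-out visitor would get a 403.

```python
import re

# Query-string conditions from the "SQL Injection Resistance" block, ported from
# Apache's PCRE to Python's re. Every line carried [NC] (case-insensitive), and
# RewriteCond searches rather than anchors, so re.search gives the same verdict.
QUERY_STRING_RULES = [
    r"\.\./", r"boot\.ini", r"tag=", r"ftp:", r"http:", r"https:", r"\|%3E",
    r"mosConfig_[a-zA-Z_]{1,21}(=|%3D)", r"base64_encode.*\(.*\)",
    r'(\[|\]|\(|\)|<|>|"|;|\?|\*|=$)', r"(\"|'|<|>|\||\{)", r"%24&x",
    r"(%0|%A|%B|%C|%D|%E|%F|127\.0)", r"(globals|encode|localhost|loopback)",
    r"(request|select|insert|union|declare)",
]
COMPILED = [(p, re.compile(p, re.IGNORECASE)) for p in QUERY_STRING_RULES]

# A pattern with an empty alternative, as in the widely copied "\)||ê" line: the
# empty branch matches the empty string, so the condition is true for every request.
EMPTY_ALTERNATIVE = re.compile(r'^.*(\[|\]|\(|\)||ê|"|;|\?|\*|=$).*', re.IGNORECASE)

# Constructed samples: (query string, is this ordinary WordPress traffic?)
SAMPLES = [
    ("id=1%20union%20select%201,2,3", False),            # injection probe
    ("file=../../../../boot.ini", False),                # traversal probe
    ("p=123", True),                                     # default permalink
    ("s=wordpress+plugins", True),                       # site search
    ("tag=security", True),                              # tag archive, no pretty permalinks
    ("s=select+committee", True),                        # search containing an SQL keyword
    ("redirect_to=http://example.com/wp-admin/", True),  # wp-login.php redirect target
    ("s=caf%C3%A9", True),                               # UTF-8 search term
]

def matching_rules(query_string):
    """Patterns that would make Apache return 403 to a logged-out visitor."""
    return [p for p, rx in COMPILED if rx.search(query_string)]

def blocked(query_string):
    return bool(matching_rules(query_string))

def empty_alternative_fires(query_string):
    """True for any input, even an empty query string: such a line blocks the whole site."""
    return EMPTY_ALTERNATIVE.search(query_string) is not None

def false_positives():
    """Ordinary query strings this filter rejects, with the rules that fire on each."""
    return {q: matching_rules(q) for q, legit in SAMPLES if legit and blocked(q)}

if __name__ == "__main__":
    for q, rules in false_positives().items():
        print(f"blocked ?{q} by {rules}")
```

Running it lists the four ordinary query strings in the sample set that the filter rejects; adjust or drop the offending patterns before putting the block on a site that relies on those URLs.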

Restrict the login pages so they can only be reached from IP addresses you specify, and block access from all other addresses. Adjust the allow from lines to your actual IP addresses (you can find your public IP address by Googling “What is my IP”).

	## Restrict WordPress Login Pages to Your Own IPs ##
	# order/deny/allow is Apache 2.2 syntax; Apache 2.4 only accepts it with mod_access_compat
	<Files wp-login.php>
		order deny,allow
		deny from all
		allow from 192.168.1.1
		allow from 192.168.1.2
	</Files>
	# <Files> matches a real file name; a WordPress-rewritten URL such as /login maps to
	# index.php, so this second block only matters if a file called "login" exists
	<Files login>
		order deny,allow
		deny from all
		allow from 192.168.1.1
		allow from 192.168.1.2
	</Files>

There are a number of files that nobody but you should ever be accessing, and this bit of code will block them from being accessed via a browser:

	## Block Sensitive Files ##
	# Disable directory listings. Use -Indexes on its own: "Options All -Indexes"
	# would also switch on ExecCGI and Includes, which you do not want.
	Options -Indexes
	# Deny direct browser access to the configuration, installer, log and version files
	<FilesMatch "^(\.htaccess|readme\.html|license\.txt|install\.php|wp-config\.php|error_log|fantastico_fileslist\.txt|fantversion\.php)$">
		Order allow,deny
		Deny from all
	</FilesMatch>

If you find your site being hit repeatedly with attack attempts from certain IP addresses, you can block those IPs manually with the following bit of code. Just edit the deny from lines to include the offending IPs, one IP per line, as follows:

	## Malicious IP Blocking ##
	order allow,deny
	deny from 1.1.1.1
	deny from 2.2.2.2
	allow from all

If people are hitting you really often from the same IP or IP block, you can redirect that IP/IP block to a nice rickroll video (just change the IP below to reflect the one that’s hitting you):

	## Redirect Devious IPs to Rickroll Video ##
	# Anchored to one exact address; drop the last octet and the $ to match a whole /24 block
	RewriteCond %{REMOTE_ADDR} ^192\.168\.1\.1$
	RewriteRule .* http://www.youtube.com/watch?v=oHg5SJYRHA0 [R=302,L]

If you have certain websites that are hitting you with referral traffic you don’t want (it can happen for various reasons), you can block those referring domains with this code:

	## Block Certain Referring Domains ##
	RewriteCond %{HTTP_REFERER} digg\.com [NC]
	RewriteRule .* - [F]
