Some htaccess hack for WordPress security

Posted 29 November 2017

Security in wordpress is taken very seriously by WordPress Core team. But with any other system they are potential security issue that may arise if some basic security precautions aren’t taken. So now we are going to take look some htaccess hack for WordPress security it will reduce some specific type of security issues

Prevent Execution and access of WP-Includes

WordPress is Open source so everyone knows the file structure of the WordPress. So we have to prevent access of not intended to be access by any user. One way to do that is to block those scripts with mode rewrite in .htaccess file

Please add your code outside of # BEGIN WordPress and # END WordPress because WordPress anything rewrite within these tags

This won’t work well on Multisite, as RewriteRule ^wp-includes/[^/]+\.php$ – [F,L] would prevent the ms-files.php file from generating images. Omitting that line will allow the code to work.

# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPres

Prevent Execution of PHP Files in WP-Contents/uploads folder

Almost Upload directory is writable in server it’s where all files uploaded remotely. Must prevent upload PHP files and execution in this directory

You can do this by placing .htaccess file at the root of uploads directory with below code

Note: This can break your theme if it requires PHP execution in UPLOADS. If you apply it and the site breaks, remove it and the site will reappear.

# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
   deny from all

Prevent accessing WP-Config file

WP-Config contains all sensitive data including Database username password and etc so must prevent access. If you use server with .htaccess you can put this in that file deny access to anyone

<files wp-config.php>
  order allow,deny
  deny from all

Block Black list IPs and Bots

Block all dangerous and black listed IP with .htaccess. You able to track all visited IP with PHP. Save in database or Log in to files to later use Then check with Different Services like Project Honey Pot or Use Safe Browsing APIs (v3) – Legacy . Then just add in the .htaccess file to avoid visit from these IPs. Replace your blacklisted IPs with example IPs in the below code

order allow,deny
allow from all
deny from 123.456.789
deny from 93.121.788
deny from 223.956.789
deny from 128.456.780

Block Comment spammers on your site

Below code block comments without refer .replace your site URL Instead of example URL

RewriteEngine On
RewriteCond %{REQUEST_URI} .wp-comments-post\.php*
RewriteCond %{HTTP_REFERER} !.** [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
RewriteRule (.*) ^http://%{REMOTE_ADDR}/$ [R=301,L]

Try Above things will not secure 100% but will help you to improve some security issues.



Leave a Reply

Your email address will not be published. Required fields are marked *