In part 6 of the WordPress Security Guide you’re going to learn wp-config.php security and more .htaccess magic! I will be shocked if the majority of you have seen these little helpful tips before – and if you had implemented them a long time ago, your blog would have been much more secure!

wp-config.php Security

Use the 4 secret keys

You may not know this but there are ways to give extra security to your wp-config file. The first is by using the included “secret key”, and most people I’ve encountered aren’t taking advantage of it – even though it’s been available since WordPress 2.6. All you have to do is open up your wp-config.php file in a text editor and edit the following lines:

[Image: the secret key define() lines in wp-config.php]

WordPress even has its own Secret Key Generator you can use to create strong and unique keys. Save the file and then upload it back to the root of your WordPress site!
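As an added example (not code from the guide or from WordPress itself), here is a small Python script that does offline what the online generator does: it draws fresh keys from the operating system's CSPRNG, swaps them into the define() lines of a wp-config.php, and reports any key that is still the stock placeholder or too short. The four constant names are the standard WordPress ones the page refers to; the sample wp-config.php text is constructed for the demonstration, and the helper function names are my own.

```python
import re
import secrets
import string

# The four key constants the page refers to (the 2.6-era wp-config.php). Later WordPress
# versions add matching *_SALT constants; pass their names too and the same code handles them.
SECRET_KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"   # the stock value a fresh wp-config.php ships with

# Printable ASCII minus the characters that would need escaping inside a PHP single-quoted string.
KEY_ALPHABET = "".join(c for c in string.ascii_letters + string.digits + string.punctuation
                       if c not in "'\"\\")

# Matches define('NAME', 'value'); with either quote style and arbitrary spacing.
DEFINE_RE = re.compile(
    r"""^(?P<prefix>\s*define\(\s*['"](?P<name>[A-Z_]+)['"]\s*,\s*)"""
    r"""(?P<q>['"])(?P<value>.*?)(?P=q)(?P<suffix>\s*\)\s*;.*)$"""
)


def generate_key(length=64):
    """A key drawn from the OS CSPRNG; 64 symbols of a 91-symbol alphabet is over 400 bits."""
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def weak_keys(config_text, names=SECRET_KEY_NAMES, min_length=32):
    """Names whose define() is missing, still the stock placeholder, or shorter than min_length."""
    found = {}
    for line in config_text.splitlines():
        m = DEFINE_RE.match(line)
        if m and m.group("name") in names:
            found[m.group("name")] = m.group("value")
    return [n for n in names
            if n not in found or found[n] == PLACEHOLDER or len(found[n]) < min_length]


def rotate_secret_keys(config_text, names=SECRET_KEY_NAMES, keygen=generate_key):
    """Return (new_text, rotated_names): each listed define() gets a fresh key, other lines stay.
    Rotating the keys invalidates every existing login cookie, so all users sign in again."""
    rotated, out = [], []
    for line in config_text.splitlines():
        m = DEFINE_RE.match(line)
        if m and m.group("name") in names:
            line = f"{m.group('prefix')}'{keygen()}'{m.group('suffix')}"
            rotated.append(m.group("name"))
        out.append(line)
    return "\n".join(out) + "\n", rotated


# Constructed sample: the relevant lines of a fresh wp-config.php whose keys were never changed.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix  = 'wp_';
require_once(ABSPATH . 'wp-settings.php');
"""

if __name__ == "__main__":
    print("weak before:", weak_keys(SAMPLE_WP_CONFIG))
    new_text, rotated = rotate_secret_keys(SAMPLE_WP_CONFIG)
    print("rotated:", rotated)
    print("weak after:", weak_keys(new_text))
    print(new_text)
```

To use it on a real site, read wp-config.php into config_text, write new_text back over a backup copy, and expect every logged-in user (including any attacker holding a stolen cookie) to be signed out.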

Move wp-config.php out of the public HTML area

The other thing you can do is actually move your wp-config.php outside of your public WordPress site into a more protected area of your web hosting account. This is called moving it “outside of the root”, or out of the “public_html” or “www” portion of your site. It makes sense to do this since it contains the most sensitive information (your database connection info), and it’s very difficult for a potential hacker to reach the server directory structure outside of your web site (unless he has already compromised your server). To do this, your web hosting account has to have access to at least one level “above the root” of your web site (public_html), and all you have to do to take advantage of this added security is move wp-config.php to that one level above; WordPress will automatically look for it there and your web site will function normally as it did before. WordPress has an official page in the Codex on editing your wp-config.php file, if you need more information.

More .htaccess magic

Check out Part 3 of our WordPress Security Guide to read our first installment about the .htaccess file and how you can use it to limit access to your web site. In case you haven’t read it, we’ll go over those things again here – along with a few more wicked ninja moves you can use!

Limit access to wp-config.php

We actually saved this for Part 6 because you’re going to use your .htaccess file to limit access to your wp-config.php. This is something you want to make sure you do, because there are lots of WordPress hacks designed to take the contents of your wp-config file (username and password) and dump them to a text file a spambot can pick up and send to a hacker. If you block access to the wp-config file in your .htaccess using this method, you block those hackers from getting your database login information. Just add this code to your .htaccess file in the root of your WordPress site:

    

<Files wp-config.php>
Order deny,allow
deny from all
</Files>

Turn off Directory Indexing

Options -Indexes

Deny access to known bad IP’s and spammers

Also mentioned in Part 3 – you can limit access by IP address or stop entire IP blocks from accessing your site. I personally use WordPress firewall (read Part 5), and it sends me an email every time there is an attack on this site. If I get more than a half dozen attacks from the same IP I just ban it from accessing my blog by adding the IP address (which comes in the WP firewall emails) to the .htaccess file in the root of my WordPress site like this (just add a line for each one you want to block):


order allow,deny
deny from 206.126.97.25
deny from 65.182.185.214
deny from 119.148.69.90
allow from all

Block known spambots and crawlers

Your mileage may vary with this, but from a forum thread long ago I got the following code to block most spambots and crawlers from your site that were designed to just rip off all your posts and images (and cost you bandwidth in the process). It’s served me well, and still seems to work. Just add the following code to your .htaccess file in the root of your WordPress site:




RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR] 
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR] 
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR] 
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR] 
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR] 
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR] 
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR] 
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR] 
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR] 
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR] 
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR] 
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR] 
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR] 
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR] 
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR] 
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR] 
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR] 
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR] 
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR] 
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR] 
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR] 
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR] 
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR] 
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR] 
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR] 
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR] 
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR] 
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR] 
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR] 
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR] 
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR] 
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR] 
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR] 
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR] 
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR] 
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR] 
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR] 
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR] 
RewriteCond %{HTTP_USER_AGENT} ^Zeus 
RewriteRule ^.* - [F,L]


Add an .htaccess file to your wp-content uploads directory

Here’s one I’m sure you’re not already doing – securing your /wp-content/uploads directory. Did you know that you could set up an .htaccess file there as well? Why, you ask? Well, to limit access to only graphics files, of course! If you store other files there (like mp3s), you can add their extensions as well. Your wp-content/uploads dir usually has to be writable, or at least 775; by restricting access, if a hacker gets a file in there somehow, he can’t reach it to hack your site, because you limited access to only graphics files. Just add the following code to a file named “.htaccess” and drop it in your /wp-content/uploads folder:


Order Allow,Deny
Deny from all
# Editor's reconstruction of the file-match wrapper lost in extraction; add mp3 etc. here if you store them
<FilesMatch "\.(jpe?g|png|gif)$">
Allow from all
</FilesMatch>

Give yourself a double WordPress login

Create yet another .htaccess file, add it to your /wp-admin folder, and limit access to just your IP address. Don’t know your IP address? Just visit What is My IP.com to find out. If you access your WordPress site from both work and home, add in both IPs – and be sure to add in your new IP when travelling. This keeps about a BAZILLION hackers from trying to compromise your site through WordPress plugin and admin files. Add this code to a file, save it as “.htaccess”, and upload it to your /wp-admin folder (change the placeholder 192.168.1.1 address to your real one first!):


AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic

order deny,allow
deny from all
allow from 192.168.1.1
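To make the Order/Allow/Deny behaviour of the four .htaccess snippets in this part concrete (the <Files wp-config.php> block, the IP ban list, the uploads directory and the wp-admin whitelist), here is an added Python model of how Apache 2.2's mod_authz_host evaluates them. It is example code written for this page, not part of the guide or of Apache; the rule sets transcribe the snippets above, the sample request paths and the 203.0.113.x client addresses are constructed, and the image extension list is an assumption. Two caveats the model makes visible: the Auth* lines in the wp-admin snippet never prompt for a password on their own (there is no Require directive), so the IP whitelist is what does the work, and that whitelist also blocks /wp-admin/admin-ajax.php for ordinary visitors, which some themes and plugins call from the front end. On Apache 2.4 these directives only work through mod_access_compat; the native equivalents are `Require all denied` and `Require ip 192.168.1.1`.

```python
import ipaddress
import posixpath
from dataclasses import dataclass, field


@dataclass
class AccessRules:
    """One Order/Allow/Deny set as mod_authz_host (Apache 2.2) evaluates it."""
    order: str                                  # "deny,allow" (Apache's default) or "allow,deny"
    allow: list = field(default_factory=list)   # operands of "Allow from ..."
    deny: list = field(default_factory=list)    # operands of "Deny from ..."


def _matches(entry, client_ip):
    """Match one Allow/Deny operand: "all", a single address or a CIDR block.
    The partial-address and hostname forms Apache also accepts are not modelled."""
    if entry == "all":
        return True
    return ipaddress.ip_address(client_ip) in ipaddress.ip_network(entry, strict=False)


def decide(rules, client_ip):
    """Return True when the client is admitted under Apache 2.2 Order semantics."""
    allowed = any(_matches(e, client_ip) for e in rules.allow)
    denied = any(_matches(e, client_ip) for e in rules.deny)
    if rules.order == "deny,allow":
        # Unmatched clients are admitted; a matching Allow wins over a matching Deny.
        return allowed or not denied
    if rules.order == "allow,deny":
        # Unmatched clients are refused; a matching Deny wins over a matching Allow.
        return allowed and not denied
    raise ValueError(f"unsupported Order value: {rules.order}")


# --- The page's snippets, transcribed as rule sets ---------------------------------------

# Root .htaccess, inside <Files wp-config.php>: Order deny,allow / deny from all
WP_CONFIG_RULES = AccessRules("deny,allow", deny=["all"])

# Root .htaccess, the ban list: order allow,deny / deny from <ip> ... / allow from all
# (the three addresses are the ones the page uses as examples)
BANNED_IPS = ["206.126.97.25", "65.182.185.214", "119.148.69.90"]
SITE_RULES = AccessRules("allow,deny", allow=["all"], deny=BANNED_IPS)

# /wp-content/uploads/.htaccess: Order Allow,Deny / Deny from all for every file ...
UPLOADS_RULES = AccessRules("allow,deny", deny=["all"])
# ... except the image <FilesMatch> section, which holds only "Allow from all".
# mod_authz_host replaces (does not merge) the directory's access config with that of a
# matching <Files*> section, so inside it Apache's default Order (deny,allow) plus that
# single Allow is what applies, and image files are served.
UPLOAD_IMAGE_RULES = AccessRules("deny,allow", allow=["all"])
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif"}   # assumed list; extend it as the page suggests

# /wp-admin/.htaccess: order deny,allow / deny from all / allow from <your address>
ADMIN_IPS = ["192.168.1.1"]   # the page's placeholder address
ADMIN_RULES = AccessRules("deny,allow", deny=["all"], allow=ADMIN_IPS)


def rules_for(path):
    """Choose the rule set governing a request path under the page's file layout.
    The same override behaviour means the root ban list does NOT carry into
    /wp-content/uploads or /wp-admin; repeat the Deny lines there if you need them."""
    if posixpath.basename(path) == "wp-config.php":   # <Files> matches the file name anywhere
        return WP_CONFIG_RULES
    if path.startswith("/wp-content/uploads/"):
        ext = posixpath.splitext(path)[1].lower()
        return UPLOAD_IMAGE_RULES if ext in IMAGE_EXTENSIONS else UPLOADS_RULES
    if path.startswith("/wp-admin/"):
        return ADMIN_RULES
    return SITE_RULES


def request_allowed(path, client_ip):
    """True if a request for `path` from `client_ip` gets past the access rules."""
    return decide(rules_for(path), client_ip)


if __name__ == "__main__":
    # Constructed sample requests; 203.0.113.0/24 is documentation address space.
    samples = [
        ("/wp-config.php", "203.0.113.5"),
        ("/index.php", "65.182.185.214"),
        ("/wp-content/uploads/2010/photo.jpg", "203.0.113.5"),
        ("/wp-content/uploads/2010/shell.php", "203.0.113.5"),
        ("/wp-admin/plugins.php", "192.168.1.1"),
        ("/wp-admin/admin-ajax.php", "203.0.113.5"),
    ]
    for path, ip in samples:
        verdict = "allowed" if request_allowed(path, ip) else "DENIED"
        print(f"{ip:>16} {path:<40} {verdict}")
```

The two Order variants are easy to confuse: the ban list needs `allow,deny` so that an unlisted visitor is admitted only because of `allow from all`, while the wp-admin whitelist needs `deny,allow` so that the listed address wins over `deny from all`. Swap them and the ban list locks everyone out, or the whitelist admits everyone.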

Stay tuned, because in Part 7 we’re going to talk about the various types of hacks that are used to attack WordPress sites, and what you can do to clean up your blog if someone gets in. I hope all the free information in my WordPress Security Guide helps you to secure and harden your site on your own, but if you need immediate assistance or help – I am for hire, please use the link on the image below.


JTPratt Media offers Malware Removal and WordPress Security Services