In Part 3 of this WordPress Security Guide we’re going to learn how to limit access to your web site. If you’re new, please visit the WordPress Security Guide home to view all the sections of the guide.
Now that you know why WordPress security is important, and you've found some vulnerabilities in your own blog, we're going to learn how to do probably the most important thing to prevent attackers from compromising your site: LIMIT ACCESS. Let's face it, if those guys can't get into your site then they can't hack it. Most people don't realize that the chances of getting hacked by a real live person who singles out your site are pretty minimal. The odds are much greater of being the victim of an automated attack.
Hackers write automated web bots and software that scan websites night and day, scouring the web for old, outdated versions of open source software they can attack. Staying up to date is important: make sure you have the latest versions of WordPress and your plugins at all times. There are also ways to limit access to your WordPress site so that those scanners learn less about what you have installed.
Limiting Access with an .htaccess file
First, let me say that there are two WordPress plugins that claim to limit access for you, but at present both are outdated and don't play nicely with WordPress 2.8+. I'm listing the URLs only so that you know what they are and can look for a newer version (if you so choose):
WordPress Guard
htaccess Password Protect
As I said, those links were provided just in case you run across them one day and think "wow, I should try one of those". Make sure they've been updated if you do, and know that your mileage may vary. Lots of comments and support posts indicated that some people experienced major problems once they were installed (even on the right WordPress versions), including being locked out of their own blogs. .htaccess files are a tricky thing, since there are all kinds of things they can do, and some web hosts have different Apache configurations and setups than others.
What you can do with .htaccess
- Rewriting URLs: you know that little thing in WordPress called "permalinks"? The rewrite rules in WordPress's .htaccess send a request for a pretty URL like "/this-is-the-title-of-my-post" to index.php, which serves the post that would otherwise live at "/?p=106"
- 301 Redirects: you can set up permanent (301) redirects to send incoming requests for an old URL to its new location. This is handy if you change your permalink structure
- Limit access by IP address: you can restrict a directory to the IP address of your computer (or a range of IP addresses)
- Limit access by password: you can require a username and password that you set (HTTP Basic authentication)
- Stop directory indexing: you can stop the server from listing the contents of a directory that has no index file (Options -Indexes), which would otherwise hand a visitor a list of every plugin or upload you have
- Show a different index file: although not pertinent to WordPress, you can use an .htaccess file to serve a different index file than your web host's default (DirectoryIndex). In other words, you could use index.htm, index.html, index.php, etc.
My advice to you would be to limit access to your WordPress admin directory by password, by IP address, or both. Just remember that if you limit access by IP address you won't be able to reach your admin when on the road, on roaming wifi, or at another location (unless you add that IP as well), and a home connection with a dynamic IP can change under you. By locking down your /wp-admin directory with a password you get "double lockdown" protection (in combination with the WordPress login). One caveat: /wp-admin/admin-ajax.php is also called from the public side of the site by some themes and plugins, so test the site after locking the directory and exempt that one file if anything breaks.
Because of the different configurations of Apache and the setups of web hosts, I can't give you definitive instructions that will absolutely work in every situation for everyone. Even though you put the password protection directives in an .htaccess file, you still need to add users and passwords to an ".htpasswd" file. Users are easy to add, but the passwords have to be stored as hashes in that file, never in plain text (the htpasswd command does this for you). This .htaccess password tutorial can help you with that, but my recommendation is to use your "web control panel" if you have one, and add your password protection there (because it's automatic). You could also use the previously mentioned .htaccess file generator and upload the files manually; keep the .htpasswd file outside your public web directory so it can't be downloaded. Here is the official cPanel documentation for password protecting directories. If you're unsure, submit a ticket to your web host for help password protecting your /wp-admin directory.
Another thing you could consider is limiting access to your /wp-admin directory to specific IP addresses (or a range). This way you don't have to remember a password, and you can grant access to multiple groups of people easily, as long as they come from known addresses. Once again, if you have problems doing this, submit a support ticket to your web host for assistance.
Consider setting up a double login for WordPress by password protecting your /wp-admin directory (using an .htaccess file). Nearly all web hosts have a web control panel that allows you to password protect directories with no technical knowledge. Use that tool to password protect your /wp-admin folder; just be aware that to get to the WordPress dashboard you'll need to log in twice, once in the browser's popup for the server's password, and then on the WordPress login form. Doing this is extra security against automated bots trying to reach your admin files, since they are stopped before WordPress (or any vulnerable admin script) ever runs.
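The procedure above, as an added example that is not from the original guide: a POSIX shell script that produces the .htpasswd entry and a /wp-admin/.htaccess combining the password with an IP allow list, and exempts admin-ajax.php. It assumes Apache 2.4 (Require directives); a host still on Apache 2.2 uses Order/Allow/Deny and Satisfy instead. The user name "wpadmin", the passphrase, the documentation ranges 203.0.113.0/24 and 198.51.100.7, and the file paths are placeholders.

```shell
#!/bin/sh
# Added example, not from the guide: protect /wp-admin with HTTP Basic auth plus
# an IP allow list. Assumes Apache 2.4 (mod_auth_basic, mod_authz_core). On
# Apache 2.2 the equivalent uses Order/Allow/Deny and "Satisfy all" instead.
set -eu

# make_htpasswd_line USER PASSWORD -> prints "user:hash" for .htpasswd
# The file must hold a hash, never the plain password: Apache only compares
# hashes, and a leaked .htpasswd would otherwise give the password away.
make_htpasswd_line() {
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -nbB "$1" "$2"        # bcrypt; needs htpasswd from Apache 2.4.4+
    elif command -v openssl >/dev/null 2>&1; then
        # Fallback: APR1 (salted, iterated MD5). Weaker than bcrypt but every Apache reads it.
        printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
    else
        echo "need htpasswd or openssl to hash the password" >&2
        return 1
    fi
}

# write_wpadmin_htaccess OUTFILE HTPASSWD_PATH [CIDR ...]
# With CIDRs, a client must come from one of the listed networks AND present a
# valid user (the "double lockdown"); with none, the password alone is required.
# HTPASSWD_PATH must be absolute and should sit outside the public web root.
# admin-ajax.php is exempted because some themes and plugins call it from the
# public side of the site; remove the <Files> block if nothing on your site needs it.
write_wpadmin_htaccess() {
    out=$1; userfile=$2; shift 2
    {
        echo 'AuthType Basic'
        echo 'AuthName "WordPress admin"'
        printf 'AuthUserFile "%s"\n' "$userfile"
        if [ $# -gt 0 ]; then
            echo '<RequireAll>'
            printf '    Require ip %s\n' "$*"      # one line: the listed ranges are OR-ed
            echo '    Require valid-user'
            echo '</RequireAll>'
        else
            echo 'Require valid-user'
        fi
        echo '<Files "admin-ajax.php">'
        echo '    Require all granted'
        echo '</Files>'
    } > "$out"
}

# Demo into a scratch directory (placeholders: user "wpadmin", the passphrase,
# and the documentation ranges 203.0.113.0/24 and 198.51.100.7).
demo=$(mktemp -d)
make_htpasswd_line wpadmin 'correct horse battery staple' > "$demo/.htpasswd" || true
write_wpadmin_htaccess "$demo/.htaccess" "$demo/.htpasswd" 203.0.113.0/24 198.51.100.7
cat "$demo/.htaccess"
# Real use: append the htpasswd line to e.g. /home/site/.htpasswd and write the
# .htaccess to /home/site/public_html/wp-admin/.htaccess. Then test from an
# address outside the range: you should be refused even with the right password.
```

After uploading, check the result from two places: from a listed address you get the browser's password popup and then the WordPress login; from anywhere else you are refused outright. If the public side of the site stops working, the culprit is usually admin-ajax.php, which the `<Files>` block above leaves open.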
Limiting Access through file permissions
The vast majority of web hosts for WordPress blog owners run Linux, and access to files within your site is controlled by UNIX-style file permissions. Basic permissions come in 3 kinds, "read, write, and execute", and each is assigned to 3 classes, "owner, group, and world". The WordPress Codex has an entire page dedicated to Changing File Permissions. Essentially, it's dangerous to give "world" write permission when it isn't necessary: on a shared server, any process, including the web server running someone else's vulnerable script, can then write to your files. It's a loophole hackers can use to drop their own files and gain access to your site. 755 (and below) is best for directories whenever possible, because it removes "write" access from the group and the world; 644 is best for files on most web hosts.
Often you can change file permissions in your FTP program, for example by right-clicking a file in "FileZilla" as in this image:
You can also do it from a command-line shell over SSH if you have that kind of access (use SSH rather than telnet, which sends your login in the clear), and on some web hosts you can change file permissions from your web-based control panel using a web-based file editor or FTP program.
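The permission reset described above, as an added example that is not from the original guide: a POSIX shell script with an audit function that lists anything world-writable and a hardening function that applies the 755/644 baseline. It is demonstrated on a constructed scratch directory, not a real site; the directory layout and file names are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the guide: audit a WordPress tree for loose permissions
# and reset it to the 755 (directories) / 644 (files) baseline the guide recommends.
# Uses only POSIX find and chmod.
set -eu

# world_writable DIR
# Prints every file or directory under DIR that "world" can write to and returns 1
# if any exist (handy as a pre-deploy check), 0 if the tree is clean.
# Symlinks are skipped: their own mode bits are meaningless and the target may be
# outside the tree.
world_writable() {
    found=$(find "$1" ! -type l -perm -0002)
    if [ -n "$found" ]; then
        printf '%s\n' "$found"
        return 1
    fi
    return 0
}

# harden_wp_perms DIR
# 755 on directories (owner rwx, group/world rx) and 644 on files (owner rw,
# group/world r). find -type d / -type f never match symlinks, so links are left alone.
harden_wp_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Demo on a constructed tree (not a real site): one 777 directory and one 666 file,
# the kind of "just make it writable" fix that leaves a door open.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
printf '<?php // placeholder\n' > "$demo/wp-content/uploads/x.php"
chmod 777 "$demo/wp-content/uploads"
chmod 666 "$demo/wp-content/uploads/x.php"
echo "before:"
world_writable "$demo" || echo "(world-writable paths listed above)"
harden_wp_perms "$demo"
echo "after:"
world_writable "$demo" && echo "(clean)"
rm -rf "$demo"
```

Run `world_writable` against your document root before and after the change. If uploads or plugin updates stop working afterwards, PHP on your host runs as a different user than the owner of your files; in that case give that user's group write access to wp-content/uploads rather than reopening it to the world.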
Limit Access through robots.txt
There's an old saying that "an ounce of prevention is worth a pound of cure", and there's a lot of truth to that. By listing parts of your site in a robots.txt file, you can keep certain items from accidentally getting indexed in search engines, and the less hackers can find out about your site through a search engine, the lower your chances of getting hacked. Keep in mind what robots.txt is and isn't: it is a request that well-behaved crawlers honor, not an access control, and the file itself is public, so anyone can read it to learn which paths you consider sensitive. Use it to stay out of search results, and rely on the .htaccess and permission controls above to actually keep people out. You should list your 3 WordPress install directories, and any additional directories you have (if you don't want them indexed).
For example, these lines could be in your /robots.txt file:
User-agent: *
Disallow: /wp-admin
Disallow: /wp-includes
Disallow: /wp-content/plugins
Disallow: /wp-content/cache
Disallow: /wp-content/themes
Disallow: /trackback
Disallow: /feed
Disallow: /comments
Disallow: /category/*/*
Disallow: */trackback
Disallow: */feed
Disallow: */comments
Disallow: /*?*
Disallow: /*?
Allow: /wp-content/uploads
That example from the WordPress Codex page on SEO covers your wp-admin, wp-includes, and wp-content directories (except uploads), as well as your feeds, trackbacks, comments, category pages, and any URL with a query string. Note that those last two rules also cover "/?p=106" style links and WordPress searches ("/?s=..."), so only use them if all of your public URLs are pretty permalinks. Visit the web robots pages to learn more about robots.txt files and web robots and crawlers. By excluding certain sections of your site via robots.txt you ensure they don't inadvertently get indexed in search engines, where a hacker could find them just by searching for things to exploit.
In part 4 of this guide we’ll talk about the security of your web host, and how to make usernames and passwords more secure.
Good post!
In the robots.txt I’ve put:
Disallow: /wp-*
Thanks for this series. I’m just wondering how the hackers managed to come into my blogs? Through admin? Is that the most important thing to add extra protection to? What happened is that they put a wp file in one of the directories. And somehow that file created all kinds of links which looked like they were part of my site. The actual posts could not be found in the blog.
It could be any number of ways, but more than likely it was through an old version of WordPress or an old plugin combined with bad permissions (to write the file). It also could happen through other outdated scripts installed in the same site or hosting account.
Thanks for reply. I’ve put some of your suggestions into place so let’s see if that works. Just wondering.. Why don’t you put a tweet button with your articles so I can easily tweet it? Any reason for that?
I didn’t mess around with twitter much on this blog – but did just add a button for that! Thanks for the suggestion.
This is very useful. I am constantly worried that my blog is going to get hacked into, but the information you’ve given here looks really useful in keeping it safe. Thanks a lot.
Thanks for these great tips! I mostly use these rules in my .htaccess:
Options -Indexes
ServerSignature Off
Options +FollowSymLinks
I like the ServerSignature option. Gives any hacker less information about your system. Makes it way harder to hack into your website.