In part 6 of the WordPress Security Guide you’re going to learn wp-config.php security and more .htaccess magic! I will be shocked if the majority of you have seen these little helpful tips before, and if you had implemented them a long time ago, your blog would have been much more secure!
wp-config.php Security
Use the 4 secret keys
You may not know this but there are ways to give extra security to your wp-config file. The first is by using the included “secret key”, and most people I’ve encountered aren’t taking advantage of it – even though it’s been available since WordPress 2.6. All you have to do is open up your wp-config.php file in a text editor and edit the following lines:
WordPress even has its own Secret Key Generator you can use to create strong and unique keys. Save the file and then upload it back to the root of your WordPress site!
Move wpconfig.php out of the public HTML area
The other thing you can do is move your wp-config.php outside of your public WordPress site into a more protected area of your web hosting account. This is called moving it “outside of the root”, or out of the “public_html” or “www” portion of your site. It makes sense to do this since wp-config.php contains your most sensitive information (your database connection details), and it’s very difficult for a potential hacker to reach the directory structure outside of your web site (unless he has already compromised your server). To do this, your web hosting account has to have access to at least one level “above the root” of your web site (public_html). Then all you have to do to take advantage of this added security is move wp-config.php up to that level; WordPress will automatically look for it there and your web site will function normally as it did before. WordPress has an official page in the Codex on editing your wp-config.php file, if you need more information.
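The two wp-config.php steps above (replacing the secret keys, and relying on WordPress to find the file one level up) can both be checked from the command line. The Python script below is an added example, not code from this guide or from WordPress: find_weak_keys flags keys still set to the stock placeholder, keys that are too short (the 32-character threshold is this example’s own assumption, not a WordPress rule) or reused; hardened_defines produces replacement lines in the same spirit as the WordPress key generator; and resolve_wp_config reproduces the lookup order WordPress’s wp-load.php uses. That lookup is also why the move only works for one site per parent directory: a parent that already contains a wp-settings.php (another WordPress install) is skipped, and for several blogs in subfolders of public_html the parent is public_html itself, which is still web-accessible. The sample config is constructed.

```python
import re
import secrets
import string

# The four secret-key constants a wp-config.php defines (real WordPress names);
# a fresh wp-config.php ships with this placeholder in all of them.
SECRET_KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"
MIN_KEY_LENGTH = 32  # assumption: this example's own audit threshold, not a WordPress rule

_DEFINE_RE = re.compile(r"""define\(\s*['"](\w+)['"]\s*,\s*['"](.*?)['"]\s*\)""")

# Quote- and backslash-free alphabet so a key can sit inside single quotes
# in PHP without escaping.
_KEY_ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>,.?/|~"


def parse_defines(config_text):
    """Return {constant: value} for simple define('NAME', 'value') lines."""
    return {m.group(1): m.group(2) for m in _DEFINE_RE.finditer(config_text)}


def find_weak_keys(config_text):
    """Return [(key_name, reason)] for secret keys that should be replaced."""
    defines = parse_defines(config_text)
    problems, seen = [], {}
    for name in SECRET_KEY_NAMES:
        value = defines.get(name)
        if value is None:
            problems.append((name, "missing"))
        elif value.strip().lower() == PLACEHOLDER:
            problems.append((name, "placeholder value"))
        elif len(value) < MIN_KEY_LENGTH:
            problems.append((name, "too short"))
        elif value in seen:
            problems.append((name, "same as " + seen[value]))
        else:
            seen[value] = name
    return problems


def generate_key(length=64):
    """CSPRNG-backed replacement key (same idea as the WordPress generator)."""
    return "".join(secrets.choice(_KEY_ALPHABET) for _ in range(length))


def hardened_defines():
    """Fresh define() lines for all four keys, ready to paste into wp-config.php."""
    return "\n".join("define('%s', '%s');" % (n, generate_key()) for n in SECRET_KEY_NAMES)


def resolve_wp_config(abspath, exists):
    """Mirror the lookup order in WordPress's wp-load.php:
    1. ABSPATH/wp-config.php
    2. otherwise the parent directory's wp-config.php, but only when that
       parent holds no wp-settings.php (i.e. is not itself a WordPress install).
    `exists` is a callable path -> bool so the logic can be checked offline."""
    abspath = abspath.rstrip("/")
    parent = abspath.rsplit("/", 1)[0] if "/" in abspath else "."
    if exists(abspath + "/wp-config.php"):
        return abspath + "/wp-config.php"
    if exists(parent + "/wp-config.php") and not exists(parent + "/wp-settings.php"):
        return parent + "/wp-config.php"
    return None


# Constructed sample wp-config.php fragment for the check below.
SAMPLE_CONFIG = """\
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'short');
define('LOGGED_IN_KEY',    '%s');
define('NONCE_KEY',        '%s');
""" % ("k" * 40, "k" * 40)

if __name__ == "__main__":
    for name, reason in find_weak_keys(SAMPLE_CONFIG):
        print("%s: %s" % (name, reason))
    print(hardened_defines())
```

Run it against a copy of your real wp-config.php by reading the file into find_weak_keys; the generated lines from hardened_defines replace the four existing define() lines, and changing them logs every user out, which is the intended effect.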
More .htaccess magic
Check out Part 3 of our WordPress Security Guide to read our first installment about the .htaccess file and how you can use it to limit access to your web site. In case you haven’t read it, we’ll go over those things again here – along with a few more wicked ninja moves you can use!
Limit access to wp-config.php
We saved this for Part 6 because you’re going to use your .htaccess file to limit access to wp-config.php. This is something you want to make sure you do, because there are lots of WordPress hacks designed to take the contents of your wp-config file (database username and password) and dump them to a text file that a spambot can pick up and send to a hacker. If you block access to the wp-config file in your .htaccess using this method, you block those hackers from getting your database login information. Just add this code to the .htaccess file in the root of your WordPress site (the <Files> wrapper is what limits the rule to wp-config.php; without it the deny applies to your whole site):
<Files wp-config.php>
Order deny,allow
deny from all
</Files>
Turn off Directory Indexing
Options All -Indexes
Deny access to known bad IPs and spammers
Also mentioned in Part 3: you can limit access by IP address or stop entire IP blocks from accessing your site. I personally use WordPress Firewall (read Part 5), and it sends me an email every time there is an attack on this site. If I get more than a half dozen attacks from the same IP I just ban them from accessing my blog by adding their IP address (which comes in the WP Firewall emails) to the .htaccess file in the root of my WordPress site like this (just add a line for each one you want to block):
order allow,deny
deny from 206.126.97.25
deny from 65.182.185.214
deny from 119.148.69.90
allow from all
Block known spambots and crawlers
Your mileage may vary with this, but from a forum thread long ago I got the following code to block most of the spambots and crawlers that are designed to just rip off all your posts and images (and cost you bandwidth in the process). It’s served me well, and still seems to work. Just add the following code to your .htaccess file in the root of your WordPress site:
RewriteEngine On
RewriteBase /
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} ^Bot\ mailto:craftbot@yahoo.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^ChinaClaw [OR]
RewriteCond %{HTTP_USER_AGENT} ^Custo [OR]
RewriteCond %{HTTP_USER_AGENT} ^DISCo [OR]
RewriteCond %{HTTP_USER_AGENT} ^Download\ Demon [OR]
RewriteCond %{HTTP_USER_AGENT} ^eCatch [OR]
RewriteCond %{HTTP_USER_AGENT} ^EirGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailSiphon [OR]
RewriteCond %{HTTP_USER_AGENT} ^EmailWolf [OR]
RewriteCond %{HTTP_USER_AGENT} ^Express\ WebPictures [OR]
RewriteCond %{HTTP_USER_AGENT} ^ExtractorPro [OR]
RewriteCond %{HTTP_USER_AGENT} ^EyeNetIE [OR]
RewriteCond %{HTTP_USER_AGENT} ^FlashGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetRight [OR]
RewriteCond %{HTTP_USER_AGENT} ^GetWeb! [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go!Zilla [OR]
RewriteCond %{HTTP_USER_AGENT} ^Go-Ahead-Got-It [OR]
RewriteCond %{HTTP_USER_AGENT} ^GrabNet [OR]
RewriteCond %{HTTP_USER_AGENT} ^Grafula [OR]
RewriteCond %{HTTP_USER_AGENT} ^HMView [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Stripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^Image\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} Indy\ Library [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^InterGET [OR]
RewriteCond %{HTTP_USER_AGENT} ^Internet\ Ninja [OR]
RewriteCond %{HTTP_USER_AGENT} ^JetCar [OR]
RewriteCond %{HTTP_USER_AGENT} ^JOC\ Web\ Spider [OR]
RewriteCond %{HTTP_USER_AGENT} ^larbin [OR]
RewriteCond %{HTTP_USER_AGENT} ^LeechFTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mass\ Downloader [OR]
RewriteCond %{HTTP_USER_AGENT} ^MIDown\ tool [OR]
RewriteCond %{HTTP_USER_AGENT} ^Mister\ PiX [OR]
RewriteCond %{HTTP_USER_AGENT} ^Navroad [OR]
RewriteCond %{HTTP_USER_AGENT} ^NearSite [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetAnts [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Net\ Vampire [OR]
RewriteCond %{HTTP_USER_AGENT} ^NetZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Octopus [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Explorer [OR]
RewriteCond %{HTTP_USER_AGENT} ^Offline\ Navigator [OR]
RewriteCond %{HTTP_USER_AGENT} ^PageGrabber [OR]
RewriteCond %{HTTP_USER_AGENT} ^Papa\ Foto [OR]
RewriteCond %{HTTP_USER_AGENT} ^pavuk [OR]
RewriteCond %{HTTP_USER_AGENT} ^pcBrowser [OR]
RewriteCond %{HTTP_USER_AGENT} ^RealDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^ReGet [OR]
RewriteCond %{HTTP_USER_AGENT} ^SiteSnagger [OR]
RewriteCond %{HTTP_USER_AGENT} ^SmartDownload [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperBot [OR]
RewriteCond %{HTTP_USER_AGENT} ^SuperHTTP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Surfbot [OR]
RewriteCond %{HTTP_USER_AGENT} ^tAkeOut [OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^VoidEYE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Image\ Collector [OR]
RewriteCond %{HTTP_USER_AGENT} ^Web\ Sucker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebAuto [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebCopier [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebFetch [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebGo\ IS [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebLeacher [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebReaper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebSauger [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ eXtractor [OR]
RewriteCond %{HTTP_USER_AGENT} ^Website\ Quester [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebStripper [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebWhacker [OR]
RewriteCond %{HTTP_USER_AGENT} ^WebZIP [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Widow [OR]
RewriteCond %{HTTP_USER_AGENT} ^WWWOFFLE [OR]
RewriteCond %{HTTP_USER_AGENT} ^Xaldon\ WebSpider [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
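The list above is evaluated by mod_rewrite as a chain of OR’d regular-expression searches, and two details decide what it actually catches: a leading ^ anchors the pattern at the start of the User-Agent header, and only the entries marked [NC] are case-insensitive. The Python below is an added example, not the guide’s code; it parses a constructed subset of the RewriteCond lines with those same semantics and runs constructed User-Agent strings through them. It shows that "Wget/1.12" is blocked while "wget/1.12" is not (no [NC] on that line), and that HTTrack is caught anywhere in the string because its rule is unanchored. Treat the list as the bandwidth saver the post describes: a client that changes its User-Agent header is unaffected, so it is not a security boundary.

```python
import re

# Constructed subset of the RewriteCond list from the post, kept in the
# original mod_rewrite syntax so the parser below has to handle it.
RULES_HTACCESS = r"""
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} ^BlackWidow [OR]
RewriteCond %{HTTP_USER_AGENT} HTTrack [NC,OR]
RewriteCond %{HTTP_USER_AGENT} ^Teleport\ Pro [OR]
RewriteCond %{HTTP_USER_AGENT} ^Wget [OR]
RewriteCond %{HTTP_USER_AGENT} ^Zeus
RewriteRule ^.* - [F,L]
"""

# A pattern token may contain backslash-escaped spaces ("Teleport\ Pro"),
# so it is read as "escaped char OR non-space" repeated.
_COND_RE = re.compile(
    r"^RewriteCond\s+%\{HTTP_USER_AGENT\}\s+((?:\\.|\S)+)(?:\s+\[([^\]]*)\])?\s*$"
)


def parse_user_agent_conds(htaccess_text):
    """Compile each RewriteCond HTTP_USER_AGENT line into a regex.
    [NC] -> case-insensitive; everything else is case-sensitive, as in Apache."""
    rules = []
    for line in htaccess_text.splitlines():
        m = _COND_RE.match(line.strip())
        if not m:
            continue
        pattern, flags = m.group(1), (m.group(2) or "")
        flag_set = {f.strip().upper() for f in flags.split(",") if f.strip()}
        # "\ " is a literal space in both PCRE and Python's re, so the
        # pattern text can be compiled as-is.
        rules.append(re.compile(pattern, re.I if "NC" in flag_set else 0))
    return rules


def is_blocked(user_agent, rules):
    """True if any condition matches: the list is chained with [OR], and
    Apache searches the header (unanchored unless the pattern has ^)."""
    return any(r.search(user_agent) for r in rules)


# Constructed sample User-Agent strings for the check below.
SAMPLE_AGENTS = [
    "Wget/1.12 (linux-gnu)",                       # anchored match -> blocked
    "wget/1.12 (linux-gnu)",                       # ^Wget has no [NC] -> passes
    "Mozilla/4.0 (compatible; HTTrack 3.0x)",      # unanchored + [NC] -> blocked
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Teleport Pro/1.29",                           # escaped space handled -> blocked
]


def classify(agents, htaccess_text=RULES_HTACCESS):
    """Map each User-Agent to True (would get 403) or False (allowed)."""
    rules = parse_user_agent_conds(htaccess_text)
    return {ua: is_blocked(ua, rules) for ua in agents}


if __name__ == "__main__":
    for ua, blocked in classify(SAMPLE_AGENTS).items():
        print("%-8s %s" % ("BLOCKED" if blocked else "allowed", ua))
```

To test the full list from the post, paste it into RULES_HTACCESS; the parser ignores RewriteEngine, RewriteBase and RewriteRule lines and only reads the conditions.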
Add an .htaccess file to your wp-content uploads directory
Here’s one I’m sure you’re not already doing: securing your /wp-content/uploads directory. Did you know that you can set up an .htaccess file there as well? Why, you ask? To limit access to graphics files only, of course! If you store other files there (like MP3s), you can add their extensions as well. Your wp-content/uploads directory usually has to be writable, or at least 775, so if a hacker manages to get a file in there somehow, restricting access means he can’t reach it through the web to hack your site, because you limited access to graphics files only. Just add the following code to a file named “.htaccess” and drop it in your /wp-content/uploads folder:
Order Allow,Deny
Deny from all
# only these image extensions are served; add any other types you store here (e.g. mp3)
<FilesMatch "\.(gif|jpe?g|png)$">
Allow from all
</FilesMatch>
Give yourself a double WordPress login
Create yet another .htaccess file, add it to your /wp-admin folder, and limit access to just your IP address. Don’t know your IP address? Just visit What is My IP.com to find out. If you access your WordPress site from both work and home, add in both IPs, and be sure to add in your new IP when travelling. This keeps about a BAZILLION hackers from trying to compromise your site through WordPress plugin and admin files. Add this code to a file, save it as “.htaccess”, and upload it to your /wp-admin folder (change the example IP 192.168.1.1 to your real one first!):
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# one "allow from" line per address you connect from; 192.168.1.1 is only an example
allow from 192.168.1.1
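Three of the snippets in this part (the wp-config.php block, the IP ban list and the /wp-admin allow list) use the same Apache 2.2-style Order/Allow/Deny access control, and the usual ways they go wrong match the 500-error question in the comments below: a <Files> container lost when copying from a web page, so a bare deny from all in the site root locks out every visitor; an unclosed container; an Options line on a host that does not allow it; or a hostname where an IP was intended. The linter below is an added example, not the guide’s code; the SAMPLE_* snippets are constructed and use documentation IP ranges. It also flags that on Apache 2.4 these directives only work with mod_access_compat loaded (the native replacement is Require). One operational caveat for the /wp-admin rule: admin-ajax.php lives in that directory and some themes and plugins call it for logged-out visitors, so check your front end after adding the IP restriction.

```python
import ipaddress
import re

_OPEN_RE = re.compile(r"^<(files|filesmatch|ifmodule|limit)\b", re.I)
_CLOSE_RE = re.compile(r"^</(files|filesmatch|ifmodule|limit)>", re.I)
_PARTIAL_IP_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){0,3}$")


def _host_kind(token):
    """Classify an 'Allow/Deny from' argument: 'all', 'ip', 'partial' or 'host'."""
    if token.lower() == "all":
        return "all"
    try:
        ipaddress.ip_network(token, strict=False)  # full address or CIDR
        return "ip"
    except ValueError:
        # Apache accepts partial dotted-decimal prefixes such as 198.51.100
        return "partial" if _PARTIAL_IP_RE.match(token) else "host"


def lint_htaccess(text, site_root=False):
    """Return [(level, line_no, message)]; level is 'error' or 'warn'.
    site_root=True means this is the .htaccess in the WordPress root, where a
    bare 'deny from all' would block the whole site."""
    findings, depth, legacy = [], 0, False
    lines = text.splitlines()
    for no, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if _OPEN_RE.match(line):
            depth += 1
            continue
        if _CLOSE_RE.match(line):
            depth -= 1
            if depth < 0:
                findings.append(("error", no, "closing tag without an opening one"))
                depth = 0
            continue
        words = line.split()
        directive = words[0].lower()
        if directive == "options":
            findings.append(("warn", no, "Options needs AllowOverride Options/All; hosts that forbid it answer 500"))
        if directive in ("order", "allow", "deny"):
            legacy = True
        if directive in ("allow", "deny") and len(words) >= 3 and words[1].lower() == "from":
            targets = [w.lower() for w in words[2:]]
            if site_root and depth == 0 and directive == "deny" and targets == ["all"]:
                findings.append(("error", no, "'deny from all' outside a <Files> block in the site root denies the whole site"))
            for t in targets:
                if _host_kind(t) == "host":
                    findings.append(("warn", no, "'%s' is not an IP; Apache treats it as a hostname and reverse-resolves every request" % t))
    if depth != 0:
        findings.append(("error", len(lines), "unclosed <Files>/<IfModule> block (a common cause of a 500 error)"))
    if legacy:
        findings.append(("warn", 0, "Order/Allow/Deny are Apache 2.2 directives; Apache 2.4 needs mod_access_compat (native form: Require)"))
    return findings


# Constructed: the wp-config.php rule as it arrives when an HTML page has
# swallowed the <Files> tags (in the site root this blocks every request).
SAMPLE_BROKEN_ROOT = """\
Order deny,allow
deny from all
"""

# Constructed: the same rule with its container, plus an IP ban list that
# uses documentation addresses and one mistaken hostname.
SAMPLE_GOOD_ROOT = """\
<Files wp-config.php>
Order allow,deny
deny from all
</Files>
Options All -Indexes
order allow,deny
deny from 203.0.113.25
deny from 198.51.100
deny from evil.example
allow from all
"""

if __name__ == "__main__":
    for sample in (SAMPLE_BROKEN_ROOT, SAMPLE_GOOD_ROOT):
        for level, no, msg in lint_htaccess(sample, site_root=True):
            print("%s line %d: %s" % (level, no, msg))
        print("--")
```

Run it with site_root=True on the root .htaccess and with the default on the uploads and wp-admin files, where a top-level deny from all is exactly what you want.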
Stay tuned, because in Part 7 we’re going to talk about the various types of hacks that are used to attack WordPress sites, and what you can do to clean up your blog if someone gets in. I hope all the free information in my WordPress Security Guide helps you to secure and harden your site on your own, but if you need immediate assistance or help, I am for hire; please use the link on the image below.
Nice post JT. On my ‘list of things to do’ is modifying my htaccess file. I listened and watched the presentation Matt Cutts gave (search ‘matt cutts wordcamp video’) at the most recent Wordcamp. He also mentioned (and provided the code) modifying the htaccess file to make WordPress more secure.
Thanks JT for this helpful post! One of my friends just had some of his sites hacked into. And it’s absolutely painful to fix up. Now I know I need to use all the tools available to secure my sites.
Thank you very much for your guide – it’s sad that people start thinking about security only after something bad happened.
Thanks for the section, I’m going to do it on my blog as well!
These are some really cool .htaccess magic tricks I have not seen before. Thanks!
Thanks for the informative posts so far. Most of it I already knew, but it isn’t bad to read stuff again.
I was wondering, when I put all the example .htaccess info in one file (just all the info you’re giving about the main domain folder) I get an internal server error 500.
I think some formatting rules must be applied, but which?
My gut reaction is that you uploaded your .htaccess file in binary mode instead of ASCII. Some web hosts don’t allow some .htaccess functionality, or use a web server that requires different formatting. If it still doesn’t work after checking your upload method, contact your web host to be sure.
JT,
This is good info; I wish I had read it about a month ago. I never had WP on lockdown like you show here and it cost me big time! Got hacked and lost years of postings!
Thanks JT for all this incredibly helpful information. For the last 3 weeks I have been dealing with my WP sites getting hacked every 2-3 days. Having to rebuild them has been a giant pain in the a**. I’ve implemented practically all your suggestions here, especially the htaccess tricks you mentioned. Genius sir, genius!
If I have multiple WP sites in sub-directories of my root, how can I secure the wp-config.php files for each of those sites? If I place them all one level above, won’t I get an error when I try to upload, as they would each have the same file name? Any help with this would be appreciated.
That aside, thank you very much for your helpful posts!!!