• How I secure my WordPress websites

    I’ve been using the following approach for a long time. It’s simple and secure enough for regular usage.

    1. make all files read-only in ./wp-content, ./wp-admin, ./wp-includes and the root folder of the website (.)
    2. make ./wp-content/uploads, ./wp-content/upgrade and some specific plugin folders (e.g. the cache folders of Hyper Cache, etc.) writable for PHP scripts

    3. put .htaccess files in all writable folders to restrict access to PHP scripts in those folders, or to allow access only to particular “safe” file types (e.g. only images in ./wp-content/uploads)

    This is an example of an .htaccess file which forbids opening .php files:
    #######################################################
    Options -Indexes
    php_flag engine 0
    RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
    AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
    #######################################################

    This is an example of an .htaccess file which completely denies web access to a folder:

    #######################################################
    deny from all
    #######################################################

    This is an example of an .htaccess file which allows access only to images and some other allowed (safe) extensions:

    ########################################################
    order deny,allow
    deny from all
    <Files ~ "\.(jpe?g|mp4|flv|png|bmp|BMP|gif|swf|ai|zip|css|avi|ico|mpg|JPE?G|GIF|PNG|js)$">
    Allow from all
    </Files>
    ########################################################

    4. restrict direct access to all .php files in ./wp-content and ./wp-includes, except for some special cases which are required by particular plugins.

    Add this to the root .htaccess file:

    #######################################################################
    RewriteEngine on
    RewriteRule ^wp-content/plugins/nextgen-gallery/admin/upload.php - [L]
    RewriteRule ^wp-content/plugins/secure-contact/mkimg.php - [L]
    RewriteRule ^wp-content/plugins/q2w3-yandex-speller/post-handler.php - [L]
    RewriteRule ^wp-content/plugins/q2w3-yandex-speller/q2w3-yandex-speller.php - [L]
    RewriteRule ^wp-includes/js/tinymce/plugins/spellchecker/rpc.php - [L]
    RewriteRule ^wp-includes/js/tinymce/wp-tinymce.php - [L]
    RewriteRule ^wp-content/.*\.php\d* - [F]
    RewriteRule ^wp-includes/.*\.php\d* - [F]
    #######################################################################

    5. add extra web-server authorization for /wp-admin/: e.g. restrict access to particular IP addresses, or authorize the admin using a secret word in the User-Agent header, etc.

    I love this approach (authorization using a secret word in the User-Agent). Create ./wp-admin/.htaccess:

    #######################################################################
    SetEnvIfNoCase User-Agent .*secret123450code.* admins

    order deny,allow
    deny from all
    allow from env=admins
    #######################################################################

    Then download the https://chrome.google.com/webstore/detail/user-agent-switcher-for-c/djflhoibgkdhkhhcedjiklpkjnoahfmg or https://addons.mozilla.org/en-US/firefox/addon/user-agent-switcher/ extension for your browser and append the secret word to your existing User-Agent.

    Finally, you should take care of your PHP settings.

    This is how I configure php.ini:

    allow_url_fopen = Off
    allow_url_include = Off
    expose_php = Off
    magic_quotes_gpc = On
    register_globals = Off
    disable_functions = popen,exec,system,passthru,proc_open,shell_exec,ini_restore,dl,symlink,chgrp,ini_set,putenv,getmyuid,fsockopen,posix_setuid,posix_setsid,posix_setpgid,posix_kill,apache_child_terminate,chmod,chdir,pcntl_exec,phpinfo,virtual,proc_close,proc_get_status,proc_terminate,proc_nice,getmygid,escapeshellcmd,show_source,pclose,safe_dir,chown,mysql_list_dbs,get_current_user,getmyid,leak,pfsockopen,syslog
    open_basedir = path_to_your_user_folder
    upload_tmp_dir = path_to_your_user_folder/tmp

    Now your website is protected.

    If you have any questions just let me know.

    Safe WordPress!

    Greg
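    As an added example (this is not Greg's script and not part of the original post), the following POSIX shell script applies steps 1 to 3 above to a WordPress tree: it makes everything read-only, re-opens only the listed writable folders, drops the "no PHP here" .htaccess from the post into each of them, and then audits those folders for PHP-like files, which is the signal a defender wants to see after the guard is in place. It assumes (none of this is stated in the post) that the files are owned by a deploy user other than the web-server user, so "read-only" is expressed as mode 555 for directories and 444 for files, and that the `WRITABLE_DIRS` list is a placeholder you extend with your plugin cache folders.

```shell
#!/bin/sh
# Added example, not the forum author's script: applies steps 1-3 of the post
# to a WordPress tree and audits the writable folders for stray PHP files.
# Assumptions (not from the post): the tree is owned by a deploy user that is
# not the web-server user, so "read-only" means mode 555 (dirs) / 444 (files);
# WRITABLE_DIRS is a placeholder list to extend with plugin cache folders.
set -u

WRITABLE_DIRS="wp-content/uploads wp-content/upgrade"

# Writes the "no PHP here" .htaccess from the post into one folder.
install_no_php_htaccess() {
  dir="$1"
  rm -f "$dir/.htaccess"
  cat > "$dir/.htaccess" <<'EOF'
Options -Indexes
php_flag engine 0
RemoveHandler .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
AddType application/x-httpd-php-source .phtml .php .php3 .php4 .php5 .php6 .phps .cgi .exe .pl .asp .aspx .shtml .shtm .fcgi .fpl .jsp .htm .html .wml
EOF
  chmod 444 "$dir/.htaccess"   # the guard itself must not be writable by PHP
}

# Steps 1 and 2: make the whole tree read-only, then re-open only the listed
# writable folders and put the guard .htaccess into each of them (step 3).
harden_permissions() {
  root="$1"
  find "$root" -type d -exec chmod 555 {} +
  find "$root" -type f -exec chmod 444 {} +
  for d in $WRITABLE_DIRS; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type d -exec chmod 755 {} +
    find "$root/$d" -type f -exec chmod 644 {} +
    install_no_php_htaccess "$root/$d"
  done
}

# Prints the symbolic permission bits of a path (e.g. r-xr-xr-x).
file_mode() {
  ls -ld "$1" | cut -c2-10
}

# Detection check: PHP-like files inside the writable folders should not exist.
# The guard .htaccess keeps them from executing, but their presence is the cue
# to investigate how they got there. Prints one path per line.
audit_writable_dirs() {
  root="$1"
  for d in $WRITABLE_DIRS; do
    [ -d "$root/$d" ] || continue
    find "$root/$d" -type f \( -iname '*.php' -o -iname '*.phtml' \
      -o -iname '*.php[0-9]' -o -iname '*.phps' \) -print
  done
}

# Usage: sh harden-wp.sh /var/www/example   (does nothing without a path)
if [ "$#" -gt 0 ]; then
  harden_permissions "$1"
  audit_writable_dirs "$1"
fi
```

    Run the audit from cron or after every plugin update; an empty result is the expected state, and any path it prints deserves the same attention as a failed login. The permission model only holds if PHP runs as a different user than the file owner, which is why that assumption is spelled out at the top of the script.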

  • The topic ‘How to protect your wordpress from hacking’ is closed to new replies.