Yesterday we started a series of guides for the amazing tool .htaccess. For those who did not read the first part, .htaccess is a small configuration file for the Apache web server. Today we will see how we can edit it to improve the security of a WordPress installation.
We will mention once again how important it is to edit all the files (.php, .sql) that are stored in a Linux environment with the Notepad++ editor and not with the classic Windows Notepad.
To start editing the file you need to download it to your computer. Immediately after, once Notepad++ is installed, a right click on the file will give you the option: Edit with Notepad++.
Before proceeding, you need to keep a backup of the file you downloaded.
Once you have edited the file, there are two ways to save it.
The easiest way is to use the floppy disk icon in the upper left corner of the Notepad++ window.
The second way is needed if you want to save .htaccess in a Windows environment with Save As.
Because Windows treats .htaccess as just a file extension with the file name missing, it will prompt you to give your file a name, e.g. name.htaccess. You can avoid this by using quotes.
So try saving your file as ".htaccess", quotes included.
After the basics, let's see how we can secure our WordPress site.
Let's start by protecting the .htaccess file itself. You can use the same command to deny access to any file you want by simply changing the file name.
Block access to multiple files together (you can add more if you need)
Let's block directory listing of the site's folders
Options All -Indexes
The leading - disables the option; to enable it we would use + instead.
That is:
Options All +Indexes
Of course, since we are talking about security, forget that last command and leave directory listing disabled.
Exclude an IP
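The article does not show the directive for this section, so here is an added example (not the article's own snippet) that denies a single address and a whole range while leaving everyone else allowed. The addresses 198.51.100.7 and 203.0.113.0/24 are documentation ranges used as placeholders; both the Apache 2.4 syntax and the older 2.2 syntax are given, and the IfModule test picks the right one.

```apache
# Added example: block one IP and one CIDR range, allow everything else.
# 198.51.100.7 and 203.0.113.0/24 are placeholder (documentation) addresses.
<IfModule mod_authz_core.c>
    # Apache 2.4 and later
    <RequireAll>
        Require all granted
        Require not ip 198.51.100.7
        Require not ip 203.0.113.0/24
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Allow,Deny
    Allow from all
    Deny from 198.51.100.7
    Deny from 203.0.113.0/24
</IfModule>
```

A denied client receives a 403. Remember that if the site sits behind a reverse proxy or CDN, the address Apache sees is the proxy's, not the visitor's, and these rules will not match the visitor.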
Let's close some gaps now
Block any script passing base64_encode'd commands in the query string
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
Block requests that try to read proc/self/environ
RewriteCond %{QUERY_STRING} proc/self/environ [OR]
Protect yourself from any script trying to change PHP GLOBALS values
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
Protection from any script trying to change values in mosConfig
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
Block attempts to change the _REQUEST variables (this is the last condition of the chain, so it carries no [OR]; the RewriteRule that acts on the whole chain is given further down, under the 403 section)
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
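The five conditions are only useful as one chain that ends in a RewriteRule; on their own they do nothing. As an added example (not the article's snippet verbatim), here is the chain assembled in working order, with the regex metacharacters escaped, wrapped in an IfModule guard, and followed by a way to check it against your own site. The URL in the comment is a constructed one.

```apache
# Added example: the query-string conditions assembled into one working chain.
# Every condition except the last needs [OR]; the rule must follow directly.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [OR]
    RewriteCond %{QUERY_STRING} proc/self/environ [OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|\%3D) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    # [F] answers 403 and ignores the substitution, so "-" is the idiomatic target
    RewriteRule .* - [F,L]
</IfModule>

# Check on your own site (constructed URL): the first request should print 403,
# the second 200.
#   curl -s -o /dev/null -w '%{http_code}\n' 'https://example.com/?x=proc/self/environ'
#   curl -s -o /dev/null -w '%{http_code}\n' 'https://example.com/?x=hello'
```

Put the chain in the root .htaccess above the WordPress permalink rules, otherwise the WordPress rule with its own [L] flag is reached first and these conditions are never evaluated.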
Disable ping in xmlrpc.php
Block access to debug.log
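The article leaves out the actual directives for protecting .htaccess, for blocking several files at once, for xmlrpc.php and for debug.log. The following is an added example (not the article's own code) that covers all four: a single-file Files block, a FilesMatch block for a list of files, and the same deny for xmlrpc.php, through which WordPress pingbacks arrive. readme.html and license.txt are my additions to the list; remove them if you do not want them blocked.

```apache
# Added example: deny direct HTTP access to sensitive files.
# Apache 2.4 uses "Require all denied"; the 2.2 fallback is kept for old hosts.

# 1. .htaccess itself (the wildcard also covers .htpasswd). To protect any
#    other single file, copy this block and change the name.
<Files ".ht*">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>

# 2. Several files at once: extend the alternation as needed. FilesMatch tests
#    the file name in every directory below this .htaccess, so debug.log in
#    wp-content/ is covered as well.
<FilesMatch "^(wp-config\.php|readme\.html|license\.txt|debug\.log)$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# 3. xmlrpc.php: WordPress pingbacks (and the XML-RPC login interface) go
#    through this file, so denying it disables both.
<Files "xmlrpc.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</Files>
```

One caveat before blocking xmlrpc.php outright: Jetpack and the WordPress mobile apps talk to the site through XML-RPC, so on a site that uses them you would whitelist their addresses inside the Files block instead of denying everyone.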
Block some spybots (you can add whatever you want)
Prohibit the execution of various scripts
# Intended for an upload directory: the extensions are mapped to the CGI handler and CGI execution is switched off, so Apache refuses to run them. In the site root these two lines would also stop WordPress's own .php files from running.
AddHandler cgi-script .php .pl .py .jsp .asp .htm .shtml .sh .cgi
Options -ExecCGI
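The AddHandler trick depends on the host allowing Options overrides and on the handler actually being consulted, which is not the case under PHP-FPM. As an added example (not from the article), here is a wp-content/uploads/.htaccess that refuses to serve script files at all, so an uploaded script is never executed no matter how PHP is wired in. The pattern also catches double extensions such as file.php.jpg, which some hosts still execute, and (?i) makes it case-insensitive.

```apache
# Added example: place this file as wp-content/uploads/.htaccess.
# Anything in the uploads tree is served as a static file or refused; it is
# never executed. Works with mod_php and PHP-FPM alike.
<FilesMatch "(?i)\.(php|php[0-9]|phtml|phar|pl|py|cgi|sh|jsp|asp)(\.|$)">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Belt and braces on hosts that still allow CGI here; needs "AllowOverride
# Options" or the server answers 500, so drop this line if that happens.
Options -ExecCGI
```

After uploading the file, request a harmless test file such as uploads/test.php.txt of your own and confirm the server answers 403 rather than serving or running it.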
Disable the TRACE and TRACK methods
RewriteEngine On
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
Block comments posted through proxies
RewriteCond %{REQUEST_METHOD} =POST
RewriteCond %{HTTP:VIA}%{HTTP:FORWARDED}%{HTTP:USERAGENT_VIA}%{HTTP:X_FORWARDED_FOR}%{HTTP:PROXY_CONNECTION} !^$ [OR]
RewriteCond %{HTTP:XPROXY_CONNECTION}%{HTTP:HTTP_PC_REMOTE_ADDR}%{HTTP:HTTP_CLIENT_IP} !^$
RewriteCond %{REQUEST_URI} !^/(wp-login.php|wp-admin/|wp-content/plugins/|wp-includes/).* [NC]
# Note: behind a CDN or load balancer X-Forwarded-For is present on every request, so this would block every POST outside the excluded paths
RewriteRule .* - [F,NS,L]
Block with a 403 "bad" characters and known exploit strings
More specifically, request strings
Block bad user agents with SetEnvIfNoCase User-Agent
Answer each blocked request with a 403 error code (the [F] flag returns 403 and ignores the index.php substitution; the rule must directly follow the RewriteCond lines it belongs to)
RewriteRule ^(.*)$ index.php [F,L]
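The user-agent blocking under "Block some spybots" and in this section is not shown in the article, so here is an added example (not the article's own code). The agent names ExampleScraper, EvilBot and SpamCrawler are constructed placeholders; replace them with the strings you actually see abusing your logs. SetEnvIfNoCase matches case-insensitively and tags the request with an environment variable, which the access rules then deny.

```apache
# Added example: tag requests from unwanted user agents and refuse them.
# The agent names below are constructed placeholders.
SetEnvIfNoCase User-Agent "ExampleScraper" bad_bot
SetEnvIfNoCase User-Agent "EvilBot"        bad_bot
SetEnvIfNoCase User-Agent "SpamCrawler/"   bad_bot

<IfModule mod_authz_core.c>
    # Apache 2.4
    <RequireAll>
        Require all granted
        Require not env bad_bot
    </RequireAll>
</IfModule>
<IfModule !mod_authz_core.c>
    # Apache 2.2
    Order Allow,Deny
    Allow from all
    Deny from env=bad_bot
</IfModule>
```

Keep in mind that the User-Agent header is chosen by the client, so this only stops bots that identify themselves; treat it as noise reduction, not as a real access control.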
Disable hotlinking
RewriteEngine On
# Change "mysite\.com" to your own domain
RewriteCond %{HTTP_REFERER} !^https?://(.+\.)?mysite\.com/ [NC]
RewriteCond %{HTTP_REFERER} !^$
# Do not rewrite the replacement image itself, otherwise the rule loops on it
RewriteCond %{REQUEST_URI} !/images/no-hotlinking\.png$ [NC]
# Change /images/no-hotlinking.png to an image of your own that discourages copycats
RewriteRule .*\.(jpe?g|gif|bmp|png)$ /images/no-hotlinking.png [L]
Did we forget something? You can add it in the comments and we will add it to the article.
End of the Second Part.