Using a .htaccess File to Secure a WordPress Blog
A lot of WordPress blogs get hacked because of weak security or because the admin is running an old version. WordPress developers work constantly to improve the platform and have shipped many patches for such holes. Today I will show you how to secure your self-hosted WordPress blog with a few simple edits to the .htaccess file. Creating a .htaccess file can cause some problems, but it is very easy to edit, and it helps you restrict access to many important parts of your WordPress blog. On your computer you may have trouble saving a file named .htaccess, since the name is unusual, but don't worry: save it as htaccess.txt, upload it to your host via FTP and simply rename it to .htaccess. Use whatever trick you like, or google it.
You can do a lot with a .htaccess file, but I will focus mainly on securing a self-hosted WordPress blog. Let's start. The basic idea is that you can make the server return a 404 error wherever you want. To do this, just open Notepad and write the directives given below. Simple.
1. Protect the .htaccess file itself. This prevents visitors from reading (or writing) the file and hence from learning or changing your security settings.
<Files .htaccess>
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of the two lines below
order allow,deny
deny from all
</Files>
2. Limit file upload size. This helps prevent DoS attacks (users uploading huge files that may crash the server) and saves bandwidth too, keeping the site responsive for visitors.
# cap every request body (uploads included) at 10240000 bytes, roughly 10 MB
LimitRequestBody 10240000
3. Disable mod_security filtering (mod_security is a web application firewall that runs embedded in the web server, acting as an umbrella that shields applications from attacks). This is an optional setting and must be handled with great care. The directive tells the server not to apply mod_security's filters, which, for instance, won't let users post text containing the words "curl", "lynx" or "wget". That may seem trivial, but it is a headache on a site like this one, where those words are typed almost daily.
# ModSecurity 1.x directive: stop inheriting the server-wide filters in this directory
# (ModSecurity 2.x does not recognise it; 2.x uses SecRuleEngine and SecRuleRemoveById)
SecFilterInheritance Off
4. Protect wp-config.php (never leave it chmod 777 after installation; set it back to normal permissions). Just as with .htaccess, we prevent visitors from reading or writing WordPress' main configuration file. This directive assumes WordPress is set up in the site's root folder.
<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead of the two lines below
order allow,deny
deny from all
</Files>
5. Specify your own custom error documents. This is not really a security measure but a usability one, I must say. These directives determine which pages are shown on server errors such as Page Not Found (code 404), Forbidden (code 403) and so on.
# custom error docs (paths are relative to the document root; these pages must exist)
ErrorDocument 404 /notfound.php
ErrorDocument 403 /forbidden.php
ErrorDocument 500 /error.php
6. Disable directory browsing. This stops the server from listing a folder's contents when no index file (index.html, index.php, etc.) is found, for instance if your index.php or index.html has been removed. Visitors cannot see the folder contents, which makes it harder to mount an attack against the site.
# disable directory browsing
# ("Options All -Indexes" would also switch on every other option, such as Includes and ExecCGI;
#  "-Indexes" alone removes directory listings without enabling anything else)
Options -Indexes
10. Disable image hotlinking. This prevents other sites from embedding our images by copying the image source URL, forcing them to either link to the whole page or host the image somewhere else. It saves precious bandwidth and may increase traffic (just a tiny bit). The code below serves the image donnotsteal.gif whenever someone tries to display our images by hotlinking from another site.
# disable hotlinking of images
RewriteEngine On
# a Referer is present ...
RewriteCond %{HTTP_REFERER} !^$
# ... and it is not our own site (http or https, with or without www)
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]
# never rewrite the placeholder image itself, or the redirect would loop
RewriteCond %{REQUEST_URI} !/donnotsteal\.gif$ [NC]
RewriteRule \.(gif|jpg|png)$ http://www.yourdomain.com/donnotsteal.gif [R,L]
11. Set the canonical (standard) form of every URL on your site. This improves usability and also helps the site's search engine rankings. In short, it redirects all requests of the form http://yourdomain.com to http://www.yourdomain.com/.
# set the canonical url: permanently redirect the bare domain to the www host
RewriteEngine On
RewriteCond %{HTTP_HOST} ^yourdomain\.com$ [NC]
RewriteRule ^(.*)$ http://www.yourdomain.com/$1 [R=301,L]
12. Protect the blog from spam comments (and spam form submissions in general, which sometimes also try to steal your cookies). These last directives stop users from posting forms (such as the comment form) directly from other sites. Although this is hardly a catch-all antispam measure, it helps.
# protect from spam comments
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php$
# block if the Referer is not our site OR the User-Agent is empty
# (both headers are client-supplied, so this only stops lazy bots)
RewriteCond %{HTTP_REFERER} !yourdomain\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# send the poster back to their own address
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]
Now again I repeat: once you've created your masterpiece of a .htaccess file, upload the htaccess.txt file to your web server via FTP (in ASCII mode) and rename it to .htaccess. Once it has been renamed, change the file permissions of the .htaccess file to 644 to further protect it from malicious hacker types.
So that was a short guide to the most common ways of securing your blog and saving your bandwidth, if you don't have an unlimited plan. Don't forget to check the settings you made in the .htaccess file, and also try accessing the areas you have blocked with it. If everything works, congratulations.
Note: If you are already using a custom permalink structure to format page names, you'll need to keep that code in the .htaccess file for it to continue working. To see your .htaccess file in WordPress, go to Manage>Files>.htaccess (for rewrite rules).
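As an added example (not code from the original post), here is a small Python model of the two RewriteCond chains from items 10 and 12, with an exclusion for the placeholder image and an https-aware referer check, run over constructed sample requests so you can see which requests each chain blocks before testing against the live site. yourdomain.com is the guide's placeholder domain and the sample traffic is made up.

```python
import re
from dataclasses import dataclass

# The guide's placeholder domain; the real site name would go here.
OWN_SITE = re.compile(r"^https?://(www\.)?yourdomain\.com/", re.I)
IMAGE = re.compile(r"\.(gif|jpg|png)$", re.I)
PLACEHOLDER = "/donnotsteal.gif"

@dataclass
class Request:
    method: str
    uri: str
    referer: str      # "" when the client sends no Referer header
    user_agent: str   # "" when the client sends no User-Agent header

def hotlink_blocked(req: Request) -> bool:
    """Item 10: every RewriteCond is ANDed. The request is redirected to the
    placeholder only if a Referer is present, it is not our own site, the URI
    is an image, and it is not the placeholder itself (else the redirect loops)."""
    return (req.referer != ""
            and OWN_SITE.match(req.referer) is None
            and IMAGE.search(req.uri) is not None
            and not req.uri.endswith(PLACEHOLDER))

def comment_spam_blocked(req: Request) -> bool:
    """Item 12: POST AND wp-comments-post.php AND (referer not ours [OR] empty UA).
    [OR] joins only the two conditions it sits between; the rest stay ANDed.
    Referer and User-Agent are client-supplied, so this is a heuristic only."""
    return (req.method == "POST"
            and req.uri.endswith("/wp-comments-post.php")
            and ("yourdomain.com" not in req.referer.lower()
                 or req.user_agent == ""))

# Constructed sample traffic, not captured from a real server.
SAMPLES = [
    Request("GET", "/wp-content/uploads/photo.jpg", "http://other.example/page", "Mozilla/5.0"),
    Request("GET", "/wp-content/uploads/photo.jpg", "", "Mozilla/5.0"),
    Request("GET", "/wp-content/uploads/photo.jpg", "https://www.yourdomain.com/post/", "Mozilla/5.0"),
    Request("GET", "/donnotsteal.gif", "http://other.example/page", "Mozilla/5.0"),
    Request("POST", "/wp-comments-post.php", "http://other.example/spam", "Mozilla/5.0"),
    Request("POST", "/wp-comments-post.php", "http://www.yourdomain.com/post/", ""),
    Request("POST", "/wp-comments-post.php", "http://www.yourdomain.com/post/", "Mozilla/5.0"),
]

if __name__ == "__main__":
    for r in SAMPLES:
        print(f"{r.method} {r.uri:<35} hotlink={hotlink_blocked(r)!s:<5} spam={comment_spam_blocked(r)}")
```

Note that a direct request with no Referer (the second sample) passes the hotlink chain on purpose, while an empty User-Agent on a comment POST is blocked even when the Referer is our own site.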
