Securing WordPress – Part 2

After discussing the blogsecurity.net article on securing WordPress and giving you some errata on it, I spent a little more time enhancing the security.

htaccess enhancements

Blogsecurity suggests putting an htaccess file with the following content in the directories /wp-content/ and /wp-includes/:

Order Allow,Deny
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>

And they note: You may want to add “specific” PHP file(s) access for certain templates and plugins.

That’s quite a pain if you have several plugins running: you’ll have to use something like Firebug to see which files aren’t found and add them one by one, because it’s not only PHP files that plugins use; something like Advanced TinyMCE also uses htm files. So I decided to take a different route. I don’t use htaccess files in those directories.

If you don’t want people to browse your themes or plugins, it’s a whole lot easier to add the following line to the htaccess file in the root of your WordPress directory:

Options All -Indexes

This will disable directory browsing.

Somebody can still access the files directly. If they look at your page source they can see where your CSS files are located, copy that address into the address bar and see your CSS file. We can prevent this as well. All files in the wp-content and wp-includes directories are only ever requested by the blog’s own pages, never directly from the browser, so we can add the following code to the htaccess in the root of your WordPress installation:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} /(wp-includes|wp-content)/.*\ HTTP/
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule .* - [F]
</IfModule>
# END WordPress

If you have enabled permalinks, it will look something like this:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} /(wp-includes|wp-content)/.*\ HTTP/
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule .* - [F]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

The entire htaccess file will look like this:

Options All -Indexes
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{THE_REQUEST} /(wp-includes|wp-content)/.*\ HTTP/
RewriteCond %{HTTP_REFERER} !^http://(www\.)?yourdomain\.com/.*$ [NC]
RewriteRule .* - [F]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
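To see what these rewrite rules actually do before deploying them, here is an added example (not from the original post or from WordPress itself) that replays the same regexes in Python against a few constructed requests; yourdomain.com is the post’s placeholder hostname and the set of files on disk is made up.

```python
import re

# Emulation of the rewrite directives from the .htaccess above. Apache is not
# involved; the same regexes are simply applied in the same order so the
# behaviour can be checked offline. yourdomain.com is the post's placeholder.
ASSET_RE = re.compile(r"/(wp-includes|wp-content)/.*\ HTTP/")
# [NC] on the RewriteCond means a case-insensitive match.
REFERER_RE = re.compile(r"^http://(www\.)?yourdomain\.com/.*$", re.IGNORECASE)


def route(method, path, referer, existing_paths):
    """Return 'forbidden', 'index.php', or the path that would be served.

    method and path build THE_REQUEST; referer is the HTTP_REFERER value
    ('' when the header is absent); existing_paths stands in for the
    -f / -d checks against the filesystem.
    """
    the_request = f"{method} {path} HTTP/1.1"
    # Rule 1: a request into wp-includes/wp-content is refused unless the
    # Referer matches the blog. An empty Referer fails the match as well.
    if ASSET_RE.search(the_request) and not REFERER_RE.match(referer):
        return "forbidden"  # RewriteRule .* - [F]
    # Rule 2 (permalinks): anything that is not a real file or directory is
    # handed to index.php.
    if path.split("?")[0] not in existing_paths:
        return "index.php"  # RewriteRule . /index.php [L]
    return path


if __name__ == "__main__":
    disk = {"/index.php", "/wp-content/themes/default/style.css"}
    for ref in ("", "http://www.yourdomain.com/2007/hello/", "https://yourdomain.com/"):
        print(repr(ref), "->", route("GET", "/wp-content/themes/default/style.css", ref, disk))
```

Because the check relies entirely on the client-supplied Referer header, it stops casual direct access but not a client that omits or chooses that header; note also that the pattern only matches http:// referers, so a blog served over https would block its own stylesheet requests.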

This article is filed under the category WordPress.