Day 3. Protect your WordPress Files and Dirs Carefully
And I want to say – yes – WordPress is very safe, and in an ordinary situation, when you use a clean WordPress install with the default Twenty Seventeen theme, you have nothing to worry about (unless your password is «qwerty» or «12345678»).
But there are no ordinary situations in life: you may use a plugin with a vulnerability, or hosting that is not good enough, and in that case every one of these security tips matters and could save your website.
Step 1. Protect wp-config.php
First of all, place your wp-config.php in the directory above your installation folder. Do not worry, WordPress will find it there without problems.
Second, in the same directory create a file named .htaccess with the following content.
<files wp-config.php>
order allow,deny
deny from all
</files>
It may look something like this (see the screenshot, where public_html is the directory with WordPress).
Third, set the file permissions (chmod) to 400. You can usually do it in your FTP/SFTP client via right click on the file.
But what does 400 (or 440 and 444 as well) mean? It means that nobody can edit this file, not even from your WordPress admin area (using a plugin, for example). With 400 only the file owner can read it, so it works when PHP runs as your own user; if your host runs PHP as a different user, use 440 or 444 instead, otherwise WordPress can no longer read its own configuration.
I also recommend setting chmod 444 for every .htaccess file on your website. In addition, the official WordPress Codex recommendation is 755 for all directories and 644 for files.
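As an added example (not code from the original post), here is a POSIX shell script that applies the permission scheme just described to a constructed sample tree and then verifies it. It assumes GNU coreutils (stat -c) and that the WordPress directory is passed as public_html with wp-config.php one level above it.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes GNU stat (-c %a).

# Apply the scheme from the post: 755 dirs, 644 files, 444 .htaccess,
# 400 wp-config.php (which lives one level above the WordPress dir).
harden_wp_perms() {
  wp_root="$1"; parent=$(dirname "$wp_root")
  find "$wp_root" -type d -exec chmod 755 {} +
  find "$wp_root" -type f -exec chmod 644 {} +
  find "$wp_root" -type f -name .htaccess -exec chmod 444 {} +
  if [ -f "$parent/wp-config.php" ]; then chmod 400 "$parent/wp-config.php"; fi
  if [ -f "$parent/.htaccess" ]; then chmod 444 "$parent/.htaccess"; fi
}

# Print every path that deviates from the scheme; returns 0 if clean, 1 otherwise.
check_wp_perms() {
  wp_root="$1"; parent=$(dirname "$wp_root"); rc=0
  [ "$(stat -c %a "$parent/wp-config.php" 2>/dev/null)" = 400 ] || { echo "wp-config.php"; rc=1; }
  find "$wp_root" -type d ! -perm 755 -print | grep . && rc=1
  find "$wp_root" -type f ! -name .htaccess ! -perm 644 -print | grep . && rc=1
  find "$wp_root" -type f -name .htaccess ! -perm 444 -print | grep . && rc=1
  return $rc
}

# Constructed sample tree mimicking the layout from the screenshot.
make_sample_tree() {
  base=$(mktemp -d)
  mkdir -p "$base/public_html/wp-content/uploads/2017"
  printf '<?php // constructed sample\n' > "$base/wp-config.php"
  printf 'Options -Indexes\n' > "$base/public_html/.htaccess"
  printf '' > "$base/public_html/wp-content/uploads/2017/photo.jpg"
  # deliberately too open, so the check has something to report
  chmod 777 "$base/public_html/wp-content/uploads/2017" "$base/wp-config.php"
  echo "$base"
}

base=$(make_sample_tree)
check_wp_perms "$base/public_html" >/dev/null || echo "before: offenders found"
harden_wp_perms "$base/public_html"
check_wp_perms "$base/public_html" && echo "after: permissions match the scheme"
```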
Step 2. Disable directory browsing
Try to open the yourdomain/wp-content/plugins URL in your browser; what follows is something you shouldn’t see (a listing of the directory contents).
Usually WordPress already includes an empty index.php file in /wp-content/plugins/, /wp-content/themes/ and /wp-content/uploads.
But what about all the other directories without index.php, even ones like /wp-content/uploads/2017?
Simple: just open the .htaccess file in your WordPress installation folder and insert this single line at the beginning of the file:
Options -Indexes
Now, when someone tries to access your directories directly, they will receive «403 Forbidden».
Step 3. Pay special attention to the uploads folder
Well, the uploads directory is a very problematic place in WordPress. If it seems like your website is under attack, look into the uploads folder; I suppose you will find something interesting there.
Our task now is to disable PHP execution there. There are two ways to implement it (I prefer the first one).
# Way 1
# at first we completely disable access to all the files
# (the dot in the pattern must be escaped so it matches a literal ".")
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
# after that add the file extensions you want to allow access to
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|mp4|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>
# Way 2
# Kill PHP Execution
<Files *.php>
deny from all
</Files>
No matter which way you choose, you have to create another .htaccess file with that content in your uploads directory.
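As an added example (not code from the original post) to go with the advice to look into the uploads folder: a POSIX shell audit that lists script files under uploads and checks that the uploads .htaccess actually carries one of the two deny rules above. It builds a constructed sample uploads tree and assumes a find(1) that supports -iname.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes find(1) with -iname.

# List files under $1 with extensions a PHP handler may execute.
# Returns 0 when none exist, 1 when at least one was found (paths printed).
find_scripts_in_uploads() {
  hits=$(find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' \
         -o -iname '*.php[3-7]' -o -iname '*.phar' \) -print)
  if [ -z "$hits" ]; then return 0; fi
  printf '%s\n' "$hits"
  return 1
}

# Confirm $1/.htaccess exists, contains "deny from all" and opens either
# Way 1 (<Files ~ "...">) or Way 2 (<Files *.php>) from the post.
uploads_htaccess_ok() {
  ht="$1/.htaccess"
  [ -f "$ht" ] || return 1
  grep -qi 'deny from all' "$ht" || return 1
  grep -qiE '<Files +(~|\*\.php>)' "$ht"
}

# Constructed sample uploads directory: one image, one stray PHP file, Way 2 rule.
make_sample_uploads() {
  u=$(mktemp -d)/uploads
  mkdir -p "$u/2017"
  printf 'GIF89a\n' > "$u/2017/banner.gif"
  printf '<?php // constructed sample, not a real script\n' > "$u/2017/stray.php"
  cat > "$u/.htaccess" <<'EOF'
# Way 2 from the post
<Files *.php>
deny from all
</Files>
EOF
  echo "$u"
}

u=$(make_sample_uploads)
uploads_htaccess_ok "$u" && echo ".htaccess: PHP files are denied"
find_scripts_in_uploads "$u" || echo "script files found in uploads (listed above)"
```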
Step 4. /wp-admin/
By password
In this method, by adding two simple files to your /wp-admin directory you completely block everything inside it from unauthorized access.
The first file is /wp-admin/.htaccess:
AuthType Basic
# Welcome message
AuthName "Hi, this area is protected!"
# Full path to the .htpasswd file; you can find it out with PHP's getcwd() function
AuthUserFile /home/rudrastyh.com/public_html/wp-admin/.htpasswd
require valid-user
The second file is /wp-admin/.htpasswd; each line in it is a user:encrypted_password pair. To generate the passwords you can use my tool.
By IP
Protection by IP is better, but it doesn’t suit me because I work from many different places and sometimes while travelling.
This code should be placed in /wp-admin/.htaccess. Note that <limit GET> restricts only GET (and HEAD) requests; leave the <limit> wrapper out if the rules should apply to POST and every other method as well. The require valid-user line also assumes the AuthType and AuthUserFile lines from the password method are present in the same file.
<limit GET>
satisfy any
order deny,allow
deny from all
allow from 213.21.33.55
allow from 213.21.34.
# add your own lines with allowed IP addresses here
require valid-user
</limit>
Issue with admin-ajax.php
The interesting thing is that when you block your /wp-admin directory, the admin-ajax.php file is blocked as well, so you cannot run AJAX scripts outside your admin area.
How to avoid this? Use a custom ajaxurl instead; for example, add an ajax.php file to your WordPress directory with the following content:
<?php
require( dirname(__FILE__) . '/wp-admin/admin-ajax.php' );

Misha Rudrastyh
Hey guys and welcome to my website. For more than 10 years I've been doing my best to share with you some superb WordPress guides and tips for free.
Awesome article with very practical .htaccess codes!
Hey Misha, really helpful article, but I have some trouble implementing step 3 to hide/protect the WordPress upload folder.
I’ve tried to write an htaccess rule like this:
1) Options All -Indexes
2)
Order Allow,Deny
Deny from all
but I can still see them with Google dev tools.
Any help will be appreciated
Hey Alex,
Did I understand correctly – you would like to block all the files in your uploads directory?
yes
Just place an .htaccess file with the following content in your uploads directory. It will take some time to disappear from Google.
Misha,
thanks for your post!
Maybe you can help me with that one:
I want to embed/display a video within my wordpress site (to be viewed by everyone) but I want to deny direct access to that file via URL (www.xxx.mp4). I tried different htaccess-options, but either the video is shown and can be accessed or the access is denied but also not shown within wordpress. Any idea?
Help is appreciated!
Mat
Hi Mat,
Hmm, I think you could try htaccess authorization with the login / password for these files.
Hi Misha,
Thank you for your post. Very neatly written with easy to understand language. I have book marked your website. Cheers !!
Hi and thank you very much! :)
Won’t be able to use this on PHP 7.4