Day 3. Protect your WordPress Files and Dirs Carefully

At the beginning of this post I would like to clarify you why we do all of this. Some people say that the security tips like changing admin login, replacing database prefix, protection of wp-config.php is a waste of time and has no effect because eveything is already protected in WordPress by default.

/5 comments

And I want to say – yes – WordPress is very safe and in ordinary situation, when you use clean WordPress install with the default Twenty Seventeen theme you have nothing to worry about (unless your password is «querty» or «12345678»).

But there are no ordinary situations in life – you may use a plugin with vulnerabily or not good enough hosting — in this case any of security tips matter and could safe your website.

Step 1. Protect wp-config.php

First of all – place your wp-config.php in the directory above your installation folder. Do not worry – WordPress will find it without problems there.

Second – in the same directory create a file named .htaccess with the following content.

<files wp-config.php>
order allow,deny
deny from all
</files>

It may look something like this:

wp-config.php one level above the WordPress install

On the screenshot public_html is the directory with WordPress.

Third – set file permissions (chmod) to 400. You can do it in your FTP/SFTP client usually via right click on file.

wp-config.php chmod to 400

But what means 400 (or 440 and 444 as well) ? It means that nobody can edit this file. You can not even do it in your WordPress admin area (using a plugin for example).

I also recommend to set 444 chmod for every .htaccess file on your website. In addition, the official WordPess codex recommendation is 755 for all directories and 644 for files.

Step 2. Disable directory browsing

Try to open yourdomain/wp-content/plugins URL in your browser and this is something you shouldn’t see:

Disable plugins directory browsing in WordPress by placing empty index.php in plugins folder.

Usually WordPress already includes empty index.php file in /wp-content/plugins/, /wp-content/themes/ and /wp-content/uploads.

But what about all the other directories without index.php, even like /wp-content/uploads/2017?

Simple — just open .htaccess file which is in your WordPress installation folder and insert at the beginning of the file just this single line:

Options -Indexes

Now, when someone tries to access your dirs directly, he will receive «403 Forbidden».

Step 3. A special attention at uploads folder

Well, uploads directory is a very problematic place in WordPress. If it seems like your website is under attack, look into the uploads folder, I suppose you can find something interesting there.

Our task now is to disable PHP-execution there. There are two ways to implement it (I prefer the first way).

# Way 1
# at first we completely disable access to all the files
<Files ~ ".*..*">
	Order Allow,Deny
	Deny from all
</Files>
# after that add file extensions you want to allow access
<FilesMatch ".(jpg|jpeg|jpe|gif|png|mp4|pdf)$">
	Order Deny,Allow
	Allow from all
</FilesMatch>
# Way 2
# Kill PHP Execution
<Files *.php>
deny from all
</Files>

No matter what way you choose, you have to create another .htaccess in you uploads directory.

Step 4. /wp-admin/

By the password

In this method, by adding two simple files in your /wp-admin directory you will completely block everything inside it from unauthorized access.

First file is /wp-admin/.htaccess:

AuthType Basic
# Welcome message
AuthName "Hi, this area is protected!"
# Full path to .htpasswd file, you can use getcwd() function to find out it
AuthUserFile /home/rudrastyh.com/public_html/wp-admin/.htpasswd
require valid-user

This is the content of the /wp-admin/.htpasswd file, each line is the user:encrypted_password. To generate the passwords you can use my tool.

misha:$apr1$g1lm35sb$RxheEoFiPSbxJX3jqWY54.
user2:$apr1$mcp01ndw$vftDwmsIFlFmI53qOGFeS1

By the IP

Protection by the IP is better, but it doesn’t fit for me because I work from many different places and sometimes in my trips.

This code should be placed in /wp-admin/.htaccess

<limit GET>
satisfy any
order deny,allow
deny from all
allow from 213.21.33.55
allow from 213.21.34.
# add your own lines with allowed IP addresses here
require valid-user
</limit>

Issue with admin-ajax.php

The interesting thing is that when you block your /wp-admin directory, the admin-ajax.php file will be blocked as well. So, you can not run ajax scripts outside your admin area.

How to avoid this? — use custom ajaxurl instead, as an option you can add ajax.php file in your WordPress directory with the following content in it:

<?php
	require( dirname(__FILE__) . '/wp-admin/admin-ajax.php' );

#5DaysToProtectYourWordPress

Misha Rudrastyh

Misha Rudrastyh

I love WordPress, WooCommerce and Gutenberg so much. 10 yrs of experience.

Need some custom developer help? Let me know

Follow Misha

Need some help with WordPress?

If you need some professional developer help, I will be happy to assist you.

Contact me Who I am?

Comments — 5

Leave a comment

php js HTML CSS Code