Securing your WordPress installation

October 11, 2013     0 comments

WordPress sites are a constant target of automated attacks, so it is worth hardening a new installation. The steps below apply to WordPress on Apache with mod_rewrite; they supplement, and do not replace, keeping core, themes and plugins updated, using strong unique passwords, and keeping off-site backups.

1. Useful plug-ins:
http://wordpress.org/plugins/bulletproof-security/ (the .htaccess rules below are derived from this plugin's ruleset)
http://wordpress.org/plugins/hc-custom-wp-admin-url/
http://wordpress.org/plugins/rename-wp-login/
Note: the last two both rename the login URL, so install only one of them. Hiding wp-login.php only cuts down automated noise; it is not authentication, and password guessing is still possible through xmlrpc.php unless that is disabled or rate-limited as well. Check that a plugin is still maintained before installing it.

2. Add a .htaccess in your WordPress root directory with the following (Apache with mod_rewrite; rule order matters — the request filters must run before the WordPress rewrite loop, see the comments in the file):

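# Root .htaccess: request filters, plugin exemptions, podPress feed redirects,
# the WordPress front-controller loop and file access denials.
#
# Everything that uses mod_rewrite is wrapped in <IfModule mod_rewrite.c>: an
# unguarded RewriteCond/RewriteRule on a host without mod_rewrite makes Apache
# answer 500 for every request under this directory.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# ---------------------------------------------------------------------------
# Exemptions from the request filters below.
#
# The original rules used "[S=30]" to jump over the filter rules. That relies
# on counting the RewriteRule directives that follow and silently breaks
# whenever a rule is added or removed. Instead, matching requests set an
# environment variable that each filter checks explicitly, so the exemptions
# do not depend on rule order.
#
# Every entry here is also a filter bypass: appending "&redirect_to=x" (or
# any other listed parameter) to a request switches the query-string filter
# off for that request. Keep this list to the plugins you actually run and
# delete the rest.
# ---------------------------------------------------------------------------
# redirect_to= (login/redirect plugins, and the BuddyPress logout redirect,
# which needs WordPress 3.0.4 or higher), password-reset links, and the
# FeedWordPress update trigger.
RewriteCond %{QUERY_STRING} redirect_to= [NC,OR]
RewriteCond %{QUERY_STRING} action=resetpass&key= [NC,OR]
RewriteCond %{QUERY_STRING} action=rp&key= [NC,OR]
RewriteCond %{QUERY_STRING} update_feedwordpress= [NC,OR]
# Plugin directories whose own requests trip the filters: Ozh' Admin Drop Down
# Menu, ComicPress Manager, YAPB, WordPress.com Stats, Status Updater,
# wp-extplorer, Adminer, Peters Custom Anti-Spam Image, Stream Video Player,
# XCloner. Note that exempting wp-extplorer (a file manager) and adminer (a
# MySQL client) leaves those tools completely unfiltered; do not keep them
# installed on a production site unless they are really needed.
RewriteCond %{REQUEST_URI} ^/wp-content/plugins/(ozh-admin-drop-down-menu|comicpress-manager|yet-another-photoblog|stats|fb-status-updater|wp-extplorer|adminer|peters-custom-anti-spam-image|stream-video-player|xcloner-backup-and-restore)/ [NC,OR]
# Image thumbnailer scripts: anything with "thumb" in the file name
# (timthumb.php, thumb.php, thumbs.php, phpthumb.php ...).
RewriteCond %{REQUEST_FILENAME} thumb [NC]
RewriteRule .* - [E=FILTER_SKIP:1]

# ---------------------------------------------------------------------------
# Request filters. They must come BEFORE the WordPress rewrite loop: the
# loop's "RewriteRule . /index.php [L]" matches every permalink request and
# [L] ends the pass, so filters placed after it never see those requests and
# only ever run for direct hits on existing files such as wp-login.php.
# ---------------------------------------------------------------------------
# FILTER REQUEST METHODS
# HEAD is deliberately not listed: it is a safe, read-only method used by
# uptime monitors, link checkers and caches, and refusing it only creates
# false alarms. TRACE is best disabled for the whole server with
# "TraceEnable off" in httpd.conf; this rule is a fallback for hosts where
# the server config cannot be changed.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK)$ [NC]
RewriteRule .* - [F,L]

# QUERY STRING EXPLOITS
# This is a substring blacklist, not a security boundary: it can be evaded
# (through the exemptions above, or with encodings the patterns do not
# cover) and is no substitute for keeping core, themes and plugins updated.
# The last line blocks ordinary words such as order, set, update, delete,
# create, select, meta and script anywhere in a query string, which also
# catches ?orderby=, ?action=delete, ?s=<search term> and similar legitimate
# requests; remove any token that breaks your site.
# "tag=" from the original list is left out because WordPress core itself
# uses ?tag=<slug> for tag archives.
RewriteCond %{ENV:FILTER_SKIP} !=1
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(execute|exec|sp_executesql|request|select|insert|union|declare|drop|delete|create|alter|update|order|char|set|cast|convert|meta|script|truncate).* [NC]
RewriteRule .* - [F,L]

# ---------------------------------------------------------------------------
# podPress: rewrite ?feed=<name> as /feed/<name>. If you use a custom slug,
# put the slug name in the RewriteRule, e.g.
#   RewriteRule (.*) /feed/custom-slug-name/$1? [R=301,L]
# ---------------------------------------------------------------------------
RewriteCond %{QUERY_STRING} feed=podcast [NC]
RewriteRule (.*) /feed/podcast/$1? [R=301,L]

RewriteCond %{QUERY_STRING} feed=enhancedpodcast [NC]
RewriteRule (.*) /feed/enhancedpodcast/$1? [R=301,L]

RewriteCond %{QUERY_STRING} feed=torrent [NC]
RewriteRule (.*) /feed/torrent/$1? [R=301,L]

# The original page spelled this condition "premimum", so it never matched.
RewriteCond %{QUERY_STRING} feed=premium [NC]
RewriteRule (.*) /feed/premium/$1? [R=301,L]
</IfModule>

# Standard WordPress front-controller loop. Keep it LAST (see the note on the
# filters above). WordPress rewrites the text between the BEGIN/END markers
# when permalink settings change, so leave the markers in place.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Deny direct web access to configuration and installer files. The pattern is
# unanchored at the end on purpose, so editor and backup copies such as
# wp-config.php~ or wp-config.php.bak are covered too. This section does not
# need mod_rewrite and is inherited by sub-directories (it also covers
# wp-admin/install.php).
# "Order/Deny/Allow" is Apache 2.2 syntax (mod_access_compat on 2.4); on
# Apache 2.4 use "Require all denied" and "Require ip a.b.c.d" instead.
# To allow ONLY yourself access to these files, put your current IP address
# in the Allow line and remove the # in front of it.
<FilesMatch "^(wp-config\.php|install\.php|\.htaccess|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
 Order Deny,Allow
 Deny from all
# Allow from 000.000.000.000
</FilesMatch>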

3. Add a .htaccess in the wp-admin directory of your WordPress root with the following (rewrite rules in a sub-directory .htaccess replace the root rules for that directory rather than extending them, so the root filters above no longer apply under /wp-admin/ once this file exists):

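# wp-admin/.htaccess: request filters for the admin area.
#
# Rewrite rules in a sub-directory .htaccess replace the parent's rules rather
# than extending them (unless "RewriteOptions Inherit" is set), so the root
# filters do not apply under /wp-admin/ once this file exists, and the engine
# must be switched on here explicitly. Without the <IfModule> guard a host
# without mod_rewrite would answer 500 for the whole admin area.
<IfModule mod_rewrite.c>
RewriteEngine On

# FILTER REQUEST METHODS
# HEAD is not listed: it is a read-only method and blocking it only breaks
# monitors and link checkers. Prefer "TraceEnable off" in httpd.conf for
# TRACE; this rule is a fallback where the server config cannot be changed.
RewriteCond %{REQUEST_METHOD} ^(TRACE|DELETE|TRACK)$ [NC]
RewriteRule .* - [F,L]

# QUERY STRING EXPLOITS
# Only the structural patterns (directory traversal, tag injection, PHP
# superglobal and remote-include markers) are used here. The keyword list
# from the root .htaccess (order|set|update|delete|create|select|meta|...) and
# "tag=" are left out on purpose: the admin screens use exactly those words in
# their own query strings (?orderby=, ?action=delete, ?update=, ?action=create
# ...) and would be locked out. Remember that wp-admin/admin-ajax.php is also
# called by the public front end, so whatever is blocked here is blocked for
# visitors too. This is still a bypassable blacklist, not a security boundary.
RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC]
RewriteRule .* - [F,L]
</IfModule>

# Optional, and far more effective than any query-string filter: allow the
# admin area only from your own address(es), or put HTTP basic auth on it.
# admin-ajax.php must stay reachable because the public front end calls it.
# Apache 2.2 syntax shown; on 2.4 use "Require ip ..." / "Require all granted".
# Uncomment and replace 203.0.113.5 with your address to enable.
#Order Deny,Allow
#Deny from all
#Allow from 203.0.113.5
#<Files admin-ajax.php>
# Order Allow,Deny
# Allow from all
#</Files>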

These steps raise the bar against automated attacks, but none of them replaces keeping WordPress, themes and plugins updated. After adding the rules, test the site (front page, search, tag archives, login, password reset and the admin screens), because the filters are substring blacklists that can block legitimate requests — and remove any pattern that does.
