Hardening Wordpress with Mod Rewrite and htaccess

Reaper-X | Sep 1, 2007

It’s been a while since the last time I wrote tips (or whatever you call them) :P … so I decided to write some tips on how to harden your WordPress installation. As you’ve already guessed, these tips might be useful if you’re using WordPress as your platform (blog, etc.).

But first, as a reminder: this is not a perfect way to secure your WordPress installation (for various reasons / factors), but at least it’s going to harden it.

And as a note, this is tested only on the Apache web server; you need to be allowed to override the configuration using a .htaccess file, and lastly … you need to have mod_rewrite installed and activated (don’t worry: if you can use custom permalinks, that means mod_rewrite is enabled on your hosting / server).

Okay, without further ado … here are the tips:

1. Disable Directory Indexing

By disabling directory indexing, you prevent people from browsing your directory structure (Apache will no longer list the contents of a directory that has no index file).

Steps to disable it:

Create or edit the .htaccess file in your public_html directory and add this to it:

Options -Indexes

2. Removing the WordPress version number

Some people think that hiding your WordPress version number is not necessary, so feel free to decide whether to implement it or not.

Steps to remove it:

Remove this line from the header.php file of the theme you are currently using:

<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" />

Also, if you’re feeling a little bit adventurous, you can remove the generator line from wp-includes/feed-*.php as well, because by default WordPress shows your version number in your blog feed too.
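To check whether the two disclosure points above (the meta tag in the page head and the generator element in the feed) are really gone after editing the theme and feed templates, here is a small scanner, written as an added example for this post and not part of the original. The sample page, feed and "hardened" page are constructed inline in the shapes WordPress emits by default; run it against a saved copy of your own front page and feed instead.

```python
import re

# Constructed samples (not taken from the post): a page head and an RSS feed as
# WordPress emits them by default, plus a page with the generator tag removed.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 2.2.3" />
<title>Test</title></head><body></body></html>"""

SAMPLE_FEED = """<?xml version="1.0"?>
<rss version="2.0"><channel>
<title>Test</title>
<generator>http://wordpress.org/?v=2.2.3</generator>
</channel></rss>"""

HARDENED_HTML = "<html><head><title>Test</title></head><body></body></html>"

# The theme's header.php emits: <meta name="generator" content="WordPress x.y.z" />
META_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s*([^"\']*)["\']',
    re.IGNORECASE,
)
# The feed templates emit: <generator>http://wordpress.org/?v=x.y.z</generator>
FEED_RE = re.compile(
    r'<generator>\s*https?://wordpress\.org/\?v=([^<\s]+)\s*</generator>',
    re.IGNORECASE,
)


def find_version_leaks(document):
    """Return a list of (location, version) pairs for every WordPress version
    string the document still discloses; an empty list means nothing leaked."""
    leaks = []
    for match in META_RE.finditer(document):
        leaks.append(("meta", match.group(1).strip()))
    for match in FEED_RE.finditer(document):
        leaks.append(("feed", match.group(1).strip()))
    return leaks


if __name__ == "__main__":
    for name, doc in (("page", SAMPLE_HTML), ("feed", SAMPLE_FEED), ("hardened page", HARDENED_HTML)):
        print(name, "->", find_version_leaks(doc) or "no version disclosed")
```

The scanner only looks at the two places this tip edits; HTTP response headers and readme files are separate sources of the same information and are not covered here.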

3. Protecting the wp-admin directory

In this example I’m going to show you how to protect your wp-admin directory by checking the visitor’s IP address (it can be used even with a dynamic IP address).

Steps to protect it:

3.1 If you’re using a static IP address

Create a new .htaccess file inside your wp-admin directory and add these lines to it (replace 123.456.789.0 with your own address):

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0
RewriteRule .* http://www.domain.com/ [R,L]
</IfModule>

3.2 If you’re using a dynamic IP address

Same idea, but only match the leading octets that stay constant for your connection:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^123\.456\.
RewriteRule .* http://www.domain.com/ [R,L]
</IfModule>

What the above configuration does is check your IP address first to see whether you’re allowed to access any file inside the wp-admin directory; if you’re not allowed, you’ll be redirected automatically to the specified address (you can use any address) with a 302 Found (Moved Temporarily) header.

As a side note, if you want the easiest way to password protect your wp-admin directory you can use the plugin by AskApache, or if you prefer to do it the manual way … check the BlogSecurity website.

4. Protecting wp-login.php and wp-register.php (or any file you choose)

Now you’ve protected your admin directory … but there’s one more step to do, especially if you’re the only person on your blog and have also disabled user registration.

So this time we’re going to protect wp-login.php and wp-register.php. Here are the steps:

– Open the .htaccess file in the root of your public_html directory and choose whichever method you like (to protect another file, such as wp-register.php, use its name in place of wp-login.php).

4.1 Deny access to wp-login.php by showing a forbidden message

<Files wp-login.php>
Order deny,allow
Deny from All
Allow from 123.456.789.0
</Files>

4.2 Deny access to wp-login.php by redirecting to the specified address:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REQUEST_URI} wp-login.php
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.0
RewriteRule .* http://www.domain.com/ [R,L]
</IfModule>

As a note, you can also use the dynamic IP address pattern here, just like in the Protecting the wp-admin directory method.
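The RewriteCond lines in tips 3 and 4 are regular expressions matched against %{REMOTE_ADDR}, and the `!` means the rule fires (redirect) when the address does not match. The following model of that decision, added here as an example and not part of the original post, lets you audit an allow-pattern against a list of addresses before deploying it. The addresses are RFC 5737 documentation ranges standing in for the post's 123.456.789.0 placeholders (constructed values). It also shows one caveat worth knowing: the post's patterns have no trailing `$`, so `^203\.0\.113\.10` also accepts 203.0.113.100 through 203.0.113.109; anchoring the pattern closes that gap.

```python
import re

# Constructed allow-patterns using documentation addresses (RFC 5737).
STATIC_UNANCHORED = r"^203\.0\.113\.10"          # as in the post: no trailing $
STATIC_ANCHORED = r"^203\.0\.113\.10$"           # exact-match form
DYNAMIC_PREFIX = r"^203\.0\."                    # tip 3.2 style: allow a whole prefix
MULTI_ADDR = r"^(203\.0\.113\.10|198\.51\.100\.7)$"  # several authors, grouped OR


def cond_matches(value, pattern):
    """Apache's RewriteCond applies the regex unanchored, like re.search."""
    return re.search(pattern, value) is not None


def is_allowed(remote_addr, pattern):
    """RewriteCond %{REMOTE_ADDR} !<pattern> redirects when the address does NOT
    match, so the client is allowed exactly when the pattern matches."""
    return cond_matches(remote_addr, pattern)


def wp_login_action(remote_addr, request_uri, pattern):
    """Model of tip 4.2: both RewriteConds must hold for the RewriteRule to fire.
    Returns 'redirect' when the request is bounced, 'pass' otherwise."""
    if cond_matches(request_uri, r"wp-login\.php") and not cond_matches(remote_addr, pattern):
        return "redirect"
    return "pass"


def audit_pattern(pattern, addresses):
    """Return the addresses an allow-pattern would let through, so you can see
    whether it admits more than you intended."""
    return [addr for addr in addresses if is_allowed(addr, pattern)]


if __name__ == "__main__":
    probe = ["203.0.113.10", "203.0.113.100", "203.0.113.1", "203.0.200.1", "198.51.100.7"]
    for name, pattern in (("unanchored", STATIC_UNANCHORED), ("anchored", STATIC_ANCHORED),
                          ("dynamic prefix", DYNAMIC_PREFIX), ("multi", MULTI_ADDR)):
        print(f"{name:15} allows {audit_pattern(pattern, probe)}")
```

Running the audit against a few addresses near your own (same last octet with a digit appended, neighbouring hosts in the same prefix) is a quick way to see exactly who a pattern admits; for the dynamic-IP form, every host in the allowed prefix can reach the login page, so the narrower the prefix you can get away with, the better.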

That’s it … you’re done … I hope these small WordPress tips are useful for you.


Comments

  1. TheahdimeLome Aug 16, 2010 at 9:54 AM

    i’m new… hope to brief nearly more regularly!

  2. John google.com/profiles/john.greer.tx Apr 30, 2009 at 8:35 AM

    If you have 2 or more people authoring the blog from multiple IPs, for tip #3 above, you can add multiple IPs with the .htaccess OR operator, for example:

    RewriteCond %{REMOTE_ADDR} !^(70\.30\.200\.40|200\.180\.20\.250)$

  3. mikle bigbones.com Aug 26, 2008 at 7:50 PM

  4. Martin Ankerl martin.ankerl.com Jan 25, 2008 at 12:09 AM

    Thanks a lot! My wordpress was recently hacked, now I have upgraded to the latest release and done all your suggestions. I hope this helps

  5. Reaper-X Sep 5, 2007 at 2:58 PM

    Thanks Jonathan, besides, I love reading AskApache too :)

  6. Jonathan jonlandrum.com/ Sep 5, 2007 at 3:24 AM

    Nice! A lot of useful tips here. And thanks for the link to the AskApache plugin.

Trackbacks/Pingbacks

  1. 'How To Guide' for securing WordPress and protecting websites. | MileHighTechGuy > Productivity Tools & Technology
  2. 26 .htaccess Rules for WordPress - 候鸟博客
  3. New Plugin: Integrity for WordPress ↔ BraveNewCode Inc.
  4. ‘How To Guide’ for securing WordPress and protecting websites. | MileHighTechGuy
  5. How to Improve WordPress Security | Interconnect IT - WordPress Consultants, Web Development and Web Design
  6. A to Z of WordPress .htaccess Hacks | Nometech.com
  7. Ultimate .htaccess file Examples
  8. Installing a LAMP Server, with Wordpress, on Slicehost (and maybe elsewhere) « A Life of Constant Flux
  9. Installing a LAMP Server on Slicehost (and maybe elsewhere) « A Life of Constant Flux
  10. Reading list, Virtual online worlds and MMOGs
  11. My favorite WordPress Resources | sebthom.de
