WordPress HTACCESS And Why You Need It

This entry is part 2 of 6 in the series WordPress Hacks

Time and time again I am contacted by National Association of Mortgage Field Services (NAMFS) Members, either because their website has been hacked (a very costly endeavor to have me fix) or because they simply want me to do penetration testing (a far less expensive endeavor) and present a Report so that they may fix the issues themselves. About a month ago, Foreclosurepedia began a Security Audit of the websites of NAMFS Regime Members who use WordPress as a Content Management System (CMS), along with other Open Source flavors. Many remember the horrific security breaches we documented pertaining to NAMFS Regime Board Member Joel McCall of McCall Field Services, and how he had released both NAMFS Academy material and just about every Manual available for his Clients. We ended up archiving everything over on the ISTAR Repository, and it saved literally months of work we normally would have had to do.

WordPress today powers nearly 20 percent of all websites on the Internet. Created in 2003, WordPress is still a teenager and today delivers well over 4 Billion Page Views per year. The reality is that its ease of installation (generally a one click install) and the plethora of Plug and Play Plugins make WordPress the choice bar none, even for Enterprise Level Corporations.

Today, we are going to talk about .htaccess and why it is important. To understand WordPress, or any CMS for that matter, the easiest way to conceive things is that you have a skeleton upon which things operate, much like the Central Nervous System (CNS) in the human body. The .htaccess file is the core file that allows certain things to happen, and in certain fashions; or, in the alternative, it prohibits things from happening. It is the base level of security. The name htaccess is actually something of a misnomer: it stands for hypertext access, but that is a story for another day, since the reality is that you are generally only going to see it on shared hosting. The .htaccess file is a configuration file for web servers running the Apache Web Server software. When a .htaccess file is placed in a directory which is in turn loaded via the Apache Web Server, the .htaccess file is detected and executed by the Apache Web Server software. It is often used to specify the security restrictions for that particular directory. Here is the basic WordPress .htaccess when you first install WordPress:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

Securing the .htaccess and wp-config.php

# Block direct web access to any .hta* file (.htaccess, .htpasswd, ...)
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>
# Block direct web access to the database credentials file
# (order/deny is Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

Clean your WordPress Permalinks for Better SEO

RewriteEngine On
RewriteCond %{QUERY_STRING} .
RewriteCond %{QUERY_STRING} !^(s|p)=.*
RewriteCond %{REQUEST_URI} !.*wp-admin.*
RewriteRule ^(.*)$ /$1? [R=301,L]

Improve WordPress Speed with .htaccess

# Header directives require mod_headers; without the guard Apache returns a 500 if the module is missing
<IfModule mod_headers.c>
Header unset Pragma
Header unset ETag
</IfModule>
FileETag None

<FilesMatch "\.(ico|jpg|jpeg|png|gif|js|css|swf|pdf|flv|mp3)$">
<IfModule mod_expires.c>
 ExpiresActive on
 ExpiresDefault "access plus 14 year"
</IfModule>
<IfModule mod_headers.c>
 Header set Cache-Control "public"
</IfModule>
</FilesMatch>
<FilesMatch "\.(html|htm|xml|txt|xsl)$">
<IfModule mod_headers.c>
 Header set Cache-Control "max-age=7200, must-revalidate"
</IfModule>
</FilesMatch>
I'm using NGINX, how can I enable it?

The corresponding settings in NGINX would look something like this:

location ~* \.(jpg|png|gif|jpeg|css|js)$ {
        expires 1m;
}

Compress the data served to your visitors

# mod_deflate compression for text assets (the single backslash escapes the dot before the extension)
<IfModule mod_deflate.c>
<FilesMatch "\.(js|css|html|htm|php|xml)$">
SetOutputFilter DEFLATE
</FilesMatch>
</IfModule>

<IfModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</IfModule>

Hardening WordPress

Options +Includes
Options +FollowSymLinks -Indexes

Deny Access to Spam-Bots Leaving Comments

<IfModule mod_rewrite.c>
# Stop spam attack logins and comments
# Replace yourdomain.com / yourdomain.org with your own hostname(s)
RewriteEngine On
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} .(wp-comments-post|wp-login)\.php*
RewriteCond %{HTTP_REFERER} !.*(yourdomain.com|yourdomain.org).* [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Matching POSTs are bounced back to the client's own address
RewriteRule (.*) http://%{REMOTE_ADDR}/$ [R=301,L]
</IfModule>
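To see exactly which requests the block above redirects, and which legitimate visitors it can catch, here is an added Python model of the same four conditions (example code, not from the original post or from WordPress); the domain names and the sample requests are constructed placeholders.

```python
import re
from dataclasses import dataclass

# Placeholders copied from the snippet above; replace with the site's real hostnames.
SITE_DOMAINS = ("yourdomain.com", "yourdomain.org")

# Python equivalents of the RewriteCond patterns (same regexes, same search semantics).
TARGET_URI = re.compile(r".(wp-comments-post|wp-login)\.php*")
OWN_REFERER = re.compile(r".*(" + "|".join(SITE_DOMAINS) + r").*")

@dataclass
class Request:
    method: str
    uri: str
    referer: str = ""      # empty string == header absent, as mod_rewrite sees it
    user_agent: str = ""

def rule_fires(req: Request) -> bool:
    """True when mod_rewrite would redirect this request to http://<client IP>/.

    [OR] joins only the referer test with the user-agent test, so the block is
        POST AND target-uri AND (referer-not-ours OR user-agent-empty)
    """
    if req.method != "POST" or not TARGET_URI.search(req.uri):
        return False
    referer_not_ours = OWN_REFERER.search(req.referer) is None
    user_agent_empty = req.user_agent == ""
    return referer_not_ours or user_agent_empty

# Constructed sample requests, not real traffic.
SAMPLES = {
    "bot_no_headers":     Request("POST", "/wp-login.php"),
    "bot_bad_referer":    Request("POST", "/wp-comments-post.php", "http://spam.example/", "curl/8"),
    "visitor_comment":    Request("POST", "/wp-comments-post.php", "https://yourdomain.com/post/", "Mozilla/5.0"),
    "visitor_get_form":   Request("GET", "/wp-login.php", "", "Mozilla/5.0"),
    # Edge case: a real user whose browser or privacy extension strips Referer is also redirected.
    "visitor_no_referer": Request("POST", "/wp-login.php", "", "Mozilla/5.0"),
}

def evaluate(samples=SAMPLES) -> dict:
    """Map each sample name to whether the rule redirects it."""
    return {name: rule_fires(req) for name, req in samples.items()}

if __name__ == "__main__":
    for name, fired in evaluate().items():
        print(f"{name:20s} {'REDIRECTED' if fired else 'allowed'}")
```

The last sample is the practical caveat: because the referer and empty-user-agent tests are OR-ed, a genuine login POST with no Referer header is treated exactly like a bot, so check your logs for 301s on wp-login.php after enabling the rule.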

These are some of the most basic settings. Over the next several weeks, I will begin to include some features to show you how to lock down access to other themes and plugins you may have installed, but deactivated. I generally keep everything either active or simply not installed at all. As in all things dealing with .htaccess or any other WordPress file, ALWAYS BACK UP THE FILE(S) YOU ARE ALTERING! Additionally, nothing EVER replaces keeping everything updated! Finally, look into a good WordPress Security Plugin like WordFence!
