Published by John Hoff on 28 Aug 2008 at 09:00 pm
Securing Your WordPress Blog: Post 4 - Setting Up .htaccess
Locking Down WordPress
Thus far in our Securing Your WordPress Blog series we have seen:
- Fluffy’s helpful tips and a security login plugin - post 1
- How to change your username for added security - post 2
- How to obscure your database tables - post 3
Today I want to talk about one of the most important security features you can set up for your blog - the .htaccess file.
Why This Is Important
I bet many bloggers and self-taught web developers have seen this file mentioned before and know it is useful, but it frightens the heck out of them. This is probably because the syntax is foreign to them and they know that a mistake in it can lock them (and their visitors) out of their websites, so they avoid it altogether.
Not good.
If you’re like me, you’ve devoted a lot of time and effort to creating a nice website and a blog with hundreds or even thousands of articles. It’s not unreasonable, then, to set aside a little time to figure this stuff out, because it is important.
What is it in our nature that makes us wait until something happens before we take any action or worry? Do we buy car alarms only after our car has been broken into? Must we wait for our house to burn down before we install smoke detectors?
Ok, enough with the pep talk and on with the tutorial.
What The Heck Is A .htaccess File Anyway?
The name .htaccess comes from “hypertext access”. It is a hidden file (the leading dot hides it in directory listings) that lives in a directory of your website on Apache-based Unix / Linux hosting, and the settings in it apply to that directory and everything below it. You can think of it as a muscle-bound, t-shirt-stretching security guard named Brutus who stands at your website’s front door.
Our buddy Brutus can do things such as (and this is far from the full list):
- block spammers from your website
- redirect urls
- password protect directories
- make directories unreachable other than by you
That’s some pretty powerful stuff! Hey Brutus might not be such a bad guy after all.
It is that last point I want to expand on today. I will show you how to turn away anyone other than you (and, as we will see, anyone who happens to share the same block of IP addresses) from two of the most important places an intruder would want to reach.
Protecting Your wp-admin Using .htaccess
As with the other tutorials in this series, we are going to do this one step-by-step and in real time.
Keep in mind, although I’m showing a bunch of steps below, all you’re really doing is simply creating a file named .htaccess in a specific directory and pasting in some code. That’s it. Keep it simple.
I will use an eVentureBiz Web Hosting Demo Account for this tutorial. If you haven’t done so yet, click the demo link and log into the demo account. We will set up a .htaccess file together step-by-step. Once you’ve generated the file, you can copy the code from the demo file to your own .htaccess file.
Step 1: What’s Your IP Address?
The very first thing you need to do is find out the public IP address your internet service provider has assigned to your connection (not an address belonging to your web hosting company). We only want requests coming from your connection to reach the wp-admin directory. Keep in mind that most home connections get a dynamic address that changes from time to time, usually within the same range, which is why the first example below matches only the beginning of the address.
Tip: If you have a Contact Us form on your website with “show IP address” enabled, you can send yourself a message and note the IP address it records. Your router’s status page will usually show the same address.
In this example, we’ll assume your IP address is
21.154.35.0
Step 2: Log into your web hosting account (or the demo account) and navigate to your wp-admin directory.
Whichever web hosting control panel you use, there should be a way to edit files directly from your hosting account (below is how you can edit a file through an eVentureBiz hosting account). Alternatively, you can create the .htaccess file on your computer with a plain text editor (Notepad, TextEdit in plain-text mode, or similar; not a word processor, which will save formatting codes the server cannot read), paste in the code, and save it under the name .htaccess.
Note, however, that when you create the file on your computer, the editor may add an extension so that the file ends up named something like .htaccess.txt.
Make sure to remove the .txt or whatever extension the editor adds to the end of the file name; Apache only recognises the file if it is named exactly .htaccess. Then simply upload the file into the wp-admin folder.
Paste into your .htaccess file the following code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^21\.154\.
RewriteRule .* http://your-blogs-address.com/ [R,L]
</IfModule>

Save and close.
A word on what this matches: the pattern ^21\.154\. only checks the first two numbers of the address, so every address from 21.154.0.0 through 21.154.255.255 (65,536 addresses, typically the same ISP region) is still allowed in. That is a big improvement over the whole internet, but it is not “only you”. The trade-off is that a dynamic address which moves within that range keeps working; if your ISP moves you outside it, you will be locked out of wp-admin until you edit or delete the file through your hosting control panel or FTP.
If by chance you have a static IP address (rare for home connections), you can enter your entire IP address since it never changes. The trailing $ is important: without it, a pattern for 21.154.35.1 would also let in 21.154.35.10 through 21.154.35.19 and 21.154.35.100 through 21.154.35.199, because RewriteCond patterns match anywhere in the string unless you anchor both ends. Here’s the code:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !^21\.154\.35\.0$
RewriteRule .* http://your-blogs-address.com/ [R,L]
</IfModule>

Congratulations, you’ve just taken another step closer to better protecting your WordPress files from possible intruders.
A Quick Test
To see how this works, go back to your .htaccess file and change one of the numbers in the IP.
For example, change:
RewriteCond %{REMOTE_ADDR} !^21\.154\.
– To –
RewriteCond %{REMOTE_ADDR} !^25\.154\.
Now try to access http://your-blog.com/wp-admin. If all goes well, you will not have access to that folder and will be redirected to the page you specified in your .htaccess file. Two things can go wrong here: if you get a “500 Internal Server Error” instead of a redirect, there is a typo in the file (fix or delete it through your control panel); and if you are not redirected at all, mod_rewrite is not available on your host, in which case the <IfModule> wrapper makes the whole block silently do nothing and you are not protected. Once the test passes, change the number back to your real IP.
Restricting Access To wp-login.php & wp-register.php
By now you’re either toying around with your .htaccess file thinking how cool this stuff is, telling yourself “Umm, I’ll come back to this” (in reality the odds are 50/50), or you’re stretching your neck and massaging your temples trying to wrap your brain around this.
If you’re serious about adding multiple levels of protection for your blog, here are two more pieces of code you can drop into a .htaccess file to steer intruders away from your login and registration pages.
Go back to your WordPress root directory and create a .htaccess file as above if there isn’t one there already. Chances are that if you have custom permalinks set up, there is already one there containing a block between “# BEGIN WordPress” and “# END WordPress”. Put your own rules above that block, not inside it: WordPress rewrites everything between those two markers whenever you save your permalink settings.
Open the file and add these two pieces of code to restrict access to the login and registration files (replace http://eventurebiz.com/blog with whichever website you want to send someone to when they try to reach these files):
<IfModule mod_rewrite.c>
RewriteEngine On
# Visitors from outside your IP range asking for the login page are sent away
RewriteCond %{REQUEST_URI} wp-login\.php
RewriteCond %{REMOTE_ADDR} !^21\.154\.
RewriteRule .* http://eventurebiz.com/blog/ [R,L]
# Same again for the registration page
RewriteCond %{REQUEST_URI} wp-register\.php
RewriteCond %{REMOTE_ADDR} !^21\.154\.
RewriteRule .* http://eventurebiz.com/blog/ [R,L]
</IfModule>
Again, to test this, go back to your .htaccess file and change one of your IP numbers and then try going to your WordPress login page. If all went well, you will be redirected to whatever web page you specified.
Can you see how this is a powerful tool? If intruders run a brute-force password-guessing tool against your login page, they are going to have a hard time getting anywhere if they can’t even reach that page. Keep in mind that this only covers the login form itself; anything else on your site that accepts your password (XML-RPC, if you have enabled it) is not covered by these rules.
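To see exactly which visitors the rules above let through, here is an added example (it is not part of the original post, and it is not Apache or WordPress code) that evaluates the RewriteCond patterns from the wp-admin section and the wp-login.php / wp-register.php section the way mod_rewrite does: each condition is an unanchored regex search against the variable, a leading “!” negates it, and consecutive conditions are ANDed. The sample requests and the static address 21.154.35.12 are constructed for illustration; everything else is taken from the patterns on this page.

```python
import re

# RewriteCond groups as they appear in this post. Each group is a list of
# (variable, pattern) pairs; a leading "!" means "does not match".
# mod_rewrite searches the pattern anywhere in the value, so "^" and "$"
# are what pin it to the start and end of the address.
WP_ADMIN_RULES = {
    # wp-admin/.htaccess, two-octet prefix for a dynamic home address
    "prefix": [("REMOTE_ADDR", r"!^21\.154\.")],
    # a static address without the trailing "$" (constructed: 21.154.35.12)
    "static_unanchored": [("REMOTE_ADDR", r"!^21\.154\.35\.12")],
    # the same static address anchored at both ends
    "static_anchored": [("REMOTE_ADDR", r"!^21\.154\.35\.12$")],
}

# Root .htaccess: the two rule sets guarding the login and registration pages
ROOT_RULES = [
    [("REQUEST_URI", r"wp-login\.php"), ("REMOTE_ADDR", r"!^21\.154\.")],
    [("REQUEST_URI", r"wp-register\.php"), ("REMOTE_ADDR", r"!^21\.154\.")],
]


def cond_matches(value, pattern):
    """One RewriteCond: unanchored regex search, negated by a leading '!'."""
    negate = pattern.startswith("!")
    if negate:
        pattern = pattern[1:]
    hit = re.search(pattern, value) is not None
    return hit != negate


def rule_fires(conditions, request):
    """All RewriteConds in a group must hold (no [OR] flag is used here)."""
    return all(cond_matches(request[var], pat) for var, pat in conditions)


def redirected(rule_groups, request):
    """True if any group's conditions all hold, i.e. the visitor is sent away."""
    return any(rule_fires(group, request) for group in rule_groups)


def count_allowed_in_slash16(conditions, first_two="21.154"):
    """How many addresses in first_two.0.0/16 does a condition group let in?"""
    return sum(
        1
        for c in range(256)
        for d in range(256)
        if not rule_fires(
            conditions,
            {"REMOTE_ADDR": f"{first_two}.{c}.{d}", "REQUEST_URI": "/wp-admin/"},
        )
    )


# Constructed sample requests (203.0.113.5 is a documentation address)
SAMPLE_REQUESTS = [
    {"REQUEST_URI": "/wp-login.php", "REMOTE_ADDR": "21.154.35.12"},
    {"REQUEST_URI": "/wp-login.php", "REMOTE_ADDR": "203.0.113.5"},
    {"REQUEST_URI": "/wp-register.php", "REMOTE_ADDR": "203.0.113.5"},
    {"REQUEST_URI": "/index.php", "REMOTE_ADDR": "203.0.113.5"},
]


def evaluate_requests(rule_groups, requests=SAMPLE_REQUESTS):
    """Map (uri, ip) to 'redirect' or 'allow' for each constructed request."""
    return {
        (r["REQUEST_URI"], r["REMOTE_ADDR"]): (
            "redirect" if redirected(rule_groups, r) else "allow"
        )
        for r in requests
    }


if __name__ == "__main__":
    for name, conds in WP_ADMIN_RULES.items():
        print(f"{name:18s} lets in {count_allowed_in_slash16(conds)} addresses of 21.154.0.0/16")
    for (uri, ip), outcome in evaluate_requests(ROOT_RULES).items():
        print(f"{ip:13s} {uri:18s} -> {outcome}")
```

Run it and you will see the two-octet prefix admits all 65,536 addresses in the range, the unanchored static pattern admits eleven (.12, .120 through .129), and the anchored one admits exactly one. One more caveat that the script cannot show: if your host puts a reverse proxy or CDN in front of your site, REMOTE_ADDR is the proxy’s address rather than the visitor’s, and rules written against it will either lock everyone out or let everyone in.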
Example .htaccess File In The Root Directory
Here’s something similar to what I have in my WordPress blog’s root directory:

Just remember, this really is simple. All we’re doing is creating a file named .htaccess and pasting in some code. That’s it. If you’re a web hosting customer of eVentureBiz and have recently set up a WordPress blog, feel free to message me; I’d be happy to have someone from eVentureBiz set this all up for you free of charge.
Related Posts
- Securing Your WordPress Blog: Post 6 - Protecting The wp-config.php File
- Securing Your WordPress Blog: Post 2 - How To Change Your Username
- Securing Your WordPress Blog: Post 5 - What To Do If Your Blog Is Cracked
- Securing Your WordPress Blog: Post 3 - Obscuring Your Database Tables
- Fluffy’s Guide To Securing Your WordPress Blog - Post 1

Linda Abbit
on 29 Aug 2008 at 2:55 pm #
Hi John,
I’ve just read — OK, some skimming too
— this series of posts. It is fabulously put together and I so appreciate the amount of time and effort you put into each post. . . . and it terrifies me to even think about doing any of these things!
I know they’re important however, and once I’m a little more comfortable with even the basic WP.org dashboard, I will attempt these. I read in one of the comments that Barbara Swafford wishes she knew all of this from the start. If I knew all of this had to be done, I might never have started blogging! I’m afraid to even touch any of the plug-ins my designer set up for me, which I know isn’t a good thing, but that’s where I’m at so far in my learning curve. I wish there were a WP.org school that I could go to in person and ask all of my zillion of questions at once every other week or so (that’s my best learning style!). If you know of one, please let me know. The help section and forum on the WP site is way over my head.
One thing you mentioned that gives me great peace of mind is that our hosting company (GoDaddy in my case) has a backup of our blog. At least I hope they do . . . that I can and will check on!
I am using the Automatic backup plug in, and have it emailing me a file daily. Is that too often — is once a week enough? It comes in a .sql.gz format — will I be able to use that to recover my blog if necessary. It’s all Greek to me! My blog designer sent me a zip file with my template and ??? in it, so that’s good, but I was wondering about this part. Is emailing it to myself better than downloading it to my computer? I chose the email route, not sure of the other.
I’m subscribing to your blog now via RSS.
Thanks again & enjoy your long weekend with your family!
Linda Abbit’s last blog post..Tender Loving Eldercare Goes Back to School
John Hoff
on 29 Aug 2008 at 4:07 pm #
Hello Linda, welcome to my blog
Thanks for noticing about the posts. Yes, they’ve been taking a long time to write. That’s ok though, it’s important for people to learn.
About the backups - no problem about the email backups, that’s what I do. I do it just once a week. I suppose if you post every day then maybe 3 times a week would be fine.
I’m sure there are some YouTube videos out there that can help you learn WordPress. Maybe what you should do is set up a free WordPress account on WordPress.com and use it to toy around. Upload and activate plugins, etc.
Well I’m always here if you have a question you gotta know the answer to. Either use the contact form or post in our community forums.
Talk to you later and have a great weekend yourself!
Barbara Swafford
on 30 Aug 2008 at 1:11 am #
Hi John,
I’m happy Linda Abbit found you, as I know she’s taking time off to work behind the scenes of her blog.
I’ve made some changes to my .htaccess file, but you’ve reminded me to double check it. I’ll be back later to reread this and make sure I have my bases covered.
This series is totally awesome. Thank you for sharing and for all of your hard work.
Have a great weekend. I hope you’re getting three days off.
Barbara Swafford’s last blog post..Plugins, Questions and Open Mic
John Hoff
on 30 Aug 2008 at 7:00 am #
Hi Barbara. Let me tell ya, I love making “totally awesome” posts! LOL. It’s my pleasure.
Speaking of the .htaccess file, there’s one more piece of code I’d like to share which I forgot to mention.
Insert this into all of your .htaccess files. What it will do is prevent web browsers from being able to access it. The file permission 644 does the same thing, however, why not add one more layer of protection?
<Files .htaccess>
order allow,deny
deny from all
</Files>
Hope you have a good weekend, too.
Linda Abbit
on 30 Aug 2008 at 4:37 pm #
Thanks, John, for your suggestions re learning more about WP.
I did find you through Barbara’s BWAB btw. She has mentioned her “practice” blog before and I had wondered about it.
If I set up a free Wordpress.com blog as a sample blog, does it use the same dashboard as wp.org does so I’d be learning the same “system” basically?
I did make progress on my “behind the scenes” projects for my blog the past two weeks. But I really miss posting on my blog, plus reading and commenting on other blogs!
Thanks again for your help! I will check YouTube for WP lessons — great idea!
Cheers!
John Hoff
on 30 Aug 2008 at 7:19 pm #
Hi Linda.
I’m not sure about the WordPress question. Sounds like you’re using a free account right now? If so, you wouldn’t be able to implement some of these suggestions I’ve made as they pertain to a hosted account of your own.
If you’re using a free WordPress account, just set up another one with a new username and password (i.e. a new account).
If you have a hosted one, I think the dashboard is pretty much the same.