This post was written (or lifted from other sites and reposted to fish for likes) by Việt Lâm Coder, a YouTuber with a good heart who is super handsome, the undisputed champion of the universe. If you're passing by, please give Lâm a like and a subscribe on YouTube!!
And I want to say: yes, WordPress is very safe, and in an ordinary situation, when you use a clean WordPress install with the default Twenty Seventeen theme, you have nothing to worry about (unless your password is «qwerty» or «12345678»).
But there are no ordinary situations in life: you may use a plugin with a vulnerability or hosting that is not good enough. In that case every one of these security tips matters and could save your website.
Step 1. Protect wp-config.php
First of all, place your wp-config.php in the directory above your installation folder. Do not worry, WordPress will find it there without problems.
Second, in the same directory create a file named .htaccess with the following content:

```apache
<files wp-config.php>
order allow,deny
deny from all
</files>
```
It may look something like this (on the screenshot, public_html is the directory with WordPress).
Third, set the file permissions (chmod) to 400. You can do it in your FTP/SFTP client, usually via a right click on the file.
But what does 400 (or 440 and 444 as well) mean? It means that nobody can edit this file. You cannot even do it from your WordPress admin area (using a plugin, for example).
I also recommend setting chmod 444 for every .htaccess file on your website. In addition, the official WordPress Codex recommendation is 755 for all directories and 644 for files.
Step 2. Disable directory browsing
Try to open the yourdomain/wp-content/plugins URL in your browser; this is something you shouldn't see:
Usually WordPress already includes an empty index.php file in /wp-content/plugins/, /wp-content/themes/ and /wp-content/uploads.
But what about all the other directories without an index.php, such as /wp-content/uploads/2017?
Simple: just open the .htaccess file in your WordPress installation folder and insert this single line at the beginning of the file:

```apache
Options -Indexes
```
Now, when someone tries to access your directories directly, they will receive «403 Forbidden».
Step 3. Special attention to the uploads folder
Well, the uploads directory is a very problematic place in WordPress. If it seems like your website is under attack, look into the uploads folder; I suppose you will find something interesting there.
Our task now is to disable PHP execution there. There are two ways to implement it (I prefer the first one).
```apache
# Way 1
# at first we completely disable access to all the files
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
# after that add the file extensions you want to allow access to
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|mp4|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>
```
```apache
# Way 2
# Kill PHP Execution
<Files *.php>
deny from all
</Files>
```
Whichever way you choose, you have to create another .htaccess file in your uploads directory.
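The three steps above applied with one shell function, as an added example that is not code from the original post. It assumes Apache reads .htaccess files (AllowOverride enabled) and accepts the 2.2-style Order/Deny syntax used on this page, and that wp-config.php has already been moved one level above the WordPress directory.

```shell
# Added example (not from the original post): apply Steps 1-3 to a WordPress
# tree. Assumes Apache honours .htaccess and accepts Order/Deny directives
# (Apache 2.4 needs mod_access_compat, otherwise use "Require all denied").
# Usage: harden_wp /home/user/public_html
harden_wp() {
  wp="$1"
  parent=$(dirname "$wp")
  # Codex baseline from Step 1: 755 for directories, 644 for files.
  find "$wp" -type d -exec chmod 755 {} +
  find "$wp" -type f -exec chmod 644 {} +
  # Step 1: deny HTTP access to the relocated wp-config.php and make it
  # read-only. 400 works when PHP runs as the file owner; if the web server
  # runs as a different user it must still be able to read it (440 or 444).
  if [ -f "$parent/wp-config.php" ]; then
    rm -f "$parent/.htaccess"
    printf '%s\n' '<files wp-config.php>' 'order allow,deny' \
      'deny from all' '</files>' > "$parent/.htaccess"
    chmod 400 "$parent/wp-config.php"
    chmod 444 "$parent/.htaccess"
  fi
  # Step 2: prepend "Options -Indexes" to the root .htaccess (created if
  # absent) so directory listings return 403; existing rules stay below it.
  root_ht="$wp/.htaccess"
  if ! grep -qx 'Options -Indexes' "$root_ht" 2>/dev/null; then
    { echo 'Options -Indexes'; [ ! -f "$root_ht" ] || cat "$root_ht"; } \
      > "$root_ht.tmp"
    mv -f "$root_ht.tmp" "$root_ht"
  fi
  # Step 3 (Way 1): deny every file in uploads, then re-allow only media
  # extensions, so an uploaded .php file is never served or executed.
  up_ht="$wp/wp-content/uploads/.htaccess"
  mkdir -p "$(dirname "$up_ht")"
  rm -f "$up_ht"
  cat > "$up_ht" <<'EOF'
<Files ~ ".*\..*">
Order Allow,Deny
Deny from all
</Files>
<FilesMatch "\.(jpg|jpeg|jpe|gif|png|mp4|pdf)$">
Order Deny,Allow
Allow from all
</FilesMatch>
EOF
  # Every .htaccess under the site becomes read-only (444), so a compromised
  # plugin running as the web user cannot quietly rewrite it.
  find "$wp" -name .htaccess -type f -exec chmod 444 {} +
}
```

Run it once after moving wp-config.php; re-running is safe because each file is recreated before being written.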
Step 4. /wp-admin/
By password
In this method, by adding two simple files to your /wp-admin directory you completely block everything inside it from unauthorized access.
The first file is /wp-admin/.htaccess:

```apache
AuthType Basic
# Welcome message
AuthName "Hi, this area is protected!"
# Full path to the .htpasswd file; you can use PHP's getcwd() function to find it out
AuthUserFile /home/rudrastyh.com/public_html/wp-admin/.htpasswd
require valid-user
```
The second file is /wp-admin/.htpasswd, where each line is user:encrypted_password. To generate the passwords you can use my tool.
By IP
Protection by IP is better, but it doesn't fit me because I work from many different places, sometimes on my trips.
This code should be placed in /wp-admin/.htaccess:

```apache
# Note: <limit GET> applies these rules to GET requests only; drop the
# <limit> wrapper to apply them to every HTTP method.
<limit GET>
satisfy any
order deny,allow
deny from all
allow from 213.21.33.55
allow from 213.21.34.
# add your own lines with allowed IP addresses here
require valid-user
</limit>
```
Issue with admin-ajax.php
The interesting thing is that when you block your /wp-admin directory, the admin-ajax.php file gets blocked as well, so you cannot run AJAX scripts outside your admin area.
How to avoid this? Use a custom ajaxurl instead; as an option, you can add an ajax.php file in your WordPress directory with the following content:

```php
<?php
// Forwards the request to the real handler; the .htaccess rules above only
// restrict HTTP access to /wp-admin, not PHP includes from the filesystem.
require( dirname(__FILE__) . '/wp-admin/admin-ajax.php' );
```