Make your WordPress site more secure – part 3


This is the final in a set of three posts detailing steps that you can take to tighten security on your WordPress site. (Read part 1 and part 2 first.)
 
11. Use .htaccess to tighten your security
The .htaccess file is a configuration file read by the Apache web server. You will almost certainly have an .htaccess file in your base WordPress directory; by default, it stores your permalink rewrite rules. Optionally, .htaccess files might also be present in other directories. The settings listed below can be added to your base-directory .htaccess file to tighten security. (Note that they should be added outside the # BEGIN WordPress and # END WordPress markers, because WordPress rewrites everything between those markers whenever the permalink settings are saved.)
 
a) Protect your wp-config.php file
The wp-config.php file is located in the base WordPress directory and contains sensitive configuration details, including the WordPress security keys and the database connection credentials. Because PHP files are executed rather than displayed, nobody should normally be able to view the contents of wp-config.php in a browser (unless they have circumvented the server’s PHP interpreter, in which case they are probably able to do all sorts of additional damage), but it is still worth restricting access to it, just in case:
<Files wp-config.php>
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
order allow,deny
deny from all
</Files>

Make sure also that only you (and the web server) can read this file: typically a 400 permission, or 440 if the web server reads it via a shared group.
 
b) Disable directory browsing
Options All -Indexes
This will hide your files from view, preventing unauthorised visitors from browsing through your directories.
 
c) Prevent image hot-linking
Hot-linking isn’t really hacking, but you probably don’t want it done to your site. It’s when another website links directly to your images and files: your site ends up serving the requests for them, thus using up your precious bandwidth. This code snippet will prevent hot-linking:
RewriteEngine On
# Allow requests that send no referer at all (direct visits, privacy settings)
RewriteCond %{HTTP_REFERER} !^$
# Allow requests coming from your own site (http or https, with or without www)
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yoursite\.com/ [NC]
# Never redirect the replacement image itself, or the redirect would loop
RewriteCond %{REQUEST_URI} !/hotlink\.gif$ [NC]
RewriteRule \.(gif|jpg)$ http://www.yoursite.com/hotlink.gif [R,L]

(Here yoursite.com should be changed to your domain name, and hotlink.gif should refer to an image file that explains that hot-linking is disabled. The rule must not apply to that replacement image itself, otherwise the redirect to it would be redirected again in a loop.)
 
d) Secure your .htaccess file
There’s little point securing your site with .htaccess while leaving .htaccess itself open to attack.
<Files .htaccess>
# Apache's stock configuration already denies .ht* files; this makes it explicit here
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
order allow,deny
deny from all
</Files>
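To confirm that the section 11 settings are actually in effect, here is a small shell script (an added example, not from the original post) that checks the wp-config.php permissions, the <Files> deny blocks and the -Indexes setting in .htaccess, and optionally asks the live site for wp-config.php to confirm it answers 403. It accepts both the Apache 2.2 "deny from all" syntax used above and the Apache 2.4 "Require all denied" form; the script name, the WordPress path and the site URL are assumptions.

```shell
#!/bin/sh
# Added check script, not from the original post. Verifies the .htaccess
# hardening on a WordPress install. Assumes POSIX sh, awk, stat(1) (GNU or BSD)
# and curl(1) for the optional remote check.

# 0 if the file's mode is 400 or 440 (owner, optionally group, read-only).
wp_config_perms_ok() {
    mode=$(stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1" 2>/dev/null) || return 2
    case "$mode" in 400|440) return 0 ;; *) return 1 ;; esac
}

# 0 if $1 (.htaccess) has a <Files $2> ... </Files> section that denies all.
# Matching is case-insensitive and tolerant of extra whitespace, as Apache is.
htaccess_denies() {
    awk -v want="$2" '
        { line = tolower($0); gsub(/^[ \t]+|[ \t]+$/, "", line); gsub(/[ \t]+/, " ", line) }
        line == "<files " tolower(want) ">"  { inside = 1; next }
        line == "</files>"                   { inside = 0; next }
        inside && (line == "deny from all" || line == "require all denied") { found = 1 }
        END { exit found ? 0 : 1 }' "$1" 2>/dev/null
}

# 0 if an Options line in $1 switches directory listings off with -Indexes.
htaccess_disables_indexes() {
    grep -Eiq '^[[:space:]]*Options[[:space:]].*-Indexes' "$1" 2>/dev/null
}

# Print the HTTP status the live server returns for a URL (needs network).
http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# Usage: sh wp-htaccess-check.sh /path/to/wordpress [https://yoursite.com]
if [ -n "${1:-}" ]; then
    root=$1
    wp_config_perms_ok "$root/wp-config.php" && echo "OK   wp-config.php mode is 400/440" || echo "WARN wp-config.php should be 400 or 440"
    htaccess_denies "$root/.htaccess" wp-config.php && echo "OK   <Files wp-config.php> denied" || echo "WARN wp-config.php not protected in .htaccess"
    htaccess_denies "$root/.htaccess" .htaccess && echo "OK   <Files .htaccess> denied" || echo "WARN .htaccess not self-protected"
    htaccess_disables_indexes "$root/.htaccess" && echo "OK   directory listing off" || echo "WARN add 'Options All -Indexes'"
    if [ -n "${2:-}" ]; then
        [ "$(http_status "$2/wp-config.php")" = 403 ] && echo "OK   live site returns 403 for wp-config.php" || echo "WARN live site does not return 403 for wp-config.php"
    fi
fi
```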

 
12. Install a website firewall
There are many plugins and services that can act as a firewall for your website. Some of them work by modifying your .htaccess file (probably including some of the suggestions in 11, above) and restricting access at the Apache level. Others, such as WordFence Security, act at the WordPress level.
I’ve written about WordFence in a previous post. One of its many excellent features is a login limiter, which can thwart brute-force login attacks by blocking an IP address that has entered invalid login credentials; for example, an IP address that enters an incorrect username/password five times can be locked out for an hour. So long as you have a strong password, a successful brute-force attack effectively becomes impossible. Another useful feature, available with the Premium version of WordFence, is country-level blocking of IP addresses.
 
13. Make sure your PC/laptop is free of spyware, malware, and virus infections
All of your security measures are worthless if there is a keylogger on your computer. Install some good anti-virus software. Always keep your operating system and the software on it, especially your web browser, up to date to minimise security vulnerabilities.
 
14. Finally, take backups!
If the worst comes to the worst and your site is hacked, you’ll probably want to restore from a backup. You should be taking regular backups of your database and all of your files (themes, plugins, uploads, etc.).
 
See also:
Make your WordPress site more secure – part 1
Make your WordPress site more secure – part 2
 
If you’d like help with making your WordPress site more secure, or if you’d like a review of your site’s current security set-up, please get in touch.