• How to set up internal protection for .htaccess

    Posted on February 4, 2016 by in Web Blog

    This part applies only if you want to set up all the necessary settings and rules manually. All of these settings can be applied automatically by security plugins (especially BulletProof Security). We recommend trying a security plugin first and performing manual configuration only if it fails to give you the control you need. If you do need to make specific changes to the .htaccess file manually, use the guide below:

    .htaccess (hypertext access) is the default name of the directory-level configuration file used by web servers running Apache.

    It is the file most often modified when setting up redirects, and it is often used to change how file types are handled, for example to make them executable. It is also the file you will use to harden your environment.

    To protect it, apply a few simple rules:
    Set Low Permissions
    Deny Access

    Apply Low Permissions
    The basic guidance on permissions is simple: the lower the number, the harder access becomes. A good rule of thumb is to keep the number as low as possible without affecting performance or functionality. For most users, setting it to 640 grants the level of access you need.
    Add .HTACCESS Directives
    It is important to note that this only works if the attack is external. It will not protect you from internal attacks (if the entire cPanel account is compromised, for example).
    This is the .htaccess directive you can use:

    # PROTECT HTACCESS
    <Files .htaccess>
    Order Allow,Deny
    Deny from all
    </Files>

    Note: this only protects the file from external access.

    • Disable directory browsing

    If you do not want to allow your visitors to browse through your entire directory, simply add the following two lines to the .htaccess in the root directory of your WordPress blog:

    # disable directory browsing
    Options All -Indexes

    • wp-config file protection

    wp-config.php is important because it contains all the sensitive data and configuration of your blog, so it should be locked down through .htaccess. Add the code below to the .htaccess file in the root directory:

    # protect wp-config.php
    <Files wp-config.php>
    Order deny,allow
    Deny from all
    </Files>

    The code denies access to the wp-config.php file to everyone.

    • Access to wp-content directory

    wp-content contains all the content of your WordPress installation. It is a very important folder and should be secured. Users should only be able to view and access certain file types, such as images (jpg, gif, png), JavaScript, CSS and XML.

    Place the code below in the .htaccess file within the wp-content folder (not the root):

    # allow only static asset types in wp-content
    Order deny,allow
    Deny from all
    <Files ~ "\.(xml|css|jpg|jpeg|png|gif|js)$">
    Allow from all
    </Files>

    • wp-admin files

    wp-admin should be accessed only by you and your fellow bloggers (if any). You can use .htaccess to restrict access to this directory to specific IP addresses.
    If you have a static IP address and always blog from your own computer, this can be a good option for you. If you run a multi-user blog, however, you can either skip this step or allow access from a range of IPs.

    Copy and paste the code below to the .htaccess in wp-admin folder (not root folder):

    # deny access to wp-admin from everywhere except your static IP
    # (Apache does not allow comments at the end of a directive line)
    order deny,allow
    allow from xx.xx.xx.xx
    deny from all

    The above code blocks browser access to every file in this directory from any address other than "xx.xx.xx.xx", which should be your static IP address.

    • Prevent script injection

    To protect your WordPress blog from script injection and from unwanted modification of _REQUEST and/or GLOBALS, copy and paste the code below into the .htaccess in the root:

    # protect from script injection and GLOBALS / _REQUEST tampering
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]
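
    As an added example (not part of the original post), here are the post's root-directory rules gathered into one .htaccess that also works on Apache 2.4, where Order/Allow/Deny exist only if mod_access_compat is loaded and an unguarded Order line otherwise produces a 500 error. The file names, the -Indexes option and the rewrite conditions are the post's own; the IfModule guards are an assumption about which modules the host has enabled.

```apache
# Added example, not from the original post: root .htaccess with the post's
# rules in Apache 2.4 "Require" syntax and a 2.2 "Order" fallback.

# Block direct requests for .htaccess and wp-config.php
<FilesMatch "^(\.htaccess|wp-config\.php)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4 (mod_authz_core present)
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2 (no mod_authz_core)
        Order Allow,Deny
        Deny from all
    </IfModule>
</FilesMatch>

# Disable directory listings
Options -Indexes

# Reject query strings carrying <script> tags or GLOBALS / _REQUEST
# overrides. NC is set on every condition so upper- and lower-case
# variants of the same query string are treated identically.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|%[0-9A-Z]{0,2}) [NC,OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|%[0-9A-Z]{0,2}) [NC]
    # "-" keeps the URL unchanged; F answers 403 Forbidden
    RewriteRule .* - [F,L]
</IfModule>
```

    Check the server error log after uploading the file: a typo in any directive makes Apache answer 500 for the whole directory, not just for the protected files.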

    That’s it!
