More Security Tips for WordPress – WP-Config & .HTACCESS

I feel safer already now that I have a green lantern... wait a sec...

[This post is part of the Ultimate Guide to Launching a WordPress-Powered Blog series.]

I’ve been asked to provide even more security tips for WordPress blogs over the last few months and here are a few that can take your blog to the next level in terms of security.

Now I’ve already covered a few security-related tips in the series so don’t forget to check those out first!

I’d probably recommend most of these for those that feel confident enabling them but if you don’t then please don’t feel pressured – most bloggers do not have these precautions in order and they do just fine. But, there’s nothing wrong with being overly cautious!

Without further ado, a few more WordPress security-related tips that you might want to implement:

Protect wp-config.php

Your wp-config.php file is the most important file in your WordPress root: it holds the database name, user and password, plus the authentication keys and salts that sign login cookies. Anyone who reads it owns the database and, with it, the site, so it is one of the first things an attacker goes after (among other things).

Apache normally executes the file as PHP and never shows its contents, but a broken PHP handler, a stray backup copy or a misconfigured host can serve it as plain text. It takes only a few lines in your already-existing .htaccess file to make the web server refuse every direct request for it, whatever happens to the PHP handler:

[cc]

<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

[/cc]

The <Files> container is what limits the rule to that one file; the two Order/Deny lines on their own would deny the whole site. Order and Deny are Apache 2.2 directives, so on Apache 2.4 they only work if mod_access_compat is loaded; the native 2.4 equivalent inside the same <Files> block is Require all denied.

Tighten the file permissions too: CHMOD both your wp-config.php file and your .htaccess file to 640, so only the owner and the owner's group can read them. That works when PHP runs as the file's owner (suPHP, suEXEC or a per-site PHP-FPM pool); on hosts where PHP runs as a shared user such as www-data that is not in your group, 640 locks PHP out of its own configuration and the site goes down, so load a page right after changing it. Apache must likewise still be able to read .htaccess or the whole directory stops serving.

Done and done.

Relocate Your wp-content Folder

Your content files (theme, plugins, uploads, and more) all live in the wp-content folder off your root directory. Because that location is the same on every WordPress install, it is the first place automated attacks look: they request known plugin paths to fingerprint vulnerable versions and aim their uploads at wp-content/uploads. Moving wp-content somewhere else breaks those hard-coded paths. Be clear about what this buys you, though: it is obscurity that defeats lazy scanners, not a fix for a vulnerable plugin, and the new path still shows up in your page source, so keep plugins updated regardless.

Just add these few lines into your wp-config.php file:

[cc]
// full local path of the new wp-content directory (no trailing slash)
define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/another-folder-or-location/wp-content');

// full URL of the new wp-content directory (no trailing slash)
define('WP_CONTENT_URL', 'http://your-domain-name.com/another-folder-or-location/wp-content');
[/cc]

You’ll also want to add the following so plugins and themes that build paths from the plugin constants find the moved folder correctly:

[cc]
// full local path of the plugins directory inside the moved wp-content (no trailing slash)
define('WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/another-folder-or-location/wp-content/plugins');

// full URL of the plugins directory inside the moved wp-content (no trailing slash)
define('WP_PLUGIN_URL', 'http://your-domain-name.com/another-folder-or-location/wp-content/plugins');
[/cc]

Obviously the “another-folder-or-location” and “your-domain-name” placeholders need to be replaced with your own values (use https:// in the URLs if your site is served over TLS, or browsers will flag the moved assets as mixed content). All four defines must sit above the “That's all, stop editing!” line in wp-config.php, before wp-settings.php is loaded, or they have no effect. One caveat on $_SERVER['DOCUMENT_ROOT']: it is not set when WordPress runs from the command line (WP-CLI, or a cron job calling PHP directly), so a path built from the location of wp-config.php itself, dirname(__FILE__), is the more robust choice.

Easy.

Managing Proxy Connections

This one is mostly for advanced users, but sometimes you want to limit which sites your WordPress blog can talk to, for instance on a company intranet or in another locked-down environment where outbound connections are restricted or must go through a proxy (WordPress has WP_PROXY_HOST and WP_PROXY_PORT constants for the proxy itself). You can define what to block and which hosts to whitelist in your wp-config.php file.

Setting WP_HTTP_BLOCK_EXTERNAL to true blocks every outbound request made through the WordPress HTTP API except to localhost and to your own site's host; leave it undefined, or set it to false (the default), and nothing is blocked. WP_ACCESSIBLE_HOSTS then lists the hosts that stay reachable, comma-separated; current versions also accept wildcards such as *.wordpress.org. Whatever you whitelist, always include api.wordpress.org so update checks keep working, and downloads.wordpress.org or the update packages themselves can never be fetched. Two caveats: this only governs requests made through WordPress's own HTTP API (wp_remote_get() and friends), so a plugin that calls curl directly bypasses it; and define each constant once, because PHP ignores a second define() of the same name and emits a warning.

[cc]
define('WP_HTTP_BLOCK_EXTERNAL', true); // block external requests (false, or undefined, allows them)
define('WP_ACCESSIBLE_HOSTS', 'api.wordpress.org, downloads.wordpress.org'); // whitelist hosts, comma-separated
[/cc]

Again, this is for advanced users who know what they are doing.
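To see what these two constants actually do before you lock down a production site, here is a small Python model of the decision WordPress makes in WP_Http::block_request() for every request sent through its HTTP API. It is an added example for this post, not WordPress code; it assumes the documented rules (localhost and the site's own host always pass, everything else must match the whitelist, a * matches one or more characters), and the sample URLs and the your-domain-name.com host are constructed placeholders. It also goes one step beyond the post by comparing the single-host whitelist above with a wildcard one.

```python
"""Model of the check WordPress runs before every outbound request through its
HTTP API (wp_remote_get() and friends) when WP_HTTP_BLOCK_EXTERNAL is set.
Added example for this post, written in Python so the rules can be exercised;
it is not WordPress code. It mirrors the documented behaviour of
WP_Http::block_request(): localhost and the site's own host are always allowed,
everything else must match WP_ACCESSIBLE_HOSTS, and a '*' in an entry stands
for one or more characters."""
import re
from urllib.parse import urlsplit


def is_blocked(url, block_external, accessible_hosts, site_host):
    """True if WordPress would refuse to fetch `url`.

    block_external    value of WP_HTTP_BLOCK_EXTERNAL (False when not defined)
    accessible_hosts  value of WP_ACCESSIBLE_HOSTS, or None when not defined
    site_host         host part of the 'siteurl' option (hostnames lower-cased here)
    """
    if not block_external:
        return False                    # constant absent or false: nothing is blocked
    host = urlsplit(url).hostname
    if not host:
        return True                     # unparsable URL: blocked
    if host in ("localhost", site_host.lower()):
        return False                    # the site talking to itself is always allowed
    if accessible_hosts is None:
        return True                     # block on but no whitelist: every external host is blocked
    allowed = [h.lower() for h in re.split(r",\s*", accessible_hosts)]  # same split WordPress uses
    if "*" in accessible_hosts:
        # each '*' becomes '.+', everything else is literal, and the whole host must match
        pattern = "^(" + "|".join(re.escape(h).replace(r"\*", ".+") for h in allowed) + ")$"
        return re.match(pattern, host) is None
    return host not in allowed


def audit(urls, block_external, accessible_hosts, site_host):
    """Map each URL to 'blocked' or 'allowed' under one wp-config.php setting."""
    return {u: "blocked" if is_blocked(u, block_external, accessible_hosts, site_host) else "allowed"
            for u in urls}


if __name__ == "__main__":
    # constructed sample of requests a typical install makes (not captured from a real site)
    sample = [
        "https://api.wordpress.org/core/version-check/1.7/",        # update check
        "https://downloads.wordpress.org/plugin/akismet.zip",       # fetching an update package
        "https://your-domain-name.com/wp-cron.php?doing_wp_cron",  # loopback request to itself
        "https://example.net/webhook",                              # some plugin phoning home
    ]
    for whitelist in ("api.wordpress.org",
                      "api.wordpress.org, downloads.wordpress.org",
                      "*.wordpress.org"):
        print(whitelist, audit(sample, True, whitelist, "your-domain-name.com"))
```

Running it shows the catch with whitelisting only api.wordpress.org: the version check passes but the package download from downloads.wordpress.org is blocked, so updates are detected but never installed; *.wordpress.org covers both. Loopback requests to your own site (wp-cron.php) pass regardless, and a plugin that shells out to curl directly never reaches this check at all.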

Canonicalization via HTACCESS

The rules below are as much about SEO as about security: they give every crawler exactly one address for your favicon, robots.txt and sitemap, and they turn the stream of requests that bots make for those files at guessed locations into a single redirect instead of a 404 page that WordPress has to render. That cuts wasted resources and gives scanners nothing to learn from your 404 page, but it does not block an attacker, so treat it as housekeeping rather than a wall. Imagine that, a two-for-one deal!

All you have to know about “canonicalization” is that it sends everyone, bots included, to the one right URL for each file. All of these updates go in your .htaccess file.

Let’s start with your favicon.ico:

[cc]

RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/favicon\.ico$ [NC]
RewriteCond %{REQUEST_URI} /favicon(s)?\.?(gif|ico|jpe?g?|png)?$ [NC]
RewriteRule (.*) http://your-domain-name.com/favicon.ico [R=301,L]

[/cc]

The first condition excludes the real /favicon.ico so the rule cannot redirect to itself; the second catches every other spelling and location bots try (/favicon.png, /blog/favicons.gif, a bare /favicon) and sends them, with a permanent 301, to the one real file.

Next up is your robots.txt file which is a file that you can use to help crawlers determine what to index and what to skip. Most people have a robots.txt file that looks like this:

[cc]
User-agent: *
Allow: /
[/cc]

In fact, you can see mine right here. Nothing too special (for now).

But, you want to make sure that bots can get to it every single time, just like your favicon:

[cc]

RewriteBase /
RewriteCond %{REQUEST_URI} !^/robots.txt$ [NC]
RewriteCond %{REQUEST_URI} robots\.txt [NC]
RewriteRule .* http://your-domain-name.com/robots.txt [R=301,L]

[/cc]

That was easy.

Next up is your sitemap.xml file which we talked about in this post here. Make sure you have one as it’s got some serious advantages for your blog in regards to SEO!

The following stops bots from banging on your blog looking for sitemaps at locations where there is none, wasting resources and bandwidth. The obvious rule, a RedirectMatch on /sitemap\.xml$, has a trap: a request for /sitemap.xml itself matches that pattern and is redirected to /sitemap.xml again, forever, so the canonical URL becomes an infinite redirect loop instead of a sitemap. The negative lookahead at the start of each pattern below excludes the canonical path, exactly as the first RewriteCond did for favicon.ico and robots.txt:

[cc]

RedirectMatch 301 ^(?!/sitemap\.xml$).*/sitemap\.xml$ http://your-domain-name.com/sitemap.xml
RedirectMatch 301 ^(?!/sitemap\.xml\.gz$).*/sitemap\.xml\.gz$ http://your-domain-name.com/sitemap.xml.gz

[/cc]

Not too bad, right?

Next up is helping robots deal with /category, /tag, and /search.

Why? Because WordPress only has archives for a specific term, so the bare archive bases return a 404:

  • http://your-domain-name.com/category/
  • http://your-domain-name.com/tag/
  • http://your-domain-name.com/search/

Weird, right? Go ahead and try it for yourself.

So what we do is redirect the bots (and anyone else who lands there) to your homepage:

[cc]

RedirectMatch 301 ^/tag/$ http://your-domain-name.com/
RedirectMatch 301 ^/search/$ http://your-domain-name.com/
RedirectMatch 301 ^/category/$ http://your-domain-name.com/

[/cc]

Now, if you use a sub-directory you’ll want to just add the sub-directory name like so:

[cc]

RedirectMatch 301 ^/sub-directory-name/tag/$ http://your-domain-name.com/
RedirectMatch 301 ^/sub-directory-name/search/$ http://your-domain-name.com/
RedirectMatch 301 ^/sub-directory-name/category/$ http://your-domain-name.com/

[/cc]

And that’s all you’ve gotta do. This one is especially good for SEO because crawlers that walk up your URL hierarchy get a real page instead of a 404 every time. The patterns are anchored with ^ and $, so only the bare /tag/, /search/ and /category/ paths are redirected; /tag/something/ keeps working as before.
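Once the wp-config.php block and the canonical rules above are in place, verify them from outside rather than trusting the .htaccess by eye. The Python probe below is an added example for this post, not code from the original: it sends HEAD requests without auto-following redirects, so it can tell a 403 on wp-config.php from a redirect, and it follows each canonical redirect by hand to confirm exactly one hop and no loop. The host your-domain-name.com is the post's placeholder, and the fake responses embedded in it are constructed so the self-check runs offline; one of them reproduces the self-redirect that an unguarded /sitemap\.xml$ rule produces.

```python
"""Probe for the two things this post's .htaccess rules promise: protected
files answer 403 and never redirect, and every canonical redirect reaches its
target in exactly one hop with no loop. Added example for this post, not part
of the original; the expected responses below are constructed, and the
your-domain-name.com host is the post's placeholder, not a real site."""
import http.client
from urllib.parse import urljoin, urlsplit

REDIRECTS = (301, 302, 307, 308)


def http_head(url):
    """HEAD one URL without following redirects -> (status, Location header or None)."""
    p = urlsplit(url)
    conn_cls = http.client.HTTPSConnection if p.scheme == "https" else http.client.HTTPConnection
    conn = conn_cls(p.hostname, p.port, timeout=10)
    try:
        conn.request("HEAD", (p.path or "/") + ("?" + p.query if p.query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()


def resolve(url, fetch, max_hops=5):
    """Follow redirects by hand. Returns (final_url, final_status, hops); raises
    ValueError on a loop, i.e. a Location pointing back at a URL already seen."""
    seen = [url]
    for hops in range(max_hops):
        status, location = fetch(url)
        if status not in REDIRECTS or not location:
            return url, status, hops
        url = urljoin(url, location)            # Location may be relative
        if url in seen:
            raise ValueError("redirect loop: " + " -> ".join(seen + [url]))
        seen.append(url)
    raise ValueError("more than %d redirects starting at %s" % (max_hops, seen[0]))


def check_site(expectations, fetch=http_head):
    """expectations: (url, expected_final_status, expected_final_url or None).
    None means a protected file: it must answer the status directly, no redirect.
    Otherwise it is a canonical rule: one hop to that URL, which then serves the status.
    Returns {url: 'ok' | reason}."""
    results = {}
    for url, want_status, want_final in expectations:
        try:
            final, status, hops = resolve(url, fetch)
        except ValueError as err:
            results[url] = str(err)
            continue
        if want_final is None:
            ok = hops == 0 and status == want_status
        else:
            ok = hops == 1 and final == want_final and status == want_status
        results[url] = "ok" if ok else "got %d after %d hop(s), ended at %s" % (status, hops, final)
    return results


BASE = "http://your-domain-name.com"   # the post's placeholder host, not a real site
EXPECTATIONS = [
    (BASE + "/wp-config.php", 403, None),
    (BASE + "/.htaccess", 403, None),
    (BASE + "/favicons.png", 200, BASE + "/favicon.ico"),
    (BASE + "/blog/robots.txt", 200, BASE + "/robots.txt"),
    (BASE + "/old/sitemap.xml", 200, BASE + "/sitemap.xml"),
    (BASE + "/tag/", 200, BASE + "/"),
]

# Constructed responses standing in for a live server, including the trap an
# unguarded RedirectMatch on /sitemap\.xml$ sets: /sitemap.xml redirecting to itself.
FAKE_RESPONSES = {
    BASE + "/wp-config.php": (403, None),
    BASE + "/.htaccess": (403, None),
    BASE + "/favicons.png": (301, BASE + "/favicon.ico"),
    BASE + "/favicon.ico": (200, None),
    BASE + "/blog/robots.txt": (301, "/robots.txt"),
    BASE + "/robots.txt": (200, None),
    BASE + "/old/sitemap.xml": (301, BASE + "/sitemap.xml"),
    BASE + "/sitemap.xml": (301, BASE + "/sitemap.xml"),
    BASE + "/tag/": (200, None),          # archive redirect missing here: reported as a failure
}


def fake_fetch(url):
    return FAKE_RESPONSES.get(url, (404, None))


if __name__ == "__main__":
    # offline self-check; drop fetch=fake_fetch to probe a real host with http_head
    for url, verdict in check_site(EXPECTATIONS, fetch=fake_fetch).items():
        print(url, "->", verdict)
```

Run against a real host, a "redirect loop" verdict on the sitemap line means the RedirectMatch is missing its lookahead, and a "got 200 after 0 hop(s)" on /tag/ means the archive rule never fired (a .htaccess that is being ignored, usually because AllowOverride is off, shows up as every canonical line failing at once).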

Hope that helps! Enjoy!
