
How To Buff Your WordPress Security Using .htaccess

Running your blog on WordPress is convenient, but there are security settings you need to take care of yourself. In this tutorial we show you how to buff your WordPress security using the .htaccess file. Before you proceed, make a full backup of your website (files and database) and keep a copy of your current .htaccess: a single typo in this file makes Apache answer every request with a 500 error until it is fixed.

.htaccess is a per-directory configuration file for Apache. The directives in it apply to the directory it sits in and to every directory below it, and they override the server-wide settings to the extent the host's AllowOverride setting permits. It is commonly used to redirect to another page, to allow or deny traffic from an IP address, and for many other settings. Only Apache (and servers that read its .htaccess format, such as LiteSpeed) honours the file; nginx ignores it. In today's tutorial we discuss the security settings you can make to buff your WordPress installation. They are useful defence in depth, not a replacement for keeping WordPress, its themes and its plugins updated. If you have a hosting plan, you can use the File Manager in your cPanel account to make the modifications.

1. Prevent any access and execution of php script files in wp-content/uploads folder

Your uploads folder is public: that is where WordPress stores every media file you attach to a post. Nothing in it should ever need to run as PHP. If an attacker manages to place a PHP file there (through a vulnerable plugin, a stolen account, or an upload filter that lets a double extension through), a single request to that file runs their code with the web server's privileges. Denying PHP in this folder turns such an upload into a harmless dead file.

# Deny access to any php files 
<Files *.php>
deny from all
</Files>

First, log in to your cPanel account and open File Manager. Navigate to wp-content and then into uploads. If there is no .htaccess file there, create it with “+ New File” and name it “.htaccess”. Paste the code above into it and click “Save Changes”. On Apache 2.4 the deny from all form keeps working only while the compatibility module mod_access_compat is loaded; Require all denied is the native 2.4 syntax.
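As an added example (not the article's own snippet), here is a fuller wp-content/uploads/.htaccess that works on both Apache 2.2 and 2.4 and also covers the other extensions hosts commonly map to the PHP interpreter. It assumes the host's AllowOverride permits Limit, AuthConfig and Options directives in .htaccess, which cPanel setups normally do; the module names in the IfModule guards are the ones mod_php registers for PHP 5, 7 and 8.

```apache
# wp-content/uploads/.htaccess
# Added example, not the original article's snippet.
# Assumes AllowOverride allows Limit/AuthConfig/Options here (cPanel default).

# Hosts usually hand .phtml, .php5, .php7 and .phar to PHP as well as .php,
# and Apache's multi-extension handling can treat "shell.php.jpg" as PHP,
# so match the extension anywhere in the name, not only at the end.
<FilesMatch "\.(php|phtml|php[0-9]|phar)(\.|$)">
    # Apache 2.4: mod_authz_core is always present
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    # Apache 2.2 fallback
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# No directory listing of everything ever uploaded.
Options -Indexes

# If PHP runs as an Apache module, switch the engine off for this tree so a
# file that slips past the name check is served as text instead of executed.
# PHP-FPM setups ignore php_flag; the IfModule guards keep them from a 500.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

To check it took effect, load an existing image from the uploads folder (it must still appear), then request any made-up name ending in .php under the same folder: you should get 403 Forbidden rather than 404, because the Files match is evaluated before Apache looks for the file.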

2. Deny Any External Access To wp-config.php

wp-config.php is the core WordPress configuration file: it stores your MySQL database name, user and password, plus the authentication salts. As long as the PHP handler is working, Apache executes it rather than serving its source, but a handler misconfiguration, or a backup copy saved with another extension, would expose it as plain text. Denying it outright removes that risk. Add these lines to the .htaccess file in the WordPress root folder.

<files wp-config.php>
order allow,deny
deny from all
</files>

3. Let’s Protect Our .htaccess File!

A .htaccess file in the web root should have 644 permissions: the owning account can read and write it, everyone else on the server can only read it, and the web server process (which needs to read it) can. Permissions, though, are a filesystem matter, and nothing inside .htaccess changes them; if the file ever ends up with 777, fix that with the File Manager's permissions dialog or chmod. What the block below does is separate: it stops anyone from fetching the file over HTTP, and it catches .htpasswd as well. Apache's main configuration normally already denies names starting with .ht, so this is a safeguard in case the host changed that default. Copy and paste the code and press “Save Changes”.

<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
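An added example, not the article's code: the same two protections for the root public_html/.htaccess in Apache 2.4 syntax with a 2.2 fallback. It also catches the backup copies that editors and hosts tend to leave next to these files, which Apache would otherwise serve as plain text or, depending on handler configuration, execute. The backup suffixes named in the comments (.bak, ~, .save) are assumptions about common tooling, not something the article lists.

```apache
# public_html/.htaccess (root of the WordPress install)
# Added example, not the article's snippet. Assumes AllowOverride permits
# AuthConfig (Require) and Limit (Order/Deny) directives here.

# Everything that starts with ".ht" (.htaccess, .htpasswd) and any backup of
# it (.htaccess.bak, .htaccess~). Apache's main config usually has this rule
# already; repeating it here costs nothing.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# wp-config.php is executed, not served, as long as the PHP handler works.
# A copy with an extra suffix (wp-config.php.bak, wp-config.php~,
# wp-config.php.save) is served verbatim, database password included, so
# match on the prefix rather than the exact name.
<FilesMatch "^wp-config\.php">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>
```

After saving, request /wp-config.php and /.htaccess in a browser: both should return 403 Forbidden. WordPress itself keeps working because it reads wp-config.php from disk, not over HTTP.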

4. Let’s Block Obvious Cross-Site Scripting (XSS) Attempts

Cross-site scripting (XSS) is a type of vulnerability typically found in web applications. It lets attackers inject client-side script into web pages viewed by other users, which can be used to bypass access controls such as the same-origin policy. Cross-site scripting accounted for roughly 84% of all security vulnerabilities documented by Symantec as of 2007. The rules below, added to the .htaccess in the root folder, reject requests whose query string carries a <script> tag or tries to overwrite PHP's GLOBALS or _REQUEST arrays. Be clear about what that is: a pattern match on the query string only. POST bodies, cookies and headers are not inspected, and an encoded or obfuscated payload walks straight past it, so it removes noise from scanners rather than fixing a vulnerable plugin. The real fix for XSS is output escaping in the code that renders the page.

# Blocks XSS attacks (root .htaccess)
<IfModule mod_rewrite.c>
RewriteEngine On
# a <script ...> tag in the query string, plain or %-encoded
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# attempts to inject into PHP's superglobals
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# F returns 403 Forbidden; the target is irrelevant with that flag
RewriteRule .* index.php [F,L]
</IfModule>

5. Block any access from outside to wp-includes folder

wp-includes holds WordPress core library files. None of them is meant to be requested directly by a browser, and some are exactly what scanners probe for, so we deny direct access with rules in the root .htaccess. The [S=3] flag skips the three rules that follow it for any request outside wp-includes/. Note that this breaks WordPress Multisite, where ms-files.php inside wp-includes must remain reachable to serve uploaded files.

# Blocks all wp-includes folders and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

6. Restrict any direct access to plugins and theme’s php files and folders

Plugins and themes are PHP code sitting under wp-content, and a request can normally hit any of their files directly, outside WordPress's own loading sequence. These rules answer such requests with a 404 instead. Before that, delete every plugin and theme you are not using: an inactive plugin is still code on disk with its own flaws, and it is a common way in for an attacker. Some plugins do need direct access to one of their files (AJAX endpoints, cron handlers, download scripts), so after saving, click through the site with the browser's developer tools open and watch for 404s. Exempt what breaks by replacing file/to/exclude and directory/to/exclude with the real paths. These lines go into the root .htaccess.

# Block direct requests to plugin and theme PHP files (root .htaccess)
<IfModule mod_rewrite.c>
RewriteEngine On
# Exemptions: one RewriteCond per file or folder that must stay reachable
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
# R=404: a non-3xx code stops rewriting and sends that status
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
</IfModule>

If you need to exempt files or folders, replace file/to/exclude and directory/to/exclude with their paths; each RewriteCond holds one path, so add a line per exemption. If you need no exemptions, put a # at the beginning of those RewriteCond lines (as written, the placeholder paths never match a real request, so leaving them in is harmless).

7. If You Have A Fixed IP Then Allow Access To /wp-admin Only For Your IP (Optional)

By default /wp-admin is reachable by everyone. If your ISP (Internet Service Provider) gives you a fixed IP address, it is better to allow access only from that address. Put the lines below in a new .htaccess file inside the wp-admin folder, not in the root one. Two things to know first: admin-ajax.php in that folder is also called for logged-out visitors by many themes and plugins, so blocking it by IP can break front-end features, and the login form itself is wp-login.php in the site root, which this rule does not cover. If your address changes you lock yourself out until you edit the file again over FTP or cPanel. If you don't have a fixed IP, use a two-factor plugin such as Google Authenticator – WordPress Two Factor Authentication (2FA) instead.

If you don't know your public IP address, find it at showip.net. Replace xxx.yyy.zzz.www with it, one allow from line per address; delete the second line if you have only one.

# wp-admin/.htaccess
order deny,allow
deny from all
# one line per permitted address
allow from xxx.yyy.zzz.www
allow from xxx.yyy.zzz.www
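An added example (not the article's snippet) that does the same in Apache 2.4 syntax, keeps the two wp-admin entry points that front-end features depend on reachable, and covers wp-login.php and xmlrpc.php in the site root as well. 203.0.113.10 and 198.51.100.0/24 are placeholder addresses from the documentation ranges; put your own there. If a proxy or CDN sits in front of Apache, the client address Apache sees is the proxy's, and mod_remoteip (or the host's equivalent) has to be configured before IP rules can work.

```apache
# --- wp-admin/.htaccess ---
# Added example, not the article's snippet. Apache 2.4 syntax; on 2.2 the
# whole block is skipped, so use the article's Order/Deny form there.
# 203.0.113.10 and 198.51.100.0/24 are placeholders: replace with your own.
<IfModule mod_authz_core.c>
    # Default for everything under wp-admin/: only the listed addresses.
    Require ip 203.0.113.10 198.51.100.0/24

    # admin-ajax.php and admin-post.php serve logged-out visitors too
    # (theme AJAX, contact forms, plugin "nopriv" actions), so they stay
    # reachable from anywhere. A <Files> section is merged after the
    # directory-level Require and replaces it for the named files.
    <FilesMatch "^(admin-ajax|admin-post)\.php$">
        Require all granted
    </FilesMatch>
</IfModule>

# --- public_html/.htaccess (site root) ---
# The login form lives here, not in wp-admin/, so restrict it the same way.
<IfModule mod_authz_core.c>
    <Files wp-login.php>
        Require ip 203.0.113.10 198.51.100.0/24
    </Files>
    # xmlrpc.php also accepts credentials and is the usual brute-force
    # target; deny it entirely unless you rely on the WordPress mobile
    # app or Jetpack, which talk to the site through it.
    <Files xmlrpc.php>
        Require all denied
    </Files>
</IfModule>
```

Test from a connection that is not on the allow list (a phone on mobile data works): /wp-admin/ and /wp-login.php must return 403, while a front-end feature that posts to /wp-admin/admin-ajax.php must still work.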

8. Let’s Block MySQL Injection, RFI, base64

SQL injection means sending input that ends up inside a database query, so the database runs the attacker's SQL; remote file inclusion (RFI) means tricking a script into loading code from a URL the attacker supplies. These rules reject requests whose query string looks like either, or like base64-wrapped PHP. Be realistic about what that buys you: it is a blocklist of strings, it only looks at the query string (not POST data, cookies or headers), and it is a well-known list that attackers encode around. It cuts down the noise from automated scanners; it does not make an injectable plugin safe, so keep plugins updated and remove the ones you don't need. The price is false positives: the rules marked in the comments below also reject ordinary requests, for example a search for a term containing an apostrophe, parentheses or “...”, any parameter whose value contains a URL or the word localhost, and any parameter with square brackets, which PHP uses for array parameters. Remove the rules that hurt you. These lines go into the root .htaccess (under the public_html folder).

# Block MySQL injections, RFI, base64, etc. (root .htaccess)
RewriteEngine On
# Parameter values that are URLs or paths (RFI / traversal attempts).
# Also blocks any legitimate URL passed in a query string.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
# PHP easter-egg GUID probe used by fingerprinting scanners
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
# Any ".." anywhere, including a search for "wait..."
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
# <script> and <iframe> tags, plain or %-encoded
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
# base64-wrapped payloads and attempts to overwrite PHP superglobals
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
# Very broad: any [ ] ( ) < > at all. Breaks array parameters like foo[]=1.
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
# MySQL file read/write keywords (case-sensitive on purpose)
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
# Blocks the word "localhost" in any value, not only SSRF attempts
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
# Quotes, angle brackets, CR/LF and NUL. Also blocks apostrophes in searches.
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
# SQL keywords and functions
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
# All conditions are OR-ed: any single match returns 403 Forbidden
RewriteRule ^(.*)$ - [F,L]

9. File Injection Protection

These rules target remote and local file inclusion: a script that passes a request parameter straight into include() or require() can be made to load a URL or a file path of the attacker's choosing, and with that, the attacker's code. The rules reject GET requests whose parameter values look like a URL (plain or %-encoded) or like a path traversal. Despite the name, they have nothing to do with file uploads; the uploads folder is handled in section 1. Three of the four patterns are already in section 8, so if you use both sets, only the %-encoded URL rule here adds anything.

# File injection protection (root .htaccess)
<IfModule mod_rewrite.c>
RewriteEngine On
# Only GET requests; the OR-ed conditions below are AND-ed with this one
RewriteCond %{REQUEST_METHOD} GET
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
# %-encoded form of "http://" that the section 8 rules miss
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC]
RewriteRule .* - [F]
</IfModule>

10. Block User/Author Enumeration

A brute-force attack is much easier once the attacker knows a valid username, and WordPress hands it out: a request for /?author=1 redirects to the first user's author archive, whose URL contains the login name, and counting up from 1 lists every author. The rule below catches that query and sends the visitor to the home page instead. Put it in the root .htaccess and replace http://example.com with your own address (in our case https://ducadu.com). Do this even on a single-user site. Bear in mind it is noise reduction, not a secret: the same username also appears in the author archive link under every post that user publishes, in the REST API's user listing, and in the login form's error messages.

# Block user-enumeration requests (root .htaccess)
<IfModule mod_rewrite.c>
RewriteEngine On
# (^|&): author= may appear anywhere in the query string, not only first
RewriteCond %{QUERY_STRING} (^|&)author=[0-9]
RewriteRule .* http://example.com/? [L,R=302]
</IfModule>
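An added example, not the article's snippet: it answers enumeration attempts with 403 instead of a redirect and also covers the REST API users listing (/wp-json/wp/v2/users), which the ?author= rule leaves open. The wordpress_logged_in_ cookie prefix is the one WordPress sets for authenticated sessions; the rules are skipped for requests carrying it because the block editor reads that REST endpoint to fill its author picker. That cookie check is trivial to forge, so this keeps scanners out, not a determined attacker, and its only job is to keep the admin working.

```apache
# public_html/.htaccess
# Added example, not the article's snippet.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /

# Requests from the WordPress admin carry the wordpress_logged_in_* cookie;
# skip the three blocking rules below for them so the editor's author
# dropdown keeps working. The cookie name is easy to forge: this stops
# scanners and scripts, not a targeted attacker.
RewriteCond %{HTTP_COOKIE} wordpress_logged_in_ [NC]
RewriteRule ^ - [S=3]

# ?author=N anywhere in the query string, not only as the first parameter
RewriteCond %{QUERY_STRING} (^|&)author=[0-9] [NC]
RewriteRule ^ - [F,L]

# REST API user listing: pretty-permalink form, with or without an ID...
RewriteRule ^wp-json/wp/v2/users(/|$) - [F,L]
# ...and the plain ?rest_route= form, with the slashes plain or %-encoded
RewriteCond %{QUERY_STRING} (^|&)rest_route=(/|%2F)wp(/|%2F)v2(/|%2F)users [NC]
RewriteRule ^ - [F,L]
</IfModule>
```

Check it logged out: /?author=1, /?p=1&author=2 and /wp-json/wp/v2/users should all return 403; then log in and confirm the post editor still lists authors.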

11. X-Security Headers & Clickjacking Protection

Clickjacking means loading your site inside an invisible frame on an attacker's page so that a visitor's clicks land on your buttons without them knowing. X-Frame-Options SAMEORIGIN tells browsers to refuse to frame the site from any other origin. X-Content-Type-Options nosniff stops browsers from guessing a content type, so a file is not run as script merely because its bytes look like one. X-XSS-Protection switched on the built-in XSS filter in older Internet Explorer and Chrome; current browsers have removed that filter and ignore the header, so it is harmless but no longer protective. Add these lines to the root .htaccess. They need the mod_headers module, which the IfModule guard checks for, and always makes Apache add the headers to error pages too.

<IfModule mod_headers.c>
# "always" also covers error responses (403/404/500 pages)
Header always set X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header always set X-XSS-Protection "1; mode=block"
</IfModule>

In Conclusion

Although it’s easy to set up a WordPress site in a matter of minutes, securing it properly can take a long time. These lines of code improve your WordPress security in a matter of minutes; after applying them, browse the whole site, the admin area and the login page once to catch anything a rule broke. If you have any questions, please follow us on Facebook; we respond as fast as we can!

How to redirect from http to https [TUTORIAL]

Hello, in this tutorial we show you how to force redirection from http to https on your website, whether it runs WordPress or any other CMS (Content Management System), so that your website complies with Google's guidelines for security and SEO. Google Chrome will start to mark non-HTTPS sites as “Not secure” in July 2018.

That is Chrome update no. 68, due in July 2018: from that version on, every page served over plain HTTP shows a “Not secure” label in the address bar to all of your visitors.


Google has been moving in this direction since last year and has also said that HTTPS sites are favoured in its ranking algorithm. Ducadu offers a free SSL certificate, signed by Let’s Encrypt, on all Cloud Hosting plans. In almost all cases the certificate is available as soon as you buy a cloud hosting plan with a new domain. The exception is a firewall plugin on an existing WordPress, Joomla or OpenCart installation that blocks the script which obtains the certificate; a default installation has no such problem.

How to force SSL Certificate on your website

To force HTTPS on your website, edit the .htaccess file and add the three lines below at the top, above any existing rules (on WordPress, above the “# BEGIN WordPress” block, so the redirect runs before WordPress's own rewrite rule). Log in to your cPanel account, usually at https://yourwebsite.com/cpanel, and search for “File Manager”. A new tab will open with access to all of your files. Be careful what you modify, because a mistake in this file can take the whole site down.

  1. After you’ve logged in and opened the “File Manager”, look for the “public_html” folder and enter it.


  2. Look for the file .htaccess, select it and then click the “Edit” button.


  3. If you can’t see the .htaccess file, click the “Settings” button in the top-right corner, check “Show Hidden Files (dotfiles)” and click “Save”.


  4. Copy and paste the code below into your .htaccess file and click the “Save Changes” button.
    RewriteEngine On
    RewriteCond %{HTTPS} !on
    RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
    

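The tutorial's three lines assume Apache itself terminates TLS. As an added example (not the tutorial's own code), this version also handles a CDN or load balancer in front of Apache and adds an HSTS header once the redirect is confirmed working. example.com is a placeholder for your own host name, and X-Forwarded-Proto is the usual header name a proxy uses to report the original scheme; check your provider's documentation if it uses a different one.

```apache
# Top of public_html/.htaccess, above "# BEGIN WordPress".
# Added example, not the tutorial's snippet. example.com is a placeholder.
<IfModule mod_rewrite.c>
RewriteEngine On
# Case 1: this Apache terminates TLS itself, so mod_ssl sets HTTPS=on.
RewriteCond %{HTTPS} !=on
# Case 2: a proxy or CDN terminates TLS and talks plain HTTP to Apache, so
# HTTPS is never "on" here; trust the scheme the proxy forwards instead.
# Without this condition the site loops: redirect to https, proxy delivers
# the page to Apache over http, redirect again, and so on.
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
# 301 to one fixed canonical host. A literal host, rather than %{HTTP_HOST},
# keeps a client-supplied Host header out of the Location response header.
# The original query string is appended automatically.
RewriteRule ^ https://example.com%{REQUEST_URI} [R=301,L]
</IfModule>

<IfModule mod_headers.c>
# HSTS: browsers that have seen this header go straight to HTTPS for the
# host without an insecure first request. Browsers ignore it on a plain
# HTTP response, so sending it unconditionally is safe and also works
# behind a proxy. Start with a short max-age and raise it to 31536000 only
# when every page loads over HTTPS without mixed-content errors, because a
# long value cannot be withdrawn from visitors' browsers quickly.
Header always set Strict-Transport-Security "max-age=300"
</IfModule>
```

Verify with a plain request from the command line or the browser: http://example.com/some-page?x=1 must answer 301 with a Location of https://example.com/some-page?x=1, and the HTTPS page must answer 200 and carry the Strict-Transport-Security header.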

After you’ve done all the steps above, use a search-and-replace plugin to change every link in the database that still starts with “http://” to “https://”; otherwise pages keep loading images and scripts over HTTP and browsers show a mixed-content warning. You can also do this with phpMyAdmin in your cPanel account. Either way, make a full backup of your site and database before you start.

That’s it! This is all you have to do to redirect http to https on your website, whatever CMS you use. The difficulty is low, but be careful which file you modify. Now check that the redirection works: open a new tab, type http://yourwebsite.com and it should redirect you to https://yourwebsite.com. If the browser instead reports too many redirects, your host terminates TLS on a proxy or CDN in front of Apache, so the %{HTTPS} test never sees “on”; in that case the scheme the proxy forwards in its X-Forwarded-Proto header has to be checked instead.

Congratulations, you are now ready for Google Chrome update no. 68 in July. If you found this tutorial useful, please share it on your social media profiles.