#disable XML-RPC with .htaccess
How to Add Security through WordPress
WordPress itself provides several built-in security features, and you can further enhance security by using various plugins and the best WordPress hosting in India. Here's how you can add security to your WordPress site:
Step 1: Update WordPress Core, Themes, and Plugins. Keep your WordPress installation, themes, and plugins up to date to patch known security vulnerabilities.
Step 2: Use Secure Hosting. Choose a reputable hosting provider that offers security features like firewalls, malware scanning, and regular backups.
Step 3: Strong Admin Passwords. Use strong, unique passwords for your WordPress admin accounts and encourage all users to do the same.
Step 4: Limit Login Attempts. Install a plugin to limit the number of login attempts from a single IP address to protect against brute force attacks.
Step 5: Two-Factor Authentication (2FA). Implement 2FA for WordPress logins using plugins like Google Authenticator or Duo Two-Factor Authentication.
Step 6: Secure wp-config.php. Protect your wp-config.php file by moving it to a higher-level directory or by adding rules to your .htaccess file that restrict access to it.
Step 7: Disable Directory Listing. Prevent directory listing by adding Options -Indexes to your .htaccess file so directory contents are not shown.
Step 8: Disable XML-RPC. If you're not using XML-RPC functionality, disable it to prevent potential exploitation by attackers.
Step 9: Limit File Permissions. Set appropriate file permissions for your WordPress files and directories to restrict unauthorized access.
Step 10: WordPress Security Headers. Implement security headers like Content Security Policy (CSP), X-Frame-Options, X-XSS-Protection, and others to enhance browser security.
Step 11: WordPress Security Plugins. Install reputable security plugins like Wordfence, Sucuri Security, or iThemes Security to monitor and protect your site from various threats.
Step 12: Regular Backups. Set up regular backups of your WordPress site, including files and the database, and store them securely offsite.
Step 13: WordPress Salts and Keys. Update your WordPress salts and keys regularly to enhance encryption and protect against brute force attacks.
Step 14: Disable File Editing. Prevent file editing within the WordPress dashboard by adding define('DISALLOW_FILE_EDIT', true); to your wp-config.php file.
Step 15: Security Headers. Add security headers to your site's HTTP responses to protect against various types of attacks. You can do this manually or by using a security plugin.
Step 16: Monitor File Changes. Install a plugin or set up alerts to monitor and notify you of any unauthorized changes to your WordPress files, including on cheap WordPress hosting in India.
Note: By implementing these security measures, you can significantly improve the security of your WordPress site and protect it from various threats. Additionally, staying informed about security best practices and regularly auditing your site's security can help you stay one step ahead of potential attackers.
How to disable XML-RPC in WordPress
For a long time, XML-RPC was disabled by default in WordPress because of security issues. That default changed in WordPress 3.5: XML-RPC is now enabled by default, with the option to turn it off from the WordPress dashboard. This article explains how to disable XML-RPC in WordPress.
What is XML-RPC?
XML-RPC can explain…
#Disable XML-RPC #disable XML-RPC with .htaccess #disable XML-RPC WordPress 3.5 #XML RPC #XML-RPC WordPress
The most common attack methods against WordPress
How does your WordPress site get hacked?! The aim of this section is not a specialist dive into security topics, since that is a very complex world of its own, but having general security knowledge and an overview of the common ways WordPress is attacked raises awareness and helps prevent intrusions into your site. Since the WordPress content management system is written in PHP, most attacks against it are the same ones carried out against other PHP-based scripts. Below we review some of the most common types of attack in plain, simple language.
1. XSS attacks. XSS, or Cross-Site Scripting, is known as code injection and is one of the most common types of attack. In this attack, users' cookies and sessions are stolen, after which the intruder can log in as that user and reach the information they are after. That user may well be an administrator. In the advanced form of this attack, the hacker gains full control over the web page. Intrusion by this method is only possible when a programming weakness exists. Since WordPress is professionally coded and written by expert programmers, this attack rarely does WordPress any harm, unless you use untrustworthy plugins.
2. Brute Force attacks. It is safe to say that the most common type of attack on WordPress is the brute force attack. These attacks happen when the intruder knows the login address of the admin panel, and they succeed when you use a default username such as Admin and a simple password, for example one made only of digits; have no doubt that in that case hacking the site is 100% achievable. These attacks can easily exceed a thousand attempts per hour. The simplest way to choose a strong password, as mentioned, is to make sure it is a mix of different characters; in addition, do not use the default username. By following these points you become highly resistant to this kind of attack. For more security, though, you need to add an IP blocking capability or change the address of the admin login page entirely, and changing the address is certainly the best method. This is because even IP blocking is not enough to fully repel attacks, since hackers and bots use virtual IPs. Preferably use all the security layers. In any case, just as the hacker is a clever individual, you too must be a clever administrator, even cleverer than the intruder.
3. DDoS attacks. Distributed Denial of Service attacks need no introduction, as they have been known and common for a long time. A hacker uses this method when they cannot find a way in and their goal is to impose cost and damage on the site. In this attack the site's server is targeted and so much traffic and so many requests are sent to it that the server can no longer respond and is disrupted. In everyday terms, the hacker attacks until the server hangs and the site is either not shown to users or loads very slowly. To counter these attacks, the server's security configuration is important. There is also a remedy within WordPress, described under the next item, xmlrpc.
4. XML-RPC attacks. The XML-RPC protocol was designed for calling commands remotely over HTTP and can be thought of as similar to using an API. With this protocol you can build applications on Windows or mobile phones and manage the site remotely. All the attack types introduced so far affect all kinds of scripts and sites on the internet, but this one affects WordPress in particular. Sometimes heavy attacks slow the site down so much that you are forced to disable the WordPress XML-RPC feature. On the other hand, disabling this protocol will break some plugins that depend on it. WordPress enabled XML-RPC by default once the protocol had reached adequate stability and security. Even so, hackers still abuse the protocol's features for DDoS or brute force attacks by sending large numbers of requests. There are several ways to disable this protocol in WordPress; the simplest is to use the Disable XML-RPC plugin or a security plugin. It can also be disabled using the htaccess file on your host.
5. SQL Injection attacks. SQL injection is one of the most common attacks on websites, and WordPress is not immune to it if it is not updated promptly and trustworthy plugins are not used. In this attack, after discovering a security hole, the hacker runs code of their choice against the database, which can be very dangerous. For example, if a hole exists that allows commands to run on the database, the hacker can change the administrator's password. Programming weaknesses and improper handling of data submitted by users are the main cause of SQL injection.
General and basic tips for improving security in WordPress. Source: the book "Full-Strength Security in WordPress" (Dibagaran Tehran). Read the full article
#Increasing security in WordPress #Best WordPress hosting #How does your WordPress site get hacked?! #Most common WordPress attack methods #Specialized WordPress hosting #Managed WordPress hosting
WordPress security in a few easy steps
Michiel Heijmans
Michiel is a partner at Yoast and our COO. Internet veteran. His main goal with most of his articles is to kick-start your site optimization. So much to do!
If you’re working with or using WordPress, then you should always think about your site’s security. WordPress isn’t any more or less secure than any other platform, but the number of users, plugins and third party add-ons make it a common target for attackers. Don’t worry though, there are some basic steps you can take to keep your site safe (even if you’re not very tech-savvy)!
New to WordPress? Our FREE WordPress for beginners training is here to help. Find out how to set up your own site, learn the ins and outs of creating and maintaining it, and more. This training is part of our free training subscription, take a look at all our online SEO training subscriptions!
1. Don’t use ‘admin’ as a username
Most WordPress ‘hacks’ and attacks don’t do anything more sophisticated than try and brute-force their way into your admin area by guessing your password. That’s much easier for them to do if they don’t also have to guess your admin username! Avoiding using common words (like admin) for your usernames can make brute-force attacks much less effective.
If you’re working with an older site that already has an ‘admin’ user, it might be time to delete that account and transfer any content or access to a more secure username!
2. Use a complex password
Having a better password can make it much harder to guess or to brute-force. An easy tip to remember is CLU: Complex. Long. Unique.
But longer, unique passwords can be hard to remember, right? That’s where tools like 1Password and LastPass come into play, as they each have password generators. You type in the required length, and it generates a password for you. You save the link, save the password, and move on with your day. Depending on how secure you want the password to be, it’s sensible to set a long password (20 characters is good) and decide on things like the inclusion of less usual characters like # or *.
3. Add two-factor authentication
Even if you’re not using ‘admin’ and have a strong, randomly generated password, brute-force attacks can still be a problem. Don’t worry though, two-factor authentication can help protect your site.
The principle is that, rather than just entering your login details, you also need to confirm that you’re you by entering a one-time code from another device you own (usually through an app on your phone). That’s much harder for attackers to fake!
Two popular plugins for handling authentication in WordPress are the Google Authenticator and Rublon Plugin (which takes a slightly different approach). Just make sure that you don’t lose your backup codes, or you might find yourself locked out.
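To make the principle concrete, here is an added example (not code from this post, from WordPress, or from the Google Authenticator or Rublon plugins) of how the one-time code an authenticator app shows is derived and how a server should verify it. It follows RFC 4226 (HOTP) and RFC 6238 (TOTP) with the standard library only, and uses the 20-byte test key from those RFCs in place of a real per-user secret.

```python
"""How the one-time code from an authenticator app is derived and verified
(RFC 4226 HOTP / RFC 6238 TOTP). Added example for this page, not code from
the post or from any WordPress 2FA plugin. Standard library only."""
import hashlib
import hmac
import struct

# The 20-byte ASCII key used for the test vectors in RFC 4226 / RFC 6238.
# A real deployment generates a random per-user secret and shares it once
# (usually as a QR code) with the user's app; it never leaves the server otherwise.
RFC_TEST_KEY = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password: HMAC-SHA1 over the 8-byte big-endian
    counter, dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """Time-based variant: the counter is the number of `step`-second intervals
    since the Unix epoch, so phone and server agree without ever talking to
    each other, as long as their clocks roughly match."""
    return hotp(secret, int(unix_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30, digits: int = 6):
    """Server-side check. Returns the counter the code matched, or None.

    - accepts the adjacent time steps (`window`) to tolerate small clock drift;
    - compares in constant time so response timing does not leak which digits matched;
    - the caller should store the returned counter and refuse the same counter
      a second time, so a code observed in transit cannot be replayed.
    """
    if not (candidate.isdigit() and len(candidate) == digits):
        return None
    base = int(unix_time) // step
    for offset in range(-window, window + 1):
        counter = base + offset
        if hmac.compare_digest(hotp(secret, counter, digits), candidate):
            return counter
    return None


if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(RFC_TEST_KEY, now)
    print("current code:", code, "-> matched step", verify_totp(RFC_TEST_KEY, code, now))
```

The point for site owners is what this makes the attacker's job: a guessed password alone no longer logs in, because the six digits change every 30 seconds and are computed from a secret that only the server and the phone hold. The backup codes the post warns about exist because a lost phone means a lost secret.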
4. Employ least privileged principles
The WordPress.org team has put together a great article in the WordPress Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to the following step.
The concept of Least Privileged is simple. Only give permissions to:
those that need it,
when they need it and
only for the time they need it.
If someone requires temporary administrator access for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.
Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles, and you’ll greatly reduce your security risk.
5. Hide wp-config.php and .htaccess
Your wp-config.php and .htaccess file are critical to your WordPress security. They often contain your system credentials and expose information about your site’s structure and configuration. Ensuring that attackers can’t gain access to them is vital.
Hiding these files is relatively easy to do, but doing it wrong might make your site inaccessible. Make a backup and proceed with caution. Yoast SEO for WordPress makes this process somewhat easier for you. Just go to “Tools > File Editor” to edit your .htaccess.
For better WordPress security, you will need to add this to your .htaccess file to protect wp-config.php:
<Files wp-config.php>
order allow,deny
deny from all
</Files>
That will prevent the file from being accessed. Similar code can be used for your .htaccess file itself:
<Files .htaccess>
order allow,deny
deny from all
</Files>
6. Use WordPress security keys for authentication
‘Authentication keys’ and ‘salts’ are basically a set of random variables, unique to your website, which improve the security (encryption) of information in cookies.
Your wp-config.php file has a dedicated area where you can provide your own variables (simply get a new set of keys from here and paste them in).
7. Disable file editing
If a hacker gets in, the easiest way for them to change your files would be to go to “Appearance > Editor” in WordPress. To improve your WordPress security, you could disable the editing of these files via that editor. Again, you can do this from within your wp-config.php file by adding this line of code:
define('DISALLOW_FILE_EDIT', true);
You will still be able to edit your templates via your favorite (S)FTP application. You just won’t be able to do it via WordPress itself.
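Sections 5 to 7 above, like steps 6, 7, 8, 9, 13 and 14 of the first post on this page, are settings that can be checked mechanically rather than by eye. The following is an added example, not code from the Yoast post, from WordPress or from any plugin: a small Python audit that reads wp-config.php and .htaccess, reports what is missing, and generates a fresh set of keys and salts. One caveat it encodes: `order allow,deny` / `deny from all` is Apache 2.2 syntax, which on Apache 2.4 only works while mod_access_compat is loaded; the native 2.4 form is `Require all denied`, so the audit accepts either. The sample wp-config.php and .htaccess contents are constructed for the demonstration, and blocking xmlrpc.php is treated as a switchable policy because section 9 below argues against disabling it blindly.

```python
"""Audit a WordPress install for the hardening items on this page: dashboard
file editing disabled, real (non-placeholder) keys and salts, directory
listing off, wp-config.php / .htaccess / xmlrpc.php not web-readable, and no
world-writable files. Added example, not code from any post here or from
WordPress; the sample file contents below are constructed."""
import os
import re
import secrets
import stat
import tempfile

# Constant names are WordPress's own; the placeholder is what wp-config-sample.php ships with.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]
PLACEHOLDER = "put your unique phrase here"
# Quotes and backslash are left out so a value can be pasted into a PHP string.
KEY_ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"
                "0123456789!@#$%^&*()-_=+[]{}<>?")


def generate_keys(length=64):
    """Fresh define() lines for all eight keys/salts (section 6 / step 13)."""
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))
        lines.append("define('%s', '%s');" % (name, value))
    return "\n".join(lines)


def audit_wp_config(text):
    """Findings for wp-config.php; an empty list means every check passed."""
    findings = []
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text, re.IGNORECASE):
        findings.append("DISALLOW_FILE_EDIT is not true: dashboard file editor is enabled")
    for name in KEY_NAMES:
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*(['\"])(.*?)\1\s*\)" % name, text)
        if m is None:
            findings.append("%s is not defined" % name)
        elif PLACEHOLDER in m.group(2) or len(m.group(2)) < 32:
            findings.append("%s is a placeholder or shorter than 32 characters" % name)
    return findings


def _files_block_denies(text, filename):
    """True if some <Files filename> block denies all access, in Apache 2.2
    syntax ('deny from all') or Apache 2.4 syntax ('Require all denied')."""
    pattern = r"<Files\s+\"?%s\"?\s*>(.*?)</Files>" % re.escape(filename)
    for m in re.finditer(pattern, text, re.IGNORECASE | re.DOTALL):
        body = " ".join(m.group(1).lower().split())
        if "deny from all" in body or "require all denied" in body:
            return True
    return False


def audit_htaccess(text, expect_xmlrpc_blocked=True):
    """Findings for .htaccess (steps 6-8 / section 5). Blocking xmlrpc.php is a
    policy choice, so it can be switched off for sites that depend on it."""
    findings = []
    if not re.search(r"^\s*Options\b.*-Indexes", text, re.IGNORECASE | re.MULTILINE):
        findings.append("directory listing is not disabled (no 'Options -Indexes')")
    protected = ["wp-config.php", ".htaccess"] + (["xmlrpc.php"] if expect_xmlrpc_blocked else [])
    for fname in protected:
        if not _files_block_denies(text, fname):
            findings.append("no <Files %s> block denying access" % fname)
    return findings


def audit_permissions(root):
    """World-writable files or directories under root (step 9)."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if os.lstat(path).st_mode & stat.S_IWOTH:
                findings.append("world-writable: " + os.path.relpath(path, root))
    return findings


# Constructed sample inputs: a weak pair and a hardened pair.
WEAK_CONFIG = "<?php\ndefine('AUTH_KEY', 'put your unique phrase here');\n"
HARDENED_CONFIG = "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" + generate_keys() + "\n"
WEAK_HTACCESS = "RewriteEngine On\n"
HARDENED_HTACCESS = "Options -Indexes\n" + "".join(
    "<Files %s>\n    Require all denied\n</Files>\n" % f
    for f in ("wp-config.php", ".htaccess", "xmlrpc.php"))


def demo_permissions():
    """Constructed install in a temp dir with one over-permissive file;
    returns what audit_permissions() reports for it."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, "wp-content")
        os.mkdir(sub)
        os.chmod(sub, 0o755)
        ok, bad = os.path.join(root, "wp-config.php"), os.path.join(sub, "cache.php")
        for path in (ok, bad):
            with open(path, "w") as fh:
                fh.write("<?php\n")
        os.chmod(ok, 0o640)
        os.chmod(bad, 0o666)   # world-writable on purpose
        return audit_permissions(root)


if __name__ == "__main__":
    for label, result in (("weak wp-config.php", audit_wp_config(WEAK_CONFIG)),
                          ("hardened wp-config.php", audit_wp_config(HARDENED_CONFIG)),
                          ("weak .htaccess", audit_htaccess(WEAK_HTACCESS)),
                          ("hardened .htaccess", audit_htaccess(HARDENED_HTACCESS)),
                          ("permissions", demo_permissions())):
        print(label + ":", result or "OK")
```

Run it against a real install by reading the two files into `audit_wp_config()` and `audit_htaccess()` and pointing `audit_permissions()` at the document root; the output of `generate_keys()` can replace the key block in wp-config.php directly (doing so logs every user out, which is the intended effect of rotating them).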
8. Hide your login and limit login attempts
Brute-force attacks usually target your login form. So changing where that lives can make it harder for attackers to get in. The All in One WP Security & Firewall plugin has an option to simply change the default URL (from /wp-admin/) to something more secure.
Next to that, you can also limit the number of attempts to log in from a certain IP address. There are several WordPress plugins to help you protect your login form from IP addresses that fire a multitude of login attempts your way.
9. Be selective with XML-RPC
XML-RPC is an application programming interface (API) that’s been around for a while. It’s used by a number of plugins and themes, so we caution the less technical to be mindful of how they implement this specific hardening tip.
While functional, disabling can come at a cost. This is why we don’t recommend disabling for everything, but being more selective on how and what you allow to access it. In WordPress, if you use Jetpack you’ll want to be extra careful here.
There are a number of plugins that help you be very selective in the way you implement and disable XML-RPC by default.
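What "being selective" amounts to in practice is a per-method policy rather than an on/off switch. The block below is an added example for this section and for the XML-RPC item of the Persian post earlier on this page; it is not code from WordPress, Jetpack, the Yoast post or any plugin. It decodes an XML-RPC request body with the standard library, expands `system.multicall` (which packs many calls, for instance many login-bearing `wp.getUsersBlogs` calls, into one HTTP request), and allows only methods on an explicit allowlist. The allowlist entry `demo.getStatus` is an assumed stand-in for whatever your own integration needs; `wp.getUsersBlogs` and `pingback.ping` are real WordPress method names, and the request bodies are constructed.

```python
"""Selective XML-RPC: decode a request body, expand system.multicall, and
serve only methods on an explicit allowlist. Added example; not code from
WordPress, Jetpack or any plugin. Allowlist entries are assumptions and the
request bodies are constructed with the standard library."""
import xmlrpc.client

# Pingback methods are the usual source of reflected traffic against other
# sites and are rarely needed from the outside, so they are refused even if
# someone puts them on the allowlist.
BLOCK_ALWAYS = {"pingback.ping", "pingback.extensions.getPingbacks"}


def methods_in_request(body):
    """All method names a request would invoke. system.multicall wraps many
    calls in one HTTP request, so each wrapped methodName is listed as well."""
    params, method = xmlrpc.client.loads(body)
    if method != "system.multicall":
        return [method]
    names = ["system.multicall"]
    for call in (params[0] if params else []):
        names.append(call.get("methodName", "?") if isinstance(call, dict) else "?")
    return names


def check_request(body, allowed, allow_multicall=False):
    """Return ('allow' | 'deny', reason) for one XML-RPC request body."""
    try:
        names = methods_in_request(body)
    except Exception as exc:   # malformed XML, a fault body, unknown types...
        return "deny", "undecodable request (%s)" % type(exc).__name__
    if "system.multicall" in names and not allow_multicall:
        return "deny", "system.multicall carrying %d call(s)" % (len(names) - 1)
    for name in names:
        if name == "system.multicall":
            continue
        if name in BLOCK_ALWAYS:
            return "deny", "%s is blocked outright" % name
        if name not in allowed:
            return "deny", "%s is not on the allowlist" % name
    return "allow", "all methods permitted"


def _multicall(method, n):
    """Constructed system.multicall body wrapping n calls of `method`."""
    calls = [{"methodName": method, "params": ["user", "secret%d" % i]} for i in range(n)]
    return xmlrpc.client.dumps((calls,), methodname="system.multicall")


# Constructed requests. demo.getStatus stands in for a method your own
# integration actually needs (assumption); the others are real WordPress methods.
ALLOWED = {"demo.getStatus"}
REQ_LOGIN_PROBE = xmlrpc.client.dumps(("user", "secret"), methodname="wp.getUsersBlogs")
REQ_PINGBACK = xmlrpc.client.dumps(("http://a.example/", "http://b.example/p"),
                                   methodname="pingback.ping")
REQ_MULTICALL = _multicall("wp.getUsersBlogs", 3)
REQ_ALLOWED = xmlrpc.client.dumps((), methodname="demo.getStatus")

if __name__ == "__main__":
    for label, body in (("login probe", REQ_LOGIN_PROBE), ("pingback", REQ_PINGBACK),
                        ("multicall", REQ_MULTICALL), ("allowed", REQ_ALLOWED),
                        ("garbage", "<not xml")):
        verdict, reason = check_request(body, ALLOWED)
        print("%-12s %-5s %s" % (label, verdict, reason))
```

Inside WordPress the same policy is expressed with the `xmlrpc_methods` filter (unset `system.multicall` and `pingback.ping` from the array it passes) or, to turn the interface off entirely, the `xmlrpc_enabled` filter; a web application firewall or CDN rule can apply the same allowlist before the request reaches PHP. Either way the useful question is "which methods do my integrations actually call?", which is what the allowlist records.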
10. Hosting & WordPress security
Even if you’re meticulous when it comes to the security of your website, if it’s hosted by a company that isn’t just as meticulous, you may as well not have done anything at all.
If an attacker can gain access to your website hosting, they can take complete control of everything. That means it’s really important that you choose (or move to) a host that takes hosting seriously. Cheaper hosting options often don’t come with good security or backups, or might not offer support to help you clean up a hacked site.
Shared hosting (which is common on cheap packages) is often particularly risky, as attackers might be able to gain access to your site via another compromised site on the same system. That’s why we always recommend that serious users spend a little more on hosting and use a company with a great reputation for specialized WordPress hosting (for example GoDaddy or WP Engine).
11. Stay up to date
Staying up to date is an easy statement to make, but we realize how hard this can be for website owners in the day-to-day. Our websites are complex beings. They have many different things happening at any given time. And sometimes it’s difficult to apply the changes quickly. That’s why it’s not uncommon for websites to end up running out-of-date code. Both in their plugins and core software. Unfortunately, this makes them particularly vulnerable to known exploits.
It’s critical that updating your themes, software, plugins, and other components is part of an ongoing routine. Otherwise, you’re leaving the door open to attackers. If you’re a user of the Yoast SEO plugin, just follow these easy steps to update your Yoast SEO plugin.
12. Put more security layers in place
The best security solutions prevent attackers from ever getting anywhere near your website. That’s why we recommend that most sites run some kind of WordPress firewall plugin. These plugins look for known attackers and common attack patterns and stop them before they have a chance to compromise your site.
It’s also worth considering that many Content Delivery Networks (CDNs) now include firewall functionality, combining performance optimization with protection. Cloudflare, in particular, does a great job of blocking ‘bad traffic’ and even has rules and scans specifically developed to protect WordPress sites.
13. The best security plugins & themes
Most WordPress users tend to apply themes and plugins to their sites at will. We recommend being mindful of testing different themes or plugins, especially if you’re not using a test server. Most plugins and a lot of themes are free, and unless the developer has a solid business model to accompany these free giveaways, the security might not have been the highest priority during development. In other words, if a developer is maintaining a plugin just because it’s good fun, chances are he or she did not take the time to do proper security checks.
For this reason, we teamed up with Sucuri years ago to make sure every one of our plugins is checked for security before release. And we have an agreement with them for ongoing checks as well. If you are creating a free theme or plugin, you might not have the resources to add solid checks like that.
How to pick the right plugin
If you want to be taken by the hand in selecting the right WordPress security plugin for your website, please read this in-depth article Tony Perez did on the subject: Understanding the WordPress Security Plugin Ecosystem.
First, let me focus on the basics of plugin selection here. As explained above, free plugins and themes could be a possible vulnerability. When adding a plugin (or theme for that matter), always check the rating of that plugin on WordPress.org. Keep in mind that one 5-star rating won’t tell you anything, so always check the number of ratings. Depending on the niche, a plugin should be able to get multiple reviews. If more people think a plugin is awesome and take the time to rate it, you may feel more secure in using it too.
Compatibility of the plugin
There is one other thing you want to check. If a plugin hasn’t been updated for two years, WordPress will tell you that. Now, this doesn’t necessarily mean it’s a bad plugin. It could also mean there hasn’t been a need to update it, simply because the plugin still works. The ratings will help you decide if that’s the case. And have a look at the compatibility with the current WordPress version, which is also shown on the plugin page at wordpress.org. Having said that, Sucuri strongly recommends against using any plugins that haven’t been updated for that long. You should take their word for it.
Based on ratings and compatibility, you can pick your plugins thoughtfully and be mindful about your WordPress security at the same time.
Yoast recommends Sucuri
I’ve already mentioned our friends at Sucuri. Owners and managers Daniel and Tony have done a tremendous job on our plugins and have helped on several hacked websites in the past.
Sucuri is a globally recognized website security company known for its ability to clean and protect websites and bringing peace of mind to website owners, including us here at Yoast.
We teamed up with Sucuri because we take security very seriously. It’s not and never should be an afterthought. There is a variety of ways to address WordPress security, and we found that security was best addressed remotely at the edge beyond the application. What Daniel and Tony have built is a product/service that lets you get back to running your business. They are the security team we lean on when we need help the most. And they can help you out too. For instance, if you use WordPress, definitely read their WordPress guide on how to clean a hacked WordPress site.
Webinar Sucuri: how do websites get hacked?
If you’re wondering why websites get hacked and what type of attacks there are, watch Sucuri’s webinar on this subject:
[Embedded YouTube video: Sucuri webinar on how websites get hacked]
Failing to take the necessary precautions for your WordPress security, or to leverage the experts, can lead to malware infections, branding issues, Google blacklists and possibly huge impacts on your SEO (something dear to our hearts). Because of this, we turn to Sucuri for our needs, as they turn to us for website optimization.
Moreover, Sucuri created an infographic on what to do when your site does get hacked:
A lot of the suggestions in this article can be dealt with by installing and configuring the free Sucuri Scanner plugin for WordPress or hiring Sucuri to handle your website’s security. At Yoast, we don’t think this is an ‘extra’, but consider it an absolute necessity. For us, security is not a DIY project, which is why we leave it to the professionals. Visit their website at sucuri.net for more information or check your site now to make sure you haven’t been infected with malware or have been blacklisted.
If you are serious about your website, you are serious about your security. Get the complete security package of Website Security Stack right here:
Get your Sucuri Website Security Stack NOW
14. Don’t forget logs & monitoring
So far, we’ve seen how to secure a WordPress site. However, since WordPress security is not an absolute (sites are always evolving by changing functionality and users) there is another aspect to WordPress security: logging and monitoring. Audit logs or activity logs are a chronological record of events and changes that happened on your website. In the audit logs you can find information on who logged into your site, installed or updated a plugin, changed the content, changed the site’s settings, and more.
Spot attacks before they happen
By keeping an audit log on your WordPress site you ensure user accountability, ease troubleshooting of technical issues, and spot attacks before or as they happen, allowing you to take evasive action to stop them. Audit logs are also used for forensics, to find out what went wrong in the unfortunate case of a successful hack. To keep an audit log on your WordPress site you need to install a plugin such as WP Security Audit Log.
There are several other things you should keep an eye on. For example, if you use Sucuri you’ll get a weekly traffic report with details on what was blocked and allowed. You can learn a lot from it, as well as from your website’s analytics and traffic patterns.
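Audit-log plugins record what happened inside WordPress; the web server's access log records what was attempted from outside, and the brute-force and XML-RPC flooding patterns described in section 8 above and in the Persian post earlier on this page show up there as bursts of POST requests to the same endpoint from one address. The block below is an added example, not code from the Yoast post, from WP Security Audit Log, from Sucuri or from any plugin: it parses Apache/nginx combined-format lines, counts POSTs to /wp-login.php and /xmlrpc.php per source address in a sliding window, and reports the addresses that cross a threshold. The log lines are constructed (RFC 5737 documentation addresses); one assumption it encodes is that a 302 from wp-login.php is the redirect WordPress issues after a successful login, so that request is not counted as a failed attempt.

```python
"""Detect login-endpoint bursts in a web server access log: repeated POSTs to
/wp-login.php or /xmlrpc.php from one address inside a short window, the
pattern behind brute force and XML-RPC flooding. Added example, not code from
any post here or from a plugin; the log lines below are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" format; only the fields we use are named.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')
WATCHED = {"/wp-login.php", "/xmlrpc.php"}


def parse_line(line):
    """One log line -> dict with ip, ts (aware datetime), method, path, status;
    None for lines that do not match the format."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["path"] = ev["path"].split("?", 1)[0]   # drop query string
    return ev


def is_auth_attempt(ev):
    """POST to a watched endpoint. A 302 from wp-login.php is the redirect
    WordPress sends after a successful login (assumption), so it is not counted."""
    return (ev["method"] == "POST" and ev["path"] in WATCHED
            and not (ev["path"] == "/wp-login.php" and ev["status"] == "302"))


def find_bursts(lines, threshold=5, window_seconds=60):
    """Sliding-window count per (ip, path). Returns {(ip, path): peak count}
    for every pair that reached `threshold` attempts within `window_seconds`."""
    recent = defaultdict(deque)   # (ip, path) -> timestamps still inside the window
    peaks = {}
    for line in lines:
        ev = parse_line(line)
        if ev is None or not is_auth_attempt(ev):
            continue
        key = (ev["ip"], ev["path"])
        q = recent[key]
        q.append(ev["ts"])
        while (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= threshold:
            peaks[key] = max(peaks.get(key, 0), len(q))
    return peaks


def _line(ip, second, method, path, status, minute=0):
    """Constructed combined-format log line at 10:<minute>:<second> UTC."""
    return ('%s - - [10/Mar/2024:10:%02d:%02d +0000] "%s %s HTTP/1.1" %s 4523 '
            '"-" "Mozilla/5.0"' % (ip, minute, second, method, path, status))


# Constructed sample log (RFC 5737 documentation addresses).
LOG_LINES = (
    [_line("203.0.113.5", s, "POST", "/wp-login.php", "200") for s in range(8)]        # burst
    + [_line("198.51.100.7", 20, "GET", "/wp-login.php", "200"),                        # loads the form
       _line("198.51.100.7", 25, "POST", "/wp-login.php", "302"),                       # successful login
       _line("198.51.100.7", 40, "POST", "/wp-login.php", "200")]                       # one failed attempt
    + [_line("192.0.2.9", s, "POST", "/xmlrpc.php?rsd", "200") for s in range(30, 36)]  # burst
    + [_line("203.0.113.5", 0, "POST", "/wp-login.php", "200", minute=5)]               # outside the window
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for (ip, path), n in sorted(find_bursts(LOG_LINES).items()):
        print("%-14s %-14s %d attempts within 60s" % (ip, path, n))
```

Fed a real access log (`find_bursts(open("/var/log/apache2/access.log"))`), the result is a list of addresses worth rate-limiting at the firewall or handing to a login-limiting plugin, and a trend line for the weekly "what was blocked" report the section mentions. Thresholds are site-specific: a busy multi-author site sees more legitimate login POSTs than a one-person blog, and addresses behind a shared proxy will pool.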
Closing thoughts on WordPress security
If you’ve come this far in this article, you will have no more excuse not to improve WordPress security for your website. Much like adding posts and pages, checking your WordPress security should be a routine for every WordPress site owner.
Also bear in mind that this isn’t the full list of things you can do to secure your website. I am aware that one should, for instance, create regular backups to keep your site secure. However, I trust this article about WordPress security gives you a practical list of things you can and should do to secure at least the first layer of defense of your website. Remember, WordPress security isn’t an absolute, and it’s up to us to make it harder for the hackers!
I would also like to thank Tony Perez for his input and several additions to this article.
Source: http://www.scpie.org/wordpress-security-in-a-few-easy-steps/ (via https://scpie.tumblr.com/post/616220589153239040)
0 notes
Text
WordPress security in a few easy steps
Michiel Heijmans
Michiel is a partner at Yoast and our COO. Internet veteran. His main goal with most of his articles is to kick-start your site optimization. So much to do!
If you’re working with or using WordPress, then you should always think about your site’s security. WordPress isn’t any more or less secure than any other platform, but the number of users, plugins and third party add-ons make it a common target for attackers. Don’t worry though, there are some basic steps you can take to keep your site safe (even if you’re not very tech-savvy)!
New to WordPress? Our FREE WordPress for beginners training is here to help. Find out how to set up your own site, learn the ins and outs of creating and maintaining it, and more. This training is part of our free training subscription, take a look at all our online SEO training subscriptions!
Table of contents
1. Don’t use ‘admin’ as a username
Most WordPress ‘hacks’ and attacks don’t do anything more sophisticated than try and brute-force their way into your admin area by guessing your password. That’s much easier for them to do if they don’t also have to guess your admin username! Avoiding using common words (like admin) for your usernames can make brute-force attacks much less effective.
If you’re working with an older site that already has an ‘admin’ user, it might be time to delete that account and transfer any content or access to a more secure username!
2. Use a complex password
Having a better password can make it much harder to guess or to brute-force. An easy tip to remember is CLU: Complex. Long. Unique.
But longer, unique passwords can be hard to remember, right? That’s where tools like 1Password and LastPass come into play, as they each have password generators. You type in the required length, and it generates a password for you. You save the link, save the password, and move on with your day. Depending on how secure you want the password to be, it’s sensible to set a long password (20 characters is good) and decide on things like the inclusion of less usual characters like # or *.
3. Add two-factor authentication
Even if you’re not using ‘admin’ and have a strong, randomly generated password, brute-force attacks can still be a problem. Don’t worry though, two-factor authentication can help protect your site.
The principle is that, rather than just entering your login details, you also need to confirm that you’re you by entering a one-time code from another device you own (usually through an app on your phone). That’s much harder for attackers to fake!
Two popular plugins for handling authentification in WordPress are the Google Authenticator and Rublon Plugin (which takes a slightly different approach). Just make sure that you don’t lose your backup codes, or you might find yourself locked out.
4. Employ least privileged principles
The WordPress.org team has put together a great article in the WordPress Codex regarding Roles and Capabilities. We encourage you to read it and become familiar with it because it applies to the following step.
The concept of Least Privileged is simple. Only give permissions to:
those that need it,
when they need it and
only for the time they need it.
If someone requires temporary administrator access for a configuration change, grant it, but then remove it upon completion of the task. The good news is you don’t have to do much here, other than employ best practices.
Contrary to popular belief, not every user accessing your WordPress instance needs to be categorized under the administrator role. Assign people to the appropriate roles, and you’ll greatly reduce your security risk.
5. Hide wp-config.php and .htaccess
Your wp-config.php and .htaccessfile are critical to your WordPress security. They often contain your system credentials and expose information about your site’s structure and configuration. Ensuring that attackers can’t gain access to them is vital.
Hiding these files is relatively easy to do, but doing it wrong might make your site inaccessible. Make a backup and proceed with caution. Yoast SEO Company for WordPress makes this process somewhat easier for you. Just go to “Tools > File Editor” to edit your .htaccess.
For better WordPress security, you will need to add this to your .htaccess file to protect wp-config.php:
<Files wp-config.php> order allow,deny deny from all </Files>
That will prevent the file from being accessed. Similar code can be used for your .htaccess file itself:
<Files .htaccess> order allow,deny deny from all </Files>
6. Use WordPress security keys for authentication
‘Authentication keys’ and ‘salts’ are basically a set of random variables, unique to your website, which improve the security (encryption) of information in cookies.
Your wp-config.php file has a dedicated area where you can provide your own variables (simply get a new set of keys from here and paste them in).
7. Disable file editing
If a hacker gets in, the easiest way for them to change your files would be to go to “Appearance > Editor” in WordPress. To improve your WordPress security, you could disable the editing of these files via that editor. Again, you can do this from within your wp-config.php file by adding this line of code:
define('DISALLOW_FILE_EDIT', true);
You will still be able to edit your templates via your favorite (S)FTP application. You just won’t be able to do it via WordPress itself.
8. Hide your login and limit login attempts
Brute-force attacks usually target your login form. So changing where that lives can make it harder for attackers to get in. The All in One WP Security & Firewall plugin has an option to simply change the default URL (from /wp-admin/) to something more secure.
Next to that, you can also limit the number of attempts to log in from a certain IP address. There are several WordPress plugins to help you protect your login form from IP addresses that fire a multitude of login attempts your way.
9. Be selective with XML-RPC
XML-RPC is an application program interface (API) that’s been around for a while. It’s used by a number of plugins and themes, so we caution the less technical to be mindful of how they implement this specific hardening tip.
While functional, disabling can come at a cost. This is why we don’t recommend disabling for everything, but being more selective on how and what you allow to access it. In WordPress, if you use Jetpack you’ll want to be extra careful here.
There are a number of plugins that help you be very selective in the way you implement and disable XML-RPC by default.
10. Hosting & WordPress security
Even if you’re meticulous when it comes to the security of your website, if it’s hosted by a company that isn’t just as meticulous, you may as well not have done anything at all.
If an attacker can gain access to your website hosting, they can take complete control of everything. That means it’s really important that you choose (or move to) a host that takes hosting seriously. Cheaper hosting options often don’t come with good security or backups, or might not offer support to help you clean up a hacked site.
Shared hosting (which is common on cheap packages) is often particularly risky, as attackers might be able to gain access to your site via another compromised site on the same system. That’s why we always recommend serious users to spend a little more on hosting and use a company with a great reputation for specialized WordPress hosting (for example GoDaddy or WP Engine).
11. Stay up to date
Staying up to date is an easy statement to make, but we realize how hard this can be for website owners in the day-to-day. Our websites are complex beings. They have many different things happening at any given time. And sometimes it’s difficult to apply the changes quickly. That’s why it’s not uncommon for websites to end up running out-of-date code. Both in their plugins and core software. Unfortunately, this makes them particularly vulnerable to known exploits.
It’s critical that updating your themes, software, plugins, and other components is part of an ongoing routine. Otherwise, you’re leaving the door open to attackers. If you’re a user of the Yoast SEO Company plugin, just follow these easy steps to update your Yoast SEO plugin.
12. Put more security layers in place
The best security solutions prevent attackers from ever getting anywhere near your website. That’s why we recommend that most sites run some kind of WordPress firewall plugin. These plugins look for known attackers and common attack patterns and stop them before they have a chance to compromise your site.
It’s also worth considering that many content delivery networks (CDNs) now include firewall functionality, combining performance optimization with protection. Cloudflare, in particular, does a great job of blocking ‘bad traffic’ and even has rules and scans specifically developed to protect WordPress sites.
13. The best security plugins & themes
Most WordPress users tend to apply themes and plugins to their sites at will. We recommend being mindful of testing different themes or plugins, especially if you’re not using a test server. Most plugins and a lot of themes are free, and unless the developer has a solid business model to accompany these free giveaways, the security might not have been the highest priority during development. In other words, if a developer is maintaining a plugin just because it’s good fun, chances are he or she did not take the time to do proper security checks.
For this reason, we teamed up with Sucuri years ago to make sure every one of our plugins is checked for security before release. And we have an agreement with them for ongoing checks as well. If you are creating a free theme or plugin, you might not have the resources to add solid checks like that.
How to pick the right plugin
If you want to be taken by the hand in selecting the right WordPress security plugin for your website, please read this in-depth article Tony Perez did on the subject: Understanding the WordPress Security Plugin Ecosystem.
First, let me focus on the basics of plugin selection here. As explained above, free plugins and themes could be a vulnerability. When adding a plugin (or theme for that matter), always check the rating of that plugin on WordPress.org. Keep in mind that one 5-star rating won’t tell you anything, so always check the number of ratings. Depending on the niche, a plugin should be able to get multiple reviews. If more people think a plugin is awesome and take the time to rate it, you may feel more secure in using it too.
Compatibility of the plugin
There is one other thing you want to check. If a plugin hasn’t been updated for two years, WordPress will tell you that. Now, this doesn’t necessarily mean it’s a bad plugin. It could also mean there hasn’t been a need to update it, simply because the plugin still works. The ratings will help you decide if that’s the case. And have a look at the compatibility with the current WordPress version, which is also shown on the plugin page at wordpress.org. Having said that, Sucuri strongly recommends against using any plugins that haven’t been updated for that long. You should take their word for it.
Based on ratings and compatibility, you can pick your plugins thoughtfully and be mindful about your WordPress security at the same time.
Yoast recommends Sucuri
I’ve already mentioned our friends at Sucuri. Owners and managers Daniel and Tony have done a tremendous job on our plugins and have helped on several hacked websites in the past.
Sucuri is a globally recognized website security company known for its ability to clean and protect websites and bringing peace of mind to website owners, including us here at Yoast.
We teamed up with Sucuri because we take security very seriously. It’s not and never should be an afterthought. There is a variety of ways to address WordPress security, and we found that security was best addressed remotely at the edge beyond the application. What Daniel and Tony have built is a product/service that lets you get back to running your business. They are the security team we lean on when we need help the most. And they can help you out too. For instance, if you use WordPress, definitely read their WordPress guide on how to clean a hacked WordPress site.
Webinar Sucuri: how do websites get hacked?
If you’re wondering why websites get hacked and what type of attacks there are, watch Sucuri’s webinar on this subject:
Failing to take the necessary precautions for your WordPress security and to leverage the experts can lead to malware infections, branding issues, Google blacklists and possibly have huge impacts on your SEO (something dear to our hearts). Because of this, we turn to Sucuri for our needs, as they turn to us for website optimization.
Moreover, Sucuri created an infographic on what to do when your site does get hacked.
A lot of the suggestions in this article can be dealt with by installing and configuring the free Sucuri Scanner plugin for WordPress or hiring Sucuri to handle your website’s security. At Yoast, we don’t think this is an ‘extra’, but consider it an absolute necessity. For us, security is not a DIY project, which is why we leave it to the professionals. Visit their website at sucuri.net for more information or check your site now to make sure you haven’t been infected with malware or have been blacklisted.
If you are serious about your website, you are serious about your security. Get the complete security package of Website Security Stack right here:
Get your Sucuri Website Security Stack NOW
14. Don’t forget logs & monitoring
So far, we’ve seen how to secure a WordPress site. However, since WordPress security is not an absolute (sites are always evolving by changing functionality and users) there is another aspect to WordPress security: logging and monitoring. Audit logs or activity logs are a chronological record of events and changes that happened on your website. In the audit logs you can find information on who logged into your site, installed or updated a plugin, changed the content, changed the site’s settings, and more.
Spot attacks before they happen
By keeping an audit log on your WordPress site you ensure user accountability, ease troubleshooting of technical issues, and spot attacks before or as they happen, allowing you to take evasive action to stop them. Audit logs are also used for forensics, to find out what went wrong in the unfortunate case of a successful hack. To keep an audit log on your WordPress site you need to install a plugin such as WP Security Audit Log.
There are several other things you should keep an eye on. For example, if you use Sucuri you’ll get a weekly traffic report with details on what was blocked and allowed. You can learn a lot from it, as well as from your website’s analytics and traffic patterns.
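What an audit-log plugin records, reduced to the core WordPress hooks behind it, as an added example that is not part of the article or of WP Security Audit Log: one JSON line per login, failed login, plugin (de)activation, content status change, settings change and XML-RPC call, written to the PHP error log. Assumptions: it is saved as a file in wp-content/mu-plugins/, the example_ names are placeholders, and the list of tracked options is only a starting point.

```php
<?php
/**
 * Plugin Name: Minimal audit log (added example, not from the article)
 * Description: Emits one JSON line per security-relevant event to the PHP error log.
 */

/**
 * Client address. Caveat: behind a proxy or DNS-level firewall (Sucuri, Cloudflare)
 * REMOTE_ADDR is the proxy unless the web server is configured to restore the real
 * address; the entries are then still useful for sequencing events, not for IPs.
 */
function example_audit_client_ip(): string {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : 'unknown';
}

/**
 * Build and emit one event; returns the encoded line so it can be inspected.
 * 'actor' is the logged-in user performing the action (empty on the login request itself,
 * which is why login events carry the user name separately).
 */
function example_audit_record( string $event, array $details = array() ): string {
    $entry = array(
        'ts'    => gmdate( 'c' ),
        'event' => $event,
        'ip'    => example_audit_client_ip(),
        'actor' => wp_get_current_user()->user_login,
    ) + $details;
    $line = wp_json_encode( $entry );
    error_log( 'wp-audit ' . $line );
    return $line;
}

// Who logged in, and from where.
add_action( 'wp_login', function ( string $user_login ): void {
    example_audit_record( 'login_success', array( 'user' => $user_login ) );
}, 10, 1 );

// Failed logins: a burst of these from one address is the brute-force signature.
add_action( 'wp_login_failed', function ( string $username ): void {
    example_audit_record( 'login_failed', array( 'user' => $username ) );
}, 10, 1 );

// Plugin activation and deactivation.
add_action( 'activated_plugin', function ( string $plugin ): void {
    example_audit_record( 'plugin_activated', array( 'plugin' => $plugin ) );
}, 10, 1 );
add_action( 'deactivated_plugin', function ( string $plugin ): void {
    example_audit_record( 'plugin_deactivated', array( 'plugin' => $plugin ) );
}, 10, 1 );

// Content changes: a post or page moving between statuses (draft -> publish, publish -> trash, ...).
add_action( 'transition_post_status', function ( string $new, string $old, WP_Post $post ): void {
    if ( $new === $old || 'auto-draft' === $new ) {
        return; // no real change, or editor scaffolding
    }
    example_audit_record( 'post_status', array( 'post_id' => $post->ID, 'from' => $old, 'to' => $new ) );
}, 10, 3 );

// Settings changes worth tracking. Assumption: this short list; extend per site.
const EXAMPLE_AUDIT_OPTIONS = array( 'siteurl', 'home', 'admin_email', 'users_can_register', 'default_role' );
add_action( 'updated_option', function ( string $option, $old, $new ): void {
    if ( in_array( $option, EXAMPLE_AUDIT_OPTIONS, true ) ) {
        example_audit_record( 'option_changed', array( 'option' => $option, 'old' => $old, 'new' => $new ) );
    }
}, 10, 3 );

// XML-RPC use: every method name, so you can tell whether the endpoint is used or abused.
add_action( 'xmlrpc_call', function ( string $method ): void {
    example_audit_record( 'xmlrpc_call', array( 'method' => $method ) );
}, 10, 1 );
```

Review the error log with the hosting provider’s log tooling, or point error_log at a file via PHP’s error_log ini setting, and ship it off the server so a successful intruder cannot erase it.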
Closing thoughts on WordPress security
If you’ve come this far in this article, you will have no more excuse not to improve WordPress security for your website. Much like adding posts and pages, checking your WordPress security should be a routine for every WordPress site owner.
Also bear in mind that this isn’t the full list of things you can do to secure your website. I am aware that one should, for instance, create regular backups to keep your site secure. However, I trust this article about WordPress security gives you a practical list of things you can and should do to secure at least the first layer of defense of your website. Remember, WordPress security isn’t an absolute, and it’s up to us to make it harder for the hackers!
I would also like to thank Tony Perez for his input and several additions to this article.
source http://www.scpie.org/wordpress-security-in-a-few-easy-steps/ source https://scpie1.blogspot.com/2020/04/wordpress-security-in-few-easy-steps.html
How to Stop and Prevent a DDoS Attack on WordPress
WordPress is one of the most popular website builders in the world because it offers powerful features and a secure codebase. However, that does not protect WordPress or any other software from malicious DDoS attacks, which are common on the internet.
DDoS attacks can slow down websites and eventually make them inaccessible to users. These attacks can be targeted against both small and large websites.
Now, you may be wondering how a small business website using WordPress can prevent such DDoS attacks with limited resources.
In this guide, we will show you how to effectively stop and prevent a DDoS attack on WordPress. Our goal is to help you learn how to manage your website security against a DDoS attack like a pro.
What is a DDoS Attack?
A DDoS attack, short for Distributed Denial of Service attack, is a type of cyber attack that uses compromised computers and devices to send or request data from a WordPress hosting server. The purpose of these requests is to slow down and eventually crash the targeted server.
DDoS attacks are an advanced form of DoS (Denial of Service) attacks. Unlike a DoS attack, they take advantage of multiple compromised machines or servers spread across different regions.
These compromised machines form a network, which is commonly called a botnet. Each affected machine acts as a bot and launches attacks on the targeted system or server.
This allows them to go unnoticed for a while and cause maximum damage before they are blocked.
Even the biggest internet companies are vulnerable to DDoS attacks.
In 2018, GitHub, a popular code hosting platform, witnessed a massive DDoS attack that sent 1.3 terabytes per second of traffic to their servers.
You may also remember the notorious 2016 attack on Dyn (a DNS service provider). This attack got worldwide news coverage because it affected many popular websites like Amazon, Netflix, PayPal, Visa, Airbnb, The New York Times, Reddit, and thousands of other websites.
Why Do DDoS Attacks Happen?
There are several motivations behind DDoS attacks. Below are some common ones:
Technically savvy people who are just bored and find it adventurous
People and groups trying to make a political point
Groups targeting websites and services of a particular country or region
Targeted attacks on a specific business or service provider to cause them financial damage
To blackmail and collect ransom money
What is the difference between a Brute Force Attack and a DDoS Attack?
Brute force attacks are mainly trying to break into a system by guessing passwords or trying random combinations to gain unauthorized access to a system.
DDoS attacks are purely used to crash the targeted system, making it inaccessible or slowing it down.
For details, see our guide on how to block brute force attacks on WordPress with step-by-step instructions.
What damages can be caused by a DDoS attack?
DDoS attacks can make a site inaccessible or reduce its performance. This can cause a bad user experience and loss of business, and the costs of mitigating the attack can run to thousands of dollars.
Here is a breakdown of those costs:
Loss of business due to inaccessibility of the website
Cost of customer support to answer queries related to the service disruption
Cost of mitigating the attack by hiring security services or support
The biggest cost is the bad user experience and brand reputation
How to Stop and Prevent a DDoS Attack on WordPress
DDoS attacks can be cleverly disguised and difficult to deal with. However, with some basic security best practices, you can prevent and easily stop DDoS attacks from affecting your WordPress website.
Here are the steps you need to take to prevent and stop DDoS attacks on your WordPress site.
Remove DDoS / Brute Force Attack Verticals
The best thing about WordPress is that it is highly flexible. WordPress allows third-party plugins and tools to integrate into your website and add new features.
To do that, WordPress makes several APIs available to programmers. These APIs are methods through which third-party WordPress plugins and services can interact with WordPress.
However, some of these APIs can also be exploited during a DDoS attack by sending a ton of requests. You can safely disable them to reduce those requests.
Disable XML-RPC in WordPress
XML-RPC allows third-party apps to interact with your WordPress website. For example, you need XML-RPC to use the WordPress app on your mobile device.
If you are like the vast majority of users who don’t use the mobile app, then you can disable XML-RPC by simply adding the following code to your website’s .htaccess file.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
# Apache 2.4 without mod_access_compat: use "Require all denied" instead of the next two lines
order deny,allow
deny from all
</Files>
For alternate methods, see our guide on how to easily disable XML-RPC in WordPress.
Disable REST API in WordPress
The WordPress JSON REST API gives plugins and tools the ability to access WordPress data, update content, and even delete it. Here is how to disable the REST API in WordPress.
The first thing you need to do is install and activate the Disable WP Rest API plugin. For more details, see our step-by-step guide on how to install a WordPress plugin.
The plugin works out of the box, and it will simply disable the REST API for all non-logged-in users.
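The same two attack verticals handled in code, as an added example that is not from the WPBeginner article or from the Disable WP Rest API plugin: XML-RPC stays available to authenticated clients but loses the credential-free pingback methods (the selective approach the Yoast article earlier on this page recommends over a blanket block), and the REST API refuses anonymous requests except for the route prefixes you allowlist. Assumptions: it is saved as a file in wp-content/mu-plugins/, the example_ names and the EXAMPLE_PUBLIC_REST_PREFIXES list are placeholders to adapt per site.

```php
<?php
/**
 * Plugin Name: Reduce XML-RPC and REST attack surface (added example, not from the article)
 * Description: Drops the unauthenticated pingback XML-RPC methods and requires a login
 *              for the REST API except on allowlisted public routes.
 */

// Assumption: route prefixes that must stay reachable without a login. The oEmbed
// endpoint is what other sites call when they embed one of your posts.
const EXAMPLE_PUBLIC_REST_PREFIXES = array(
    '/oembed/1.0/',
);

/**
 * Remove the pingback methods from the XML-RPC method table (core 'xmlrpc_methods' filter).
 * Pingbacks are the part of XML-RPC that anyone can call without credentials, which is
 * what makes the endpoint usable for request floods; clients that authenticate use the
 * wp.* (or plugin-registered) methods, which stay in place.
 */
function example_strip_pingback_methods( array $methods ): array {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
}
add_filter( 'xmlrpc_methods', 'example_strip_pingback_methods' );

/**
 * Stop advertising the endpoint: core adds an X-Pingback header to pages, which tells
 * scanners exactly where xmlrpc.php lives.
 */
function example_drop_pingback_header( array $headers ): array {
    unset( $headers['X-Pingback'] );
    return $headers;
}
add_filter( 'wp_headers', 'example_drop_pingback_header' );

/**
 * Refuse anonymous REST requests (the effect the plugin above has) while keeping the
 * allowlisted public routes open. Logged-in users, including application-password
 * clients, are unaffected, so the block editor and admin screens keep working.
 */
function example_rest_require_login( $result ) {
    // Another callback already decided (true = authenticated, WP_Error = refused).
    if ( true === $result || is_wp_error( $result ) ) {
        return $result;
    }
    if ( is_user_logged_in() ) {
        return $result;
    }
    // Route being requested, e.g. "/wp/v2/users"; core sets it before authentication runs.
    $route = isset( $GLOBALS['wp']->query_vars['rest_route'] )
        ? (string) $GLOBALS['wp']->query_vars['rest_route']
        : '';
    foreach ( EXAMPLE_PUBLIC_REST_PREFIXES as $prefix ) {
        if ( 0 === strpos( $route, $prefix ) ) {
            return $result;
        }
    }
    return new WP_Error(
        'rest_login_required',
        'The REST API on this site requires a logged-in user.',
        array( 'status' => 401 )
    );
}
add_filter( 'rest_authentication_errors', 'example_rest_require_login' );
```

Before enabling the REST restriction on a live site, check the front end while logged out: themes and plugins that fetch data with JavaScript (search, forms, infinite scroll) need their routes added to the allowlist.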
Activate a WAF (Website Application Firewall)
Disabling attack vectors like the REST API and XML-RPC provides limited protection against DDoS attacks. Your website is still vulnerable to normal HTTP requests.
While you can mitigate a small DoS attack by trying to catch the offending machine IPs and blocking them manually, this approach is not very effective when dealing with a large DDoS attack.
The easiest way to block suspicious requests is by activating a website application firewall.
A website application firewall acts as a proxy between your website and all incoming traffic. It uses a smart algorithm to catch suspicious requests and block them before they reach your website server.
We recommend using Sucuri because it is the best WordPress security plugin and website firewall. It runs at the DNS level, which means they can catch a DDoS attack before it can make a request to your website.
Pricing for Sucuri starts from $20 per month (paid annually).
We use Sucuri on WPBeginner. See our case study on how they help block hundreds of thousands of attacks on our website.
Alternatively, you can also use Cloudflare. However, Cloudflare’s free service only offers limited DDoS protection. You’ll need to sign up for at least their business plan for layer 7 DDoS protection, which costs around $200 per month.
See our article on Sucuri vs Cloudflare for a detailed side-by-side comparison.
Note: Website Application Firewalls (WAFs) that run at the application level are less effective during a DDoS attack. They block the traffic once it has already reached your web server, so it still affects your overall website performance.
Finding Out Whether it's a Brute Force or DDoS Attack
Both brute force and DDoS attacks intensively use server resources, which means their symptoms look quite similar. Your website will get slower and may crash.
You can easily find out whether it is a brute force attack or a DDoS attack by simply looking at the Sucuri plugin's login reports.
Simply install and activate the free Sucuri plugin and then go to the Sucuri Security » Last Logins page.
If you are seeing a large number of random login requests, then this means your wp-admin is under a brute force attack. To mitigate it, you can see our guide on how to block brute force attacks in WordPress.
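The same distinction the Sucuri login report gives you can be drawn from the raw Apache access log. The following is an added example, not code from the WPBeginner post: it counts login POSTs per source IP (brute force concentrates on wp-login.php/xmlrpc.php from few addresses) against request volume spread across many addresses (the DDoS pattern). The log lines, IP addresses and thresholds are constructed for illustration.

```python
"""Classify WordPress traffic from Apache combined-format access-log lines.

Heuristic used here (constructed thresholds, tune for your site):
  - brute_force: at least `login_threshold` POSTs to wp-login.php or
    xmlrpc.php from one source IP;
  - ddos_like:   at least `flood_threshold` requests where the share of
    distinct source IPs is at or above `unique_ip_ratio`;
  - normal:      anything else.
"""
import re
from collections import Counter

# ip ident user [date] "METHOD path HTTP/x" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

# WordPress endpoints that password-guessing tools hammer
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return a dict with ip/method/path/status, or None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def classify(lines, login_threshold=5, flood_threshold=8, unique_ip_ratio=0.5):
    """Classify a batch of log lines and return the verdict with its evidence."""
    records = [r for r in (parse_line(l) for l in lines) if r]
    # Login POSTs per IP; the query string is stripped before matching the path
    login_posts = Counter(
        r["ip"] for r in records
        if r["method"] == "POST" and r["path"].split("?")[0] in LOGIN_PATHS
    )
    total = len(records)
    unique_ips = len({r["ip"] for r in records})
    offenders = sorted(ip for ip, n in login_posts.items() if n >= login_threshold)

    if offenders:
        verdict = "brute_force"
    elif total >= flood_threshold and unique_ips / total >= unique_ip_ratio:
        verdict = "ddos_like"
    else:
        verdict = "normal"
    return {
        "verdict": verdict,
        "total": total,
        "unique_ips": unique_ips,
        "login_posts": dict(login_posts),
        "offenders": offenders,
    }


def _line(ip, method, path, status=200):
    """Build one constructed access-log line (documentation IP ranges only)."""
    return (f'{ip} - - [10/Oct/2023:13:55:36 +0000] "{method} {path} HTTP/1.1" '
            f'{status} 512 "-" "Mozilla/5.0"')


# Constructed samples: one IP guessing passwords, a distributed flood, quiet traffic
BRUTE_FORCE_LOG = [_line("203.0.113.7", "POST", "/wp-login.php") for _ in range(6)] + [
    _line("198.51.100.20", "GET", "/"),
    _line("198.51.100.20", "GET", "/about/"),
]
DDOS_LOG = [_line(f"198.51.100.{i}", "GET", "/?s=random") for i in range(1, 11)]
NORMAL_LOG = [
    _line("198.51.100.20", "GET", "/"),
    _line("198.51.100.20", "POST", "/wp-login.php"),
    _line("198.51.100.20", "GET", "/wp-admin/"),
]

if __name__ == "__main__":
    for name, log in (("brute", BRUTE_FORCE_LOG), ("ddos", DDOS_LOG), ("normal", NORMAL_LOG)):
        print(name, classify(log)["verdict"])
```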
Things to Do During a DDoS Attack
DDoS attacks can happen even if you have a web application firewall and other protections in place. Companies like CloudFlare and Sucuri deal with these attacks on a regular basis, and most of the time you will never hear about it since they can easily mitigate it.
However, in some cases, when these attacks are large, it can still affect you. In that case, it's best to be prepared to mitigate the issues that may arise during and after the DDoS attack.
Following are a few things you can do to minimize the impact of a DDoS attack.
1. Alert your team members
If you have a team, then you need to inform colleagues about the issue. This will help them prepare for customer support queries, look out for possible issues, and help out during or after the attack.
2. Inform customers about the inconvenience
A DDoS attack can affect user experience on your website. If you run a WooCommerce store, then your customers may not be able to place an order or log in to their account.
You can announce through your social media accounts that your website is having technical difficulties and everything will be back to normal soon.
If the attack is large, then you can also use your email marketing service to communicate with customers and ask them to follow your social media updates.
If you have VIP customers, then you may want to use your business phone service to make individual phone calls and let them know how you're working to restore the services.
Communication during these difficult times makes a huge difference in keeping your brand's reputation strong.
3. Contact Hosting and Security Support
Get in touch with your WordPress hosting provider. The attack you are witnessing may be part of a larger attack targeting their systems. In that case, they will be able to provide you with the latest updates about the situation.
Contact your firewall service and let them know that your website is under a DDoS attack. They may be able to mitigate the situation even sooner and may provide you with more information.
In firewall providers like Sucuri, you can also set your settings to Paranoid mode, which helps block a lot of requests and keep your website accessible for normal users.
Keeping Your WordPress Website Secure
WordPress is quite secure out of the box. However, as the world's most popular website builder, it is often targeted by hackers.
Luckily, there are many security best practices that you can apply to your website to make it even more secure.
We have compiled a complete step-by-step WordPress security guide for beginners. It will walk you through the best WordPress security settings to protect your website and its data against common threats.
We hope this article helped you learn how to block and prevent a DDoS attack on WordPress. You may also want to see our guide on the most common WordPress errors and how to fix them.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
The post How to Stop and Prevent a DDoS Attack on WordPress appeared first on WPBeginner.
from WordPress https://ift.tt/2N65R6G via IFTTT
How to disable XML-RPC in WordPress
New Post has been published on https://trendyport.com/how-to-disable-xml-rpc-in-wordpress/
How to disable XML-RPC in WordPress
#Disable XML-RPC#disable XML-RPC with .htaccess#disable XML-RPC WordPress 3.5#XML RPC#XML-RPC WordPress
WordPress, as a popular site-building platform, is actually not as dangerous as many people think; it is upgraded frequently and vulnerabilities are fixed quickly. Of course WordPress is not invulnerable: if a WordPress installation can be broken into, millions of sites could be "open" to the attacker, and even if core WordPress is secure, that does not guarantee every theme and plugin has the same level of security.
Some attacks are crude and easy to spot, but the worst are the stealthy ones that bury phishing pages deep in the folder structure or use your server to send spam. Once your WordPress installation is compromised, you may have to delete everything and reinstall from scratch, which is the worst case. Today 3z学堂 looks at how to improve the security of a WordPress site.
1. Choose a reliable hosting provider
The importance of the hosting provider needs no explanation; a reliable host makes things feel as easy as using your home PC. Unreliable hosts dump their machines in low-end data centres with no firewall, no system updates, unmanaged software, unpatched vulnerabilities, and possibly no one maintaining them at all.
Attacks on WordPress are now highly automated: every site, large or small, gets scanned automatically, and once it is breached the site no longer belongs to you, though the hosting bill still does.
So what should you do? First, never use "free" hosting; such providers are half hackers themselves, never mind the ones just practising. Second, choose hosting with security measures; if your budget is limited, an entry-level plan is enough for an ordinary site. In China you can choose Alibaba Cloud or Tencent Cloud; abroad there are more options, and Fastcomet, SiteGround and WPEngine are all good.
2. Set up WordPress automatic updates
Is WordPress secure? Relatively. Is it perfect? No. The more popular it is, the more it is targeted, and the more problems are exposed; that is both bad and good, just as Windows is attacked far more than Linux and Android has far more vulnerabilities than iOS. The key is keeping the system up to date: automatically update WordPress core, plugins and themes. Core code and popular plugins and themes are iterated almost daily, often to fix security vulnerabilities; there have been cases of extremely fast fixes. Going without updates for a long time leaves security risks, and in theory being hacked is only a matter of time. Keeping core, plugins and themes auto-updated prevents problems before they occur: updates don't just patch the vulnerability itself, they sometimes force attack tools to be rewritten and their mechanisms changed, raising the cost of an attack.
So how do you do it? 3z学堂 recommends the Companion Auto Update plugin, which provides unattended automatic updates of WordPress core, plugins and themes.
3. Configure automatic WordPress backups
Maintenance means planning for the worst: back up the whole site automatically and regularly so that if the site is hacked there is at least data to restore. The worst case is being attacked, having the site turned into a bot, and then discovering that you cannot back up and never kept any backups; then there is truly nothing left to do but weep.
3z学堂 previously shared an article, 《wordpress常见备份方法》 (Common WordPress backup methods), which describes several common ways to back up WordPress; you can follow it step by step.
4. Automatic security scanning with tools
Whether a site has been compromised is hard to tell with the naked eye, because many intrusions show no symptoms or warning signs, and you certainly cannot rely on gut feeling or guesswork. So what specifically should you do?
Install the WordFence security plugin
First, 3z学堂 recommends the WordFence security plugin. It is powerful and is currently the most mainstream WordPress security plugin; besides automatic scanning it has many other features, so look carefully through its settings pages. When time permits, 3z学堂 will write a separate article about this plugin.
5. Enable spam comment filtering
Most spam comments aren't simply advertising; they are written to look like ads while actually embedding malicious code for XSS attacks. If such comments reach a normal user's browser they can cause harm, and if that user has elevated privileges the site may be compromised. So as soon as WordPress is installed, enable the Akismet plugin and moderate user comments; this can be configured under Settings -> Discussion.
6. Reduce the risk from plugins
Unofficial plugins carry a high risk; don't download and install them casually, and confirm the plugin source is trustworthy first. Note also that an installed but inactive plugin is not risk-free, because code vulnerabilities do not depend on whether the plugin is activated. What to do? First, install plugins from the official site wherever possible and avoid downloading from unknown third-party sites; second, promptly delete unused plugins, avoid testing plugins in production, and keep the number of plugins under control.
7. Use a more secure administrator account
Once your site has some traffic, request monitoring will show a few familiar IPs repeatedly hitting /wp-admin. These usually come from attackers' bots, and the requests are automated scripts guessing your login username and password.
So avoid using "admin" or "administrator" as the administrator account; these are the accounts every attack tool tries. Use an account name only you know; this small change multiplies the headache for password-guessing tools, since in theory guessing the account name is as hard as guessing the password. Also use stronger passwords and don't reuse them.
To limit password attempts, you can install the Login LockDown plugin, which limits login retries.
8. Protect the wp-admin directory
Add another layer of password protection: look for a "directory password protection" option in your hosting control panel. If there is none or you can't find it, 3z学堂 suggests simply replacing the default login entry point. WordPress's default login addresses are /wp-admin and /wp-login.php, and a great many attack tools target them. You can install the WPS Hide Login plugin, which blocks access to /wp-admin and /wp-login.php and moves the login entry point to a custom URL.
9. Use HTTPS
Generally, the username and password entered at the back-end login should not be transmitted in plain text; especially when you use a proxy, sensitive information may be intercepted by a man in the middle. Configure the web server and enable an SSL certificate; shared hosts usually provide a free SSL certificate that can be set up with a few clicks. On a VPS you can generate one with Let's Encrypt, and redirect all HTTP traffic to HTTPS automatically.
10. Avoid the default database prefix
There is a class of tools for SQL injection: attackers exploit a security flaw in a plugin's input field to modify the site database directly through malicious SQL statements. These statements usually assume the database table prefix is wp_, the default when WordPress is installed. So when installing WordPress, avoid the default wp_ table prefix; this renders a large number of SQL injection tools ineffective.
11. Disable file editing
By default WordPress allows the administrator account to modify theme or plugin source files. Once the administrator account is compromised, an attacker could in theory use this feature to modify those files and run any code they want, such as injecting a trojan or leaving a backdoor. So you can turn this feature off completely by adding the following to wp-config.php:
define('DISALLOW_FILE_EDIT', true);
12. Disable direct access to .php files
Once an attacker finds a vulnerability in a PHP source file, they can repeatedly try to exploit it by requesting the file directly, especially in sensitive locations such as the uploads folder (/uploads). If direct access is disabled, then even if the vulnerability exists the attacker can do nothing with it. So add rules for sensitive directories in the .htaccess file to forbid direct access to .php files:
# Deny direct requests to .php files in this directory (e.g. /wp-content/uploads/)
<Files *.php>
Order Allow,Deny
Deny from all
</Files>
13. Disable XML-RPC
XML-RPC is an interface WordPress exposes externally; the Pingback and Trackback features depend on it, but attack tools use it for brute force or DDoS. You can install the Disable XML-RPC plugin to turn XML-RPC off completely. Pingback and Trackback mean little to an ordinary site, so disabling XML-RPC is fine unless you are sure you need it.
Summary
Today 3z学堂 went through WordPress security considerations in detail, and you should now have a relatively complete picture. Some of it is slightly complex and beginners may not digest it all at once, but for an ordinary site the three most important WordPress security steps are: keep automatic updates on, scan regularly with a security plugin, and back up. Doing these three basically keeps the site from being compromised; the remaining measures can be configured depending on the site. That's all for today; feel free to leave comments and learn together with 3z学堂!
12 Most Useful .htaccess Tricks for WordPress
Are you looking for some useful .htaccess tricks for your WordPress site? The .htaccess file is a powerful configuration file which allows you to do a lot of neat things on your website. In this article, we will show you some of the most useful .htaccess tricks for WordPress that you can try right away.
What is .htaccess File and How to Edit it?
The .htaccess file is a server configuration file. It allows you to define rules for your server to follow for your website.
WordPress uses the .htaccess file to generate an SEO friendly URL structure. However, this file can do a lot more.
The .htaccess file is located in your WordPress site’s root folder. You will need to connect to your website using an FTP client to edit it.
If you cannot find your .htaccess file, then see our guide on how to find .htaccess file in WordPress.
Before editing your .htaccess file, it is important to download a copy of it to your computer as a backup. You can restore that file in case anything goes wrong.
Having said that, let’s take a look at some useful .htaccess tricks for WordPress that you can try.
1. Protect Your WordPress Admin Area
You can use .htaccess to protect your WordPress admin area by limiting the access to selected IP addresses only. Simply copy and paste this code into your .htaccess file:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
order deny,allow
deny from all
# whitelist Syed's IP address
allow from xx.xx.xx.xxx
# whitelist David's IP address
allow from xx.xx.xx.xxx
</LIMIT>
Don’t forget to replace xx values with your own IP address. If you use more than one IP address to access the internet, then make sure you add them as well.
For detailed instructions, see our guide on how to limit access to WordPress admin using .htaccess.
2. Password Protect WordPress Admin Folder
If you access your WordPress site from multiple locations including public internet spots, then limiting access to specific IP addresses may not work for you.
You can use .htaccess file to add an additional password protection to your WordPress admin area.
First, you need to generate a .htpasswds file. You can easily create one by using this online generator.
Upload this .htpasswds file outside your publicly accessible web directory or /public_html/ folder. A good path would be:
/home/user/.htpasswds/public_html/wp-admin/passwd/
Next, create a .htaccess file, upload it to the /wp-admin/ directory, and add the following code to it:
AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Important: Don’t forget to replace AuthUserFile path with the file path of your .htpasswds file and add your own username.
For detailed instructions, see our guide on how to password protect WordPress admin folder.
3. Disable Directory Browsing
Many WordPress security experts recommend disabling directory browsing. With directory browsing enabled, hackers can look into your site’s directory and file structure to find a vulnerable file.
To disable directory browsing on your website, you need to add the following line to your .htaccess file.
Options -Indexes
For more on this topic, see our guide on how to disable directory browsing in WordPress.
4. Disable PHP Execution in Some WordPress Directories
Sometimes hackers break into a WordPress site and install a backdoor. These backdoor files are often disguised as core WordPress files and are placed in /wp-includes/ or /wp-content/uploads/ folders.
An easier way to improve your WordPress security is by disabling PHP execution for some WordPress directories.
You will need to create a blank .htaccess file on your computer and then paste the following code inside it.
<Files *.php>
deny from all
</Files>
Save the file and then upload it to your /wp-content/uploads/ and /wp-includes/ directories. For more information check out our tutorial on how to disable PHP execution in certain WordPress directories.
5. Protect Your WordPress Configuration wp-config.php File
Probably the most important file in your WordPress website’s root directory is wp-config.php file. It contains information about your WordPress database and how to connect to it.
To protect your wp-config.php file from unauthorized access, simply add this code to your .htaccess file:
<files wp-config.php>
order allow,deny
deny from all
</files>
6. Setting up 301 Redirects Through .htaccess File
Using 301 redirects is the most SEO friendly way to tell your users that content has moved to a new location. If you want to properly manage your 301 redirects on a post-by-post basis, then check out our guide on how to set up redirects in WordPress.
On the other hand, if you want to quickly set up redirects, then all you need to do is paste this code in your .htaccess file.
Redirect 301 /oldurl/ http://www.example.com/newurl
Redirect 301 /category/television/ http://www.example.com/category/tv/
7. Ban Suspicious IP Addresses
Are you seeing unusually high requests to your website from a specific IP address? You can easily block those requests by blocking the IP address in your .htaccess file.
Add the following code to your .htaccess file:
<Limit GET POST>
order allow,deny
deny from xxx.xxx.xx.x
allow from all
</Limit>
Don’t forget to replace xx with the IP address you want to block.
8. Disable Image Hotlinking in WordPress Using .htaccess
Other websites directly hotlinking images from your site can make your WordPress site slow and exceed your bandwidth limit. This isn’t a big issue for most smaller websites. However, if you run a popular website or a website with lots of photos, then this could become a serious concern.
You can prevent image hotlinking by adding this code to your .htaccess file:
#disable hotlinking of images with forbidden or custom image option
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?wpbeginner.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?google.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]
This code only allows images to be displayed if the request is originating from wpbeginner.com or Google.com. Don’t forget to replace wpbeginner.com with your own domain name.
For more ways to protect your images see our guide on ways to prevent image theft in WordPress.
9. Protect .htaccess From Unauthorized Access
As you have seen, there are many things that can be done using the .htaccess file. Because of the power and control it has over your web server, it is important to protect it from unauthorized access by hackers. Simply add the following code to your .htaccess file:
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
10. Increase File Upload Size in WordPress
There are different ways to increase the file upload size limit in WordPress. However, for users on shared hosting some of these methods do not work.
One method that has worked for many users is adding the following code to their .htaccess file:
php_value upload_max_filesize 64M
php_value post_max_size 64M
php_value max_execution_time 300
php_value max_input_time 300
This code simply tells your web server to use these values to increase file upload size as well as maximum execution time in WordPress.
11. Disable Access to XML-RPC File Using .htaccess
Each WordPress install comes with a file called xmlrpc.php. This file allows third-party apps to connect to your WordPress site. Most WordPress security experts advise that if you are not using any third party apps, then you should disable this feature.
There are multiple ways to do that; one of them is adding the following code to your .htaccess file:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
For more information, see our guide on how to disable XML-RPC in WordPress.
12. Blocking Author Scans in WordPress
A common technique used in brute force attacks is to run author scans on a WordPress site and then attempt to crack passwords for those usernames.
You can block such scans by adding the following code to your .htaccess file:
# BEGIN block author scans
RewriteEngine On
RewriteBase /
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans
For more information, see our article on how to discourage brute force attacks by blocking author scans in WordPress.
We hope this article helped you learn the most useful .htaccess tricks for WordPress. You may also want to see our ultimate step by step WordPress security guide for beginners.
If you liked this article, then please subscribe to our YouTube Channel for WordPress video tutorials. You can also find us on Twitter and Facebook.
The post 12 Most Useful .htaccess Tricks for WordPress appeared first on WPBeginner.
from WPBeginner http://www.wpbeginner.com/wp-tutorials/9-most-useful-htaccess-tricks-for-wordpress/
15 Useful .htaccess Snippets for Your WordPress Site
Having a well-configured .htaccess file is crucial if you want to increase security and reduce vulnerabilities on your WordPress site. Usually, the main goal of creating a custom .htaccess file is to prevent your site from being hacked, but it's also an excellent way to handle redirects and manage cache-related tasks.
.htaccess is a configuration file used on Apache web servers. Most WordPress sites run on an Apache server, although a small portion is powered by Nginx. In this article, you can find a collection of .htaccess code snippets, most of which you can use to secure your website while the rest implements other useful features.
Don’t forget to back up the .htaccess file before you edit it so that you can always return to the previous version if something goes wrong.
And, if you're someone who would rather not touch configuration files, I recommend the BulletProof Security plugin, which is the most reliable (and probably the oldest) free .htaccess security plugin on the market.
Create the default WP .htaccess
.htaccess works on a per-directory basis, which means that each directory can have its own .htaccess file. It can easily happen that your WordPress site doesn't have a .htaccess file yet. If you don't find a .htaccess file in your root directory, create an empty text file and name it .htaccess.
Below, you can find the default .htaccess WordPress uses. Whenever you need this code you can quickly look it up in the WordPress Codex. Note that there is a different .htaccess for WP Multisite.
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
The lines beginning with # are comments. Don’t edit anything between the lines # BEGIN WordPress and # END WordPress. Add your custom .htaccess rules below these default rules.
All code snippets you can find in this article go to the core .htaccess file found in your root directory.
1. Deny access to all .htaccess files
The code below denies access to all .htaccess files you have installed in your WordPress. This way you can prevent people from seeing your web server configurations.
# Denies access to all .htaccess files
<Files ~ "^.*\.([Hh][Tt][Aa])">
Order Allow,Deny
Deny from all
Satisfy all
</Files>
2. Protect your WP configuration
The wp-config.php file contains all your WP configurations, including your database login and password. You can either deny it from everyone or give permission to admins to access it.
If you choose the latter, uncomment the # Allow from xx.xx.xx.xxx line (remove # from the beginning of the line) and insert the admin's IP address in place of xx.xx.xx.xxx.
# Protects wp-config
<Files wp-config.php>
Order Allow,Deny
# Allow from xx.xx.xx.xxx
# Allow from yy.yy.yy.yyy
Deny from all
</Files>
3. Prevent XML-RPC DDoS attack
WordPress supports XML-RPC by default, an interface that makes remote publishing possible. However, while it's a great feature, it's also one of WP's biggest security vulnerabilities, as attackers may exploit it for DDoS attacks.
If you don't want to use this feature, it's better to just disable it. Just like before, you can add exceptions by uncommenting the # Allow from xx.xx.xx.xxx line and adding the IPs of your admin(s).
# Protects XML-RPC, prevents DDoS attack
<FilesMatch "^(xmlrpc\.php)">
Order Deny,Allow
# Allow from xx.xx.xx.xxx
# Allow from yy.yy.yy.yyy
Deny from all
</FilesMatch>
4. Protect your admin area
It’s also a good idea to protect the admin area by giving access only to administrators. Here, don’t forget to add at least one “Allow” exception otherwise you won’t be able to access your admin at all.
# Protects admin area by IP
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
<LIMIT GET>
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xxx
Allow from yy.yy.yy.yyy
</LIMIT>
5. Prevent directory listing
Most WordPress sites don’t disable directory listing, which means anyone can browse their folders and files, including media uploads and plugin files. It’s needless to say that this is a huge security vulnerability.
Below, you can see what a typical WordPress directory listing looks like.
Luckily, you just need one line of code to block this feature. This code snippet will return a 403 error message to anyone who wants to access your directories.
# Prevents directory listing
Options -Indexes
6. Prevent username enumeration
If WP permalinks are enabled, it's quite easy to enumerate usernames using the author archives. The revealed usernames (including the admin's username) can then be used in brute force attacks.
Insert the code below into your .htaccess file to prevent username enumeration.
# Prevents username enumeration
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]
7. Block spammers and bots
Sometimes you may want to restrict access from certain IP addresses. This code snippet provides an easy way to block spammers and bots you already know.
# Blocks spammers and bots
<Limit GET POST>
Order Allow,Deny
Deny from xx.xx.xx.xxx
Deny from yy.yy.yy.yyy
</Limit>
Allow from all
8. Prevent image hotlinking
Although not a security threat, image hotlinking is still an annoying thing. People don’t only use your images without your permission but they even do it at your cost. With these few lines of code, you can protect your site from image hotlinking.
# Prevents image hotlinking
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite2.com [NC]
RewriteRule \.(jpe?g?|png|gif|ico|pdf|flv|swf|gz)$ - [NC,F,L]
9. Restrict direct access to plugin & theme PHP files
It can be dangerous if someone directly calls your plugin and theme files, whether it happens accidentally or by a malicious attacker. This code snippet comes from the Acunetix website security company; you can read more about this vulnerability in their blog post.
# Restricts access to PHP files from plugin and theme directories
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/plugins/directory/to/exclude/
RewriteRule wp-content/plugins/(.*\.php)$ - [R=404,L]
RewriteCond %{REQUEST_URI} !^/wp-content/themes/file/to/exclude\.php
RewriteCond %{REQUEST_URI} !^/wp-content/themes/directory/to/exclude/
RewriteRule wp-content/themes/(.*\.php)$ - [R=404,L]
10. Set up permanent redirects
You can easily handle permanent redirects with .htaccess. First add the old URL, followed by the new URL that points to the page you want to redirect the user to.
# Permanent redirects
Redirect 301 /oldurl1/ http://ift.tt/2pUgqiU
Redirect 301 /oldurl2/ http://ift.tt/2qAytXu
11. Send visitors to a maintenance page
We wrote about this technique in detail here. You need a separate maintenance page (maintenance.html in the example) for this .htaccess rule to work. This code puts your WordPress site into maintenance mode.
# Redirects to maintenance page
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REMOTE_ADDR} !^123\.456\.789\.000
RewriteCond %{REQUEST_URI} !/maintenance.html$ [NC]
RewriteCond %{REQUEST_URI} !\.(jpe?g?|png|gif) [NC]
RewriteRule .* /maintenance.html [R=503,L]
</IfModule>
12. Restrict all access to WP includes
The /wp-includes/ folder contains the core WordPress files that are necessary for the CMS to work. There is no content, plugins, themes or anything else a user may want to access here. So to harden security it's best to restrict all access to it.
# Blocks all wp-includes folders and files
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
13. Block cross-site scripting (XSS)
The following code snippet is from WP Mix and it protects your site against some common XSS attacks, namely script injections and attempts to modify global and request variables.
# Blocks some XSS attacks
<IfModule mod_rewrite.c>
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* index.php [F,L]
</IfModule>
14. Enable browser caching
As I mentioned before, .htaccess is not only good for security reasons and redirections but it can also help you manage the cache. The code snippet below is from Elegant Themes and it makes browser caching possible by enabling visitors to save certain kinds of files, so next time they visit they don’t have to download them again.
# Enables browser caching
<IfModule mod_expires.c>
ExpiresActive On
ExpiresByType image/jpg "access 1 year"
ExpiresByType image/jpeg "access 1 year"
ExpiresByType image/gif "access 1 year"
ExpiresByType image/png "access 1 year"
ExpiresByType text/css "access 1 month"
ExpiresByType application/pdf "access 1 month"
ExpiresByType text/x-javascript "access 1 month"
ExpiresByType application/x-shockwave-flash "access 1 month"
ExpiresByType image/x-icon "access 1 year"
ExpiresDefault "access 2 days"
</IfModule>
15. Set up custom error pages
You can use .htaccess to set up custom error pages on your WordPress site. For this method to work, you also need to create the custom error pages (custom-403.html, custom-404.html in the example) and upload them to your root folder.
You can set up a custom error page for any HTTP error status code (4XX and 5XX status codes) you want.
# Sets up custom error pages
ErrorDocument 403 /custom-403.html
ErrorDocument 404 /custom-404.html
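Both .htaccess articles above (the WPBeginner tricks and this Hongkiat collection) add the same handful of hardening rules, and it is easy to lose one when the file is regenerated. The following is an added example, not code from either article: a small lint that reads an .htaccess and wp-config.php textually and reports which of those rules (blocked xmlrpc.php, protected wp-config.php, self-protected .htaccess, Options -Indexes, author-scan block, DISALLOW_FILE_EDIT) are missing. It runs without Apache, so a pass means the directive is present, not that the live server enforces it; the sample files are constructed.

```python
"""Lint a WordPress .htaccess (plus wp-config.php) for the hardening rules
covered in the articles above. Pure text matching, no Apache required."""
import re

# Sections the articles use: <Files ...>, <FilesMatch ...>, lower-case <files ...>
_FILES_SECTION = r"<Files(?:Match)?\b[^>]*{target}[^>]*>.*?</Files(?:Match)?>"


def strip_comments(text):
    """Drop '#' comment lines so a commented-out 'Deny from all' does not count."""
    return "\n".join(l for l in text.splitlines() if not l.strip().startswith("#"))


def section_denies_all(htaccess, target_regex):
    """True if a <Files>/<FilesMatch> section whose opener matches target_regex
    contains a deny-all (Apache 2.2 'Deny from all' or 2.4 'Require all denied')."""
    pattern = _FILES_SECTION.format(target=target_regex)
    for m in re.finditer(pattern, htaccess, re.I | re.S):
        if re.search(r"\bDeny\s+from\s+all\b|\bRequire\s+all\s+denied\b", m.group(0), re.I):
            return True
    return False


def audit(htaccess_text, wpconfig_text=None):
    """Return {check_name: passed} for each hardening rule from the articles."""
    h = strip_comments(htaccess_text)
    c = wpconfig_text or ""
    return {
        "xmlrpc_blocked": section_denies_all(h, r"xmlrpc"),
        "wp_config_protected": section_denies_all(h, r"wp-config\.php"),
        # the articles' "\.([Hh][Tt][Aa])" pattern, or a literal ".hta..." filename
        "htaccess_self_protected": section_denies_all(h, r"(?:\[Hh\]\[Tt\]\[Aa\]|\.hta)"),
        "directory_listing_off": bool(re.search(r"^\s*Options\b[^\n]*-Indexes", h, re.I | re.M)),
        # a RewriteCond on QUERY_STRING looking for author=... (author-scan block)
        "author_scan_blocked": bool(re.search(
            r"^\s*RewriteCond\s+%\{QUERY_STRING\}\s+\S*author=", h, re.I | re.M)),
        "file_edit_disabled": bool(re.search(
            r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", c)),
    }


def missing(htaccess_text, wpconfig_text=None):
    """Names of the checks that did not pass, sorted for stable output."""
    return sorted(k for k, ok in audit(htaccess_text, wpconfig_text).items() if not ok)


# Constructed sample: the stock WordPress rewrite block only
DEFAULT_HTACCESS = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed sample: stock block plus the articles' hardening snippets
HARDENED_HTACCESS = DEFAULT_HTACCESS + r"""
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
<files wp-config.php>
order allow,deny
deny from all
</files>
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
Options -Indexes
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
"""

WP_CONFIG_DEFAULT = "define('WP_DEBUG', false);\n"
WP_CONFIG_HARDENED = WP_CONFIG_DEFAULT + "define('DISALLOW_FILE_EDIT', true);\n"

if __name__ == "__main__":
    print("default  :", missing(DEFAULT_HTACCESS, WP_CONFIG_DEFAULT))
    print("hardened :", missing(HARDENED_HTACCESS, WP_CONFIG_HARDENED))
```

To lint a real site, read the root .htaccess and wp-config.php into the two arguments; the function reports only presence of the rules, so confirm enforcement afterwards by requesting /xmlrpc.php and /?author=1 against your own site and expecting a 403 or redirect.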
via Hongkiat http://ift.tt/2pU1m4F