secure htaccess
Posted by bittraffix, 04-22-2011, 12:40 AM |
Can you please tell me what's the best htaccess for WordPress to secure my blog?
|
Posted by SH-Mau, 04-22-2011, 12:54 AM |
The one that comes with WordPress. The best way to be protected is to keep your WordPress updated all the time; additional software/services could be used to help, like mod_security or CloudFlare.
|
Posted by SiberForum, 04-22-2011, 03:23 AM |
If you need to have a secure connection to your blog via HTTP, you may use SSL. So far there should be reasons for that.
MrNerd is right - follow up on all updates and you will be OK.
|
Posted by pmabraham, 04-26-2011, 10:34 AM |
Greetings:
Make sure the server you are hosted on is secured.
Check out http://wordpress.org/extend/plugins/...roof-security/ as a plugin that can help, including .htaccess.
Thank you.
|
Posted by WeWatch, 04-27-2011, 08:53 AM |
We've found that the majority of WordPress sites that are infected are due to WordPress itself not being updated, as well as all plugins.
More often than not, it's the plugins that don't get updated.
It would be nice if WordPress had a "Vulnerable Plugins" list similar to what Joomla has with their "Vulnerable Extensions" list.
The standard .htaccess file that comes with WordPress doesn't protect your plugins all that well.
Your .htaccess file also needs to protect your wp-content folder from outside injections and inclusions.
Hackers know that when you update your WordPress files, you delete the wp-admin and wp-includes folders, then copy those from the updated files, then copy over the root and wp-content folders from the update.
However, they also know that very little gets updated in the wp-content folder. Therefore, the safest place for them (hackers) to hide their malware is somewhere in the wp-content folder. Usually in a theme or some plugin folder.
Rarely do we see where all the plugins have been kept updated.
In the log files for infected sites we see many entries with:
GET querystrings with http:// (then the URL of some hacked/hacker website where they can remotely include a file)
So the .htaccess should prevent any direct access to .php files in the wp-content folder. Only "internal" access to these files should be allowed. Same rule holds true for the wp-includes folder.
Remember that .htaccess controls access for http requests - not internal program requests.
You also need to prevent code from running in any images folders, etc.
|
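An added example (not part of the original thread): a Python sketch of the log review WeWatch describes, flagging requests whose query-string value is a remote URL and direct requests for .php files under wp-content or wp-includes. The log lines, hostnames and plugin names are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Request line and status inside an Apache common/combined log entry.
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})')
# A parameter value that is itself a remote URL (the "http://" pattern in the post).
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# A .php file requested directly under the two folders named in the post.
DIRECT_PHP_RE = re.compile(r"^/(?:wp-content|wp-includes)/.*\.php(?:/|$)", re.IGNORECASE)

# Constructed sample entries (documentation IPs and example hostnames).
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Apr/2011:08:41:02 +0000] "GET /index.php?page=http://files.example.net/inc.txt? HTTP/1.1" 200 5120',
    '192.0.2.10 - - [27/Apr/2011:08:41:05 +0000] "GET /wp-content/plugins/demo-plugin/load.php?src=http%3A%2F%2Ffiles.example.net%2Finc.txt HTTP/1.1" 403 199',
    '198.51.100.7 - - [27/Apr/2011:08:42:11 +0000] "GET /wp-content/uploads/2011/04/photo.php HTTP/1.1" 200 48',
    '198.51.100.7 - - [27/Apr/2011:08:43:00 +0000] "GET /wp-content/themes/demo/style.css?ver=3.1 HTTP/1.1" 200 2048',
]


def scan(lines):
    """Return (status, path, findings) for each log line with at least one finding."""
    hits = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a parsable request line
        parts = urlsplit(match.group("target"))
        path = unquote(parts.path)
        findings = []
        # parse_qsl percent-decodes values, so http%3A%2F%2F is caught as well.
        for name, value in parse_qsl(parts.query, keep_blank_values=True):
            if REMOTE_URL_RE.match(value.strip()):
                findings.append("remote-url-param:" + name)
        if DIRECT_PHP_RE.match(path):
            findings.append("direct-php")
        if findings:
            hits.append((int(match.group("status")), path, findings))
    return hits


if __name__ == "__main__":
    for status, path, findings in scan(SAMPLE_LOG):
        print(status, path, ", ".join(findings))
```

A flagged request that returned 200 was served rather than refused, so those entries deserve the first look. Legitimate parameters can also carry URLs, so treat hits as leads for review.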