Caleb.williamson: /* Windows Server */

2017-10-13T18:32:30Z

‎Windows Server

Kaseya: Created page with "FORCETOC ==How to Protect WordPress== ===Windows Server=== #Edit or Create a file named .htaccess within the directory of your WordPress installation (yes, the file star..."

2017-02-16T05:46:38Z

Created page with "__FORCETOC__ ==How to Protect WordPress== ===Windows Server=== #Edit or Create a file named .htaccess within the directory of your WordPress installation (yes, the file star..."

New page

__FORCETOC__

==How to Protect WordPress==
===Windows Server===
#Edit or Create a file named .htaccess within the directory of your WordPress installation (yes, the file starts with .)
#Place this code in the .htaccess file (this example assumes your IP is 123.123.123.123). Click to see your [http://hostek.com/ip IP].
RewriteEngine On
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?admin-ajax\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
RewriteRule .* http://0.0.0.0/Please_check_your_htaccess_file_or_contact_your_hosting_provider_for_assistance [R=301]

NOTE: If you need to allow access from more than 1 IP replace the REMOTE_ADDR line with this example and update accordingly
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$

'''What this does:''' The above rule locks down the Wordpress dashboard, as well as the ability for the wordpress api ( xmlrpc ) to be attacked. The xml-rpc file essentially allows for outside applications to "interact" and "communicate" to your wordpress site in ways you may not want to. The reason for locking down the WordPress dashboard is because Wordpress is widely targeted around the world for potential vulnerabilities. Attackers will attempt to find common vulnerabilities known for each version of WordPress and will attempt to get in and compromise your site.

The 'admin-ajax.php' file is being locked down because this file is commonly targeted by attackers to hurt your site and server performance. This file is very resource heavy as it takes up a lot of CPU. It is very uncommon for this to ever be used as it's a wordpress heartbeat API. If you do need this file enabled then I'd recommend locking it down to specific IP Addresses.

===Linux Server===
#Edit or Create a file named .htaccess within the directory of your WordPress installation (yes, the file starts with .)
#Place this code in the .htaccess file (this example assumes your IP is 123.123.123.123). Click to see your [http://hostek.com/ip IP].

<pre><FilesMatch 'wp-login|admin-ajax.php|wp-admin|xmlrpc.php'>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} !123.3123.123.123
RewriteRule .* http://0.0.0.0/Please_check_your_htaccess_file_or_contact_your_hosting_provider_for_assistance [R=301]
</FilesMatch></pre>

NOTE: If you need to allow access from more than 1 IP replace the REMOTE_ADDR line with this example and update accordingly
RewriteCond %{REMOTE_ADDR} !123.123.123.123

'''What this does:''' The above rule locks down the Wordpress dashboard, as well as the ability for the wordpress api ( xmlrpc ) to be attacked. The xml-rpc file essentially allows for outside applications to "interact" and "communicate" to your wordpress site in ways you may not want to. The reason for locking down the WordPress dashboard is because Wordpress is widely targeted around the world for potential vulnerabilities. Attackers will attempt to find common vulnerabilities known for each version of WordPress and will attempt to get in and compromise your site.

The 'admin-ajax.php' file is being locked down because this file is commonly targeted by attackers to hurt your site and server performance. This file is very resource heavy as it takes up a lot of CPU. It is very uncommon for this to ever be used as it's a wordpress heartbeat API. If you do need this file enabled then I'd recommend locking it down to specific IP Addresses.

[[Category:WordPress]]

@@ Line 8: / Line 8: @@
   RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
   RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
-RewriteCond %{REQUEST_URI} ^(.*)?admin-ajax\.php(.*)$ [OR]
+ RewriteCond %{REQUEST_URI} ^(.*)?admin-ajax\.php(.*)$ [OR]
   RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
   RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$

Protect and lock down Wordpress - Revision history

Caleb.williamson: /* Windows Server */

Kaseya: Created page with "__FORCETOC__ ==How to Protect WordPress== ===Windows Server=== #Edit or Create a file named .htaccess within the directory of your WordPress installation (yes, the file star..."

Kaseya: Created page with "FORCETOC ==How to Protect WordPress== ===Windows Server=== #Edit or Create a file named .htaccess within the directory of your WordPress installation (yes, the file star..."