Protect and lock down WordPress

From Hostek.com Wiki


How to Protect WordPress

Windows Server

  1. Edit or create a file named .htaccess in the directory of your WordPress installation (yes, the file name starts with a dot).
  2. Place this code in the .htaccess file (this example assumes your public IP address is 123.123.123.123; substitute your own):
# Turn on mod_rewrite for this directory
RewriteEngine On
# Match the XML-RPC endpoint, the login page, the AJAX handler and the
# dashboard (the wp-admin pattern also covers paths beneath it); [OR] chains
# these conditions so that any one of them is enough
RewriteCond %{REQUEST_URI} ^(.*)?xmlrpc\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?admin-ajax\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/.*)?$
# ... AND the client is not your own address (no [OR]: this is ANDed)
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# Send everyone else to an unroutable address whose path explains the block
RewriteRule .* http://0.0.0.0/Please_check_your_htaccess_file_or_contact_your_hosting_provider_for_assistance [R=301]

NOTE: If you need to allow access from more than one IP address, replace the single REMOTE_ADDR line with one negated line per address, as in this example, and update the addresses accordingly (each line is ANDed with the previous one, so the redirect only fires when the client matches none of them):

# First allowed address
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
# Second allowed address (placeholder; replace with your own)
RewriteCond %{REMOTE_ADDR} !^124\.124\.124\.124$

What this does: The rule above restricts the WordPress dashboard, and the WordPress API endpoint (xmlrpc.php) that attackers target, to the listed IP address. The xmlrpc.php file essentially lets outside applications "interact" and "communicate" with your WordPress site in ways you may not want. The dashboard is locked down because WordPress is widely targeted around the world: attackers look for the vulnerabilities known for each WordPress version and attempt to get in and compromise your site.

The 'admin-ajax.php' file is locked down because attackers commonly target it to hurt your site and server performance: requests to it are resource heavy and take up a lot of CPU. It is very uncommon for this file to ever be needed, as it serves the WordPress heartbeat API. If you do need this file enabled, I'd recommend locking it down to specific IP addresses.
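A way to generate the allow-list rules for any number of addresses and check them offline, written for this page as an added example (not Hostek's own tooling): build_htaccess() emits the RewriteCond block in the form used under Windows Server above, validating and dot-escaping each address, and is_blocked() evaluates the conditions the way Apache combines them (conditions are ANDed unless flagged [OR]), which is also why the multi-IP note needs one negated REMOTE_ADDR line per address rather than an [OR] chain. The addresses 198.51.100.7 and 203.0.113.5 are constructed test values, and the function names are my own.

```python
"""Generate and sanity-check the WordPress lockdown rules from this page.

Added example (not Hostek's own tooling): builds the mod_rewrite block for a
list of allowed IPs and then evaluates it the way Apache combines RewriteCond
lines (implicit AND, explicit [OR]) so the allow-list can be checked offline
before it is uploaded.
"""
import ipaddress
import re

# Endpoints the page locks down; the wp-admin pattern also covers paths under it.
PROTECTED_PATTERNS = [
    r"^(.*)?xmlrpc\.php(.*)$",
    r"^(.*)?wp-login\.php(.*)$",
    r"^(.*)?admin-ajax\.php(.*)$",
    r"^(.*)?wp-admin(/.*)?$",
]

REDIRECT = ("http://0.0.0.0/Please_check_your_htaccess_file_or_contact_"
            "your_hosting_provider_for_assistance")


def build_htaccess(allowed_ips):
    """Return .htaccess text allowing only `allowed_ips` to reach the endpoints.

    Each address is validated and regex-escaped, and gets its own negated
    RewriteCond with no [OR] flag so the conditions AND together:
    "not IP1 and not IP2" is exactly "none of the allowed addresses".
    """
    if not allowed_ips:
        raise ValueError("at least one allowed IP is required")
    lines = ["RewriteEngine On"]
    for i, pat in enumerate(PROTECTED_PATTERNS):
        flag = " [OR]" if i < len(PROTECTED_PATTERNS) - 1 else ""
        lines.append(f"RewriteCond %{{REQUEST_URI}} {pat}{flag}")
    for ip in allowed_ips:
        addr = ipaddress.ip_address(ip)  # raises ValueError on a malformed address
        lines.append(f"RewriteCond %{{REMOTE_ADDR}} !^{re.escape(str(addr))}$")
    lines.append(f"RewriteRule .* {REDIRECT} [R=301]")
    return "\n".join(lines) + "\n"


COND_RE = re.compile(r"^RewriteCond\s+%\{(\w+)\}\s+(\S+)(?:\s+\[(\w+)\])?$")


def is_blocked(htaccess, request_uri, remote_addr):
    """Evaluate the RewriteCond chain for one request.

    Mirrors Apache's combination rule: a condition flagged [OR] is ORed with
    the following one; conditions without the flag are ANDed. True means the
    RewriteRule fires, i.e. the request is redirected away.
    """
    env = {"REQUEST_URI": request_uri, "REMOTE_ADDR": remote_addr}
    groups, current = [], []
    for line in htaccess.splitlines():
        m = COND_RE.match(line.strip())
        if not m:
            continue                # RewriteEngine / RewriteRule / comments
        var, pattern, flag = m.groups()
        negate = pattern.startswith("!")
        matched = re.search(pattern.lstrip("!"), env[var]) is not None
        current.append(matched != negate)
        if flag != "OR":            # no [OR]: this line closes the OR group
            groups.append(current)
            current = []
    if current:                     # tolerate a trailing [OR] on the last line
        groups.append(current)
    return all(any(g) for g in groups)


# Constructed counter-example: putting [OR] between the negated IP checks is a
# common mistake; "not A or not B" is true for every client, so everyone,
# including the allowed addresses, is locked out.
WRONG_MULTI_IP = (
    "RewriteEngine On\n"
    "RewriteCond %{REQUEST_URI} ^(.*)?wp-login\\.php(.*)$\n"
    "RewriteCond %{REMOTE_ADDR} !^123\\.123\\.123\\.123$ [OR]\n"
    "RewriteCond %{REMOTE_ADDR} !^198\\.51\\.100\\.7$\n"
    "RewriteRule .* http://0.0.0.0/blocked [R=301]\n"
)

if __name__ == "__main__":
    rules = build_htaccess(["123.123.123.123", "198.51.100.7"])
    print(rules)
    print("outsider on /wp-login.php blocked:",
          is_blocked(rules, "/wp-login.php", "203.0.113.5"))
    print("allowed IP on /wp-login.php blocked:",
          is_blocked(rules, "/wp-login.php", "123.123.123.123"))
    print("[OR] mistake locks out allowed IP:",
          is_blocked(WRONG_MULTI_IP, "/wp-login.php", "123.123.123.123"))
```

Two caveats worth checking before relying on the rule: REMOTE_ADDR is the address of the immediate client, so behind a CDN or reverse proxy it holds the proxy's address and the allow-list must be applied to the real client address (for example via mod_remoteip) or every visitor, yourself included, is redirected; and because the redirect is a 301, browsers cache it, so after correcting a mistaken allow-list you may need to clear the browser cache before the dashboard loads again.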

Linux Server

  1. Edit or create a file named .htaccess in the directory of your WordPress installation (yes, the file name starts with a dot).
  2. Place this code in the .htaccess file (this example assumes your public IP address is 123.123.123.123; substitute your own):
# Apply the IP restriction to the login, AJAX, admin and XML-RPC entry points.
# FilesMatch tests the file name only, so 'wp-admin' matches files of that
# name rather than the whole /wp-admin/ directory; wp-login.php and
# admin-ajax.php still cover the dashboard's entry points.
<FilesMatch 'wp-login|admin-ajax\.php|wp-admin|xmlrpc\.php'>
  RewriteEngine On
  # Redirect every client except your own address (anchored, dots escaped)
  RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
  RewriteRule .* http://0.0.0.0/Please_check_your_htaccess_file_or_contact_your_hosting_provider_for_assistance [R=301]
</FilesMatch>

NOTE: If you need to allow access from more than one IP address, replace the single REMOTE_ADDR line with one negated line per address, as in this example, and update the addresses accordingly (each line is ANDed with the previous one, so the redirect only fires when the client matches none of them):

  # First allowed address
  RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
  # Second allowed address (placeholder; replace with your own)
  RewriteCond %{REMOTE_ADDR} !^124\.124\.124\.124$

What this does: The same as the Windows Server rule above; see the explanation in that section. The only difference is that the FilesMatch wrapper applies the IP check by file name instead of matching the request URI.