Securing Wordpress Installation

Discussion in 'other security issues & news' started by whitedragon551, Mar 11, 2013.

Thread Status:
Not open for further replies.
  1. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    As most of you know I have my own site. Some of the folders are accessible without being logged in.

    What would be the best way to prevent unauthorized access to these locations?

    I can completely disable indexing using an .htaccess file in the website root, but that prevents users from getting to the HirensBCD mirror also hosted on the site.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    18,278
    Location:
    New England
    You can put .htaccess files in sub-directories (assuming certain settings in your webserver config files), not just in the webroot. They can be custom for exactly the rules you want in each directory. If one limiting indexing, placed in the webroot, is okay for everything except wherever you have your mirror, adding one in that directory that switches indexing back on should work.

    You could also put empty (or basic stub) index files in every directory that doesn't have one of its own, except the mirror directory, of course. They would catch any attempt at indexing in each specific directory. You'll find a lot of PHP applications do this for world readable subdirectories that aren't meant for direct browsing by the public. If you have PHP applications on your site, scan into the subdirectories to see the stub index files they are using for this purpose.

    If you have some directories you'd rather limit access to via passwords, check out using .htaccess for that. Search on: "password protecting directory using htaccess" for how-to info. I usually put my test forums and other test apps behind password access, and only give the access info to those doing testing.

    There's lots of ways to accomplish this kind of tightening up.
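    The layered .htaccess setup described in this reply, written out as an added example (not configuration from the thread or from the poster): a webroot file that disables listings, a mirror directory that re-enables them, and a test directory behind a password. The directory names `hirens/` and `test-forum/` and the path `/var/www/auth/.htpasswd` are assumptions. Apache only honours these files when the server config grants `AllowOverride Options AuthConfig` (or `AllowOverride All`) for the tree, which is the "certain settings" caveat above; stub `index.html` files in listing-less directories remain a sensible belt-and-braces measure if that override is ever withdrawn.

```apache
# ---- webroot/.htaccess ----
# Disable automatic directory listings everywhere below the webroot.
# Requires "AllowOverride Options" (or All) in the server config.
Options -Indexes

# ---- webroot/hirens/.htaccess ----  (mirror directory; name assumed)
# Re-enable listings only here so visitors can browse the mirror files.
Options +Indexes

# ---- webroot/test-forum/.htaccess ----  (test app; name assumed)
# Password-protect the directory with HTTP Basic auth.
# Requires "AllowOverride AuthConfig" (or All) in the server config.
# The credential file lives outside the webroot so it can never be served.
AuthType Basic
AuthName "Restricted test area"
AuthUserFile /var/www/auth/.htpasswd
Require valid-user
```

The `.htpasswd` file is created with Apache's `htpasswd` utility (for example `htpasswd -c /var/www/auth/.htpasswd testuser`), and because Basic auth sends credentials in the clear, the protected directory should only be reachable over HTTPS. Note that these rules govern what Apache serves; they do nothing about files reached through other channels such as FTP/SFTP or a shell account.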
     
  3. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    I have used a .htaccess file in root to block the wp-includes folder. It allows the HirensBCD folder, but I've heard from some network engineer friends that .htaccess files are easy to get around.
     
  4. whitedragon551

    whitedragon551 Registered Member

    Joined:
    Sep 30, 2008
    Posts:
    3,264
    Location:
    USA
    I have forced SFTP instead of FTP, disabled FTP through my web host, removed the ability to modify .php and .css files from admin, removed admin as a user, used .htaccess to prevent indexing and listing directories except for those that I specify, and implemented a syslog that logs all IPs that hit the site, login attempts, successful logins, failed logins, and much more.

    What else is there left that I could do to tighten down security?
     