Prevent WordPress Hack

Prevent WordPress Hack by Blocking Search Engine Spiders from Indexing the Admin Section

Search engine spiders crawl your entire site and index everything they find unless they are told not to. There is no reason to have the admin area indexed, and the simplest way to keep well-behaved crawlers out of it is a robots.txt file in the site root containing the rules below. Two caveats apply. First, robots.txt is advisory: it does nothing against an attacker or a scanner that ignores it, and because the file is public it also advertises the paths you care about, so treat it as a tidiness measure and rely on the .htaccess rules later in this article for actual access control. Second, the rules below also stop crawlers from fetching the CSS and JavaScript under wp-includes and wp-content, which Google's guidelines say harms how it renders and ranks pages, and they must not block /wp-admin/admin-ajax.php, which WordPress front-end scripts call on behalf of anonymous visitors (the default robots.txt WordPress generates itself disallows /wp-admin/ but explicitly allows that file).

# robots.txt in the site root
User-agent: *
Disallow: /cgi-bin
Disallow: /wp-admin
# front-end scripts call admin-ajax.php for anonymous visitors; keep it fetchable
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-includes
Disallow: /wp-content/plugins/
Disallow: /wp-content/cache/
Disallow: /wp-content/themes/
Disallow: */trackback/
Disallow: */feed/
Disallow: /*/feed/rss/$
Disallow: /category/*

# .htaccess Hacks

.htaccess (hypertext access) is the default name of Apache's per-directory configuration file. Placed inside the web tree, it lets you manage configuration in a decentralised way, and it is most often used to apply security restrictions to a particular directory. This is not strictly one tip from the list, but you should know about .htaccess because it can do a lot to prevent WordPress hacks. I am not going to cover it in depth, but I found some sweet .htaccess hacks that tighten WordPress security; see them below. Two things to check before relying on any of them: the site must run on Apache with AllowOverride enabled for the directory (nginx ignores .htaccess entirely, and with AllowOverride None Apache silently skips the file), and the access-control directives used here (Order, Allow, Deny, Satisfy) are the Apache 2.2 syntax, which on Apache 2.4 only keeps working while mod_access_compat is loaded; the native 2.4 equivalents are Require all denied, Require all granted and Require ip. A syntax error in .htaccess returns a 500 error for the whole directory, so test every change right after you make it.

# Protect your .htaccess

After tweaking your .htaccess to protect your blog from hackers, you cannot leave the .htaccess file itself open to attack. The rule below denies web access to any file whose name contains .hta (so .htaccess and .htpasswd), in any letter case. Place it in your domain's root .htaccess file; it then applies to every subdirectory as well.

# STRONG HTACCESS PROTECTION
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead of the three lines
<Files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</Files>

# No Directory Browsing

It is not a good idea to let visitors browse your directories. A listing reveals the directory structure at a glance, which makes it easier for an attacker to look for security holes such as old backups, unprotected plugin files or writable upload folders.

To stop this, add the single line below to the .htaccess in the root directory of your WordPress blog. Options -Indexes switches off only directory listings; the often-copied form Options All -Indexes also switches on every other option, including ExecCGI and Includes, wherever the server allows Options overrides. If your host does not grant AllowOverride Options the line produces a 500 error, in which case ask the host to enable it or drop the line.

# disable directory browsing
Options -Indexes

# Secure wp-config.php

wp-config.php holds the database credentials, the authentication salts and the rest of your site's configuration, so it deserves its own rule in the root .htaccess. Apache normally runs it through PHP rather than serving its contents, but if the PHP handler is ever misconfigured or disabled the file would be returned as plain text. Adding the block below to the .htaccess file in the root directory does the trick. Note that it matches the exact file name only: editor or backup copies such as wp-config.php.bak or wp-config.php~ have no PHP extension, are served as plain text, and are not covered, so never leave such copies in the document root.

# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>

The code denies HTTP access to wp-config.php to everyone (including me :(); PHP still reads the file from disk, so WordPress itself is unaffected.

# Limit Access to the Wp-Content Directory

wp-content holds your themes, plugins and uploads, so it is worth locking down: visitors should not be able to request arbitrary files from it. The rule below permits only static asset types (images in jpg, gif and png, JavaScript, CSS and XML) and refuses everything else. Before enabling it, check what it blocks: any upload type not in the list (PDF, fonts, video) and any PHP file under plugins or themes that is requested directly rather than through WordPress; a few plugins ship such standalone endpoints and will break. Extend the pattern for the types your site actually serves.

Place the code below in the .htaccess file within the wp-content folder (not the root).

# wp-content/.htaccess: deny everything, then re-allow only static asset types
Order deny,allow
Deny from all
# escaped dot and jpe?g so that .jpg matches as the text promises; add pdf, svg, woff, mp4 as needed
<Files ~ "\.(xml|css|jpe?g|png|gif|js)$">
Allow from all
</Files>
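The uploads folder is the part of wp-content that needs the opposite treatment: it is the one place that accepts writes from the web (any account that can upload media, or a plugin with a sloppy upload handler), and a file that lands there must never run as PHP even if an upload check was fooled. The following wp-content/uploads/.htaccess is an added example in Apache 2.4 syntax, not code from the original article. It refuses to serve PHP-style files, including double extensions such as shell.php.jpg, and additionally turns the PHP engine off for mod_php installations. The module names mod_php7.c and mod_php.c are assumptions about which PHP module is loaded; php-fpm installations rely on the FilesMatch alone.

```apache
# wp-content/uploads/.htaccess  (Apache 2.4 syntax, added example)
#
# Nothing under uploads/ is ever legitimately executed, so refuse to serve
# anything whose name contains a PHP-style extension, not just ends in one:
# shell.php.jpg, shell.phtml and shell.php5 are all caught. Apache's mod_mime
# looks at every extension in a name, which is why double extensions matter.
<FilesMatch "\.(php|phtml|phar|php[0-9])(\.|$)">
    Require all denied
</FilesMatch>

# Second layer for servers running PHP as an Apache module: switch the
# engine off for this tree so a file that slips past the pattern above is
# served as text rather than run. The IfModule guards make the directive a
# no-op on php-fpm hosts, where no PHP module is loaded.
# (Assumed module names: mod_php7.c for PHP 7, mod_php.c for PHP 8.)
<IfModule mod_php7.c>
    php_flag engine off
</IfModule>
<IfModule mod_php.c>
    php_flag engine off
</IfModule>
```

If the host's AllowOverride setting does not permit php_flag the file produces a 500 error for every upload; in that case keep only the FilesMatch section, which needs just AllowOverride Limit. Verify the result by placing a harmless test.php in uploads/ and confirming that requesting it returns 403 rather than running.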

# Protect WordPress Admin Files

Only you and your fellow bloggers (if any) should be able to reach wp-admin. You can use .htaccess to restrict the directory to specific source IP addresses.

If you have a static IP address and always blog from the same connection, this is a good option. On a multi-author blog you can either skip it or allow a range of addresses. Apache's documentation for mod_authz_host (and mod_access_compat on Apache 2.4, which provides the Order/Allow/Deny syntax used here) covers the full syntax, including address ranges in CIDR notation.

Copy and paste the code below to the .htaccess in wp-admin folder (not root folder)

# wp-admin/.htaccess: allow only the listed address, deny everyone else
# Apache only accepts # at the start of a line; a comment after a directive is a syntax error
order deny,allow
# xx.xx.xx.xx is your static IP address
allow from xx.xx.xx.xx
deny from all

With Order deny,allow the Deny rule is evaluated first and the Allow rule overrides it, so every file in wp-admin is refused to any client except xx.xx.xx.xx, which should be your static IP address. Two gaps to close before relying on it: wp-admin/admin-ajax.php is requested by front-end scripts on behalf of anonymous visitors, so plugins and themes that use it break for everyone outside the list unless that file is exempted, and wp-login.php sits in the site root, not in wp-admin, so the login form itself stays reachable.

There is another way you could restrict access to the directory, and that is by using a password in the .htaccess. I am planning to write a detailed .htaccess hack where I will include all of these.
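As an added example that is not part of the original article, here is a wp-admin/.htaccess that does the same restriction in Apache 2.4 syntax, allows an address range as well as a single address, exempts the two files in wp-admin that anonymous front-end requests legitimately hit, and shows the password-protection alternative as a drop-in replacement for the address list. The addresses 203.0.113.0/24 and 198.51.100.7 are RFC 5737 documentation values standing in for your own, and /srv/auth/.htpasswd is an assumed path.

```apache
# wp-admin/.htaccess  (Apache 2.4 syntax, mod_authz_core; added example)
# 203.0.113.0/24 and 198.51.100.7 are RFC 5737 documentation addresses
# standing in for your office range and home address.

# 1. Everything under wp-admin/ is reachable only from the listed sources.
#    Inside RequireAny a match on any one line grants access; every other
#    client receives 403.
<RequireAny>
    Require ip 203.0.113.0/24
    Require ip 198.51.100.7
</RequireAny>

# 2. admin-ajax.php and admin-post.php live in wp-admin/ but are called by
#    front-end code for anonymous visitors too (AJAX actions, form handlers).
#    Without this exemption the allow-list breaks those features for
#    everyone outside the list. A Require inside a Files section replaces
#    the enclosing one because AuthMerging is Off by default.
<FilesMatch "^admin-(ajax|post)\.php$">
    Require all granted
</FilesMatch>

# 3. Alternative for teams without fixed addresses: HTTP Basic auth in
#    front of the WordPress login. Replace section 1 with these lines and
#    keep section 2. Create the file with
#        htpasswd -c /srv/auth/.htpasswd alice
#    and keep it outside the document root so it can never be served.
#    (/srv/auth/.htpasswd is an assumed path.)
#
# AuthType Basic
# AuthName "WordPress admin"
# AuthUserFile /srv/auth/.htpasswd
# Require valid-user
```

Check it from an address outside the list: a request for /wp-admin/ should return 403, while a request for /wp-admin/admin-ajax.php should not. Remember that wp-login.php is in the site root, so this file alone does not protect the login form; that needs a matching rule in the root .htaccess.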

# Prevent script injection

I found this code on wprecipes and it works like a charm. It rejects any request whose query string carries a <script> tag, literal or URL-encoded, or tries to set the GLOBALS or _REQUEST superglobals, an attack on the old register_globals feature that PHP removed in version 5.4. Treat it as a blunt signature filter: it only inspects the query string, not POST bodies or headers, and other injection payloads pass straight through, so it complements rather than replaces keeping WordPress and its plugins up to date.

Simply copy and paste the code below into the .htaccess in the root directory.

# block query strings that carry a <script> tag or try to set GLOBALS / _REQUEST
# mod_rewrite in .htaccess needs FollowSymLinks (or SymLinksIfOwnerMatch) enabled
Options +FollowSymLinks
RewriteEngine On
# literal or URL-encoded < ... script ... >, case-insensitive
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
# GLOBALS= , GLOBALS[ or GLOBALS followed by a percent-encoded character
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
# the F flag answers 403 regardless of the target, so index.php is never reached
RewriteRule ^(.*)$ index.php [F,L]
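The fragments in this article use the Apache 2.2 Order/Allow/Deny syntax. The following root .htaccess is an added example rather than code from the article: it collects the root-level rules (the .ht* files, directory listings, wp-config.php and the login form) in Apache 2.4 syntax, shows once how to write a rule that works on both versions, and closes two gaps the article's fragments leave open, backup copies of wp-config.php and wp-login.php living outside wp-admin. The address range 203.0.113.0/24 is an RFC 5737 documentation value standing in for your own; append the query-string rules from the script-injection section unchanged if you use them.

```apache
# .htaccess in the WordPress root  (Apache 2.4 syntax; added example)
# 203.0.113.0/24 is an RFC 5737 documentation range standing in for the
# addresses you administer from.

# 1. The .ht* files themselves (.htaccess, .htpasswd). Written with both
#    syntaxes so the same file can move between 2.2 and 2.4 hosts; the
#    remaining sections use 2.4 syntax only.
<FilesMatch "^\.ht">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
        Satisfy All
    </IfModule>
</FilesMatch>

# 2. No directory listings. -Indexes alone switches off just that option;
#    "Options All -Indexes" would also switch ExecCGI and Includes on.
#    Needs AllowOverride Options, otherwise the line causes a 500.
Options -Indexes

# 3. wp-config.php and every copy of it. A pattern with no trailing $ also
#    matches wp-config.php.bak, wp-config.php~ and wp-config.php.orig, which
#    Apache would otherwise serve as plain text because they carry no PHP
#    extension, and wp-config-sample.php, which nobody needs over HTTP.
<FilesMatch "^wp-config">
    Require all denied
</FilesMatch>

# 4. The login form lives here, not under wp-admin/, so an allow-list on
#    wp-admin/ alone leaves wp-login.php open to password guessing.
<Files wp-login.php>
    Require ip 203.0.113.0/24
</Files>
```

Sections 1, 3 and 4 need AllowOverride Limit (and AuthConfig if you swap section 4 for Basic auth); section 2 needs AllowOverride Options. After uploading, request /.htaccess, /wp-config.php.bak and /wp-login.php from an outside address and confirm all three return 403, then load the front page to make sure the site still renders.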
