How to set up internal protection for .htaccess to | Website security
This part is applicable only for cases when you wish to manually set up all the necessary settings and rules. All these settings can be set up automatically with secure plugins (especially BulletProof Security). We recommend using the secure plugins first and only if they fail to deliver necessary control, perform manual configuration. If you do need to make specific changes to the .htaccess file manually, kindly use the guide provided below:
.htaccess (hypertext access) is the default name of the directory-level configuration file specific for web servers running Apache.
This is a file which is modified the most often when dealing with redirects and is also often used to change file types to make them executable. It is also the one you will be using to harden your environment.
To protect it, apply a few simple rules – set low permissions and deny access.
Apply Low Permissions
The basic guidance for permissions is simple: the lower the number, the harder the access becomes. Good rule of thumb is to keep the number as low as possible where the performance or functionality is not impacted. For most users, setting it to 640 will grant the level of access that you need.
Add .HTACCESS Directives
What’s important to note here is that this only works if the attack is external. This won’t protect you from internal attacks (if an entire cPanel account is hacked, for example)
This is the .htaccess directive you can use:
#PROTECT HTACCESS
<Files .htaccess>
Order Allow, Deny
Deny from all
</Files>
Note: This only protects the file from external access.
# disable directory browsing
Options All –Indexes
Wp-config.php is important because it contains all the sensitive data and configuration of your blog and therefore, it should be locked through .htaccess. Add the code below to the .htaccess file in the root directory:
# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>
The code denies access to the wp-config.php file to everyone.
Place the code below in the .htaccess file within the wp-content folder (not the root):
Order deny,allow
Deny from all
<Files ~ “.(xml|css|jpeg|png|gif|js)$”>
Allow from all
</Files>
If you have a static IP address and you always blog from your computer, this can be a good option for you. However, if you run a multiple user blog, then either you can opt out of it or you can allow access from a range of IPs.
Copy and paste the code below into the .htaccess in the wp-admin folder (not the root folder):
# deny access to wp admin
order deny,allow
allow from xx.xx.xx.xx # This is your static IP
deny from all
The above code will prevent the browser from accessing any file in these directories other than “xx.xx.xx.xx” which should be your static IP address.
# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
.htaccess (hypertext access) is the default name of the directory-level configuration file specific for web servers running Apache.
This is a file which is modified the most often when dealing with redirects and is also often used to change file types to make them executable. It is also the one you will be using to harden your environment.
To protect it, apply a few simple rules – set low permissions and deny access.
Apply Low Permissions
The basic guidance for permissions is simple: the lower the number, the harder the access becomes. Good rule of thumb is to keep the number as low as possible where the performance or functionality is not impacted. For most users, setting it to 640 will grant the level of access that you need.
Add .HTACCESS Directives
What’s important to note here is that this only works if the attack is external. This won’t protect you from internal attacks (if an entire cPanel account is hacked, for example)
This is the .htaccess directive you can use:
#PROTECT HTACCESS
<Files .htaccess>
Order Allow, Deny
Deny from all
</Files>
Note: This only protects the file from external access.
- Disable directory browsing
# disable directory browsing
Options All –Indexes
- wp-config file protection
Wp-config.php is important because it contains all the sensitive data and configuration of your blog and therefore, it should be locked through .htaccess. Add the code below to the .htaccess file in the root directory:
# protect wp-config.php
<files wp-config.php>
Order deny,allow
Deny from all
</files>
The code denies access to the wp-config.php file to everyone.
- Access to wp-content directory
Place the code below in the .htaccess file within the wp-content folder (not the root):
Order deny,allow
Deny from all
<Files ~ “.(xml|css|jpeg|png|gif|js)$”>
Allow from all
</Files>
- wp-admin files
If you have a static IP address and you always blog from your computer, this can be a good option for you. However, if you run a multiple user blog, then either you can opt out of it or you can allow access from a range of IPs.
Copy and paste the code below into the .htaccess in the wp-admin folder (not the root folder):
# deny access to wp admin
order deny,allow
allow from xx.xx.xx.xx # This is your static IP
deny from all
The above code will prevent the browser from accessing any file in these directories other than “xx.xx.xx.xx” which should be your static IP address.
- Prevent script injection
# protect from sql injection
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Buy Spotify Followers and plays at most affordable price. We provide authentic music promotion services. Get more spotify plays, followers and boost up your popularity on spotify.
ReplyDelete