• Resolved tommytime555 (@tommytime555)


    I am attempting to beef up my website security and was given some helpful .htaccess hacks to add to my .htaccess file, but I didn’t want to do this if Wordfence possibly already handles these… Here are my hacks:

    Thank you!

    9. Protect your .htaccess
    After tweaking your .htaccess to protect your blog from hackers, you cannot simply leave the .htaccess itself open to attacks. The hack below prevents external access to any file with .hta in its name. Simply place the code in your domain’s root .htaccess file.

    # STRONG HTACCESS PROTECTION
    # Deny web access to any file whose name contains ".hta" (case-insensitive),
    # i.e. .htaccess and .htpasswd
    <FilesMatch "^.*\.([Hh][Tt][Aa])">
    order allow,deny
    deny from all
    satisfy all
    </FilesMatch>

    10. No Directory Browsing
    It’s not a good idea to allow your visitors to browse through your entire directory. This is an easy way to find out about directory structures, and it makes it easier for hackers to look out for security holes.

    In order to stop this, simply add these two lines to the .htaccess in the root directory of your WordPress blog.

    # disable directory browsing
    Options All -Indexes

    11. Secure wp-config.php
    wp-config.php is important because it contains all the sensitive data and configuration of your blog, and therefore we must secure it through .htaccess. Simply adding the code below to the .htaccess file in the root directory can do the trick.

    # protect wp-config.php
    <files wp-config.php>
    Order deny,allow
    Deny from all
    </files>

    The code denies access to the wp-config.php file to everyone (including me :()

    12. Limit Access to the Wp-Content Directory
    wp-content contains everything. This is a very important folder and you should secure it. You don’t want users to browse and get access to unwanted/other data. Users should only be able to view and access certain file types like images (jpg, gif, png), JavaScript, CSS and XML.

    Place the code below in the .htaccess file within the wp-content folder (not the root).

    # Deny everything in wp-content, then re-allow the static asset types listed
    Order deny,allow
    Deny from all
    <FilesMatch "\.(xml|css|jpe?g|png|gif|js)$">
    Allow from all
    </FilesMatch>

    13. Protect WordPress Admin Files
    Wp-admin should be accessed only by you and your fellow bloggers (if any). You may use .htaccess to restrict access and allow only specific IP addresses to this directory.

    If you have a static IP address and you always blog from your computer, then this can be a good option for you. However, if you run a multiple-user blog then you can either opt out of this or allow access from a range of IPs. You can refer to Apache’s documentation on mod_access for complete instructions on how to set this up.

    Copy and paste the code below to the .htaccess in wp-admin folder (not root folder)

    # deny access to wp admin
    # Apache does not allow comments at the end of a directive line, so the
    # note about the IP lives on its own line: xx.xx.xx.xx is your static IP
    order deny,allow
    allow from xx.xx.xx.xx
    deny from all

    The above code will prevent browser access to any file in these directories other than “xx.xx.xx.xx” which should be your static IP address.

    There is another way you could restrict access to the directory, and that is by using a password in the .htaccess. I am planning to write a detailed .htaccess hack where I will include all of these.

    14. Prevent script injection
    I found this code on wprecipes and it works like a charm. Now you can protect your WordPress blog from script injection, and unwanted modification of _REQUEST and/or GLOBALS.

    Simply copy and paste the code below to your .htaccess in the root.

    # protect from sql injection
    Options +FollowSymLinks
    RewriteEngine On
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
    RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
    RewriteRule ^(.*)$ index.php [F,L]

  • Hi tommytime555,
    Sorry for my late reply, I’ve read all of these tips regarding “.htaccess” file, let me tell you my thoughts about them:

    9- Something similar to this snippet is already in the default Apache web server configuration; you can double-check that with your host.
    10- Disabling “Directory Browsing” should be done at the server level by your host. If not, feel free to add this snippet you mentioned in “.htaccess”, and report this issue to your host after that.
    11- You don’t have to do that if file permissions were set correctly on your server.
    12- This can be replaced by the “Disable Code Execution for Uploads directory” option in Wordfence.
    13- Please make sure that “/wp-admin/admin-ajax.php” is publicly accessible, because many plugins/themes use this file heavily, and by limiting “wp-admin” access to certain IPs, I’m afraid these plugins/themes won’t work properly.
    14- I’m pretty sure that the Wordfence firewall would prevent such SQL injection attacks.

    Thanks.
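For reference, the same five snippets rewritten for Apache 2.4. The `Order`/`Allow`/`Deny` directives in the original post are Apache 2.2 syntax and only keep working on 2.4 when the host loads mod_access_compat; 2.4’s native form is `Require`. This is an added example, not code from the original post, from the blog it quotes, or from Wordfence. It assumes Apache 2.4 with mod_authz_core and mod_rewrite, uses 203.0.113.10 (an RFC 5737 documentation address) as the placeholder admin IP, and adds the admin-ajax.php exception that the reply above says is needed.

```apache
# ---- root .htaccess --------------------------------------------------------

# 9. Block web access to .htaccess/.htpasswd. Apache 2.4's stock httpd.conf
#    already carries an equivalent <Files ".ht*"> block; this only matters if
#    the host removed it.
<FilesMatch "^\.ht">
    Require all denied
</FilesMatch>

# 10. No directory listings
Options -Indexes

# 11. wp-config.php is read by PHP via include, never fetched by a browser,
#     so nobody needs HTTP access to it
<Files "wp-config.php">
    Require all denied
</Files>

# 14. Same mod_rewrite conditions as in the original post; mod_rewrite syntax
#     is unchanged in 2.4. FollowSymLinks (or SymLinksIfOwnerMatch) must be on
#     for RewriteRule to work inside .htaccess. "-" means no substitution,
#     which is the conventional target when the F flag returns 403 anyway.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule .* - [F,L]

# ---- wp-content/.htaccess --------------------------------------------------

# 12. Deny everything, then re-allow static asset types. Any type not listed
#     here (svg, ico, .map, ...) becomes a 403, so extend the list to match
#     what your theme actually serves; woff/woff2 is added here because most
#     current themes ship web fonts.
Require all denied
<FilesMatch "\.(xml|css|jpe?g|png|gif|js|woff2?)$">
    Require all granted
</FilesMatch>

# ---- wp-admin/.htaccess ----------------------------------------------------

# 13. Admin area only from fixed addresses. 203.0.113.10 is a placeholder;
#     add one "Require ip" line per address or CIDR range. admin-ajax.php stays
#     public because front-end plugins and themes call it for logged-out users.
<RequireAny>
    Require ip 203.0.113.10
</RequireAny>
<Files "admin-ajax.php">
    Require all granted
</Files>
```

Apache merges `<Files>`/`<FilesMatch>` sections after the bare directives of the same .htaccess, so the `Require all granted` exceptions override the directory-wide `Require all denied`. After deploying, check from an address outside the allow-list that `/wp-config.php`, `/.htaccess` and `/wp-admin/` return 403 while `/wp-admin/admin-ajax.php` and a known image under `/wp-content/` still return 200; the host’s error log will show `client denied by server configuration` for the blocked requests.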

    Hello!

    I hope we were successful in helping you resolve your issue with Wordfence! Since we have not heard back from you in the past 2 weeks I will now be marking this support thread as resolved. However, if we still haven’t resolved your issue please reach out to us as we would be more than happy to further assist you!

    Thanks and have a great day!
    Chloe

  • The topic ‘Does Wordfence modify my htaccess file?’ is closed to new replies.