What should the .htaccess file in wp-admin: .htaccess tricks

Simply things that have nothing to do with XAMPP, Apache Friends, Apache, MySQL, PHP and all that. Miscellaneous, really. ;)


Postby unleash_it » 27. December 2019 00:36

hello dear all


What should the .htaccess file in wp-admin contain? I've read that this .htaccess file should password-protect the wp-admin directory, and I've also read that this can cause functionality problems. Well, when it comes to .htaccess security in general I am not too firm with the concepts, therefore I have gathered some info.

I don't have specific experience with securing /wp-admin/ using .htaccess; here is a little list of some resources on different areas of interest regarding .htaccess:

- Hardening WordPress with .htaccess
- Password Protection, For WordPress

Find below some discussion about it.

https://wordpress.org/support/article/htaccess/

The .htaccess is a distributed configuration file, and is how Apache handles configuration changes on a per-directory basis. WordPress uses this file to manipulate how Apache serves files from its root directory, and subdirectories thereof. Most notably, WP modifies this file to be able to handle pretty permalinks. This page may be used to restore a corrupted .htaccess file (e.g. a misbehaving plugin).

# Basic WP
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress

# Apache 2.2 syntax: every .php file in this directory requires a Basic Auth login.
# "Deny from all" plus "Satisfy any" means: an IP rule (none listed here) OR a valid user grants access.
<Files ~ "\.(php)$">
AuthUserFile /etc/httpd/htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
</Files>


Typically WordPress only has the following, which handles permalink processing and is not related to security:

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>


# END WordPress

Recently I've found the WP htaccess Control plugin, which manages a lot of .htaccess for us.
After tweaking its settings it added the following options:

# WPhtC: Disable ServerSignature on generated error pages
ServerSignature Off
# WPhtC: Disable directory browsing
Options All -Indexes
# WPhtC: Protect WP-config.php
<files wp-config.php>
order allow,deny
deny from all
</files>

# WPhtC: Protect .htaccess file
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>


With some additional lines there are a bit more options, which are about performance instead of security:

# WPhtC: Setting mod_gzip
<ifModule mod_gzip.c>
mod_gzip_on Yes
mod_gzip_dechunk Yes
mod_gzip_item_include file \.(html?|txt|css|js|php|pl)$
mod_gzip_item_include handler ^cgi-script$
mod_gzip_item_include mime ^text/.*
mod_gzip_item_include mime ^application/x-javascript.*
mod_gzip_item_exclude mime ^image/.*
mod_gzip_item_exclude rspheader ^Content-Encoding:.*gzip.*
</ifModule>


# WPhtC: Setting mod_deflate
<IfModule mod_deflate.c>
AddOutputFilterByType DEFLATE text/html text/plain text/xml application/xml application/xhtml+xml text/javascript text/css application/x-javascript
BrowserMatch ^Mozilla/4 gzip-only-text/html
BrowserMatch ^Mozilla/4.0[678] no-gzip
BrowserMatch \bMSIE !no-gzip !gzip-only-text/html
Header append Vary User-Agent env=!dont-vary
</IfModule>


Beyond this one there are some plugins I haven't tried but that are focused on security and that interact with .htaccess - you might try them each just to see what they do to the .htaccess file:

Beyond that, if you want to know the (IMO) #1 expert resource on Apache security related to WordPress you can find it on AskApache.com; dude is hardcore! His blog won't solve your "too much information" problem but at least you can view it as an authoritative resource!

Here are some examples (though not all are directly WordPress related they all are applicable):

Advanced WordPress wp-config.php Tweaks
https://wordpress.org/plugins/wp-super-secure-and-fast-htaccess/


BulletProof Security https://wordpress.org/plugins/bulletproof-security/

WordPress Security Protection: Malware scanner, Firewall, Login Security, DB Backup, Anti-Spam & much more. View Security feature highlights below. View BulletProof Security feature details under the FAQ help section below. Secure your WordPress website even further by adding additional BulletProof Security Bonus Custom Code. See BulletProof Security Bonus Custom Code under the FAQ help section below. Effective, Reliable & Easy to use WordPress Security Plugin

Version: 3.8
Last updated: 3 weeks ago
Active installations: 60,000+
WordPress Version: 3.8 or higher
Tested up to: 5.3.2


BULLETPROOF SECURITY INSTALLATION AND SETUP : SEE BULLETPROOF SECURITY FEATURE HIGHLIGHTS
One-Click Setup Wizard
Setup Wizard AutoFix (AutoWhitelist|AutoSetup|AutoCleanup)
MScan Malware Scanner
.htaccess Website Security Protection (Firewalls)
Hidden Plugin Folders|Files Cron (HPF)
Login Security & Monitoring
JTC-Lite (Limited version of BPS Pro JTC Anti-Spam|Anti-Hacker)
Idle Session Logout (ISL)
Auth Cookie Expiration (ACE)
DB Backup: Full|Partial DB Backups | Manual|Scheduled DB Backups | Email Zip Backups | Cron Delete Old Backups
DB Table Prefix Changer
Security Logging
HTTP Error Logging
FrontEnd|BackEnd Maintenance Mode
UI Theme Skin Changer (3 Theme Skins)
Extensive System Info

cf: https://wordpress.org/plugins/bulletproof-security/


Advanced WordPress wp-config.php Tweaks
https://www.askapache.com/wordpress/advanced-wp-config-php-tweaks/
The bottom line for this article is that I want to make WordPress as fast, secure, and easy to install, run, and manage, because I am using it more and more for client production sites. I will work for days in order to solve an issue so that I never have to spend time on that issue again. Time is money in this industry and that is ultimately (time) what there is to gain by tweaking WordPress.



Mod_Security .htaccess tricks
https://www.askapache.com/htaccess/modsecurity-htaccess-tricks/
With over 70% of all attacks now carried out over the web application level, organizations need as much help as they can get in making their systems secure. WAFs are deployed to establish an external security layer that increases security, detects, and prevents attacks before they reach web applications.
Target audience:
- Web server administrators
- Web security administrators
- Security consultants and other ballers
- Web developers


The idea behind .htaccess: if someone has straggling files left behind from past upgrades, or in case of zero-day attacks,
his whole system could be hacked. Also, securing wp-admin by another method will help against brute-force attacks.

So the idea of .htaccess is a great idea: if it is just you editing the site, you can limit access to the folder by IP, doing something like

# Apache 2.2 syntax: refuse every client except the single listed address.
<Files *>
Order deny,allow
Deny from All
Allow from 1.2.3.4
</Files>


To make it a bit more tolerable for dynamic IP systems, you should be able to allow from a subnet block; so if your IP pool is always from 1.2.3.128 - 1.2.3.255, then you could do something like 1.2.3.128/25.
Another idea could be the following: require HTTPS, and give a "permission denied" if they try it over HTTP. But don't redirect them to HTTPS. You can use a self-signed cert or one from CAcert to get by without buying one.

Well, I gathered some info, since I need more of it to get a full overview of the topic.
If you have more information I would be glad to hear from you.

regards
Interests: Bikes & steel frames: Linux & SBC https://www.allaboutcircuits.com :: the new knowledge base: AFFiNE: There can be more than Notion and Miro, at affine.pro :: WordPress development - sic: make.wordpress.org/core/
unleash_it
 
Posts: 775
Joined: 10. December 2011 18:32
Operating System: linux opensuse 12.1
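The ideas collected in the post above (an IP allow list or a Basic Auth login, HTTPS enforced with a 403 rather than a redirect, and an exemption for admin-ajax.php so password-protecting wp-admin does not break front-end features) combined into one wp-admin/.htaccess in Apache 2.4 Require syntax. This is an added example, not part of the original post; the 1.2.3.128/25 range, the htpasswd path and a site served entirely over HTTPS are assumptions.

```apache
# wp-admin/.htaccess, Apache 2.4 (mod_authz_core) syntax. Added example.
# Apache does not accept trailing comments, so each comment is on its own line.

# Refuse plain HTTP with 403 instead of redirecting, so a login is never
# typed into an HTTP page. Behind a TLS-terminating proxy %{HTTPS} is "off";
# test the X-Forwarded-Proto header there instead.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTPS} !=on
    RewriteRule ^ - [F]
</IfModule>

# Basic Auth settings. Keep the htpasswd file outside the document root
# (path is an assumption); create it with: htpasswd -c -B FILE USER
AuthType Basic
AuthName "WordPress admin"
AuthUserFile /etc/httpd/htpasswd

# Grant access when EITHER the client is in the trusted range (the
# 1.2.3.128/25 example from the post, an assumed value) OR it authenticates.
# This is the 2.4 replacement for "Order/Deny/Allow ... Satisfy any".
<RequireAny>
    Require ip 1.2.3.128/25
    Require valid-user
</RequireAny>

# admin-ajax.php is called from the public front end by many themes and
# plugins. A later <Files> section replaces the Require above for that file
# only (AuthMerging Off is the default), so it stays reachable without login.
<Files "admin-ajax.php">
    Require all granted
</Files>

# wp-login.php lives in the document root, not in wp-admin, so this file does
# not cover it; a matching <Files "wp-login.php"> block belongs in the root
# .htaccess if the login page should be restricted the same way.
```

Run `apachectl configtest` after editing and confirm that the rules are honoured: `AllowOverride` for the directory must permit AuthConfig, Limit and FileInfo, otherwise Apache silently ignores or rejects the file.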
