WordPress Security Using .htaccess

In a way, WordPress is a double-edged sword. On the one hand, it’s ease of use and popularity make it a great choice when starting a blog and building a web site. But this same popularity means that it is a huge target for hacking. For this reason alone, security should be taken seriously.

If you’re using a hosting service that runs on Unix and Apache (and the vast majority do), one way you can increase the security of your web site is by using an .htaccess file. This file is used by the web server itself in processing requests and can be programmed to re-route the request if needed.

Here’s an example of a .htaccess file that can block a couple of common script attacks:

Options +FollowSymLinks
RewriteEngine On
# if your blog is not installed in root, uncomment and change the
# following line to the directory that WordPress is installed in:
# RewriteBase /
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]

There may already be a .htaccess file on your host, so adding the RewriteCond and RewriteRule commands after the last RewriteRule and before the </IfModule> would be all that’s necessary.

What this does is block three different types of attacks.

The first looks for a <span style="font-family:courier"><script> tag in the query string. This is used to inject JavaScript into a request.

The second checks to see if the request is attempting to set a global variable.

The third is checking to see if someone is attempting to reset one of the global request variables.

WordPress should already be blocking these, but using multiple methods of security doesn’t hurt. And doing this at the web server level, as well as the code level, gives you multiple layers of protection. Also, doing these checks in the web server is much faster than doing them in PHP within WordPress.

Leave a Comment

Your email address will not be published. Required fields are marked *