January 12, 2015
3 tricks for boosting your WordPress site’s security
As many of you already know, WordPress is a free open source blogging platform and content management system (CMS). It provides a structural system built atop a PHP framework for adding and tweaking a suite of plugins and templates to integrate within your website. For the most part, you’re creating a website—and more specifically, a blog—to share something with the rest of the internet world.
In order to do this, you write and post about interesting or curious topics that catch the attention of people and robots alike. The more you write, the more traffic you drive in, the more vulnerable you are to attack. Sadly, the internet isn’t all sunshine and rainbows. (Strangely enough, however, there are an inordinate amount of cats.)
There are people out there that want nothing more than to spam, leech, and hack you, often times just because they can. You don’t have to play the victim, though. Here are a couple of things you can do to toughen up security around your website. Maybe then those creeps will leave you alone.
The access file contains a list of configuration procedures that the web server will follow when executing your website. The file is capable of overriding a subset of the web server’s global rules, which will only impact your website (for example, if you are on a shared web server, editing the .htaccess file within your site’s directory will affect the other websites on the server).
The .htaccess was originally intended to granulize directory control by limiting or broadening user access. The .htaccess file should be located within the primary directory where WordPress was installed. It can be edited or altered easily enough by opening it in Notepad or Text Edit (Mac) or any other editor of your choosing. As always before editing the file, make a backup copy just to be safe.
When another site links an image directly from your site, rather than saving a copy of the image within their directory, it’s called hot linking. This eats up your site’s bandwidth and, if you pay for a limited amount of bandwidth, it can cost you. Hot linking can be prevented by modifying the .htaccess file. To do this, all you have to do as add the following lines to the file (just be sure you replace “your domain” with the name of your domain):
Like hot linking, website spammers will eat up precious bandwidth. Spammers typically use bots to post random, off-topic (and sometimes lewd) comments across your blog. When the web server tries to identify the requests, it looks as though they aren’t coming from anywhere—in other words, they have ‘no referrer’. You can easily stop spammer bots by adding the following lines to your .htaccess file:
Finally, now that you’ve protected some of the integral pieces of your website, you’ll want to make sure that you protect the protector—your .htaccess file itself. There are a couple of ways you can do this, but your safest bet would be to use strong pattern matching to block external access to any file on within your site directory containing any variation of “.hta”: