A couple months ago, I learned how to better protect WordPress installations from those with less-than-godly intentions. One action step was to install security plugins, such as Login Lock and WordPress Firewall 2, on the sites I manage. The subsequent plugin alerts began arriving in my email inbox at least weekly. They warned me, “This notice is to inform you that someone at IP address 220.127.116.11 tried to login to your site and failed,” or “WordPress Firewall has detected and blocked a potential attack. This may be a Directory Traversal Attack.”
I realized there was good reason to keep site security in mind. As mentioned in an earlier security post, WordPress powers almost 15% of all websites and presents a large target for hackers and malicious scripts. Relying on the default installation without keeping it updated and protected is akin to running a PC without virus software. You may be asking for it.
Customizing your site’s .htaccess files is an excellent way to bar your site against malevolent activity. Jeff Starr, site security expert from Perishable Press, released a new version of his “G” firewall last week. Dubbed the 5G Blacklist/Firewall, this code is a strong and useful security aid for websites running on Apache. (Apache is the most popular server software; check with your host to confirm its use.)
Adding the 5G Blacklist to your .htaccess file can help your site deliver resources more efficiently. The editing process need not be intimidating to those without a technical background. Simply connect to your host with your favorite FTP program, and browse to your site’s root directory. If you do not see an .htaccess file in the list, you may need to alter your program’s view options to “View Hidden Files,” or you may need to start and upload a new blank .htaccess file (You can use a simple text editor, such as Notepad or TextEdit).
Once you’ve opened the .htaccess file on your server, paste Jeff Starr’s firewall code after any other text. Save and close.
You’re almost done! Open your site, and check that all the pages are loading and functionality is working as expected. If anything is awry, remove the 5G code from the .htaccess file. As described in Starr’s post, try removing sections of the code to determine which portion conflicts with your site. You can comment out the problem lines with # signs. The ammended .htaccess file will continue to protect your site.
With little effort you can safeguard your site against unauthorized access. As the weeks pass without incident, you’ll feel grateful you took the few extra security-minded moves.