Securing WordPress With htaccess
For one reason or another, the developers of WordPress have decided not to include “index” pages in the script folders, which puts the onus on us, as users, to ensure that our WordPress installations are as secure as we can make them.
If you visit http://www.YOURDOMAIN.com/wp-content/plugins you will probably see a listing of every file in that folder.
This example is just one of the many folders contained within WordPress that are viewable to anyone who wants to go snooping.
If all you see is a blank page, or an error 404 page, then congratulations! Your files are safe from snoopers.
If you do see a listing of everything in the directory, then you need to take further action.
There are a few ways of locking down these folders so that no prying eyes can go browsing through your files. The first way is to upload a blank index page into every folder that doesn’t already contain an index page. Personally, though effective, I find that way rather time-consuming, especially if you have more than one WordPress blog to deal with.
The second method only requires editing one file, and it will solve your problem: edit (or create) your .htaccess file.
I’m not going to get into explaining exactly what an .htaccess file is… check the links at the bottom of this post if you want more information. Suffice it to say that all WordPress installations have an .htaccess file included - you’ll find it in the root directory of your installation.
Make sure you’ve set your FTP software, or your file manager to “show hidden files”. If you still don’t see an .htaccess file, create it now in the WordPress root, which should contain a file named wp-config.php. You may have to name your htaccess file like this: htaccess.txt and once you have it uploaded, rename the file to .htaccess (yes, with the . in front and no other file extensions).
Next, open the .htaccess file in a text editor, add the following two lines to the bottom, and save the file.
# Prevents directory listing
Options -Indexes
Here is what my .htaccess file looks like:
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# Prevents directory listing
Options -Indexes
# END WordPress
Your file may not look exactly like mine, depending on changes to permalinks etc. Just insert those 2 lines at the bottom of the file and you should be fine.

Thanks for sharing this! That is such an easy fix - everyone needs to take two minutes and implement it - I just did.
Thanks Char! Glad to hear you didn’t have any problems implementing it