In a previous article we told you about some important points that are necessary for the security of your website. Any site can be the target of attacks, so it is necessary to know how to prevent them.
In this article, we’ll show you how to protect directories, the admin panel of your site and more.
1. Directory.
The directories of your site must be closed to listing. You can check right now whether a directory is closed or not: open a link of the form http://yourdomain/directory/ (for example, http://yourdomain/wp-includes). If the directory is not closed, you will see all the files in it, such as functions.php, post-formats.php and so on. Now you can understand why directory listing must be disabled!
How can we disable directory listing for a site? There are two ways:
- by .htaccess (for Linux hosts, and any other host that allows it).
This is easy: add this code to the .htaccess file in the main directory:
# PREVENT DIRECTORY LISTINGS
Options -Indexes
- by adding an index.html file to the directory (for Windows hosts that do not allow .htaccess):
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>Untitled Document</title>
</head>
<body>
<h1>Directory Listing Disabled!</h1>
</body>
</html>
2. Protect admin.
We must protect wp-admin from other people, because they do not need it! How can we do it? By adding a .htaccess file to this folder (wp-admin). Find your own IP address and add it to this .htaccess:
# SECURE WP-ADMIN
<FilesMatch ".*">
Order Deny,Allow
Deny from all
# replace 123.456.78.9 with your own IP address (the value here is only a placeholder, not a valid address)
Allow from 123.456.78.9
</FilesMatch>
Then test your site through a proxy. You will see that you can open the admin panel, but for other people it will be Forbidden.
You can add several IP addresses that you want to have access to your admin panel.
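The .htaccess above uses Apache's Order/Deny/Allow directives, so the decision is: deny everyone, then let through only the addresses in the Allow lines. The following Python model is an added example (not code from the article) that evaluates that decision for a client address, validates the Allow entries so a typo cannot lock you out silently, and renders the block in both the Order/Deny/Allow syntax shown above and the "Require ip" syntax that replaced it in Apache 2.4. The addresses 203.0.113.x and 198.51.100.x are documentation ranges used as constructed sample values.

```python
"""Model of the wp-admin .htaccess rule from section 2: with
"Order Deny,Allow", "Deny from all" and one "Allow from" per address,
a client is let in only if it matches an Allow entry.
Added example, not from the original article."""
import ipaddress


def parse_allow_list(entries):
    """Turn "Allow from" values into network objects.

    A single host becomes a /32 (or /128); CIDR ranges such as 203.0.113.0/24
    are accepted as well. Partial addresses that Apache accepts (e.g. "203.0.113")
    are deliberately not supported here: write a CIDR range instead.
    Raises ValueError for entries that are not valid addresses or ranges, which is
    exactly the mistake that would lock you out of your own admin panel.
    """
    networks = []
    for entry in entries:
        try:
            networks.append(ipaddress.ip_network(entry, strict=False))
        except ValueError as exc:
            raise ValueError(f"invalid Allow from entry {entry!r}: {exc}") from exc
    return networks


def is_allowed(client_ip, allow_entries):
    """Order Deny,Allow + Deny from all: only clients matching an Allow entry pass.

    With "Order Deny,Allow" the Deny directives are evaluated first and the Allow
    directives afterwards, so an Allow match overrides "Deny from all".
    """
    client = ipaddress.ip_address(client_ip)
    return any(client in net for net in parse_allow_list(allow_entries))


def render_htaccess(allow_entries, apache24=False):
    """Emit the wp-admin/.htaccess block for the given addresses.

    apache24=True uses the mod_authz_core syntax ("Require ip ..."), which
    replaced Order/Deny/Allow in Apache 2.4; the default reproduces the
    article's Apache 2.2 style block.
    """
    parse_allow_list(allow_entries)  # fail early on a bad address
    lines = ["# SECURE WP-ADMIN", '<FilesMatch ".*">']
    if apache24:
        lines.append("Require ip " + " ".join(allow_entries))
    else:
        lines.append("Order Deny,Allow")
        lines.append("Deny from all")
        lines.extend(f"Allow from {entry}" for entry in allow_entries)
    lines.append("</FilesMatch>")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values: a home address plus an office range.
    allow = ["203.0.113.7", "198.51.100.0/24"]
    for client in ["203.0.113.7", "198.51.100.42", "192.0.2.9"]:
        print(client, "allowed" if is_allowed(client, allow) else "forbidden")
    print(render_htaccess(allow))
    print(render_htaccess(allow, apache24=True))
```

Run it before uploading the file: if `parse_allow_list` rejects one of your entries, Apache would have rejected it too, and the only address you could not reach the admin panel from would be your own.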
3. WordPress version.
One of the biggest parts of securing a site and keeping the bad guys out is blocking sensitive information such as the WordPress version.
When you look at the source code of a site, you will see the WordPress version in the header in three places:
- the version number displayed in web pages;
- the version number displayed in RSS feeds;
- the version number displayed in other feeds.
We don't want anybody to see this information. So go to the active theme folder and find the file functions.php. At the end of this file (before ?>) add the code below, then save:
// remove version number from head & feeds
function disable_version() { return ''; }
add_filter('the_generator','disable_version');
remove_action('wp_head', 'wp_generator');
After these actions you will see that the WordPress version is no longer shown in pages and feeds! That was our goal.
4. Hotlinking.
As you know, a hotlink is a link from another site directly to a file on your site, such as a picture, a video or another file. How can we prevent hotlinking on our site?
Add the code below to your .htaccess file (in the main directory of your files):
# HOTLINK PROTECTION
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{REQUEST_FILENAME} -f
RewriteCond %{REQUEST_FILENAME} \.(gif|jpe?g|png|docx)$ [NC]
RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?example\. [NC]
RewriteRule \.(gif|jpe?g|png|docx)$ - [F,NC,L]
</IfModule>
Change «example» to the address of your site without .com (etc.), then save it to the host. You will see that hotlinking is no longer allowed. You can add other file formats to this file in line 6 (the RewriteCond with the list of extensions); add the same extension to the RewriteRule at the end as well, because a file type that appears only in the RewriteCond is never actually blocked.
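Every RewriteCond in the block must hold before the RewriteRule fires, and then the RewriteRule's own pattern must match too. The Python model below is an added example (not code from the article) that walks one request through those conditions in order and returns "F" (forbidden) or "-" (served). The extension lists are parameters so the effect of listing a format in the RewriteCond but not in the RewriteRule can be seen directly. The site name `example`, the referers under `other.test` and the file paths are constructed sample values.

```python
"""Model of the mod_rewrite hotlink rules from section 4.
Added example, not part of the original article."""
import re

SITE = "example"  # the «example» placeholder from the .htaccess: your domain without the TLD

# The article's corrected extension list, used for both the RewriteCond and the RewriteRule.
DEFAULT_EXTS = ("gif", "jpe?g", "png", "docx")


def _ext_pattern(extensions):
    """Build \\.(gif|jpe?g|png|...)$ ; the [NC] flag makes it case-insensitive."""
    return re.compile(r"\.(" + "|".join(extensions) + r")$", re.IGNORECASE)


def hotlink_decision(referer, filename, file_exists, site=SITE,
                     cond_exts=DEFAULT_EXTS, rule_exts=DEFAULT_EXTS):
    """Return "F" if the request would get 403 Forbidden, "-" if the file is served.

    Each step mirrors one line of the .htaccess block, in the same order.
    """
    # RewriteCond %{HTTP_REFERER} !^$  -> an empty referer is never blocked
    # (direct visits and browsers that strip the referer send none)
    if referer == "":
        return "-"
    # RewriteCond %{REQUEST_FILENAME} -f  -> only requests for real files are considered
    if not file_exists:
        return "-"
    # RewriteCond %{REQUEST_FILENAME} \.(...)$ [NC]  -> only the listed extensions
    if not _ext_pattern(cond_exts).search(filename):
        return "-"
    # RewriteCond %{HTTP_REFERER} !^https?://([^.]+\.)?example\. [NC]
    # -> referers from your own site (with one optional subdomain) are exempt
    own_site = re.compile(r"^https?://([^.]+\.)?" + re.escape(site) + r"\.", re.IGNORECASE)
    if own_site.match(referer):
        return "-"
    # RewriteRule \.(...)$ - [F,NC,L]  -> the rule pattern must match as well
    if _ext_pattern(rule_exts).search(filename):
        return "F"
    return "-"


if __name__ == "__main__":
    # Constructed sample requests.
    cases = [
        ("https://other.test/page", "/var/www/img/photo.JPG", True),
        ("https://www.example.com/post", "/var/www/img/photo.jpg", True),
        ("", "/var/www/img/photo.jpg", True),
        ("https://other.test/", "/var/www/img/missing.png", False),
        ("https://other.test/", "/var/www/style.css", True),
    ]
    for referer, filename, exists in cases:
        print(f"{referer or '(no referer)':32} {filename:28} -> {hotlink_decision(referer, filename, exists)}")
    # What the article's original block does with docx: listed in the RewriteCond only.
    print("docx, rule without docx ->",
          hotlink_decision("https://other.test/", "/var/www/files/report.docx", True,
                           rule_exts=("gif", "jpe?g", "png")))
```

Two things the model makes visible: an empty referer always passes, so the rule is a courtesy check rather than a hard access control, and the own-site pattern only anchors the beginning of the host name, so anchor it to your full domain if you want a stricter match.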
We hope that the tips in this article will help you protect your site. If you have any difficulties, you can write to us. The GKS Web Studio Team will advise you on any question.
In the next article, we will share some more secrets of how to protect your site on WordPress.