Comments on: Trouble-Shooting the WordPress Security White Paper.

By: iwebie

iwebie — Sun, 13 Jul 2008 01:50:42 +0000

I used to use Wordpress, but I got sick of all the security holes and switched back to MovableType.

By: Sicherheit / WordPress absichern

Sicherheit / WordPress absichern — Mon, 19 May 2008 14:21:11 +0000

[...] http://www.linickx.com/archives/342/trouble-shooting-the-wordpress-security-white-paper#comment-9366 [...]

By: Nick

Nick — Wed, 17 Oct 2007 06:00:48 +0000

Thanks for the info “AskApache”

By: AskApache

AskApache — Wed, 17 Oct 2007 03:26:50 +0000

This is a really nice, well-thought-out effort, but unfortunately it is very much so NOT the best way to accomplish these goals. Using the (or filesmatch) is a good idea but the problem is it blocks INTERNAL and EXTERNAL requests alike. Plus anyone but a seasoned htaccess admin can easily cause some atrocious security holes by misusing the allow and deny commands..

The BEST way to block all of these files is to only block EXTERNAL requests for them. IOW, if your wp-cache requests a file, it should be allowed. If a visitor on your webpage requests the same file, it should be denied. This seems impossible to accomplish but actually mod_rewrite provides a really cool way…

for example, this blocks all external requests (except those generated by ErrorDocument code /index.php?error=code) for files ending in .php in either the wp-includes or wp-content directory, but it doesn’t block your server or WP install!
RewriteCond %{QUERY_STRING} !error RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(wp-includes|wp-content)/(.+)\.php\ HTTP/ RewriteRule .* - [F]

code from htaccess tutorial

Another way to secure your wordpress with .htaccess is by using my wordpress plugin: htaccess password protect on AskApache.com

By: Philipp

Philipp — Wed, 10 Oct 2007 16:10:31 +0000

Thanks Nick for your addition, I’m not too well within Apache and you’re right. It’s mostly even better to use httpd.conf and disable .htaccess for increased performance. And even some more security. But many users may not be able to access httpd.conf so .htaccess will be the only solution.

By: Nick

Nick — Mon, 08 Oct 2007 16:55:12 +0000

Thanks for your responses guys

Btw. you can add everything you added to your httpd.conf file as well to the main .htaccess file we described. So you don’t even need access to the httpd.conf file.

You’re right, you can add the directives to .htaccess, but you cannot add the directives, I think I should have explained better, if you add to ~/wp-content/.htaccess then any file called share-this.php whether it be in the themes or plugins directory gets permitted, I was trying to be more granular by either using in httpd.conf or by creating htaccess files in the correct directory… does that make more sense?

By: Philipp

Philipp — Mon, 08 Oct 2007 16:41:26 +0000

Really nice work Nick. We’ll see what we will come around but something like a user driven repository is needed, as we have not the time to check every Plugin to see which access is needed in order to get it running. A good starting for sure, thanks for your help!
Btw. you can add everything you added to your httpd.conf file as well to the main .htaccess file we described. So you don’t even need access to the httpd.conf file.

By: David Kierznowski

David Kierznowski — Mon, 08 Oct 2007 09:22:34 +0000

Great initiative Nick.