Installing and protecting WordPress from CLI and .htaccess

By Martín Navarro – Quality Assurance at Santex


Installing WordPress has never been as easy as it is in the most recent versions. The steps are as simple as copying all the CMS files to our hosting over FTP and opening our site's URL to start the installation. If we have SSH access to our server we can instead download and unzip the WordPress files directly into our website directory, with no FTP client at all: we just need a shell on Linux or OS X, or PuTTY on Windows, and the following commands.

First we need to navigate to the root folder of our website which, depending on your hosting/server configuration, can be different from the following example:

cd /home/your_website/public_html

Now that we are already positioned on our website root directory, we proceed with the download of the latest WordPress installation files:

wget https://wordpress.org/latest.zip

The download will start and it will be blazing fast, since it runs over our hosting provider's connection rather than our own. wordpress.org also publishes a SHA-1 digest of the archive next to it (latest.zip.sha1); it is worth comparing it against the downloaded file before unzipping, so we know the archive is the one WordPress released and not something modified in transit.

Now lets unzip all the WordPress files:

unzip latest.zip

After doing this we get a new folder in our website root called “wordpress”. We want its contents in the website root itself (only if we are going to host just one WP installation), so we move them up one level and remove the now-empty folder and the archive:

mv ./wordpress/* ./
rmdir ./wordpress && rm latest.zip

With these commands we move all the files inside the “wordpress” folder to our website root, and we leave no second copy of the files, and no downloadable zip, lying in the web root.

And that’s all! Now we just need to point our browser to our domain and start with the configuration of our new WordPress site.
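The install steps above as one script, added here as an example and not part of the original article. It does two things the bare commands do not: the archive is fetched over HTTPS and checked against the SHA-1 digest wordpress.org publishes beside it (latest.zip.sha1) before anything is unpacked, and no stray copy of the archive is left in the web root. The web-root path you pass in and the script name install-wp.sh are assumptions; adjust them for your host.

```shell
#!/bin/sh
# Added example (not the article's own script): download WordPress over HTTPS,
# verify it against the published SHA-1 digest, unpack it into the web root.
# The destination path is an assumption supplied by the caller.

WP_URL="https://wordpress.org/latest.zip"

# Print the SHA-1 of a file, using sha1sum (Linux) or shasum (OS X).
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# verify_sha1 FILE SUMFILE: succeed only if FILE's SHA-1 equals the digest in
# SUMFILE. The published .sha1 holds just the hex digest; taking the first
# token also accepts the "<digest>  <name>" layout that sha1sum itself writes.
verify_sha1() {
    expected=$(awk 'NR==1 {print tolower($1)}' "$2")
    actual=$(sha1_of "$1")
    if [ -n "$expected" ] && [ "$expected" = "$actual" ]; then
        return 0
    fi
    return 1
}

# Download the archive and its checksum into the current directory.
fetch_wordpress() {
    wget -q -O latest.zip "$WP_URL" && wget -q -O latest.zip.sha1 "$WP_URL.sha1"
}

# unpack_wordpress ZIP DEST: extract the archive into a scratch directory, move
# the contents of its top-level "wordpress" folder into DEST, then apply the
# 755 (directories) / 644 (files) permissions WordPress's hardening guide recommends.
unpack_wordpress() {
    zip="$1"; dest="$2"
    scratch=$(mktemp -d) || return 1
    mkdir -p "$dest" \
        && unzip -q "$zip" -d "$scratch" \
        && mv "$scratch/wordpress"/* "$dest"/ \
        && find "$dest" -type d -exec chmod 755 {} + \
        && find "$dest" -type f -exec chmod 644 {} +
    status=$?
    rm -rf "$scratch"
    return $status
}

# install_wordpress DEST: the full flow; refuses to unpack on a checksum mismatch.
install_wordpress() {
    dest="$1"
    work=$(mktemp -d) || return 1
    if ! (cd "$work" && fetch_wordpress); then
        echo "download failed" >&2; rm -rf "$work"; return 1
    fi
    if ! verify_sha1 "$work/latest.zip" "$work/latest.zip.sha1"; then
        echo "SHA-1 mismatch on latest.zip: refusing to install" >&2
        rm -rf "$work"; return 1
    fi
    unpack_wordpress "$work/latest.zip" "$dest"
    status=$?
    rm -rf "$work"
    return $status
}

# Usage: sh install-wp.sh install /home/your_website/public_html
case "${1:-}" in
    install) install_wordpress "${2:?web root path required}" ;;
esac
```

The checksum step is the one that matters for supply-chain safety: a tampered or truncated download fails verify_sha1 and nothing reaches the web root. Downloading into a scratch directory rather than the web root also means a failed run never leaves a half-extracted tree or a zip that anyone can fetch over the web.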

Although that's not really all: once the installation/configuration of our new website is done, we need to secure it. One of the easiest ways to do this is the .htaccess file (Hypertext Access). Within that file we can override some settings of our web server for our directory, and with the right directives we can defend our website from spammers, hackers and other types of attackers. Note that .htaccess is an Apache feature: it only takes effect if the server configuration allows overrides for our directory (AllowOverride), and servers such as nginx ignore the file entirely.

After enabling the “Permalinks” functionality of WordPress a .htaccess file is created in the root folder of our website; it tells our web server how the URLs for our posts are to be rewritten, inside a block delimited by the comment lines “# BEGIN WordPress” and “# END WordPress”.

Let's protect our wp-config.php and .htaccess files. These files contain very sensitive information, and wp-config.php is the first file we MUST protect from attackers: it holds the database we are using, its user and password, the authentication keys and salts, and other configuration parameters.

These are the directives we must add to the file, outside the “# BEGIN WordPress” / “# END WordPress” block: WordPress rewrites everything between those two markers whenever permalinks are saved, so anything placed inside them is silently lost. The syntax below is for Apache 2.2; on Apache 2.4 the two lines inside each block become the single directive “Require all denied”.

<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

<Files .htaccess>
    Order allow,deny
    Deny from all
</Files>

No one, not even ourselves, will be able to request those files over the web: a browser or curl request for https://yourdomain.com/wp-config.php should now answer 403 Forbidden, which is the quickest way to check that the rule took effect. We will still be able to edit the files via SSH, SCP or FTP.

Let's disable directory listing. By doing this we hide our folder structure, which is a good measure to frustrate an attacker's first reconnaissance of our plugin, theme and upload folders:

Options -Indexes

Use “-Indexes” alone rather than “All -Indexes”: “All” also switches on every other option (Includes, ExecCGI, FollowSymLinks and so on), which is more than we want. If the host's AllowOverride does not permit the Options directive in .htaccess, the whole site will answer with a 500 error until the line is removed, so test it right after adding it.

Protecting our images from hot linking. Hot linking is a technique where other users steal our bandwidth by embedding our images, via their direct URL, into their own websites. This is good for the bandwidth thief but not for us, since all of those images are loaded from OUR web server.

Add the following lines to your .htaccess file.

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]
RewriteCond %{REQUEST_URI} !/hotlink\.gif$
RewriteRule \.(gif|jpg)$ https://www.yourdomain.com/hotlink.gif [NC,R,L]

With these lines the thief's page still uses our URL, but the image displayed will not be the right one but the warning image we created for this purpose. The first condition lets requests with an empty Referer through (direct visits, and browsers or proxies that do not send one), the second matches our own domain over http or https with the dot escaped so it cannot match look-alike names, and the third exempts the warning image itself; without it the redirect would loop, because the request for hotlink.gif carries the same foreign Referer.
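Putting the pieces together, here is the complete .htaccess the steps above describe, added as an example rather than the article's own file. It is written so it works on both Apache 2.2 and 2.4 (the 2.4 directives are chosen when mod_authz_core is present), it covers a few more image types than the gif/jpg rule above, and every custom rule sits outside the WordPress permalink block. yourdomain.com and the /hotlink.gif path are assumptions to replace with your own.

```apache
# Added example, not the article's own file. Replace yourdomain.com and
# /hotlink.gif with your own values.

# Block web access to wp-config.php and to every .ht* file (.htaccess, .htpasswd).
<FilesMatch "^(wp-config\.php|\.ht.*)$">
    <IfModule mod_authz_core.c>
        # Apache 2.4
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        # Apache 2.2
        Order allow,deny
        Deny from all
    </IfModule>
</FilesMatch>

# Never list directory contents (needs AllowOverride Options on the host).
Options -Indexes

# Hot-link protection: image requests whose Referer is another site get the
# placeholder instead. Empty Referers are allowed, and the placeholder is
# exempted so the redirect cannot loop.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]
    RewriteCond %{REQUEST_URI} !/hotlink\.gif$
    RewriteRule \.(gif|jpe?g|png|webp)$ /hotlink.gif [NC,R=302,L]
</IfModule>

# BEGIN WordPress
# Permalink rules are written and rewritten here by WordPress itself.
# Do not put your own directives between these two markers.
# END WordPress
```

After uploading it, request wp-config.php and .htaccess through the browser and confirm both return 403, then load one image with a foreign Referer (for example from a test page on another domain) and confirm the placeholder appears while direct visits to the image still work.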

These lines and practices are just a few, but they are the most important ones to apply right after installing our website, or later if we already have an older WordPress installation.

About the Author: Martin Navarro is a detailed Quality Assurance professional with full system development lifecycle experience, including designing, developing and implementing test plans, test cases and test processes. Martin is a strategic team player always willing to contribute and to solve problems.