Matt Fiddles

Life's so vast, there's just so much to do...


Wordpress Security

Just some things about security. Not comprehensive…


Password Hashes

WP only hashes its passwords as salted MD5 hashes, and these are weak.

There are plugins like WpCrypt that can change the algorithm, but the issue is that they do not add a salt, and without a salt it's just not good enough.

This was a piece of code I found, but you need to add a salt function:

<?php
// do NOT use. Just for info: this hashes with SHA-256 but adds no salt,
// which is exactly what is missing
function wp_hash_password($password) {
    return hash('sha256', $password);
}

function wp_check_password($password, $hash, $user_id = '') {
    // You might want to apply the check_password filter here
    return wp_hash_password($password) == $hash;
}
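As an added example (not code from this page or from the WpCrypt plugin), here is what a salted replacement for the two pluggable functions above looks like when built on PHP's own password_hash()/password_verify(), which generate a random salt and store it inside the hash string. It assumes PHP 5.5 or later and is meant to live in wp-content/mu-plugins/ so it is defined before WordPress's pluggable.php loads.

```php
<?php
/**
 * Added example (hypothetical mu-plugin, not WordPress core code):
 * replaces wp_hash_password()/wp_check_password() with bcrypt via
 * password_hash()/password_verify(). The salt is random per password
 * and embedded in the stored hash, so no separate salt function is needed.
 * Assumes PHP >= 5.5 and placement in wp-content/mu-plugins/.
 */

if ( ! function_exists( 'wp_hash_password' ) ) {
    function wp_hash_password( $password ) {
        // bcrypt with a fresh 128-bit salt; cost 12 is a reasonable default
        return password_hash( $password, PASSWORD_BCRYPT, array( 'cost' => 12 ) );
    }
}

if ( ! function_exists( 'wp_check_password' ) ) {
    function wp_check_password( $password, $hash, $user_id = '' ) {
        if ( 0 === strpos( $hash, '$2y$' ) ) {
            // bcrypt-shaped hash: constant-time compare done by password_verify()
            $check = password_verify( $password, $hash );
        } else {
            // Legacy WordPress (phpass "$P$") hash: check with core's own class,
            // then rehash with bcrypt on success so the user is migrated.
            global $wp_hasher;
            if ( empty( $wp_hasher ) ) {
                require_once ABSPATH . WPINC . '/class-phpass.php';
                $wp_hasher = new PasswordHash( 8, true );
            }
            $check = $wp_hasher->CheckPassword( $password, $hash );
            if ( $check && $user_id ) {
                // wp_set_password() calls wp_hash_password(), i.e. bcrypt above
                wp_set_password( $password, $user_id );
            }
        }
        // Same filter that WordPress's own implementation applies
        return apply_filters( 'check_password', $check, $password, $hash, $user_id );
    }
}
```

Existing users keep working because their old hashes are still verified by the phpass fallback and are upgraded on their next successful login.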

Login Limit

Use a login limiter to cap the number of login attempts.

Review Plugins

Review your plugins installed. If you don't need it, get rid of it.

Block Direct Access to Plugin Files

Most plugins allow their files to be requested directly, even when they have no need for it, and worse, even when they weren't built for it. Use this in your .htaccess to block direct access to all plugin and theme files except the ones you allow. Anything that isn't a static file type such as js, css or jpeg will be refused, whether it is GETed or, even better, POSTed.

# block access to plugins and theme files

# Little complex, but selects themes, plugins, and anything ending in .php for blocking
RewriteCond %{REQUEST_URI}  ^(/?|/+)wp-content/+(plugins|themes)/+.*  [NC,OR]
RewriteCond %{REQUEST_URI}  ^(/?|/+)wp-content/+.*\.php$  [NC]

# The same as above, just simpler, but could be circumvented
#RewriteCond %{REQUEST_URI}  ^/?wp-content/(plugins|themes)/.*  [NC,OR]
#RewriteCond %{REQUEST_URI}  ^/?wp-content/.*\.php$  [NC]

# Allow these file types
RewriteCond %{REQUEST_URI}  !.*\.(js|css|woff|jpe?g|gif|png|bmp|svg|swf|ttf|eot|otf)$ [NC]

# Allow these files to be directly accessed. Even if they are php or whatever.
#RewriteCond %{REQUEST_URI}  !^.*/wp-content/plugins/needs-direct-access/needs-direct-access\.php$  [NC]

# Allow access to db-error.php. if you are using it
#RewriteCond %{REQUEST_URI}  !^.*/wp-content/db-error\.php$  [NC]

# Decide how you will block it. Note how we block regardless 
# of whether the file actually exists or not
RewriteRule ^(.*)$ - [F]
#RewriteRule ^(.*)$ - [R=404,L]
#RewriteRule ^(.*)$ - [R=410,L]

Password Protect wp-admin

This may break things: it can cause random login prompts for users, even when they are not accessing the login or wp-admin pages.

First make your htpasswd file, and if you can, put it outside the website directory. Just to be safe.

Make a .htaccess file in your wp-admin folder:

# If you don't like these or have others, comment them out
# (or if you have problems)
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

# Allow plugin access to admin-ajax.php around password protection
# without this, random users will get login prompts while reading the home page
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

# put htpasswd outside of website dir if possible
AuthUserFile /path/to/htpasswd
AuthGroupFile /dev/null
AuthName "Go away stupid bots"
AuthType Basic
require valid-user
# these two are optional
# may be needed in some cases
#allow from
#allow from <server ip>
Satisfy Any

You can also put this in your root .htaccess to block wp-login.php.

# If you don't like these or have others, comment them out
# (or if you have problems)
ErrorDocument 401 "Denied"
ErrorDocument 403 "Denied"

<FilesMatch "wp-login.php">
AuthType Basic
AuthName "Secure Area"
AuthUserFile "/path/to/htpasswd"
order deny,allow
deny from all
require valid-user
Satisfy Any
</FilesMatch>

For more info see here

Spam Ham

This can help relieve comment and login spam, but can break things…

<IfModule mod_rewrite.c>
RewriteEngine On
# Only POST requests (comment and login submissions) are affected...
RewriteCond %{REQUEST_METHOD} POST
# ...that are aimed at the login page, admin area, comment handler or wp-content...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-comments-post\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-content/(.*)$
# ...and arrive with an empty Referer or an empty (or "-") User-Agent
RewriteCond %{HTTP_REFERER} ^$ [OR]
RewriteCond %{HTTP_USER_AGENT} ^-?$
RewriteRule .* - [F,L]
</IfModule>

You can then test it out by using the SimulateUserAgent here and:

  • Entering the site
    • http://www.Your Website
  • Selecting POST
  • Hitting “Send Request”
  • Filling out the CAPTCHA.

Or you could always just telnet…

Either way you should get a 403 error. If you got a 200, then it's not working.

Why WordPress Authentication Unique Keys and Salts Are Important …or how to forge authentication cookies in WordPress *


computers/websites/wordpress/security.txt · Last modified: Apr 5, 2015 (4 years ago) by Matt Bagley