
How to secure a WordPress website using .htaccess, allowing only index.php execution access

@Steve110

Posted in: #Htaccess #Security

I am responsible for the security of lots of shared hosting servers. We have at least 500 WordPress websites on each server.

Some of the website owners keep a weak password for WP admin or use vulnerable plugins/themes; this results in WP sites being injected with malware.

Once a website is injected with malware, it is used for sending spam emails or some other malicious activity.

Though we have instructed them 100 times to keep a tough password, sometimes people don't listen properly.

One of my friends told me that we can block the execution of uploaded PHP files using .htaccess, i.e. providing access only to index.php in public_html & wp-admin:

# Apache 2.2 access-control syntax (needs mod_access_compat on Apache 2.4):
# deny every request for a file ending in .php in this directory and below.
<Files *.php>
Order Deny,Allow
Deny from all
</Files>


3 specific questions about the problem:

1) How can I block the execution of all other PHP files, except index.php in public_html & wp-admin?

2) What modification is needed in the above .htaccess file? (Assume I am going to place it in all sub-folders in public_html.)

3) Is allowing only index.php in public_html & wp-admin sufficient for WordPress to function properly?




2 Comments


@Vandalay111

You could do this, but there is very little reason to actually do it.

What it may protect against is this case:


an attacker can upload files with a .php extension
to an arbitrary directory (otherwise, you could just secure that one upload directory)
but not with a .htaccess extension (this would allow PHP execution via any file extension, such as png)
and they cannot overwrite existing files (which would mean they could just overwrite e.g. an existing index.php file)
and they cannot create subfolders (because they could upload an index.php file there)


This is a very narrow scenario. It's not impossible, so if you really think that you do need the added security, go ahead (this will not solve your spam problem though; for that, you would need to force better passwords, restrict the plugins users may install, and generally harden WordPress, also against those users). But it will likely cause more problems than it will solve, and it is not quite as easy to implement as it may seem.

For example, @Manis's approach is flawed. .php is not the only extension that allows the execution of PHP code. There are also php4, php5, pht, and so on. As it is very unlikely that an attacker can upload php files but not php4 files, you definitely need to block those as well.

Additionally, if an attacker can upload files to arbitrary directories, they can just upload an index.php file to wp-includes (which inherits the index.php allows from the root directory). And if we can assume that attackers cannot upload files to arbitrary directories, well, then we can just protect that one directory. Because of this, it is important to limit the allow to the current directory.




@Chiappetta492

I asked this question and I think I have found the answer.

The following code is to be appended to the .htaccess of public_html:

# Apache 2.2 syntax (mod_access_compat on 2.4). First deny all .php files
# in public_html and its subdirectories...
<Files *.php>
Order Deny,Allow
Deny from all
</Files>

# ...then re-allow only the two front-end entry points by exact file name.
<Files index.php>
Order Allow,Deny
Allow from all
</Files>

<Files wp-login.php>
Order Allow,Deny
Allow from all
</Files>


The following code is to be added to the .htaccess of wp-admin:

# Same pattern for wp-admin: deny every .php file, then re-allow the
# admin pages by exact name.
<Files *.php>
Order Deny,Allow
Deny from all
</Files>

<Files index.php>
Order Allow,Deny
Allow from all
</Files>
<Files admin-ajax.php>
Order Allow,Deny
Allow from all
</Files>
<Files load-styles.php>
Order Allow,Deny
Allow from all
</Files>
<Files load-scripts.php>
Order Allow,Deny
Allow from all
</Files>
<Files edit.php>
Order Allow,Deny
Allow from all
</Files>
<Files post-new.php>
Order Allow,Deny
Allow from all
</Files>
<Files edit-tags.php>
Order Allow,Deny
Allow from all
</Files>
<Files upload.php>
Order Allow,Deny
Allow from all
</Files>
<Files media-new.php>
Order Allow,Deny
Allow from all
</Files>
<Files edit-comments.php>
Order Allow,Deny
Allow from all
</Files>
<Files admin.php>
Order Allow,Deny
Allow from all
</Files>
<Files themes.php>
Order Allow,Deny
Allow from all
</Files>
<Files widgets.php>
Order Allow,Deny
Allow from all
</Files>
<Files plugins.php>
Order Allow,Deny
Allow from all
</Files>
<Files customize.php>
Order Allow,Deny
Allow from all
</Files>
<Files plugin-install.php>
Order Allow,Deny
Allow from all
</Files>
<Files plugin-editor.php>
Order Allow,Deny
Allow from all
</Files>


I have tested it & it is working fine in WordPress. So we can block the execution of other uploaded malicious files.

Let me know if it is wrong, or whether it works.

Or is there any other better way to do it?

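The two posts above pull in different directions: @Chiappetta492's per-directory Files blocks only match the .php extension, and an allow such as `<Files index.php>` in public_html is inherited by every subfolder, which is exactly the gap @Vandalay111 describes. The following .htaccess is an added example written for this page, not code from either poster or from WordPress. It uses mod_rewrite instead of Files sections so that the allow list is matched on the full request path relative to public_html (so `index.php` in wp-includes or in a freshly created folder stays blocked), and it denies the wider set of PHP-executable extensions. The wp-admin file list is the one @Chiappetta492 tested; everything else (that mod_rewrite is loaded, that AllowOverride permits FileInfo, the extension list) is an assumption about the hosting setup.

```apache
# Added example, not from any of the posts above: one .htaccess for
# public_html that blocks direct execution of uploaded PHP everywhere
# below it and re-allows only WordPress's known entry points, matched on
# the full request path so the allowance is not inherited by wp-includes,
# wp-content or a new subfolder.
# Assumptions: mod_rewrite is loaded and AllowOverride includes FileInfo.
# Place this block ABOVE WordPress's own "# BEGIN WordPress" rules.

RewriteEngine On

# 1. Allowed entry points. In per-directory context the pattern is matched
#    against the path relative to this directory, so "wp-admin/edit.php"
#    means exactly that file in that folder. "-" leaves the URI unchanged
#    and [L] ends this pass, so the deny rule in step 2 never sees these.
RewriteRule ^index\.php$ - [L]
RewriteRule ^wp-login\.php$ - [L]
RewriteRule ^wp-admin/(index|admin-ajax|load-styles|load-scripts|edit|post-new|edit-tags|upload|media-new|edit-comments|admin|themes|widgets|plugins|customize|plugin-install|plugin-editor)\.php$ - [L]

# 2. Anything else the PHP handler could run gets a 403, in any directory.
#    The extension list follows @Vandalay111's point (php, php4, php5, pht,
#    ...). "(\.|$)" also catches a PHP extension in the middle of a name
#    such as "x.php.jpg", which AddHandler-based PHP setups will execute.
#    [NC] makes the match case-insensitive.
RewriteRule \.(php[3-7]?|phtml|pht)(\.|$) - [F,NC,L]
```

Two caveats when deploying this on 500 sites per server. First, keep it in a single file: a subdirectory .htaccess that switches `RewriteEngine On` replaces the parent's rewrite rules for that subtree unless `RewriteOptions Inherit` is set, so a per-folder copy of @Chiappetta492's wp-admin file would silently drop these rules there. Second, the allow list is only as complete as the testing behind it; a site that relies on wp-cron.php being hit over HTTP, on xmlrpc.php, or on a plugin's own PHP endpoint will break until that path is added, so roll it out behind a test on each site rather than fleet-wide. On the detection side, 403 responses for `.php` paths under wp-content/uploads in the access log are a cheap signal that an upload bypass is being attempted on that particular site, which is worth alerting on even though the request itself was refused. None of this changes @Vandalay111's point that weak admin passwords and vulnerable plugins remain the root cause.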
