IT Nursery
  • 1010 Avenue of the Moon
    New York, NY 10018 US.
  • Mon - Sat 8.00 - 18.00
    Sunday: Closed
  • Get A Quote
  • WordPress

    • Securing my WordPress Files and Directories

    • IT Nursery
    • May 26, 2022
    • 0

    I am new to WordPress and securely hosting it on Amazon EC2. My question is, how do I secure my WordPress files and directories properly?

    My file permissions are set to 644 and my directories are set to 755. 

    [ec2-user@ip-xx-xxx-xxx-xx my_sub_directory]$ ls -l
total 160
-rw-r--r-- 1 ftpuser 65534   395 Jan  8  2012 index.php
-rw-r--r-- 1 ftpuser 65534 19929 May  6  2012 license.txt
-rw-r--r-- 1 ftpuser 65534  9177 Jun 21 17:26 readme.html
-rw-r--r-- 1 ftpuser 65534  4663 Nov 17  2012 wp-activate.php
drwxr-xr-x 9 ftpuser 65534  4096 Jul 23 23:12 wp-admin
-rw-r--r-- 1 ftpuser 65534   271 Jan  8  2012 wp-blog-header.php
-rw-r--r-- 1 ftpuser 65534  3522 Apr 10  2012 wp-comments-post.php
-rw-r--r-- 1 ftpuser root   3596 Jul 23 20:27 wp-config.php
drwxr-xr-x 5 ftpuser 65534  4096 Jul 23 17:44 wp-content
-rw-r--r-- 1 ftpuser 65534  2718 Sep 23  2012 wp-cron.php
drwxr-xr-x 9 ftpuser 65534  4096 Jun 21 19:39 wp-includes
-rw-r--r-- 1 ftpuser 65534  1997 Oct 23  2010 wp-links-opml.php
-rw-r--r-- 1 ftpuser 65534  2408 Oct 26  2012 wp-load.php
-rw-r--r-- 1 ftpuser 65534 29217 Jun 21 03:02 wp-login.php
-rw-r--r-- 1 ftpuser 65534  7723 Sep 25  2012 wp-mail.php
-rw-r--r-- 1 ftpuser 65534  9899 Nov 22  2012 wp-settings.php
-rw-r--r-- 1 ftpuser 65534 18219 Sep 11  2012 wp-signup.php
-rw-r--r-- 1 ftpuser 65534  3700 Jan  8  2012 wp-trackback.php
-rw-r--r-- 1 ftpuser 65534  2719 Sep 11  2012 xmlrpc.php

    And my .htaccess file attempts to further protect the wp-config.php file

    # PROTECT WP-CONFIG
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

    When I try to access my wp-config.php file from the browser like this:

    http://ec2-xx-xx-xxx-xx.compute-1.amazonaws.com/my_sub_directory/wp-config.php

    I get this error:

    Forbidden

    You don’t have permission to access /my_sub_directory/wp-config.php on
    this server.

    But when I access another file in my directory, for example, wp-cron.php like this:

    http://ec2-xx-xx-xxx-xx.compute-1.amazonaws.com/my_sub_directory/wp-cron.php

    I get a blank white page. I’m thinking, this can’t be secure.

    So my question is, how do I properly secure the following files?

    [ec2-user@ip-xx-xxx-xxx-xx my_sub_directory]$ ls -a
.            wp-activate.php       wp-cron.php        wp-settings.php
..           wp-admin              wp-includes        wp-signup.php
.htaccess    wp-blog-header.php    wp-links-opml.php  wp-trackback.php
index.php    wp-comments-post.php  wp-load.php        xmlrpc.php
license.txt  wp-config.php         wp-login.php
readme.html  wp-content            wp-mail.php

    1 Answer
    1

    Why would you want to protect them all? Not all of them need protecting, in my humble opinion.

    In any event, these are good to have in your .htaccess file:

    1: restrict access to wp-config.php

    <Files wp-config.php>
    order allow, deny
    deny from all
</Files>

    2: restrict access to .htaccess itself

    <Files .htaccess>
   order allow,deny
   deny from all
</Files>

    3: put password protection on your wp-login.php

    <FilesMatch "wp-login.php">
    AuthType Basic
    AuthName "Who are you?"
    AuthUserFile "/path/to/passwd"
    require valid-user
</FilesMatch>

    Tags:

    Leave a Reply

    Your email address will not be published. Required fields are marked *