
Installing and protecting WordPress from CLI and .htaccess

Wordpress CLI

By Martín Navarro – Quality Assurance at Santex

Installing WordPress has never been as easy as it is in its most recent versions. The usual first step is to copy the CMS files to our hosting over FTP; the second is to open the site URL in a browser to start the installer. If we have SSH access to the server we can skip the FTP client entirely and download and unzip the WordPress files straight into the website directory from a shell on Linux or OS X, or from Windows with PuTTY, using the commands below.

First, we need to navigate to the root folder of our website. Depending on your hosting and server configuration, that may be different from the following example:

cd /home/your_website/public_html

Now that we are already positioned in our website root directory, we can proceed with downloading the latest WordPress installation files:

wget https://wordpress.org/latest.zip

Use HTTPS for this download: an archive fetched over plain HTTP can be altered in transit, and whatever is inside it will run as our site.

The download is fast because it uses the hosting provider's connection rather than our own.

Now, we can unzip all the WordPress files:

unzip latest.zip

unzip creates a folder named "wordpress" inside our website root and extracts everything into it. If this server is going to host just one WordPress installation, we want those files directly in the website root, so we move them up one level and remove the now-empty folder and the archive:

mv ./wordpress/* ./
rmdir ./wordpress
rm latest.zip

With these commands we move all the files out of the "wordpress" folder into our website root folder. We use mv rather than cp so that we do not leave a second, forgotten copy of the whole site under ./wordpress.

And that’s all! Now we just need to point our browser to our domain and start the configuration of our new WordPress site.
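The whole procedure as one script, added here as an example rather than taken from the original article. It assumes a POSIX shell with wget, unzip and sha1sum (or shasum) on the server, and that wordpress.org publishes latest.zip.sha1 next to latest.zip, which lets us refuse a corrupted or tampered archive before unpacking it. The document root path is the one from the text and must be adjusted to your hosting.

```shell
#!/bin/sh
# Added example (not from the original article): install WordPress from the
# shell, verifying the download before it is unpacked into the document root.
# Assumptions: the docroot path below, and that wordpress.org serves
# latest.zip.sha1 beside latest.zip.
set -e

WP_ZIP_URL="https://wordpress.org/latest.zip"
WP_SHA1_URL="https://wordpress.org/latest.zip.sha1"

# Print the SHA-1 of a file with whichever tool the system provides.
sha1_of() {
    if command -v sha1sum >/dev/null 2>&1; then
        sha1sum "$1" | awk '{print $1}'
    else
        shasum -a 1 "$1" | awk '{print $1}'
    fi
}

# Compare a file's SHA-1 to the first token of a .sha1 file.
# Returns 0 on match, 1 on mismatch or on an empty checksum file.
wp_verify_sha1() {
    zip="$1"; sha1_file="$2"
    expected="$(awk '{print $1; exit}' "$sha1_file" | tr 'A-F' 'a-f')"
    actual="$(sha1_of "$zip")"
    [ -n "$expected" ] && [ "$expected" = "$actual" ]
}

# Download the archive and its checksum into the current directory and
# delete the archive again if the checksum does not match.
wp_fetch() {
    wget -q "$WP_ZIP_URL" -O latest.zip
    wget -q "$WP_SHA1_URL" -O latest.zip.sha1
    wp_verify_sha1 latest.zip latest.zip.sha1 || {
        echo "checksum mismatch for latest.zip, refusing to unpack" >&2
        rm -f latest.zip
        return 1
    }
}

# Move everything in SRC, dotfiles included, into DOCROOT and remove SRC.
# "cp -rf ./wordpress/* ./" would leave a duplicate copy of the site behind
# and skip dotfiles; mv keeps a single copy. Intended for an empty docroot:
# mv will not merge into directories that already exist there.
wp_place_files() {
    src="$1"; docroot="$2"
    for entry in "$src"/* "$src"/.[!.]* "$src"/..?*; do
        [ -e "$entry" ] || continue   # the glob matched nothing
        mv "$entry" "$docroot"/
    done
    rmdir "$src"
}

# The full sequence from the article, with verification added.
wp_install() {
    docroot="$1"
    cd "$docroot"
    wp_fetch
    unzip -q latest.zip
    wp_place_files ./wordpress "$docroot"
    rm -f latest.zip latest.zip.sha1
}

# Usage on the server (the path is an assumption, as in the article):
#   wp_install /home/your_website/public_html
```

After wp_install returns, point the browser at the domain to run the installer as before; the checksum step only guards the transfer, it does not vouch for the code wordpress.org ships.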

Once the installation and configuration of our new website are done, we need to secure it. One of the easiest ways is the .htaccess file (Hypertext Access): a per-directory configuration file in which we can override some settings of the Apache web server. With the right directives we can block a good share of the spammers, bots and other attackers that probe every WordPress site. Note that .htaccess is only honoured by Apache (and compatible servers such as LiteSpeed) when the host allows overrides (AllowOverride); nginx ignores it entirely.

After enabling the "Permalinks" functionality in WordPress, a .htaccess file is created in the root folder of our website; it tells the web server how to route the pretty URLs of our posts to WordPress.

Let's start by protecting wp-config.php and the .htaccess file itself. These files contain very sensitive information and MUST be protected from attackers: wp-config.php holds the database name, username and password, the authentication keys and salts, and other configuration parameters, while .htaccess reveals (and controls) the server rules we are about to add.

Add the following directives to .htaccess, but outside the block delimited by "# BEGIN WordPress" and "# END WordPress": WordPress regenerates that block whenever the permalink settings are saved, and anything placed inside it is lost. In Apache 2.2 syntax:

<Files wp-config.php>
Order allow,deny
Deny from all
</Files>

<Files .htaccess>
Order allow,deny
Deny from all
</Files>

On Apache 2.4 the equivalent is a single "Require all denied" line inside each <Files> block; the Order/Deny directives only keep working there if mod_access_compat is loaded.

No one, not even ourselves, will be able to fetch these files over HTTP; we can still read and edit them over SSH, SCP or FTP. Check it after saving: a request for https://yourdomain.com/wp-config.php should now return 403 Forbidden instead of the blank page PHP would otherwise produce.

Next, disable directory listing. Without this, a request for a folder that has no index file (wp-content/uploads/, for instance) returns a listing of everything inside it, which hands an attacker a map of our plugins, themes and uploads during reconnaissance:

Options -Indexes

("Options All -Indexes" is not valid: Apache refuses to mix options carrying a + or - prefix with options that carry none.)

Protecting our images from hot linking: this is the practice of other sites embedding our images by their direct URLs, so that every visitor to their pages loads the images from OUR web server and consumes our bandwidth. Good for the bandwidth thief, bad for us.

Add the following lines to your .htaccess file (again outside the WordPress block), replacing yourdomain.com with your own domain:

RewriteEngine On
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^https?://(www\.)?yourdomain\.com/ [NC]
RewriteCond %{REQUEST_URI} !/hotlink\.gif$ [NC]
RewriteRule \.(gif|jpe?g|png)$ /hotlink.gif [R,L]

With these lines, a page on another site can still reference our image URLs, but the image displayed is not the right one: the browser is redirected to a warning image (hotlink.gif) that we create and upload for this purpose. The third condition excludes hotlink.gif itself, otherwise the redirect would match its own target and loop. The first condition lets requests with an empty Referer through, so browsers and privacy tools that strip that header can still load our images. This is a bandwidth measure, not an access control: anyone can send a forged Referer when fetching the image directly.

These directives and practices are only a few of the possible measures, but they are among the most important ones to apply right after installing our website. They apply whichever WordPress version we run; if that version is an old one, updating it comes first.

About the Author: Martin Navarro is a detailed Quality Assurance professional with full system development lifecycle experience, including designing, developing and implementing test plans, test cases and test processes. Martin is a strategic team player always willing to contribute and to solve problems.