This article discusses technical methods of securing your WordPress filesystem and is intended for use by Engineers. The advice provided herein should be used as a guideline, with the understanding that actual file system permissions will differ based on Linux distribution and other environmental variables.
File Permissions
For installations where the administrator has access to the WordPress core files (e.g. local, IaaS, VPS hosting), file permissions should be set to ensure that other processes and users on the webserver platform have limited and appropriate access. The following table summarizes the permissions requirements.
Under Linux, WordPress recommends “755” permissions for all WordPress directories, and “644” permissions for all other files. This can be automated as follows:
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
We recommend further securing these files per your environment. While the above guidance is generally acceptable, much more can be done to further restrict access to the WordPress files. Adhering to the principle of “least privilege” is important here as well.
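Before changing anything, it helps to know what deviates from the baseline. The following script is an added example, not part of the original article: it audits a WordPress tree against the 755/644 rule above, flags world-writable entries separately (the finding to treat as urgent), and then applies the same two find/chmod commands the article gives. wp-config.php is skipped because it is expected to be locked down more tightly (see the wp-config section). The directory path is an argument supplied by the caller.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the 755 (directories) / 644 (files)
# baseline and report what deviates. Output lines are
#   D path  directory whose mode is not exactly 0755
#   F path  regular file whose mode is not exactly 0644
#   W path  anything world-writable (also listed as D or F, but worth its own line)
# wp-config.php is skipped: it is expected to be 0400, not 0644.

wp_perm_audit() {
    root=$1
    find "$root" -type d ! -perm 0755 -print | sed 's/^/D /'
    find "$root" -type f ! -name wp-config.php ! -perm 0644 -print | sed 's/^/F /'
    find "$root" \( -type d -o -type f \) -perm -0002 -print | sed 's/^/W /'
}

# Number of findings as a single value, usable from cron or a monitoring check.
wp_perm_audit_count() {
    wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the article's baseline (the two find/chmod commands), then print what is
# still off, which should be nothing unless the filesystem refused the change.
wp_perm_fix() {
    root=$1
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} \;
    wp_perm_audit "$root"
}

# Usage when run directly:  sh wp-perm-audit.sh /var/www/wordpress
if [ -n "${1:-}" ]; then
    wp_perm_audit "$1"
fi
```

Run the audit first and read the W lines: a world-writable uploads directory is common on shared hosts and is exactly what lets one compromised site write into another. Exact-mode matching (`-perm 0755`) rather than "at least these bits" keeps the report strict, which is the point of a baseline.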
Securing wp-admin
The /wp-admin/ directory is only used by those logging into the WordPress site and not the general public. Therefore, it may be possible to further secure this area by restricting access to users who are either connecting from a specific location or who hold a shared password. Both are accomplished with access-control and HTTP "basic authentication" mechanisms available in the webserver configuration.
The following code can be added to your .htaccess to only allow access to wp-login.php and the wp-admin directory from the 1.2.3.4 IP address. The original pattern "wp-admin$" only matched a request for the bare /wp-admin path, so it is widened here to cover everything under the directory; admin-ajax.php is excluded because themes and plugins call it for anonymous visitors as well.
# Restrict wp-login.php and the wp-admin directory to a single IP address.
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/|$)
# admin-ajax.php is also called on behalf of anonymous visitors; leave it reachable.
RewriteCond %{REQUEST_URI} !^(.*)?wp-admin/admin-ajax\.php$
RewriteCond %{REMOTE_ADDR} !^1\.2\.3\.4$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Additionally (or alternatively), the directory can be protected with a second password. This should not be the same as your WordPress password, and it may be shared among a small group. Password sharing is normally discouraged, but this password only gates access to the login screen; each user still authenticates to WordPress with their own credentials afterwards.
In the /wp-admin/.htaccess file, add:
AuthName "My Org Access Only"
AuthUserFile /path/to/passwords/.htpasswd
AuthType Basic
Require user myusername
To create the password file, use the command:
htpasswd -c /path/to/passwords/.htpasswd myusername
The -c flag creates the file and overwrites it if it already exists, so omit -c when adding further users. Keep the password file outside the web root so it cannot be served to clients.
Securing wp-includes
Many files in the /wp-includes/ directory should only be accessed internally by other scripts. However, all the files in this directory are in the web root and are accessible directly by default. One method to prevent direct access to these files is the use of mod_rewrite rules in Apache. The following recommendations are made by WordPress to be added to the .htaccess file (or .conf where available):
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
Securing wp-config
The wp-config.php file is the most sensitive of all WordPress configuration files and should be protected accordingly. The following recommendations are made to help secure this file:
1. Move the wp-config file out of the webroot into an external configuration directory
2. Change the file permissions so that only the webserver user can read it (the user name varies by distribution; apache is used here as an example):
chown apache:apache /path/to/config/wp-config.php
chmod 400 /path/to/config/wp-config.php
3. Create .htaccess rules to prevent direct external access to the wp-config.php file
<files wp-config.php>
order allow,deny
deny from all
</files>
On Apache 2.4 and later, replace the order/deny lines with "Require all denied" unless mod_access_compat is loaded.
If you follow steps 1 and 2 above, the file is no longer under the web root and the 3rd recommendation becomes unnecessary. If you cannot move the file, implement the 3rd recommendation at a minimum.
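Steps 1 and 2 as one checked operation, added here as an example and not taken from the article: WordPress looks for wp-config.php in the web root and, failing that, in the directory immediately above it (provided that directory does not itself contain a wp-settings.php), so "out of the webroot" is implemented as exactly one level up. The function refuses to overwrite an existing file or to move the config where WordPress would not read it. The web-root path and the owner are caller-supplied assumptions; the chown step needs root and is skipped when no owner is given.

```shell
#!/bin/sh
# Added example: relocate wp-config.php one directory above the web root and
# lock it to 0400 for the webserver user. WordPress reads wp-config.php from
# dirname(ABSPATH) only when that directory holds no wp-settings.php, so that
# case is rejected rather than silently producing an unreadable config.
#
# wp_config_harden WEBROOT [OWNER]     e.g. wp_config_harden /var/www/html apache:apache

wp_config_harden() {
    webroot=${1%/}
    owner=${2:-}
    src="$webroot/wp-config.php"
    parent=$(dirname "$webroot")
    dst="$parent/wp-config.php"

    if [ ! -f "$src" ]; then
        echo "no wp-config.php in $webroot" >&2; return 1
    fi
    if [ -e "$dst" ]; then
        echo "refusing to overwrite $dst" >&2; return 1
    fi
    if [ -e "$parent/wp-settings.php" ]; then
        echo "$parent is itself a WordPress install; WordPress would not read wp-config.php from there" >&2; return 1
    fi

    mv "$src" "$dst"
    if [ -n "$owner" ]; then
        chown "$owner" "$dst"        # owner must be the webserver user; requires root
    fi
    chmod 400 "$dst"                 # read-only for the owner, nothing for group/other
    echo "moved to $dst, mode $(wp_config_mode_ok "$dst")"
}

# Prints "yes" when PATH is mode 0400 exactly, "no" otherwise; usable as a
# post-deployment check or from a monitoring script.
wp_config_mode_ok() {
    if [ -n "$(find "$1" -perm 0400 2>/dev/null)" ]; then
        echo yes
    else
        echo no
    fi
}
```

With the file at 0400 the webserver can read it but nothing running as that user can modify it, which also blocks plugins that try to rewrite wp-config.php; relax to 0440 or 0600 only if a specific, trusted tool needs that.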
Disallow File Editing
WordPress allows administrators to edit PHP files from the web. This can present a significant vulnerability if the administrator account is compromised. We recommend disabling this functionality by including the following line in the wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
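The define only takes effect if it runs before wp-settings.php is loaded, and adding it twice is a common mistake when several hardening scripts touch the same file. The script below is an added example, not part of the article: it inserts the line immediately above the require of wp-settings.php that every wp-config.php ends with, does nothing if the constant is already defined, rewrites the file in place so owner and mode are preserved, and reports the resulting state. It assumes a standard wp-config.php layout; the path is supplied by the caller.

```shell
#!/bin/sh
# Added example: set DISALLOW_FILE_EDIT in a wp-config.php idempotently.
# The define must precede the wp-settings.php require, so it is inserted just
# above that line. Output is written back with cat rather than mv so the file
# keeps its owner and mode; run this before locking the file to 0400, or as root.
#
# wp_disable_file_edit PATH

wp_disable_file_edit() {
    cfg=$1
    if grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then
        return 0        # already configured (with either value); never add a second define
    fi
    if ! grep -q 'wp-settings\.php' "$cfg"; then
        echo "no wp-settings.php require in $cfg; not a standard wp-config.php" >&2
        return 1
    fi
    tmp=$(mktemp)
    awk -v def="define('DISALLOW_FILE_EDIT', true);" '
        !done && /wp-settings\.php/ { print def; done = 1 }
        { print }
    ' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"
    rm -f "$tmp"
}

# Prints "disabled" when file editing is switched off in PATH, "enabled" otherwise
# (no define, or a define set to false). Accepts single or double quotes and spacing.
wp_file_edit_state() {
    if grep -Eq "define\( *['\"]DISALLOW_FILE_EDIT['\"] *, *true *\)" "$1"; then
        echo disabled
    else
        echo enabled
    fi
}
```

The state check is the useful half for operations: run it across every install after a deployment and alert on "enabled", since the built-in editor reappearing is a sign that someone has replaced or regenerated wp-config.php.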
This article contains technical documentation intended for developers and systems administrators. Please seek professional services if you are not comfortable with any of the changes you see in this article.
As always, for more information on this topic please reach out to us; we’re here to help!