06-15-2014, 12:32 AM   #1
PornDiscounts-V
Easy way for "Dummies" to make WordPress more secure.

If you are one of those types that reads the "... for Dummies" books and wants to make your WordPress installations more secure, consider this tip.

Uninstall Wordpress.

Just kidding.

Let's pretend your hosting has you set up like so:

/web/sites/your_user_name/domain1.com
/web/sites/your_user_name/domain2.com
/web/sites/your_user_name/domain3.com

Drop an .htaccess file like so:
/web/sites/your_user_name/.htaccess

so that it is inside your personal directory, above the domain directories.

Now put inside it:

Code:
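# Only the listed address may reach the WordPress login page.
<FilesMatch "^wp-login\.php$">
order deny,allow
deny from all
# Placeholder: replace with your own IP address.
allow from 111.222.333.444
</FilesMatch>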

# XML-RPC endpoint: your own address (placeholder) plus the Jetpack addresses below.
<FilesMatch "^xmlrpc\.php$">
order deny,allow
deny from all
allow from 111.222.333.444
allow from 192.0.80.100
allow from 192.0.80.49
allow from 192.0.80.59
allow from 192.0.81.119
allow from 192.0.81.13
allow from 192.0.81.153
allow from 192.0.81.187
allow from 192.0.81.30
allow from 192.0.81.48
allow from 192.0.81.88
allow from 192.0.82.100
allow from 192.0.82.134
allow from 192.0.82.155
allow from 192.0.82.32
allow from 192.0.82.47
allow from 192.0.82.66
allow from 192.0.83.13
allow from 192.0.83.66
allow from 192.0.84.12
allow from 192.0.84.49
allow from 192.0.86.60
allow from 192.0.86.61
allow from 192.0.86.62
allow from 192.0.86.63
allow from 192.0.86.64
allow from 192.0.86.65
allow from 192.0.86.66
allow from 192.0.86.67
allow from 192.0.86.72
allow from 192.0.86.73
allow from 192.0.86.74
allow from 192.0.86.75
allow from 192.0.86.76
allow from 192.0.86.77
allow from 192.0.86.78
allow from 192.0.86.79
allow from 192.0.86.80
allow from 192.0.86.81
allow from 192.0.86.82
allow from 207.198.101.100
allow from 207.198.101.101
allow from 207.198.101.102
allow from 207.198.101.103
allow from 207.198.101.104
allow from 207.198.101.105
allow from 207.198.101.106
allow from 207.198.101.107
allow from 207.198.101.108
allow from 207.198.101.109
allow from 207.198.101.110
allow from 207.198.101.111
allow from 207.198.101.98
allow from 207.198.101.99
allow from 209.15.21
allow from 216.151.210
</FilesMatch>

Change 111.222.333.444 to your own IP address.

The other IPs in the list are for the Jetpack plugin to be able to connect back to your sites to make things like posting to Tumblr work or showing the latest posts of one blog in the sidebar of another blog. You can remove them if you don't use Jetpack... The list is not complete. WordPress/Jetpack don't release a list of their IPs, so you have to build it on your own. That is my incomplete list, but it is about 95% done.

If you use Cloudflare or some other kind of service like it, you will need to find that IP as well.

While this won't lock you down completely, it will keep about 99% of the crap from being able to connect to your server and play with the two files they want to play with the most.
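One way to build and check the allow list described in the post above, as an added example that is not the poster's code: tally which addresses Apache answered with 403 on the two protected files, which ones got through, and which denied clients claim to be Jetpack. The combined log format, the sample lines and the "Jetpack" User-Agent substring are assumptions; a User-Agent can be forged, so confirm who owns an address before adding it.

```python
import re
from collections import Counter

# Apache "combined" log format (assumed; adjust if your LogFormat differs).
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"'
)
PROTECTED = ("wp-login.php", "xmlrpc.php")  # the two files from the post


def audit(lines):
    """Return (denied, served, candidates) for requests to the protected files.

    denied / served: Counter keyed by (ip, file name).
    candidates: denied IPs whose User-Agent mentions Jetpack (unverified).
    """
    denied, served, candidates = Counter(), Counter(), set()
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue  # not a combined-format line
        # Compare on the last path segment, ignoring any query string.
        name = m["path"].split("?", 1)[0].rsplit("/", 1)[-1]
        if name not in PROTECTED:
            continue
        key = (m["ip"], name)
        if m["status"] == "403":
            denied[key] += 1
            if "jetpack" in m["ua"].lower():  # assumed UA marker, spoofable
                candidates.add(m["ip"])
        else:
            served[key] += 1  # this client got past the allow list
    return denied, served, candidates


# Constructed sample lines using documentation address ranges, not real traffic.
TS = "[15/Jun/2014:00:40:01 -0700]"
SAMPLE = [
    f'198.51.100.7 - - {TS} "POST /wp-login.php HTTP/1.1" 403 212 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - {TS} "POST /wp-login.php HTTP/1.1" 403 212 "-" "Mozilla/5.0"',
    f'203.0.113.20 - - {TS} "POST /xmlrpc.php?for=jetpack HTTP/1.1" 403 212 "-" "Jetpack by WordPress.com"',
    f'192.0.2.10 - - {TS} "GET /blog/wp-login.php HTTP/1.1" 200 2456 "-" "Mozilla/5.0"',
    f'198.51.100.7 - - {TS} "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    denied, served, candidates = audit(SAMPLE)
    print("denied:", dict(denied))
    print("served:", dict(served))
    print("Jetpack candidates to verify:", sorted(candidates))
```

Anything in `served` that is not your own address means the rule is not being applied to that site, for example because the host ignores `.htaccess` overrides in the parent directory.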
06-15-2014, 07:02 AM   #2
Rochard
I do something similar. I have my server locked down by IP address, and then in order to access any admin area you have to enter in another user / pass not related to WordPress.