Security?

WordPress .htaccess security best practices in Apache 2.4.6+

Apache Access Control done right in WordPress .htaccess, ‘Allow/Deny from all’ versus ‘Require All Granted/Denied’

Since Apache 2.4.6, a new module is used to configure and set up access control for websites: mod_authz_core. This means you have to use a different syntax for allowing or blocking hosts and IP addresses to your website. But unfortunately, old documentation is never updated and people even still write blog posts using that old syntax, leaving you with an unprotected website. Not what you had in mind, now is it?…

Securing WordPress with .htaccess files the wrong way

I see it all to often: blog posts telling you to use the following snippet in a .htaccess file to secure / protect WordPress’ wp-config.php file:

<Files wp-config.php>
	Order Allow,Deny
	Deny from all
</Files>

This is wrong! Wrong! Wrong!

Unfortunately this does not work with Apache 2.4.6 and higher! And I find it hard to believe so called “WordPress Security” companies still write posts explaining the old, non-functional, syntax without even mentioning the new, correct syntax…

Satisfy, Order, Deny and Allow have all been deprecated and replaced with new Require directives.

Yes, there is Apache’s mod_access_compat, that provides compatibility for old directives like Order, Allow, Deny and Satisfy. But depending on such a module is not recommended, since it’s deprecated by mod_authz_host: https://httpd.apache.org/docs/2.4/mod/mod_access_compat.html.

Access authorization in Apache 2.4.6 – Properly secure WordPress

Psst, here are 7 snippets to use .htaccess as a Web Application Firewall. However, .htaccess files should not be used for security restrictions.

So now, for once and for all: here is how to use the new Apache 2.4.6+ mod_authz_host syntax in your WordPress .htaccess files:

# Protect wp-config.php
<Files wp-config.php>
	Require all denied
	Require ip 198.51.100.15 # substitute with your IP address
</Files>

For compatibility with older Apache versions, you can wrap this up in a condition:

<Files wp-config.php>
	# Apache 2.2
	<IfModule !mod_authz_core.c>
		Order Deny,Allow
		Deny from all
		Allow from 198.51.100.15
	</IfModule>

	# Apache 2.4
	<IfModule mod_authz_core.c>
		Require all denied
		Require ip 198.51.100.15
	</IfModule>
</Files>

Note: by using .htaccess files you leave Nginx and IIS web servers unprotected! You can use .htaccess in IIS though, but don’t rely on just .htaccess files for your website defense.

Read this too:   Increase WordPress' memory limit WP_MEMORY_LIMIT properly in wp-config.php

Block IP addresses in .htaccess

This is not just for WordPress, but for all websites hosted on Apache (Drupal, Joomla, …). Another change is the syntax to block an IP address in .htaccess. Where you used to use the following:

Order Allow,Deny
Allow from all
Deny from 203.0.113.0/24

Don’t use this above .htaccess code! You now have to use mod_authz_core syntax again:

<RequireAll>
	Require all granted
	Require not ip 203.0.113.0/24
</RequireAll>

Deny all requests for *.php

For example, to deny all requests for *.php files you can use:

<Files *.php>
	# Apache 2.2
	<IfModule !mod_authz_core.c>
		Order Deny,Allow
		Deny from all
	</IfModule>

	# Apache 2.4 and up
	<IfModule mod_authz_core.c>
		Require all denied
	</IfModule>
</Files>

Block access to WordPress’ debug.log file

It is important to block access to WordPress’ debug.log file in wp-content/. Or all log files for that matter, as they contain important information about your website and possibly even passwords.

Use mod_rewrite to simply block requests to *.log:

RewriteEngine On
RewriteRule \Q.log\E - [F,L,NC]

Here, \Q and \E are used to remove the special meaning from a sequence of characters.

If you want to remove the special meaning from a sequence of characters, you can do so by putting them between \Q and \E. The \Q…\E sequence is recognized both inside and outside character classes.

Regular expression syntax

But as with the example above, you could also use a <Files "debug.log"> ... </Files> block in your .htaccess file. I just wanted to show you more than one way.

Hope this helps! :)


Did this post helped you solve a problem? Or dit you find it interesting? Support Sysadmins of the North with a direct donation via Paypal of by bank wire transfer IBAN: NL31 ABNA 0432217258 (Jan Reilink). Just $ 5,- or € 5,- is more than enough, thanks!

Read this too:   WordPress wp_options table autoload micro-optimization

Support SAOTN.ORG


1,863 views

Leave a Reply

Your email address will not be published. Required fields are marked *