Check your web host file permissions first!

November 23, 2010

WordPress security issues come and go. Some stay because it’s tough to get the crud out; other times it’s because site owners overlook an important part of keeping their hosts protected: file permissions.

A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years.

Matt Mullenweg warns against security announcements, from web hosts and others, that place the blame on the WordPress software without first checking whether proper file permissions are in place.

Devlounge has an old but still applicable article on protecting your wp-config.php files, for starters. This article on WP Tavern also tackles the issue above and shares more file permission advice, especially for shared hosting accounts.


WordPress .htaccess tips

October 8, 2010

Controlling how URLs behave and who accesses your site relies on the .htaccess file, and while some of the things it can do have a comfortable interface inside WordPress, there’s so much more to explore. WP Shout goes from A to Z of those possibilities.

For example: if you need to stop spambots, try denying no-referrer requests with this code:

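RewriteEngine On
# Only look at comment submissions: POST requests to wp-comments-post.php
RewriteCond %{REQUEST_METHOD} POST
RewriteCond %{REQUEST_URI} /wp-comments-post\.php
# Match when the referrer is not your own blog, or the user agent is empty
RewriteCond %{HTTP_REFERER} !yourblog\.com [OR]
RewriteCond %{HTTP_USER_AGENT} ^$
# Redirect the request back to the client's own address
RewriteRule .* http://%{REMOTE_ADDR}/ [R=301,L]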

Need to study the somewhat cryptic .htaccess language further? Head over to Apache’s official documentation.
