Htaccess Restrict Access to Uploaded Files for Non-admin
There are many tips and tricks on WordPress security. Most of them involve installing third-party security plugins. However, if you do not want to install a plugin, you can try a simple setup with the .htaccess file.
What is the .htaccess file for?
This text file lets the author of a website set selected server properties. It does not require full administrator access, and it only affects server behaviour for the directory it is placed in and that directory's subdirectories. WordPress uses it mainly to set the behaviour of generated URLs so that they are search engine friendly.
Where do I observe the .htaccess file?
The file is located in the root folder of your web hosting. Just log in via FTP with your preferred client and you should see the file.
Sometimes you cannot see the file after logging in with an FTP client. In that case it is enough to force the display of hidden files in the program settings (most commonly Total Commander, WinSCP or FileZilla).
If you still do not see the file, you can upload it to the server manually, or simply click on "Settings" > "Permalinks" in the WordPress settings, change the setting to anything other than the basic (plain) one and save. You should now see the file on the server. Then you can switch the setting back.
How to edit .htaccess?
To edit the file you can use any text editor, from Notepad to the developer-oriented PSPad Editor. Before editing the file, make a backup of it on your PC so that you can restore the settings in case of problems.
1. Lock the administration to keep out uninvited guests
You can use the .htaccess file to restrict administration of your website by IP address. You will then be able to reach the website administration only from specific IP addresses and locations. This method is useful when you regularly connect from one PC or a few PCs with a static IP address. Copy the following code into the .htaccess file:
# Placed in wp-admin/.htaccess this covers only the administration folder;
# in the site root it would restrict the whole site.
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
# <LIMIT GET> restricts GET requests only; remove the Limit block to cover every method.
# Order/Deny/Allow is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat or the equivalent Require directives.
<LIMIT GET>
order deny,allow
deny from all
# Enabled IP address 1:
allow from xx.xx.xx.xxx
# Enabled IP address 2:
allow from xx.xx.xx.xxx
</LIMIT>
Remember to replace the allowed IP addresses with your own. There can be as many allowed addresses as you want.
2. Protect the administration with another password
If you connect to WordPress from different locations and do not want to be limited to a specific IP address, you can use password protection. First generate a .htpasswds file using an online generator and then upload it to a folder that is not publicly accessible. Ideally to a path like:
/home/user/.htpasswds/public_html/wp-admin/passwd/
Now open the .htaccess file itself and copy the following lines of code into it:
AuthName "Admins Only"
AuthUserFile /home/yourdirectory/.htpasswds/public_html/wp-admin/passwd
AuthGroupFile /dev/null
AuthType basic
require user putyourusernamehere
# admin-ajax.php must stay reachable for front-end AJAX calls, so it is exempted from the password.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Be sure to replace the path given in "AuthUserFile" with the path that matches your web hosting's directory structure.
3. Disable directory browsing
To prevent attackers from seeing which files are on your web hosting, you can disable the public listing of folders. This step is recommended by most security experts.
To activate it, just add a single line to the .htaccess file:
Options -Indexes
4. Disable running PHP files in selected WordPress folders
Attackers frequently try to break into the content management system using a so-called backdoor. Often this is a file that lets the attacker sneak onto your web hosting, so that they can then execute additional commands and take control of your website.
One of the preventive solutions is to insert the following code into a new .htaccess file:
# Refuses direct HTTP requests for files whose name ends in .php in this folder and below.
<Files *.php>
deny from all
</Files>
Then upload the file to each of the following folders:
- /wp-content/uploads/
- /wp-includes/
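A check that goes with this step, added here as an example and not part of the original article: an audit script that walks a WordPress tree, reports PHP-like files found under wp-content/uploads (which should only ever hold media) and reports which of the two folders above still lacks a .htaccess. The sample tree it builds in a temporary directory is constructed for the example; the extension list is an assumption about what a shared host maps to the PHP handler, and it deliberately goes beyond a plain `*.php` match because that pattern covers only one of those extensions.

```python
"""Audit a WordPress tree for PHP-like files under the uploads folder and for the
blocking .htaccess in the folders that should not serve PHP directly."""
import os
import tempfile

# Extensions that shared hosts commonly map to the PHP handler (assumption).
# A plain <Files *.php> block covers only the first, so the audit reports all of them.
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7", ".phar")

# Folders the article says should each carry the blocking .htaccess.
NO_DIRECT_PHP_FOLDERS = ("wp-content/uploads", "wp-includes")

# The .htaccess from the article, used when building the constructed sample tree.
BLOCKING_HTACCESS = "<Files *.php>\ndeny from all\n</Files>\n"


def audit_wordpress_root(root):
    """Return {'php_files': [...], 'missing_htaccess': [...]} for the tree at root.

    php_files: PHP-like files under wp-content/uploads, relative to root.
    (wp-includes legitimately contains PHP, so it is only checked for the .htaccess.)
    missing_htaccess: no-direct-PHP folders that exist but have no .htaccess at all.
    """
    findings = {"php_files": [], "missing_htaccess": []}
    for folder in NO_DIRECT_PHP_FOLDERS:
        folder_path = os.path.join(root, folder)
        if not os.path.isdir(folder_path):
            continue
        if not os.path.isfile(os.path.join(folder_path, ".htaccess")):
            findings["missing_htaccess"].append(folder)

    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _dirs, files in os.walk(uploads):
        for name in files:
            if name.lower().endswith(PHP_EXTENSIONS):
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings["php_files"].append(rel.replace(os.sep, "/"))
    findings["php_files"].sort()
    return findings


def build_sample_tree():
    """Create a constructed (not real) WordPress-like tree in a temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    for rel in ("wp-content/uploads/2024/03", "wp-includes"):
        os.makedirs(os.path.join(root, rel))
    samples = {
        "wp-content/uploads/2024/03/photo.jpg": b"\xff\xd8\xff",          # legitimate media
        "wp-content/uploads/2024/03/stray.php": b"<?php /* sample */ ?>",   # should not be here
        "wp-content/uploads/2024/03/stray.phtml": b"<?php /* sample */ ?>", # missed by *.php
        "wp-includes/functions.php": b"<?php /* legitimate core file */ ?>",
        "wp-includes/.htaccess": BLOCKING_HTACCESS.encode(),             # uploads has none
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for key, items in audit_wordpress_root(sample_root).items():
        print(f"{key}: {items}")
```

Run it against the real document root instead of the sample tree by calling `audit_wordpress_root("/path/to/site")`; an empty `php_files` list and an empty `missing_htaccess` list is the expected state after this step.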
5. Secure the wp-config.php configuration file
One of the most important files on your WordPress site is wp-config.php. It contains the database access details, including passwords.
To secure the wp-config.php file, paste the following code into the main .htaccess file:
<files wp-config.php>
order allow,deny
deny from all
</files>
6. Disable access from specific IP addresses
Did you notice an unusually high number of requests to your website from specific IP addresses? If you think this behaviour is suspicious, you can block access to your website for those IP addresses.
Add the following lines to the .htaccess file and replace the xx placeholder with that IP address:
<Limit GET POST>
order allow,deny
deny from xx.xx.xx.x
allow from all
</Limit>
7. Disable scanners in WordPress
The attacker's favourite technique is the so-called brute force attack. Scanning begins with the attackers discovering the authors' sign-in names on the website. After that, they only need to run a dictionary or brute force attack against those users' passwords to gain access to your WordPress administration.
The easiest way to counter this is to block author scanning through the .htaccess file:
# BEGIN block author scans
RewriteEngine On
RewriteBase /
# Matches ?author=N style query strings (case-insensitive) and answers 403 Forbidden.
RewriteCond %{QUERY_STRING} (author=\d+) [NC]
RewriteRule .* - [F]
# END block author scans
8. Disable external application access to WordPress
Every WordPress installation contains the xmlrpc.php file. The file allows third-party services to access WordPress. If you do not use any of these services, security experts recommend that you block access to this file.
There are several ways to do so, but again we can do it by inserting the following lines of code into .htaccess:
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
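Before and after applying steps 7 and 8 it is useful to see how much of this traffic the site actually receives, so here is an added example (not code from the original article) that reads Apache access log lines and reports the client addresses running `?author=N` probes, using the same `author=\d+` pattern as the RewriteCond above, together with the addresses sending POST requests to xmlrpc.php. The log lines are constructed for the example, using documentation IP ranges; the line pattern assumes the host's LogFormat starts with the standard combined-log fields, and the probe threshold of three is an arbitrary choice.

```python
"""Count author-enumeration probes and xmlrpc.php POSTs per client IP in an Apache access log."""
import re
from collections import Counter

# Leading fields of the Apache combined log format (assumption about the host's LogFormat).
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Same pattern and case-insensitivity as: RewriteCond %{QUERY_STRING} (author=\d+) [NC]
AUTHOR_PROBE = re.compile(r"author=\d+", re.IGNORECASE)

# Constructed sample log, not real traffic. 203.0.113.7 walks author IDs,
# 198.51.100.4 sends a single probe, 192.0.2.9 posts to xmlrpc.php twice.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:08:01:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:01:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:08:01:03 +0000] "GET /?Author=3 HTTP/1.1" 404 1234 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:08:02:00 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:08:02:10 +0000] "GET /about/ HTTP/1.1" 200 5678 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2024:08:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
192.0.2.9 - - [10/Mar/2024:08:03:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"
garbage line that does not parse
"""


def parse_line(line):
    """Return a dict with ip, method, path, query and status, or None if the line does not parse."""
    match = LOG_LINE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    path, _sep, query = record["path"].partition("?")
    record["path"], record["query"] = path, query
    record["status"] = int(record["status"])
    return record


def is_author_probe(query):
    """True when the query string would trip the RewriteCond from step 7."""
    return AUTHOR_PROBE.search(query) is not None


def analyse(lines, probe_threshold=3):
    """Return the IPs with at least probe_threshold author probes and the xmlrpc.php POST counts."""
    author_probes = Counter()
    xmlrpc_posts = Counter()
    for line in lines:
        record = parse_line(line)
        if record is None:
            continue  # unparsable line: skipped, never trusted
        if is_author_probe(record["query"]):
            author_probes[record["ip"]] += 1
        if record["method"] == "POST" and record["path"].endswith("/xmlrpc.php"):
            xmlrpc_posts[record["ip"]] += 1
    return {
        "author_scanners": sorted(ip for ip, n in author_probes.items() if n >= probe_threshold),
        "author_probe_counts": dict(author_probes),
        "xmlrpc_posters": dict(xmlrpc_posts),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG.splitlines()).items():
        print(f"{key}: {value}")
```

With the rules from steps 7 and 8 in place, the probes show up as 403 responses in the same log, so re-running the script afterwards confirms the rules are firing; addresses that keep probing are candidates for the per-IP block in step 6.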
Our hint at the end: secure the .htaccess file itself from unauthorized access
As you could see above, .htaccess can affect many things. That's why it's good to secure this file against attackers. Use the following lines of code to do so:
# Denies HTTP access to every file whose extension starts with .hta (for example .htaccess and .htpasswd).
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all
</files>
Source: https://www.active24.es/en/how-to-website-creation/wordpress/secure-wordpress-htaccess