[Image: wordpress-hacked. Image by Vivek]

As WordPress gets more popular day by day, the probability of a WordPress blog being hacked is becoming quite high. Though it is impossible to eliminate every security hole, you can protect yourself from some of the attacks hackers commonly use.

If you are running WordPress on an Apache web server, you can add some rules to the .htaccess file to protect your blog from these risks.

.htaccess is a hidden file that sets directory-level server configuration.

First take a backup of your .htaccess file, then add the following at the end of it.

# 5G BLACKLIST/FIREWALL (2013)
# @ http://perishablepress.com/5g-blacklist-2013/

# 5G:[QUERY STRINGS]
# Answer 403 when the raw query string contains common injection,
# traversal or script-tag patterns; the conditions are chained with [OR].
<IfModule mod_rewrite.c>
	RewriteEngine On
	RewriteBase /
	RewriteCond %{QUERY_STRING} (javascript:).*(\;) [NC,OR]
	RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3) [NC,OR]
	RewriteCond %{QUERY_STRING} (\\|\.\./|`|=\'$|=%27$) [NC,OR]
	RewriteCond %{QUERY_STRING} (\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|if) [NC,OR]
	RewriteCond %{QUERY_STRING} (base64_encode|localhost|mosconfig) [NC,OR]
	RewriteCond %{QUERY_STRING} (boot\.ini|echo.*kae|etc/passwd) [NC,OR]
	RewriteCond %{QUERY_STRING} (GLOBALS|REQUEST)(=|\[|%) [NC]
	RewriteRule .* - [F]
</IfModule>

# 5G:[USER AGENTS]
# Tag requests from known bad user agents with keep_out and deny them.
<IfModule mod_setenvif.c>
	# SetEnvIfNoCase User-Agent ^$ keep_out
	SetEnvIfNoCase User-Agent (binlar|casper|cmsworldmap|comodo|diavol|dotbot|feedfinder|flicky|ia_archiver|jakarta|kmccrew|nutch|planetwork|purebot|pycurl|skygrid|sucker|turnit|vikspider|zmeu) keep_out
	<Limit GET POST PUT>
		# Order/Allow/Deny is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it.
		Order Allow,Deny
		Allow from all
		Deny from env=keep_out
	</Limit>
</IfModule>

# 5G:[REQUEST STRINGS]
# Answer 403 for request URIs that carry known exploit probes or script file types.
<IfModule mod_alias.c>
	RedirectMatch 403 (https?|ftp|php)\://
	RedirectMatch 403 /(https?|ima|ucp)/
	RedirectMatch 403 /(Permanent|Better)$
	RedirectMatch 403 (\=\\\'|\=\\%27|/\\\'/?|\)\.css\()$
	RedirectMatch 403 (\,|\)\+|/\,/|\{0\}|\(/\(|\.\.\.|\+\+\+|\||\\\"\\\")
	RedirectMatch 403 \.(cgi|asp|aspx|cfg|dll|exe|jsp|mdb|sql|ini|rar)$
	RedirectMatch 403 /(contac|fpw|install|pingserver|register)\.php$
	RedirectMatch 403 (base64|crossdomain|localhost|wwwroot|e107\_)
	RedirectMatch 403 (eval\(|\_vti\_|\(null\)|echo.*kae|config\.xml)
	RedirectMatch 403 \.well\-known/host\-meta
	RedirectMatch 403 /function\.array\-rand
	RedirectMatch 403 \)\;\$\(this\)\.html\(
	RedirectMatch 403 proc/self/environ
	RedirectMatch 403 msnbot\.htm\)\.\_
	RedirectMatch 403 /ref\.outcontrol
	RedirectMatch 403 com\_cropimage
	RedirectMatch 403 indonesia\.htm
	RedirectMatch 403 \{\$itemURL\}
	RedirectMatch 403 function\(\)
	RedirectMatch 403 labels\.rdf
	RedirectMatch 403 /playing.php
	RedirectMatch 403 muieblackcat
</IfModule>

# 5G:[REQUEST METHOD]
# Reject the TRACE and TRACK methods outright.
<IfModule mod_rewrite.c>
	RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
	RewriteRule .* - [F]
</IfModule>

# 5G:[BAD IPS]
<Limit GET POST PUT>
	Order Allow,Deny
	Allow from all
	# uncomment/edit/repeat next line to block IPs
	# Deny from 123.456.789
</Limit>

Source: 5G Blacklist 2013 by Jeff Starr

Use this code at your own risk; I strongly recommend that you keep a backup of your .htaccess file before adding the code.

As I said earlier, add the code at the end of the file, but on some blogs it may not work there; in that case try adding it at the beginning or, more precisely, place it before the WordPress permalink rules.

How It Works?

The above code blocks malicious requests based on the request method, referrer, cookies, request URI, query string, user agent and IP address.

If you don't understand it, no problem; just know that it enhances your website's security.
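To see concretely which requests the query-string and request-method rules above reject, here is an added Python harness (example code, not part of the original post or of the 5G Blacklist itself) that transcribes those RewriteCond patterns and runs constructed sample requests through them; the function names and samples are my own. It also shows the check worth doing before deploying: because the conditions are unanchored searches, the `or|if` alternatives in the SQL-keyword rule also match inside ordinary words such as "for" whenever the query string contains a quote.

```python
import re
from urllib.parse import urlsplit

# The 5G:[QUERY STRINGS] conditions above, transcribed into Python regexes.
# Apache tests each RewriteCond with [NC] (case-insensitive) against the raw,
# still URL-encoded %{QUERY_STRING}, and [OR] chains them: one match is enough.
QUERY_STRING_PATTERNS = [
    r"(javascript:).*(\;)",
    r"(<|%3C).*script.*(>|%3)",
    r"(\\|\.\./|`|=\'$|=%27$)",
    r"(\;|\'|\"|%22).*(union|select|insert|drop|update|md5|benchmark|or|if)",
    r"(base64_encode|localhost|mosconfig)",
    r"(boot\.ini|echo.*kae|etc/passwd)",
    r"(GLOBALS|REQUEST)(=|\[|%)",
]
_COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_STRING_PATTERNS]

# The 5G:[REQUEST METHOD] condition: methods beginning with TRACE or TRACK.
_METHOD_RE = re.compile(r"^(TRACE|TRACK)")


def matching_query_rule(url):
    """Return the first query-string pattern the URL trips, or None.
    RewriteCond is an unanchored search (like re.search), so 'or' in 'for' counts."""
    query = urlsplit(url).query
    for regex in _COMPILED:
        if regex.search(query):
            return regex.pattern
    return None


def is_blocked(method, url):
    """True if the query-string or method rules above would answer 403."""
    return bool(_METHOD_RE.match(method)) or matching_query_rule(url) is not None


if __name__ == "__main__":
    # Constructed sample requests, not real traffic.
    samples = [
        ("GET", "/?p=123"),                    # normal permalink: allowed
        ("GET", "/?file=../../etc/passwd"),    # traversal: blocked
        ("GET", "/?id=1'+union+select+1"),     # quote + SQL keyword: blocked
        ("TRACE", "/"),                        # method: blocked
        ("GET", "/?q=it's+for+sale"),          # quote + 'or' inside 'for': blocked too
    ]
    for method, url in samples:
        verdict = "403" if is_blocked(method, url) else "allowed"
        print(f"{method:5} {url:32} -> {verdict}  rule={matching_query_rule(url)}")
```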

Any Effect on SEO?

Nope… the code doesn't block legitimate requests from white-hat bots such as Google's bots, but it blocks any malicious request regardless of who makes it.

I will update the above code as soon as I find enhancements.

Comments

  1. Kabenlah Cudjoe says

    Hi Vivek,
    This is a great post but with me, I’m not good with codes so I’ve a special way of backing up my website without necessarily dealing with codes.
