Sunday, September 30, 2012

Hardening Wordpress: An Explanation

Wordpress recommends hardening security by deploying the code below in your .htaccess file:
# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

# BEGIN WordPress
These are good rules, and I include them in my .htaccess, but I noticed there was no explanation offered for their effects, which complicates combining these rules with other rules. I prefer to understand what is going on, so I performed some research that I will now share with others.

Let us examine the code line-by-line until everything unique is explained. In the first place, any line beginning with # is a comment or remark statement, to us old-school programmers that cut our teeth on BASIC. A remark statement is intended for human comprehension in order to assist our feeble brains and is ignored by the Apache server.

RewriteEngine On tells Apache, "Hey, start the engine, we have some rules on the way." Apache allocates resources in order to handle the rules.

RewriteBase / tells Apache that every evaluation that follows is relative to the site root (/), in order to avoid having to specify the base URL on each and every condition and rule that follows.

RewriteRule ^wp-admin/includes/ - [F,L] matches any request for anything beginning with (denoted by ^) wp-admin/includes/, and the reaction is [F,L], which means "Forbidden, and [L] skip all remaining rules." Forbidden means the user gets the 403 page instead of the requested resource on this one instance.

RewriteRule !^wp-includes/ - [S=3] is a special command in two ways. First, it uses NOT logic, denoted by the ! symbol. It instructs Apache that if the user's request does not begin with (^) "wp-includes/" then [S=3], which means skip the next three rules. S is like a GOTO statement providing a primitive form of IF...THEN logic, such as I have to use in my batch files. The reason this line is included is for speed of execution. If "wp-includes/" is not present in the request, then clearly the three rules that follow will not apply and by avoiding them, time is saved.

The other lines should be self-explanatory. The main area that I did not understand this morning was [S=3], and I did a bit of digging to unearth that information. The [S] command is not often seen and certainly optional in the above code, but such concern over efficiency is the mark of a good programmer.
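To see how [S=3] and [F,L] interact, here is an added Python model of the five rules quoted above (example code, not WordPress's own and not from the original post). It assumes the per-directory matching mod_rewrite applies in a .htaccess file, where the string tested against each pattern is the request path relative to RewriteBase with no leading slash.

```python
import re

# The five RewriteRules from the WordPress snippet, in order.
# Each entry: (negate, pattern, flags). The "-" substitution in the
# original means "no rewrite, just apply the flags", so it is not modelled.
RULES = [
    (False, r"^wp-admin/includes/", {"F": True, "L": True}),
    (True,  r"^wp-includes/", {"S": 3}),            # "!" = NOT logic
    (False, r"^wp-includes/[^/]+\.php$", {"F": True, "L": True}),
    (False, r"^wp-includes/js/tinymce/langs/.+\.php", {"F": True, "L": True}),
    (False, r"^wp-includes/theme-compat/", {"F": True, "L": True}),
]


def evaluate(request_path):
    """Walk the rules the way mod_rewrite does in a per-directory context.

    Returns (status, rules_evaluated): status is 403 when a rule carrying
    [F] fires, 200 when the request falls through every rule untouched.
    rules_evaluated shows how many rules Apache actually had to test,
    which is where the [S=3] shortcut saves work.
    """
    path = request_path.lstrip("/")      # .htaccess strips the leading slash
    i = 0
    evaluated = 0
    while i < len(RULES):
        negate, pattern, flags = RULES[i]
        evaluated += 1
        matched = bool(re.search(pattern, path))
        if negate:
            matched = not matched
        i += 1
        if not matched:
            continue                     # rule did not apply; next rule
        if flags.get("F"):
            return 403, evaluated        # [F,L]: 403 and stop processing
        if "S" in flags:
            i += flags["S"]              # [S=n]: jump over the next n rules
    return 200, evaluated


if __name__ == "__main__":
    for p in ["/index.php", "/wp-admin/includes/file.php",
              "/wp-includes/functions.php", "/wp-includes/js/jquery/jquery.js",
              "/wp-includes/js/tinymce/langs/en.php",
              "/wp-includes/theme-compat/header.php"]:
        print(p, evaluate(p))
```

Note that a request such as /index.php is decided after only two rules because the NOT rule skips the three wp-includes checks, whereas /wp-includes/js/jquery/jquery.js has to pass all five before being served.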

I wonder whether I can replace the RewriteRules with RewriteConds for improved efficiency, but the [S=3] line makes me doubt whether the Condition statements would be more efficient after all.


techlorebyigor is my personal journal for ideas & opinions