WordPress Security Tip: Lock Down File Access

WordPress is more than a regular website; it is a Content Management System. It ships with more than 1000 files out of the box, and once extra themes, plugins, and other uploads are installed there are a few thousand files under one roof. A default WordPress installation only sets up basic file and folder permissions, and there are certain files you do not want to expose to anyone. As one of the security tips, locking down public access to these special files is crucial.

To Block Access to a Single File

wp-config.php stores the WordPress configuration, including sensitive data such as the database username and password, which are stored in clear text. This is one file you wouldn't want anyone but yourself to see.

Locking down file access is done via .htaccess directives.

The snippet below uses the Files directive to control access to a single file.

<Files wp-config.php>
  Order allow,deny
  Deny from all
</Files>

As another example, let's block browser access to the .htaccess file itself.

<Files ~ "^\.htaccess">
  Order allow,deny
  Deny from all
</Files>


To Block Access to Multiple Files

Depending on which hosting company you choose, the default website structure differs slightly. You may find some very important system files in the root folder, for example:

  • php.ini
  • error.log

Locking down access to these files is critical. To block access to multiple files at once, we use FilesMatch.

<FilesMatch "(\.(ini|log|bak|config|dist|fla|inc|psd|sh|sql|swp)|~)$">
  Order allow,deny
  Deny from all
</FilesMatch>

* Some hosting companies choose a different file name for the system error log, for example error_log. In that case, you can use the Files directive with that exact file name.

In WordPress Security Tip: Delete ReadMe after Installation, we saw that ReadMe files also need restricted access. If you are sure that no .txt file on your website needs to be directly accessible, you can add the txt extension to the snippet above. Otherwise, use the following rule, which protects only the ReadMe files.

<FilesMatch "^(readme\.html|readme\.txt)">
  Order allow,deny
  Deny from all
</FilesMatch>

Compared with deleting the ReadMes, blocking access in .htaccess is the easier solution.
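The rules in this post use the Apache 2.2 Order/Deny syntax. On Apache 2.4 those directives only work when mod_access_compat is loaded; without it the server rejects the .htaccess and every request under that directory answers with a 500 error. The following .htaccess is an added example, not from the original post, that applies the same lockdown on both versions by testing for mod_authz_core (the 2.4 module that provides Require); the file list is assumed from the snippets above.

```apache
# Added example, not from the original post: one .htaccess that locks down the
# files discussed above on both Apache 2.2 and Apache 2.4.
# Apache 2.4 replaced "Order allow,deny / Deny from all" with "Require all
# denied". On a 2.4 server without mod_access_compat the old directives are
# invalid and the whole site returns 500, so both forms are guarded here.

# Named files: wp-config.php, .htaccess, the ReadMes and a host-specific
# error_log (assumed names, taken from the examples above).
<FilesMatch "^(wp-config\.php|\.htaccess|readme\.html|readme\.txt|error_log)$">
  <IfModule mod_authz_core.c>
    # Apache 2.4
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    # Apache 2.2
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>

# Extension-based rule from the post (logs, configs, backups, editor swap
# files and "~" backups), with the same dual syntax.
<FilesMatch "(\.(ini|log|bak|config|dist|fla|inc|psd|sh|sql|swp)|~)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</FilesMatch>
```

After deploying, request each protected path in a browser and confirm it returns 403 Forbidden rather than the file contents; a 500 on every page means the server did not accept the syntax.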