Securing my WordPress Files and Directories

I am new to WordPress and securely hosting it on Amazon EC2. My question is, how do I secure my WordPress files and directories properly?

My file permissions are set to 644 and my directories are set to 755.

[ec2-user@ip-xx-xxx-xxx-xx my_sub_directory]$ ls -l
total 160
-rw-r--r-- 1 ftpuser 65534   395 Jan  8  2012 index.php
-rw-r--r-- 1 ftpuser 65534 19929 May  6  2012 license.txt
-rw-r--r-- 1 ftpuser 65534  9177 Jun 21 17:26 readme.html
-rw-r--r-- 1 ftpuser 65534  4663 Nov 17  2012 wp-activate.php
drwxr-xr-x 9 ftpuser 65534  4096 Jul 23 23:12 wp-admin
-rw-r--r-- 1 ftpuser 65534   271 Jan  8  2012 wp-blog-header.php
-rw-r--r-- 1 ftpuser 65534  3522 Apr 10  2012 wp-comments-post.php
-rw-r--r-- 1 ftpuser root   3596 Jul 23 20:27 wp-config.php
drwxr-xr-x 5 ftpuser 65534  4096 Jul 23 17:44 wp-content
-rw-r--r-- 1 ftpuser 65534  2718 Sep 23  2012 wp-cron.php
drwxr-xr-x 9 ftpuser 65534  4096 Jun 21 19:39 wp-includes
-rw-r--r-- 1 ftpuser 65534  1997 Oct 23  2010 wp-links-opml.php
-rw-r--r-- 1 ftpuser 65534  2408 Oct 26  2012 wp-load.php
-rw-r--r-- 1 ftpuser 65534 29217 Jun 21 03:02 wp-login.php
-rw-r--r-- 1 ftpuser 65534  7723 Sep 25  2012 wp-mail.php
-rw-r--r-- 1 ftpuser 65534  9899 Nov 22  2012 wp-settings.php
-rw-r--r-- 1 ftpuser 65534 18219 Sep 11  2012 wp-signup.php
-rw-r--r-- 1 ftpuser 65534  3700 Jan  8  2012 wp-trackback.php
-rw-r--r-- 1 ftpuser 65534  2719 Sep 11  2012 xmlrpc.php

And my .htaccess file attempts to further protect the wp-config.php file:

# PROTECT WP-CONFIG
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>

When I try to access my wp-config.php file from the browser like this:

http://ec2-xx-xx-xxx-xx.compute-1.amazonaws.com/my_sub_directory/wp-config.php

I get this error:

Forbidden

You don’t have permission to access /my_sub_directory/wp-config.php on
this server.

But when I access another file in my directory, for example, wp-cron.php like this:

http://ec2-xx-xx-xxx-xx.compute-1.amazonaws.com/my_sub_directory/wp-cron.php

I get a blank white page. I'm thinking this can't be secure.

So my question is, how do I properly secure the following files?

[ec2-user@ip-xx-xxx-xxx-xx my_sub_directory]$ ls -a
.            wp-activate.php       wp-cron.php        wp-settings.php
..           wp-admin              wp-includes        wp-signup.php
.htaccess    wp-blog-header.php    wp-links-opml.php  wp-trackback.php
index.php    wp-comments-post.php  wp-load.php        xmlrpc.php
license.txt  wp-config.php         wp-login.php
readme.html  wp-content            wp-mail.php

1 comment

  1. Why would you want to protect them all? Not all of them need protecting, in my humble opinion.

    In any event, these are good to have in your .htaccess file:

    1: restrict access to wp-config.php

    <Files wp-config.php>
        order allow,deny
        deny from all
    </Files>


    2: restrict access to .htaccess itself

    <Files .htaccess>
       order allow,deny
       deny from all
    </Files>
    

    3: put password protection on your wp-login.php

    <FilesMatch "wp-login.php">
        AuthType Basic
        AuthName "Who are you?"
        AuthUserFile "/path/to/passwd"
        require valid-user
    </FilesMatch>
    
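The question shows a 644/755 tree where wp-config.php (database credentials and salts) is still world-readable, and the comment lists the .htaccess blocks that stop Apache from serving wp-config.php and .htaccess directly. The script below is an added example, not code from the question, the comment or WordPress itself: it audits a WordPress directory for both points at once, reporting group/world-writable entries, "other" read permission on wp-config.php, and missing <Files> deny blocks. The install path in the usage line is an assumption; the script accepts both the Apache 2.2 `Deny from all` spelling used in the comment and the Apache 2.4 `Require all denied` form.

```shell
#!/bin/sh
# Added example (not from the original post or comment): audit a WordPress
# tree against the scheme discussed above -- files 644, directories 755,
# wp-config.php not readable by "other", and an .htaccess that blocks direct
# access to wp-config.php and to itself.
# Prints one finding per line; exit status 0 means clean, 1 means findings.
#
# Usage: wp_audit /var/www/html/my_sub_directory   (path is an assumption)

wp_audit() {
    dir=$1
    out=$(mktemp)

    # 1. Group- or world-writable files and directories. A 644/755 scheme
    #    never sets these bits; if they are set, any local account (or a
    #    compromised PHP process) can alter the code Apache executes.
    find "$dir" \( -perm -g+w -o -perm -o+w \) -print |
        sed 's/^/writable by group or other: /' >>"$out"

    # 2. wp-config.php holds the DB password and salts. With 644 every local
    #    user can read it, so flag the "other" read bit (640 or 600 is the aim).
    cfg="$dir/wp-config.php"
    if [ -f "$cfg" ]; then
        find "$cfg" -maxdepth 0 -perm -o+r -print |
            sed 's/^/readable by other: /' >>"$out"
    else
        echo "missing: $cfg" >>"$out"
    fi

    # 3. The .htaccess rules from the comment. Apache 2.2 spells the block
    #    "Deny from all"; Apache 2.4 spells it "Require all denied"; accept either.
    ht="$dir/.htaccess"
    if [ -f "$ht" ]; then
        grep -iqE '<Files "?wp-config\.php"?>' "$ht" ||
            echo "no <Files wp-config.php> block in $ht" >>"$out"
        grep -iqE '<Files "?\.htaccess"?>' "$ht" ||
            echo "no <Files .htaccess> block in $ht" >>"$out"
        grep -iqE 'deny from all|require all denied' "$ht" ||
            echo "no deny rule in $ht" >>"$out"
    else
        echo "missing: $ht" >>"$out"
    fi

    cat "$out"
    n=$(wc -l <"$out" | tr -d ' ')
    rm -f "$out"
    [ "$n" -eq 0 ]
}
```

Run against the directory from the listing in the question, this reports wp-config.php as readable by other (mode 644, group root) and the absence of a <Files .htaccess> block; after `chmod 640 wp-config.php` and adding the comment's second rule it returns 0. The blank page from wp-cron.php is expected behaviour rather than a leak: the script runs and outputs nothing, which is why the comment does not list it among the files that need a deny rule.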
