Hardening WordPress Security

this tutorial will guide you how to increase your wordpress security by using a referral script and htaccess file combination,

The word security is derived from the Ancient Greek “Se-Cura” and literally translates to “without fear”. ‘Security’ is therefore the state of being secure, or the actions employed to achieve that state, i.e. to be secure is to be without fear of harm.

A form of protection where a separation is created between the assets and the threat. This includes but is not limited to the elimination of either the asset or the threat. In order to be secure, either the asset is physically removed from the threat or the threat is physically removed from the asset

first you need to go to your wp-login.php add this code on your wp-login.php file

require( dirname(__FILE__) . '/wp-auth.php' );

then create file named wp-auth.php then paste this code

<?php

/**
* @author xMoDx
* @copyright 2009
*/

$referrer = $_SERVER['HTTP_REFERER'];

$error_page = "YOUR ERROR MESSAGE HERE - NOT AUTHORIZED";

if (strlen($referrer)==0) {  //  MEANING NO REFFERER OR MAYBE ITS A DIRECT ACCESS, LIKE TYPE THE ADDRESS DIRECTLY AT ADMIN

print $error_page;
exit;
} else {
//REMOVE HTTTP
$diff[0] = '^(http://)?';
$diff[1] = '^(https://)?';

$referrer = eregi_replace($diff[0],'',$referrer);
$referrer = eregi_replace($diff[1],'',$referrer);
//GET ONLY THE HOST NAME..LIKE IGNORE THE REST AFTER THE FISRT SLASH, LIKE .COM/BLOG/ETC

$referrer_array = explode("/", $referrer);
$referrer = $referrer_array[0];
//REMOVE WWW

$referrer = eregi_replace('^(www.)?','',$referrer);

if ($referrer == "domain.tld.where.your.referral.is.hosted" || $_SERVER['SERVER_ADDR'] == 'YOURSERVERIP') {  //COMPARE THE FILTERED REFERRING AGAINST DOMAIN ETC

} else {
print $error_page;  exit;
}

}

?>


now we need to create your referral page:

and put make a link to your wp-login

<a href="http://domain.tld/wp-admin/" target="_blank">WP-LOGIN</a>

then we need to create htaccess for your referral domain

code:

order deny,allow
deny from all
allow from ALLOWED.IP.HERE

now its done, you have a combo protection using referral code and htaccess, first think no one can view your referral script except if he is using your IP address…… next no one can log in to your wordpress if he accessed it directly without using referral page “which is protected by htaccess”

Credits:
Code

Leave a Reply

Your email address will not be published. Required fields are marked *