Today I found several open WordPress directories that were accessible via the browser and open to cross-site scripting attacks.
None of the core WP directories in question were protected by a .htaccess file: I tested ten sites and found eight (!) with open WP directories.
So before blaming your CMS, rewrite your .htaccess file, make it secure, set its permissions with chmod, and then test it (the important part).
The tested sites were all designer sites with a portfolio, a blog and so on; strange, as it implies that design is a priority but security apparently is not.
- Login LockDown
A WordPress Enhanced Login Security Plugin
Tip 1: Place an empty ‘index.html’ file in the plugins folder
Open Notepad, click ‘Save as’ and save the file as index.html (be sure to change the file type from “Text files” to “All files”).
Upload the file to the WordPress plugins folder on your web server.
Tip 2: Upload a copy of the .htaccess file to the wp-admin folder
Using an FTP program or your web server's file manager, go to the root folder of your server and download the .htaccess file (enable ‘show hidden files’ first if you are using an FTP program such as FileZilla).
Go to your wp-admin folder.
Upload the .htaccess file you have just downloaded.
You can also stop search engines (and users pretending to be search engines) from crawling the core WordPress folders by putting the following in your robots.txt file (upload the file to the root of your WordPress installation folder when you have finished).
# This rule means it applies to all user-agents
# Disallow all directories and files within
Password protect the wp-admin directory:
Create a file within your wp-admin directory named “.htaccess” if there isn’t already one.
Create a file ABOVE YOUR PUBLIC_HTML directory named “.htpasswd”. Make sure you put this outside the web-accessible directory, or someone could read your password! Usually this is the directory you land in when you first log in with your FTP program.
Append the following contents to the “.htpasswd” file, where xxxx = your username and yyyy = your password:
Append the following to the “.htaccess” file inside your wp-admin directory. Make sure you use the absolute path to the “.htaccess” file. If you don’t know it, ask your ISP. xxxx = the username that you entered in your “.htpasswd” file:
require user xxxx
Restrict access to the wp-content and wp-includes directories:
Create a file within your wp-content and wp-includes directories named “.htaccess” if there isn’t already one.
Append the following to each “.htaccess” file. NOTE: some plugins may have trouble with this method:
Deny from all
<Files ~ "\.(css|jpe?g|png|gif|js)$">
Allow from all
</Files>
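The post's own advice is to test the result, so here is an added example of doing that offline; it is not code from the post or from WordPress. The script builds a constructed sample layout (base/public_html as the web root, with .htpasswd one level above it, as the post requires) and audits it for every measure described above: the empty index.html in the plugins folder, the Basic-auth gate in wp-admin/.htaccess whose AuthUserFile (the directive that takes the absolute path to the .htpasswd file) resolves outside the web root and names a user that actually has a .htpasswd entry, a deny-all rule with a balanced <Files> exception in wp-content and wp-includes, the robots.txt record, and the permissions of .htaccess and .htpasswd. The directive names (AuthType, AuthName, AuthUserFile, Order) are standard Apache; the file layout, the user xxxx and the HASH_PLACEHOLDER entry are assumptions, and a real .htpasswd line would be generated with htpasswd(1). The deny check accepts both the Apache 2.2 "Deny from all" used on this page and the Apache 2.4 "Require all denied".

```python
import os
import re
import stat
import tempfile
from pathlib import Path

FLAGS = re.I | re.M
# Full deny in Apache 2.2 syntax (as in the post) or its Apache 2.4 equivalent.
DENY_RE = re.compile(r"^\s*(Deny\s+from\s+all|Require\s+all\s+denied)\s*$", FLAGS)
# Constructed wp-content / wp-includes rule set: deny everything, re-allow static assets.
CONTENT_HTACCESS = ('Order deny,allow\nDeny from all\n'
                    '<Files ~ "\\.(css|jpe?g|png|gif|js)$">\n    Allow from all\n</Files>\n')


def _read(path: Path) -> str:
    return path.read_text() if path.is_file() else ""


def check_wp_admin(docroot: Path) -> list[str]:
    """Basic-auth gate on wp-admin and the .htpasswd file it points to."""
    findings = []
    ht = _read(docroot / "wp-admin" / ".htaccess")
    if not re.search(r"^\s*AuthType\s+Basic", ht, FLAGS):
        findings.append("wp-admin/.htaccess: no 'AuthType Basic' directive")
    user = re.search(r"^\s*Require\s+user\s+(\S+)", ht, FLAGS)
    if not user:
        findings.append("wp-admin/.htaccess: no 'Require user' directive")
    pwfile = re.search(r"^\s*AuthUserFile\s+(\S+)", ht, FLAGS)
    if not pwfile:
        return findings + ["wp-admin/.htaccess: no AuthUserFile directive"]
    pw = Path(pwfile.group(1))
    if not pw.is_absolute() or not pw.is_file():
        return findings + [f"AuthUserFile {pw} must be an absolute path to an existing file"]
    if pw.resolve().is_relative_to(docroot.resolve()):  # the post's key point: keep it above public_html
        findings.append(".htpasswd is inside the web root and may be downloadable")
    if pw.stat().st_mode & stat.S_IROTH:
        findings.append(".htpasswd is world-readable")
    users = {line.split(":", 1)[0] for line in _read(pw).splitlines() if ":" in line}
    if user and user.group(1) not in users:
        findings.append(f"Require user '{user.group(1)}' has no .htpasswd entry")
    return findings


def check_content_dirs(docroot: Path) -> list[str]:
    """Deny-all rules in wp-content/wp-includes and the empty index.html in plugins."""
    findings = []
    for sub in ("wp-content", "wp-includes"):
        ht = _read(docroot / sub / ".htaccess")
        if not DENY_RE.search(ht):
            findings.append(f"{sub}/.htaccess: missing a deny-all rule")
        if len(re.findall(r"^\s*<Files\b", ht, FLAGS)) != len(re.findall(r"^\s*</Files>", ht, FLAGS)):
            findings.append(f"{sub}/.htaccess: unbalanced <Files> block")
    if not (docroot / "wp-content" / "plugins" / "index.html").is_file():
        findings.append("wp-content/plugins/index.html missing (directory listing possible)")
    return findings


def check_robots_and_perms(docroot: Path) -> list[str]:
    findings = []
    robots = _read(docroot / "robots.txt")
    if not re.search(r"^User-agent:\s*\*", robots, FLAGS):
        findings.append("robots.txt: no 'User-agent: *' record")
    if not re.search(r"^Disallow:\s*/wp-admin/", robots, FLAGS):
        findings.append("robots.txt: /wp-admin/ not disallowed")
    for ht in docroot.rglob(".htaccess"):  # the post's "chmod it" step
        if ht.stat().st_mode & stat.S_IWOTH:
            findings.append(f"{ht.relative_to(docroot)} is world-writable")
    return findings


def audit(docroot: Path) -> list[str]:
    return check_wp_admin(docroot) + check_content_dirs(docroot) + check_robots_and_perms(docroot)


def build_sample_site(base: Path, hardened: bool = True) -> Path:
    """Constructed layout: base/public_html is the web root and base/.htpasswd sits above it.
    hardened=False reproduces the kind of gaps seen on the tested sites."""
    docroot = base / "public_html"
    for d in ("wp-admin", "wp-includes", "wp-content/plugins"):
        (docroot / d).mkdir(parents=True, exist_ok=True)
    htpasswd = base / ".htpasswd"
    htpasswd.write_text("xxxx:HASH_PLACEHOLDER\n")  # a real entry is generated with htpasswd(1)
    (docroot / "wp-admin" / ".htaccess").write_text(
        f'AuthType Basic\nAuthName "Restricted Area"\nAuthUserFile {htpasswd}\nrequire user xxxx\n')
    for sub in ("wp-content", "wp-includes"):
        (docroot / sub / ".htaccess").write_text(CONTENT_HTACCESS)
    (docroot / "robots.txt").write_text("User-agent: *\nDisallow: /wp-admin/\nDisallow: /wp-includes/\n")
    for ht in docroot.rglob(".htaccess"):
        os.chmod(ht, 0o644)
    if hardened:
        (docroot / "wp-content" / "plugins" / "index.html").write_text("")
        os.chmod(htpasswd, 0o600)
    else:  # no listing shield, readable .htpasswd, a truncated wp-content rule set
        os.chmod(htpasswd, 0o644)
        (docroot / "wp-content" / ".htaccess").write_text('<Files ~ "\\.(css|js)$">\nAllow from all\n')
    return docroot


def run_demo() -> dict[str, list[str]]:
    """Audits one hardened and one weak constructed site; returns the findings per label."""
    results = {}
    for label, hardened in (("hardened", True), ("weak", False)):
        with tempfile.TemporaryDirectory() as tmp:
            results[label] = audit(build_sample_site(Path(tmp), hardened))
    return results


if __name__ == "__main__": print(run_demo())
```

Running it reports an empty finding list for the hardened layout and four findings for the weak one (readable .htpasswd, no deny-all rule and an unclosed <Files> block in wp-content, and no index.html in plugins). To check a real install, call audit() with the path of the web root; it only inspects files on disk and makes no HTTP requests, so a final request to /wp-admin/ from a browser is still needed to confirm the server actually honours the .htaccess files.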
Important Note: Please ensure that your WordPress files and database are backed up before attempting any of these changes.