Securing Your Website

Securing your website against attacks is important, with injection attacks on the rise and criminals (I don’t want to use the term hackers – this refers to a skillful and enthusiastic programmer or user and not a criminal as it is commonly used) attempting to access your website for their own purpose.

Over the next few days, I am going to look at ways to secure your website against most attacks.

One of the ways to protect your website is to write some code in the websites’ .htaccess file (every website will have one). Unfortunately, the .htaccess file is also one of the main ways criminals gain access to your website.

So, it makes sense to protect the .htaccess file first.

To protect the .htaccess file requires you adding a short piece of code to the file:

<Files ~ "^.*.([Hh][Tt][Aa])">
order allow,deny
deny from all
satisfy all

Add this to the .htaccess file in the root of your website (i.e. not in any folder) – if you cannot see a .htaccess file it may be hidden by your host – you may need to approach them to allow you to alter it.

In most cases you will be able to edit the .htaccess file (even if you have to create on – use a simple text editor such as Notepad in Windows and make sure that the file is saved as .htaccess – do not allow the editor to add any extensions (such as .txt) by selecting all files in the save as box of the save dialogue.

This code works by denying the ability to files with the combinations of Hh Tt Aa in their name – unless you have used this combination as the start of file names it will only work to deny outside use of the .htaccess file – by using upper and lower case you are covering all bases.

I am now going to concentrate on WordPress sites. WordPress has grown to be the most popular “off-the-shelf” CMS by far.

An obvious way to secure your WordPress website would be to only allow Admin access from a certain IP address. This is an excellent way to ensure that only you have access to your website.

Some considerations before you do this though. If your ISP has given you a dynamic IP address (and most do), then you would need to alter the allowed IP address every time that your IP address changes – this will happen every time you reboot your rooter. There are two possible answers to this; ask your ISP for a static IP address (they will charge you for this) or use a service such as DynamicDNS – this is a free service that gives you a static IP address and will respond to all the changes in IP addresses that your router will go through; maintaining your static IP address automatically.

OK to ensure that the WordPress Admin panel can only be accessed via your computer (or computers at your address) add the following to your .HTACCESS file. (See our earlier guide about the .HTACCESS file).

order deny, allow

allow from (replace with your IP address)

deny from all

That is it, job done!