WordPress / Website Hardening 2.0

How do hackers find out which security hole(s) they can exploit on your website?

Simple: They first try to find out the installed version of your software or of the installed plugins. If a version is outdated, there is a good chance that a security hole which has already been fixed in a later release can still be exploited on your site.

This does not even require particularly great “hacker knowledge”. Fortunately, there is a simple method to prevent this. All you have to do is add the following lines to your .htaccess file:

# Requires mod_rewrite; if your .htaccess already contains "RewriteEngine On" (WordPress adds it), place the two rules directly below that line and outside the "# BEGIN WordPress" block, which WordPress overwrites
RewriteEngine On
RewriteRule (?:readme|license|changelog|changelogs|contributing|-config|-sample)\.(?:php|md|txt|html|md5?) - [R=404,NC,L]
RewriteRule (?:debug|debugger)\.(?:log|logs?) - [R=404,NC,L]

Why the error code 404 (not found) is used rather than 403 (access denied) is also easy to explain. A 403 confirms that the path, and therefore at least the plugin's directory, exists, so an attacker would still learn that plugin xy is installed. With a 404 an attacker has to do one more scan to find that out.

For some of you the above code may not work or show no effect, especially for *.txt files. This usually happens when nginx sits in front of Apache as a reverse proxy or cache and serves static files such as .txt directly, so the request never reaches the .htaccess rules. In that case remove “txt” from the extension list in the nginx location block that caches and serves static files, so that requests for .txt files are passed through to Apache.
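As an added check that is not part of the original article, the following Python script emulates the two RewriteRule patterns above: it applies the same patterns, with the NC flag mapped to case-insensitive matching, to a constructed list of request paths and reports which ones the rules turn into a 404 and which fall through to normal handling. Apache's mod_rewrite uses PCRE-style syntax that these patterns share with Python's re module. The sample paths are constructed, not taken from any real site; the point is to see the coverage of the rules before touching the live .htaccess, for example that the unanchored patterns also catch a stray readme.txt.bak, while an extension-less README or a readme.rst is not caught.

```python
import re

# The two RewriteRule patterns from the article's .htaccess snippet, with their flags.
# Apache's mod_rewrite uses PCRE; these patterns are equally valid for Python's re module.
RULES = [
    (r"(?:readme|license|changelog|changelogs|contributing|-config|-sample)\.(?:php|md|txt|html|md5?)", "NC"),
    (r"(?:debug|debugger)\.(?:log|logs?)", "NC"),
]


def compile_rules(rules=RULES):
    """Compile each pattern; the NC flag maps to case-insensitive matching."""
    return [re.compile(pattern, re.IGNORECASE if "NC" in flags else 0)
            for pattern, flags in rules]


def rewrite_status(request_path, compiled=None):
    """Return 404 if one of the rules matches the request path, else None.

    None means the request falls through to normal handling (the file is served
    or the script executes). Two mod_rewrite properties are mirrored: the pattern
    is matched against the URL path only, never the query string, and in a
    per-directory (.htaccess) context the directory prefix is stripped before
    matching. Because the article's patterns are unanchored, the prefix does not
    change the outcome, but it is stripped here for fidelity.
    """
    compiled = compiled or compile_rules()
    path = request_path.split("?", 1)[0].lstrip("/")
    for rx in compiled:
        if rx.search(path):
            return 404
    return None


def audit(request_paths, compiled=None):
    """Map each request path to 404 (blocked) or None (not covered by the rules)."""
    compiled = compiled or compile_rules()
    return {p: rewrite_status(p, compiled) for p in request_paths}


# Constructed sample requests: typical version-disclosure probes plus a few that
# the rules deliberately or accidentally do not cover. Plugin names are illustrative.
SAMPLE_REQUESTS = [
    "/readme.html",                                    # core version file
    "/license.txt",
    "/wp-config-sample.php",
    "/wp-content/plugins/contact-form-7/readme.txt",   # plugin readme with version info
    "/wp-content/plugins/akismet/CHANGELOG.md",        # mixed case, covered via NC
    "/wp-content/plugins/foo/readme.txt?ver=1.2",      # query string is ignored
    "/wp-content/plugins/foo/readme.txt.bak",          # unanchored pattern also hits backups
    "/wp-content/debug.log",
    "/wp-content/plugins/foo/README",                  # no extension: NOT covered
    "/wp-content/plugins/foo/readme.rst",              # extension not listed: NOT covered
    "/wp-includes/version.php",                        # executes as PHP anyway: NOT covered
]

if __name__ == "__main__":
    for path, status in audit(SAMPLE_REQUESTS).items():
        print(f"{status or 'pass':>4}  {path}")
```

Run it as a script to print one line per sample path; extend SAMPLE_REQUESTS with the file names your own plugins ship (or adjust RULES) and re-run to check that every path you care about ends up as 404 before deploying the change.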

Change directories

To further confuse these annoying automatic scanners, you can also change the plugin directory under WordPress:

To do this, define the new path in wp-config.php:

// Both constants must be defined above the "That's all, stop editing!" line in wp-config.php, and the last path segment of WP_PLUGIN_URL must match the directory name in WP_PLUGIN_DIR. Note that $_SERVER['DOCUMENT_ROOT'] is only set for web requests, not for WP-CLI or cron jobs started from the command line.
define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/wp-content/penguins' );
define( 'WP_PLUGIN_URL', 'https://www.lautenbacher.io/wp-content/penguins' );

In the above example the URL should of course be replaced with your own site's. After that, in the above example, just rename the “plugins” folder to “penguins”.

By the way, my old article on WordPress hardening should of course also be taken into account.

Of course I also help here at reasonable hourly rates – just write me via my contact form
