Controlling proxy access
Video: Controlling proxy accessIt may be impossible to block 100% of proxy visits to your site, but you can block most of them. In this screencast, we'll see how to control proxy access with PHP and htaccess. Keep in mind that not all proxies are evil. So only use this technique if you're sure that you don't want anyone visiting via proxy. Here in our FTP/file editor we're looking at the root htaccess file for our WordPress installation.
- Next steps
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
- Backing up and restoring your site
- Setting up strong passwords
- Choosing trusted plugins and themes
- Protecting the configuration file and the admin directory
- Securing the login page
- Fighting comment spam
- Blocking access and detecting hacks
- Finding and reporting vulnerabilities
Controlling proxy access
It may be impossible to block 100% of proxy visits to your site, but you can block most of them. In this screencast, we'll see how to control proxy access with PHP and htaccess. Keep in mind that not all proxies are evil. So only use this technique if you're sure that you don't want anyone visiting via proxy. Here in our FTP/file editor we're looking at the root htaccess file for our WordPress installation.
Currently, it contains only our WordPress PERMALINK rules, as seen here. After our existing rules, let's add this htaccess snippet, graciously provided by perishablepress.com. We copy the code and return to our htaccess file and paste into place. There is a lot going on in this slice of code, so for more information visit the short URL provided here.
There are no edits to make, so we save and upload the file to the server, and we're done. Now let's jump back over to our demo site and check that everything is working okay. The pages seem to be loading quickly, and everything is working great. If for some reason, the pages aren't loading or if something isn't working right, just remove the code and try again. By itself, this code should reduce the amount of proxy traffic hitting your site, but there are many types of proxies and blocking them happens in layers.
This htaccess code is like the first layer, and so now let's add another strong layer of protection, using PHP. Here in the demo site, we go to wp- content and then to the themes folder. We want to find our header.php file in the theme that we are using. We're using the default TwentyTen theme, and here's the header.php file that we're looking for. So we click to open it and then grab the second slice of code included with this screencast.
Copy this snippet, return to the FTP/file editor, and paste this at the top of the page. Next, save and upload the file and then return to the browser and refresh the page. As expected, everything is still working fine. This second layer of code does an excellent job of transparently blocking even some of the most clandestine of proxy sites. So let's wrap up this screencast by visiting some currently available proxies and seeing if we can access our now protected demo site.
So let's head on over to proxy.org for a list of active proxy services. Try any of the ones listed in green. We want to enter the URL for our site and then click Go. Some of them may be a little difficult to determine what's actually happened, but up in the corner here, we see that access is not allowed. We have been denied access to our site using this particular proxy.
Let's quickly try another one. Proxify is a reputable proxy. So we enter our URL and click Proxify. Excellent. Proxy access not allowed. This is due to our script that we have in place. Everything is all set at this point. These two layers of protection, htaccess and PHP, are going to block out most of the proxy visits to your site. Again, it's virtually impossible to block all proxies.
There are many types of proxies available: HTTP, SOCKS, VPNs, TOR, and so on. Further filtering of proxies is possible, but quickly goes beyond the scope of this tutorial. Even so, in this screencast, we've seen how combining a little PHP and htaccess proves an effective way to block many proxy visits to your site.
There are currently no FAQs about WordPress 3: Developing Secure Sites.