Protecting the installation page
Video: Protecting the installation pageIn this screencast, you'll see how to protect the WordPress installation file using a variety of different methods. Protecting the installation file is important because if things go wrong, it could be used to gain illicit access to your web site. Here in our FTP/file editor we want to open and take a look at the install file. It's located in the wp-admin directory, right here. Here we are looking at the install.php file as it is located in the wp-admin directory.
- Next steps
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
- Backing up and restoring your site
- Setting up strong passwords
- Choosing trusted plugins and themes
- Protecting the configuration file and the admin directory
- Securing the login page
- Fighting comment spam
- Blocking access and detecting hacks
- Finding and reporting vulnerabilities
Protecting the installation page
In this screencast, you'll see how to protect the WordPress installation file using a variety of different methods. Protecting the installation file is important because if things go wrong, it could be used to gain illicit access to your web site. Here in our FTP/file editor we want to open and take a look at the install file. It's located in the wp-admin directory, right here. Here we are looking at the install.php file as it is located in the wp-admin directory.
This file is used when installing WordPress and should be removed or protected after the installation process is complete. There are three different ways to do this: Method one, delete the file after installing WordPress. Method two, add a slice of code to your htaccess file. Or method three, replace the file with something more useful. Any of these methods only takes a minute and works just fine, so let's run through each of them. Method one, just delete the file.
There is no reason to keep it after installation. The downside with this approach is that WordPress will return the missing file the next time you update. This is certainly easy, but the file will return the next time you upgrade, so here is a more 'fix it and forget it' type solution. Open the htaccess file in your root installation directory. To protect the file at the server level, grab a copy of the blank htaccess file included with this screencast and paste it into the wp-admin directory, as seen here.
Next, copy and paste the following code, also included with the exercise files of this screencast. Copy this code and paste it beneath any existing rules in your htaccess file. Save the file and upload to the server. No modifications are necessary. Let's check to see if it works. We return to the browser, and here is the path to the installation file on the server.
Let's refresh the page now that we've made changes to the htaccess file. Forbidden. We see that the page is now safe and secure. Any requests for your installation file will be blocked. But we can do even better with our third and final method. Instead of just deleting or blocking, let's replace the insecure version of the file with something more useful, something that's more secure and informative. Just follow these quick steps. Rename the original install.php file to something like install_disabled.
Create a new file in the WordPress admin directory and call it install.php. We are going to need to move this ourselves. There we go. We know have the install_disabled file and the install.php file in our wp-admin directory.
We now want to open our blank install.php file and add the following slice of code, which is also available with this screencast. Grab the entire chunk of code and paste it into place. The only required edit for this code is right here, your email address. After entering your email address, everything is ready to go, so save the changes and upload the file to your server. This new install.php file will prevent any malicious behavior by serving up a simple static web page that looks like this.
This looks simple enough, but behind the scenes this install replacement page is doing quite a bit more. First, it communicates the proper 503 status code to anything that's making a request for your file. It also instructs clients and search engines to return after 60 minutes, and finally, it sends an email to your email address informing you of the situation, so that you may take action. Plus, this is written in regular PHP and good old fashion HTML, so everything is completely customizable.
Feel free to modify this template to suit your needs. For further information on this technique, check out my article at Perishable Press. In this screencast, we've seen three effective ways to prevent access to the WordPress install.php file, which isn't needed after installation is complete. Any of these techniques will improve security by preventing unwanted site access via the default installation file.
There are currently no FAQs about WordPress 3: Developing Secure Sites.