Start learning with our library of video tutorials taught by experts. Get started
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
In this screencast, we use the htaccess file to prevent a type of spam known as no-referrer spam. No-referrer spam happens when spammers target the WordPress comment script directly without actually visiting your web site like a regular human being. Preventing this type of spam helps to save bandwidth and other valuable server resources and also helps keep your site looking clean and respectable to your visitors. Here in our FTP/file editor, we see the files and directories that are located in the WordPress installation directory.
To protect against no-referrer spam, we open our site's root htaccess file, which is open here already. Next, we open the htaccess code that is included with the exercise files for this screencast, and we copy the first block, Method 1. Copy that entire block and paste it beneath any existing rules in the root htaccess file. The only thing we need to edit is the fifth line, right here. We want to change example.com to match our own domain name.
Mine is perishablepress.com, so I just make that quick change and I'm all set. Next is to save the file and upload to the server. And once that's done, we return to our web site and check that everything is working properly. Pages are still loading, so everything is great. Now, let's check that the code is actually working and doing what it's supposed to do, to block no-referrer spam.
Open a browser tab and go to this extremely useful user agent simulation tool at botsvsbrowsers.com. Scroll down the page a bit and enter the URL of your WordPress installation. Next, we want to add the name of the file that spammers are trying to hit directly. To do that, return quickly to the FTP/file editor and in the root WordPress directory, you should see a file named wp-comments-post.php.
By quickly renaming the file, you can copy the name and return to the browser to simply paste it into place. Then, off to the right here, there is a dropdown menu that will set the request method, which should be set to post, because that's what the spammers will be doing. And with that, we click the Go button to make it so. Excellent! As expected, the post request returns a 403 Forbidden response, which is perfect for spammers that are trying to directly spam us using our comments post script.
Returning to our FTP/file editor, we can do a little bit more. If we would rather send our blocked request to a particular location, just replace the entire block of code with this one, also included with our exercise files. Copy Method 2 and paste into place, replacing the previous block of code. Next, with this code in place, we need to make two edits. We need to edit both instances of example.com.
The first one should be your domain name, and the second should be the URL of the location to which you want to send the blocked spammers. example.com is a reserve domain, so it's ok to use for this demo. But you should use caution when sending spammers elsewhere. Once we have our edits completed, we save the file and upload it to the server. Now, let's wrap things up by returning to botsvsbrowsers and trying to request our page again, now that the redirect method is in place.
Clicking the GO button using the same values, we see the redirect happening as expected. Here is example.com. If this were a spammer trying to spam our web site directly with no-referrer spam, this is where they'll end up. At this point, our htaccess code is in place and working great. Spammers trying to hit our comments script directly will now either be blocked using method 1, or redirected to the URL of your choice using method 2, and that's a wrap.
In this screencast, we learned how to use the htaccess file to protect our site against spam. This helps from a security perspective and from a performance perspective. No more leeching of resources means a better experience for our valued site visitors.
There are currently no FAQs about WordPress 3: Developing Secure Sites.
Access exercise files from a button right under the course name.
Search within course videos and transcripts, and jump right to the results.
Remove icons showing you already watched videos if you want to start over.
Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.
Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.