Join Jeff Starr for an in-depth discussion in this video, Control proxy access, part of WordPress: Developing Secure Sites.
- [Instructor] Proxy servers, such as the one shown here, can be used by legitimate visitors, but are also used by attackers to disguise their identity. Some sites allow all proxy visits, while others may want to block proxies and require visitors to use their true identity. It may be impossible to block 100% of proxy visits to your site, but you can block most of them. In this video you'll learn how to control proxy access with PHP and .htaccess.
Keep in mind that not all proxies are evil, so only use this technique if you're sure that you don't want anyone visiting via proxy. To block proxy visits, the first thing we want to do is add a code snippet to our site's root .htaccess file. To do so, visit the exercise files for this course and copy the .htaccess code snippet. Then return to the file editor and paste the code before any existing .htaccess rules. To learn the details about how this code works, visit the short URLs provided here.
Next, save and upload the file to the server. This first step is now complete. Let's jump back over to our demo site and check that everything is working properly. If you notice any errors, remove the .htaccess code to restore original functionality. For our demo site, yes, everything looks great, so let's move on to the next step. By itself, the .htaccess code should reduce the amount of proxy traffic to your site, but there are many types of proxies, and blocking them happens in layers.
This .htaccess code is the first layer, and so now let's add another strong layer of protection. We do this by opening our current theme's functions.php file. If one doesn't exist in your theme, you can add a copy of the blank functions file that's included with the exercise files for this course. For this demo site, we are using the Twenty Sixteen theme that's included with WordPress. Twenty Sixteen contains a healthy functions.php file, as we can see here.
Next, return to our exercise files and open the WordPress code file. Let's copy the code snippet and then return to functions.php. You want to scroll to the end of the file and then paste the code snippet into place, after any existing code. Finally, save and upload the functions file to the server. Notice the message that this function displays when a proxy visit is blocked: "Proxy access not allowed."
It's very simple and may be customized, as desired. Now, returning to our demo site in the browser window, we refresh the page and, as expected, everything's still working fine. This second layer of code does an excellent job of transparently blocking even some of the most difficult proxy sites. Now, let's wrap up this video by visiting some currently available proxy servers and seeing if we can access our now-protected demo site. Let's begin with the proxy service shown at the beginning of this video.
We enter the URL of our demo site, click Go, and we see that we are blocked. Here is our custom message, "Proxy access not allowed." Let's try another free proxy service. And, entering our site's URL, once again, no access. And one more for the road. Once again, we see that our custom code is blocking access to proxy visits.
So, at this point, we're all set. The two layers of protection, .htaccess and PHP, are going to block most of the proxy visits to your site. Again, it's virtually impossible to block them all. There are many types of proxies, such as HTTP, SOCKS, VPNs, Tor, and so on. Further filtering of proxies is possible but quickly goes beyond the scope of this video. In this video, we've seen how combining a little PHP and .htaccess code provides an effective way to block many proxy visits to your site.
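The PHP layer described above is distributed in the course's exercise files and is not reproduced on this page. The block below is an added example written for this page, not Jeff Starr's code, showing the kind of check such a functions.php snippet performs: it inspects the request headers that self-announcing proxies add (Via, Forwarded, X-Forwarded-For and friends) and answers with a 403 and the "Proxy access not allowed" message. The `example_*` function names and the `10.0.0.5` trusted address are assumptions made for illustration; `status_header()`, `nocache_headers()` and `add_action()` are real WordPress functions.

```php
<?php
/**
 * Added example (not the course's exercise-file code): block requests that
 * advertise themselves as proxied through well-known request headers.
 * Intended to be appended to the active theme's functions.php.
 *
 * Caveat: only "transparent" and "anonymous" proxies send these headers.
 * An "elite" proxy, a VPN or Tor sends none of them, so this is one layer,
 * not a complete block. A CDN or load balancer in front of WordPress also
 * sets X-Forwarded-For on every request, so its addresses must be listed
 * as trusted or every visitor will be blocked.
 */

/** $_SERVER keys PHP uses for the proxy-revealing headers we check. */
function example_proxy_headers() {
    return array(
        'HTTP_VIA',              // Via: added by HTTP/1.1 proxies (RFC 7230)
        'HTTP_FORWARDED',        // Forwarded: (RFC 7239)
        'HTTP_X_FORWARDED_FOR',
        'HTTP_X_FORWARDED',
        'HTTP_X_FORWARDED_HOST',
        'HTTP_CLIENT_IP',
        'HTTP_PROXY_CONNECTION',
    );
}

/**
 * Decide whether a request looks proxied.
 *
 * The server array is passed in rather than read from $_SERVER so the
 * check can be exercised with a constructed request during testing.
 *
 * @param array $server      Normally $_SERVER.
 * @param array $trusted_ips REMOTE_ADDR values of your own reverse proxy/CDN.
 * @return string|null       Name of the first offending header, or null.
 */
function example_detect_proxy( array $server, array $trusted_ips = array() ) {
    $remote = isset( $server['REMOTE_ADDR'] ) ? $server['REMOTE_ADDR'] : '';

    // A request from our own reverse proxy legitimately carries forwarding
    // headers; those describe our infrastructure, not the visitor's proxy.
    if ( in_array( $remote, $trusted_ips, true ) ) {
        return null;
    }

    foreach ( example_proxy_headers() as $header ) {
        if ( ! empty( $server[ $header ] ) ) {
            return $header;
        }
    }
    return null;
}

/** Hooked on init: reject the request before any page is rendered. */
function example_block_proxy_visits() {
    // WP-CLI runs have no HTTP request to inspect.
    if ( defined( 'WP_CLI' ) && WP_CLI ) {
        return;
    }

    // Assumed address of a CDN/load balancer sitting in front of the site.
    $trusted_ips = array( '10.0.0.5' );

    $hit = example_detect_proxy( $_SERVER, $trusted_ips );
    if ( null === $hit ) {
        return;
    }

    // Deliberately do not echo the header value back: it is attacker-
    // controlled input and would land unescaped in the response.
    status_header( 403 );
    nocache_headers();
    header( 'Content-Type: text/plain; charset=utf-8' );
    echo 'Proxy access not allowed.';
    exit;
}
add_action( 'init', 'example_block_proxy_visits' );

// Constructed request for a quick offline check of the detection logic:
// a visitor arriving through a proxy that sets X-Forwarded-For.
$example_request = array(
    'REMOTE_ADDR'          => '203.0.113.7',
    'HTTP_X_FORWARDED_FOR' => '198.51.100.9',
);
// example_detect_proxy( $example_request ) returns 'HTTP_X_FORWARDED_FOR';
// with array( '203.0.113.7' ) as the trusted list it returns null.
```

The .htaccess layer from the video normally performs the same test at the web server, with mod_rewrite conditions such as `RewriteCond %{HTTP:Via} .` or `RewriteCond %{HTTP:X-Forwarded-For} .` feeding a `[F]` (forbidden) rule, which is why the two layers overlap: the server rejects most announcing proxies before PHP runs, and the PHP check catches what reaches WordPress through another entry point. Two things to verify before deploying either layer: put your CDN or load balancer addresses in the trusted list and confirm a normal visit still loads, and remember that the check runs for wp-admin requests too, so test that you can still log in from your own network (adding a `current_user_can( 'manage_options' )` exemption is one way to avoid locking yourself out).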