Join Jeff Starr for an in-depth discussion in this video, Firewall your site, part of WordPress: Developing Secure Sites.
- [Narrator] In this video, we're going to protect our site with a powerful .htaccess firewall. The 6G firewall by Perishable Press is optimized for WordPress-powered sites, and is very effective at blocking a vast spectrum of bad bots, exploits, malware, and other wasteful nonsense. As explained in the previous tutorial, controlling traffic using .htaccess, instead of plugins, is better for site performance, because it happens at the server level. So, there's no need to load PHP, the database, site assets and everything else.
Here we are looking at the root .htaccess file for our demo site. Notice the existing permalink rules at the top of the file. To add the 6G firewall, grab the code from the exercise files, and paste it before any existing WordPress directives, like so. No modifications are required. The 6G firewall is ready to protect your site, right out of the box. Just save the file and upload it to the server. Note that .htaccess is touchy stuff, and even a small copy-paste mistake may cause a server error.
So, caution is a must. If anything unexpected happens, simply remove the code and consult the official 6G homepage for troubleshooting tips and more information. Now, with 6G in place, let's return to the demo site. We want to verify that pages are loading normally and as expected. So, we check a few links, and everything looks good. It's always a good idea to check things out after making any changes to your site.
Then, after verifying proper functionality, you can relax, knowing that your site is now protected by a strong, well-tested firewall. Although this technique is simple, there's actually a lot going on in the code. Let's continue with a quick walkthrough of the 6G firewall. This first section of 6G checks the query string, and blocks a lot of bad stuff. This is a key part of the firewall. Next, the 6G blocks a number of unnecessary request methods, to prevent them from being used in an attack.
Then, the firewall provides a place to block bad referrers. The code blocks excessively-long referrer values, as well as a couple of the worst-known referrers, as an example. You can add more referrers like so. Next, the code checks the main part of the URL, which includes everything except the query string. If you only include one part of this firewall, this would be it, and maybe the query string section.
This section blocks a massive amount of garbage from getting through. The next section checks the user agent and blocks some of the worst offenders. Note that this is the same block of code used in our previous video. For more information, check out the .htaccess notes that are included with the exercise files. Lastly, the 6G provides a place to easily block bad IP addresses. It's included as an example of how to block IPs. To do so, just replicate the line like so, and then edit the IPs to match whatever you want to block.
You can block as many IPs as needed using this method. These different sections of 6G work together to protect your site with a powerful and blazing fast firewall. For default installations of WordPress, the 6G firewall is a safe and powerful way to protect your site. It's optimized for WordPress and plays nice with plugins and themes that are written according to the WordPress API. Using the techniques in this tutorial, we've protected our site with a strong firewall that blocks tons of bad requests, spammers, malware, viruses, and other nonsense.
As expected, filtering out the garbage can conserve system resources, and helps keep your site safe and secure for your valued visitors.
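The walkthrough above names six sections of the 6G firewall (query string, request methods, referrers, request URI, user agents, IP addresses). The following .htaccess fragment is an added example that mirrors that six-section layout with a handful of rules per section so the mechanics are visible; it is not the 6G firewall's own rule set and should not be treated as a substitute for it. Every pattern, referrer domain, scanner name and IP address in it is an illustrative assumption (the addresses come from the RFC 5737 documentation ranges), and it assumes mod_rewrite is loaded and the directory allows .htaccess overrides (AllowOverride FileInfo or All).

```apache
# Added example, not the 6G firewall's code: a minimal .htaccess firewall laid out
# in the same six sections the video walks through. Patterns, domains and IPs are
# illustrative assumptions. Place this block ABOVE the "# BEGIN WordPress"
# permalink rules so it is evaluated before them.
# Assumes: mod_rewrite enabled and AllowOverride FileInfo (or All) for this directory.

<IfModule mod_rewrite.c>
RewriteEngine On

# 1. Query string: directory traversal, tag injection, SQL keywords, PHP stream wrappers.
#    [OR] chains the conditions; a [F] rule answers 403 Forbidden and stops processing.
RewriteCond %{QUERY_STRING} (\.\./|\.\.%2f|\.\.%5c) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)\s*(script|iframe|object) [NC,OR]
RewriteCond %{QUERY_STRING} (union[^a-z]*select|benchmark\s*\(|sleep\s*\() [NC,OR]
RewriteCond %{QUERY_STRING} (php://|data://|file://|expect://) [NC]
RewriteRule .* - [F,L]

# 2. Request methods: verbs a WordPress site never needs from the public.
RewriteCond %{REQUEST_METHOD} ^(connect|debug|move|trace|track)$ [NC]
RewriteRule .* - [F,L]

# 3. Referrers: excessively long values, plus a list you extend one alternative at a time.
#    The domains below are placeholders (assumption), not a curated spam list.
RewriteCond %{HTTP_REFERER} ^.{300,}$ [NC,OR]
RewriteCond %{HTTP_REFERER} (spam-referrer\.example|another-bad\.example) [NC]
RewriteRule .* - [F,L]

# 4. Request URI (the path only; the query string is not part of REQUEST_URI):
#    traversal, sensitive files, version-control metadata, stray backups and dumps.
RewriteCond %{REQUEST_URI} (\.\./|\.\.%2f) [NC,OR]
RewriteCond %{REQUEST_URI} /(wp-config\.php|\.env)$ [NC,OR]
RewriteCond %{REQUEST_URI} /(\.git|\.svn)(/|$) [NC,OR]
RewriteCond %{REQUEST_URI} \.(bak|sql|tar|gz|zip)$ [NC]
RewriteRule .* - [F,L]

# 5. User agents: same idea as the bot-blocking rules from the previous video.
#    Names are assumed examples of scanner defaults; keep this list short and deliberate.
RewriteCond %{HTTP_USER_AGENT} (masscan|nikto|sqlmap|nmap) [NC]
RewriteRule .* - [F,L]

# 6. IP addresses: duplicate a RewriteCond line per address or prefix, [OR] on all but the last.
#    192.0.2.0/24 and 198.51.100.0/24 are documentation ranges (RFC 5737), used here as placeholders.
RewriteCond %{REMOTE_ADDR} ^192\.0\.2\.10$ [OR]
RewriteCond %{REMOTE_ADDR} ^198\.51\.100\.
RewriteRule .* - [F,L]
</IfModule>
```

After uploading, verify both directions, not just that the site still loads: a request such as `curl -s -o /dev/null -w '%{http_code}\n' 'https://example.com/?q=../../etc/passwd'` (hostname assumed) should return 403, while a normal page should still return 200 and the dashboard should still let you edit posts and run searches; a rule that is too broad shows up as a 403 on legitimate admin actions, and a copy-paste error shows up as a 500 on every request, in which case the server error log names the offending line. Note also that `TraceEnable off` in the main server configuration is the more reliable way to disable TRACE; the rewrite condition in section 2 is there to show the method check pattern the video describes.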
- Backing up and restoring your site
- Setting up strong passwords
- Understanding users and roles
- Choosing trusted plugins and themes
- Changing and recovering passwords
- Configuring authentication keys
- Securing the login page
- Fighting spam in the comments
- Blocking access and detecting hacks
- Building a firewall for WordPress
- Detecting and blocking bots
- Auditing your WordPress security