Join Jeff Starr for an in-depth discussion in this video, "Protect the installation page", part of WordPress: Developing Secure Sites.
- [Narrator] In this video, you'll see how to protect the WordPress installation file using a variety of different methods. Protecting the installation file is important because if things go wrong on the server, it could be used by an attacker to gain access to your site. Here we are looking at the WordPress install.php file, which is located in the wp-admin directory. This file is used when installing WordPress and should be removed or protected after the installation process is complete. There are three different ways to do this.
Method 1: we can simply delete the file after installing WordPress. Method 2: we can deny access to the file using .htaccess. Or Method 3: we can replace the file with something more useful. Any of these methods takes only a minute and works just fine. Let's run through each of them. Method 1: delete the file. The first method is to just delete the file from the server. There is no reason to keep it after WordPress is installed. The only real downside to this approach is that WordPress may replace the missing file during the next update.
To go ahead and delete the file, return to your FTP client. The first step is to rename the local copy of install.php. So, locate the file and simply rename it to something like install_BACKUP. This will be a backup file that you can use if necessary. Next, delete the install.php file that's located on the server. This method is definitely easy, but the file may return the next time you upgrade WordPress.
So you'll need to set a reminder to delete the file again. So let's check out a more fix-it-and-forget-it type of solution. Method 2: deny access via .htaccess. The second method is to protect the file at the server level. To do so, grab a copy of the blank .htaccess file included in the exercise files for this course and paste it into the wp-admin directory. We've done this for our demo site, as seen here. Next, copy the following code, also included with the exercise files, and paste it anywhere near the top of the .htaccess file.
No code modifications are necessary. Just save and upload the file to your server. In plain language, this code denies access to the install.php file for both older and newer versions of Apache, so you're covered regardless of which version you are using. After uploading the file, we can return to the browser to verify that it's working. Without protection, our site's installation file is readily available on the web and may leave the site vulnerable if things go wrong.
But not with our .htaccess protection in place. We refresh the page and relax, knowing that the installation file is now safe and secure. Any requests for our installation file will be blocked, which is awesome. But we can do even better with our third and final method. Method 3: replace the file with something better. For the third method, instead of just deleting or blocking the installation file, let's replace it with something more secure and informative. Just follow these quick steps. First, duplicate install.php and name the copy something like install_BACKUP.php. So we locate the file in the wp-admin directory, right-click, and Duplicate.
Then rename this file to something like install_BACKUP.php, just so you can find it. This is our backup file, just in case. We're going to leave that as is. Then we're going to open the original install file and replace its contents with the PHP code that's provided in the exercise files. So we copy the code and paste it in its entirety into the file. The only change that we need to make is right here: the email address.
You want to change that to your own email address. Then save the file and upload it to the server. This new installation file will prevent any malicious behavior by serving a simple "We'll be right back" message. Let's refresh the page and see it in action. "We'll be right back." It looks simple enough, but behind the scenes this install replacement page is doing quite a bit more. First, it communicates the proper 503 status code.
Then, it instructs the visitor to return after 60 minutes. And it also sends an email alert so you can take action. Plus, everything is customizable. So feel free to modify the template code to suit your needs. In this tutorial, we've seen three effective ways to prevent access to the WordPress installation file, which is not needed after WordPress has been installed. Any of these techniques will improve security by locking things down and preventing unauthorized access.
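A replacement install.php of the kind described above, written here as an added example (it is not the course's exercise file): it returns a 503, asks clients to retry after 60 minutes, e-mails an alert, and discloses nothing about the site. The alert address is a placeholder, and the server is assumed to be able to send mail via PHP's mail().

```php
<?php
/**
 * Replacement for wp-admin/install.php (added example, not the course's
 * exercise file). Serves a 503 "We'll be right back" page, asks clients to
 * retry after 60 minutes, and e-mails an alert so the site owner can act.
 */

// Assumption: replace with the address that should receive alerts.
$alert_email = 'admin@example.com';

// Signal a temporary condition so browsers and crawlers do not cache or index it.
http_response_code(503);
header('Retry-After: 3600'); // 60 minutes, expressed in seconds
header('Cache-Control: no-store, no-cache, must-revalidate');
header('Content-Type: text/html; charset=utf-8');

// Request details for the alert. These values come from the client, so they
// are recorded for the owner's review, not trusted or acted on here.
$details = sprintf(
    "Request for install.php on %s\nTime: %s\nIP: %s\nURI: %s\nUser-Agent: %s\nReferer: %s\n",
    $_SERVER['SERVER_NAME'] ?? 'unknown',
    gmdate('Y-m-d H:i:s') . ' UTC',
    $_SERVER['REMOTE_ADDR'] ?? 'unknown',
    $_SERVER['REQUEST_URI'] ?? 'unknown',
    $_SERVER['HTTP_USER_AGENT'] ?? 'unknown',
    $_SERVER['HTTP_REFERER'] ?? 'none'
);

// Send the alert with a fixed subject; a delivery failure must not change
// what the visitor sees, so the result is deliberately ignored.
@mail($alert_email, 'Alert: install.php was requested', $details, 'From: ' . $alert_email);

// Minimal page: no WordPress version, server details or site name is revealed.
?>
<!DOCTYPE html>
<html lang="en">
<head><meta charset="utf-8"><title>We'll be right back</title></head>
<body>
<p>We'll be right back.</p>
</body>
</html>
```

Because the file lives under wp-admin, a later WordPress update may overwrite it; keep the backup copy and check the file after upgrades.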