htaccess – Internetblog.org.uk
https://www.internetblog.org.uk
Web hosting, Domain names, Dedicated servers
Fri, 29 Jan 2016 11:05:52 +0000

How to secure your WordPress installation
https://www.internetblog.org.uk/post/1200/how-to-secure-your-wordpress-installation/
Tue, 13 Apr 2010 18:08:29 +0000

Yesterday, news sources and blogs announced that WordPress blogs hosted by Network Solutions were being hacked. The website owners’ credentials were stolen, and then the sites were used to redirect thousands of visitors to websites that distributed malware. Apparently, WordPress’ configuration file, called wp-config.php, stores the user’s database password in plain text. Even so, attackers would not have had access to the file if the right permissions had been set. The hacked sites had configuration files that were readable by the outside world, including site visitors.

Because the attack exploits user error rather than an actual bug in the WordPress code, it is important to make sure that your own or your customers’ WordPress-based sites are secure. The first thing you can do is to chmod wp-config.php to 640 (read/write for the owner, read-only for the group, nothing for anyone else), which means any outside site visitors will be completely denied.

chmod 640 wp-config.php

The second is to deny access using your .htaccess file, since no one who accesses the webserver will actually need access to the file under any circumstances.

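# to protect wp-config.php
# (on Apache 2.4 without mod_access_compat, use "Require all denied" instead of the two lines inside the block)
<Files wp-config.php>
order allow,deny
deny from all
</Files>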

That is essentially all it takes and is actually more than is probably necessary to keep everything secure.
Warning: Some web hosting providers provide automated scripts to install WordPress for you. Do not assume that those installations are automatically secure.
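
A way to check a whole web root for the exposure described above, as an added example that is not part of the original post: it lists every wp-config.php that grants any permission to "other" and resets it to 640. The function names and the web-root argument are assumptions.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical
# and the web-root path passed on the command line is an assumption.

# Print every wp-config.php below $1 that grants read, write or execute to
# "other". Only POSIX find predicates are used, so GNU and BSD find both work.
find_exposed_wp_configs() {
    find "$1" -type f -name wp-config.php \
        \( -perm -004 -o -perm -002 -o -perm -001 \) -print
}

# Reset each exposed file to mode 640 and print how many files were changed.
# Paths are read line by line, so paths containing newlines are not supported.
harden_wp_configs() {
    count=0
    find_exposed_wp_configs "$1" | {
        while IFS= read -r f; do
            chmod 640 "$f" && count=$((count + 1))
        done
        echo "$count"
    }
}

# Usage: sh audit-wp-config.sh /path/to/webroot
if [ "$#" -gt 0 ]; then
    find_exposed_wp_configs "$1"
    echo "tightened: $(harden_wp_configs "$1")"
fi
```

The account PHP runs as must still be able to read the file as its owner or as a member of its group, otherwise WordPress cannot load its configuration.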

Change a URL with mod_rewrite
https://www.internetblog.org.uk/post/1186/change-a-url-with-mod_rewrite/
Thu, 08 Apr 2010 21:18:07 +0000

Question: My current website URL looks like http://mydomain.com/index.php?page=creative. How can I remove the index.php and question mark to make it look more like a regular page address?

Answer: If your web server is Apache, you should be able to do this with mod_rewrite. If you have a shared hosting account, first make sure that your web host has enabled mod_rewrite. Then, create an .htaccess file or edit your current one, placing the following strings inside it:

RewriteEngine on
RewriteRule ^([^/\.]+)\.html$ index.php?page=$1 [L]

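With this rule in place, Apache internally maps matching requests to index.php?page=creative, so the page that used to be http://mydomain.com/index.php?page=creative can be reached at: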

http://mydomain.com/creative.html

This will make it easier for users to remember your URLs and possibly for search engines to index them.

How to prevent hotlinking
https://www.internetblog.org.uk/post/1181/how-to-prevent-hotlinking/
Wed, 07 Apr 2010 18:50:47 +0000

Also known as inline linking, hotlinking occurs when someone else uses a picture or video from your site somewhere else on the web, but doesn’t bother to host the content themselves. These “free riders” can hog precious bandwidth and in some cases, cause server instability.

Fortunately, hotlinking is very easy to prevent. A number of web hosts and control panels provide opt-in hotlink protection to users, including cPanel. You can also stop hotlinking by adding the following code to your .htaccess file:

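RewriteEngine on
# Let through requests that send no Referer header at all
RewriteCond %{HTTP_REFERER} !^$
# Let through your own pages; (/|$) stops look-alike hosts such as yourwebsite.com.example.net
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite\.com(/|$) [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ - [NC,F,L]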

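This code will block other websites from hotlinking your images. As you can see from the code, it is very easy to adjust the file types blocked. Because the Referer header is supplied by the client and requests without one are let through, treat this as a way to save bandwidth rather than as access control.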

How to redirect a specific IP address
https://www.internetblog.org.uk/post/1133/how-to-redirect-a-specific-ip-address/
Wed, 24 Mar 2010 19:00:32 +0000

Question: How do I redirect every visitor to my website except for me?

Answer: There are two methods you can use to accomplish the results you want, and both involve using an .htaccess file. The first is to redirect your site’s visitors with standard Apache directives:

ErrorDocument 403 http://www.yourdomain.com
Order deny,allow
Deny from all
Allow from 192.168.5.5

This will redirect anyone who visits the site to yourdomain.com, with the exception of your computer or whichever computer uses the stated IP address.

Alternatively, you may use mod_rewrite to achieve similar results:

RewriteEngine On
RewriteBase /
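# Match the client address exactly; without the trailing $ the pattern would also match 192.168.5.50 and similar
RewriteCond %{REMOTE_ADDR} !^192\.168\.5\.5$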
RewriteCond %{REQUEST_URI} !/temporary-offline\.html$
RewriteRule .* /temporary-offline.html [R=302,L]
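
A RewriteCond pattern is a regular expression, so an address pattern with no trailing $ is a prefix match. The added example below (not from the original post; the function names, sample rules and sample addresses are constructed) flags such conditions in an .htaccess file and shows which addresses a pattern lets through.

```sh
#!/bin/sh
# Added example, not from the original post. Function names are hypothetical;
# the sample rules and addresses are constructed for illustration.

# Print RewriteCond lines from file $1 that compare the client address with a
# pattern that starts with ^ but does not end in $ (a prefix match).
unanchored_addr_conds() {
    grep -E '^[[:space:]]*RewriteCond[[:space:]]+%[{]REMOTE_(ADDR|HOST)[}][[:space:]]+!?\^' "$1" |
        grep -Ev '\$[[:space:]]*(\[[^]]*])?[[:space:]]*$' || true
}

# Read addresses on stdin and print those that pattern $1 matches.
addrs_matching() {
    grep -E -e "$1" || true
}

# Constructed client addresses: the intended one plus near neighbours.
sample_addrs() {
    printf '%s\n' 192.168.5.5 192.168.5.50 192.168.5.57 192.168.55.5
}

# Constructed .htaccess fragment with one loose and one exact condition.
sample_rules() {
    printf '%s\n' \
        'RewriteCond %{REMOTE_ADDR} !^192\.168\.5\.5' \
        'RewriteCond %{REMOTE_ADDR} !^192\.168\.5\.5$' \
        'RewriteCond %{REQUEST_URI} !/temporary-offline\.html$'
}

if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp) && sample_rules > "$tmp"
    echo "Conditions without a trailing \$:"; unanchored_addr_conds "$tmp"
    echo "Addresses the loose pattern also exempts:"
    sample_addrs | addrs_matching '^192\.168\.5\.5' | grep -v '^192\.168\.5\.5$'
    rm -f "$tmp"
fi
```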

Forcing a browser to prompt to save certain files
https://www.internetblog.org.uk/post/1132/forcing-a-browser-to-prompt-to-save-certain-files/
Wed, 24 Mar 2010 18:54:53 +0000

Question: I am distributing sensitive forms to my clients and want to make sure they download them rather than opening them in their browser. Is there a way to force the web server to prompt them for download rather than using a browser plugin?

Answer: Yes, using .htaccess you can force most browsers to open a “save as” prompt rather than opening a particular file type with a browser plugin. Add the following to an .htaccess file inside the directory with the files:

AddType application/octet-stream .pdf
AddType application/octet-stream .doc
AddType application/octet-stream .txt

Nevertheless, nothing is foolproof. If you want to make sure your clients will save the documents, there is no substitute for good education. Make sure they know how to do so, and mark that clearly on the download page. If you want to be particularly diligent, you can even add a popup window to remind them again before they click the link.

How do I block clusters of IP addresses?
https://www.internetblog.org.uk/post/1119/how-do-i-block-clusters-of-ip-addresses/
Mon, 22 Mar 2010 15:09:13 +0000

Question: How do I block clusters of IP addresses?

Answer: Although we previously illustrated a method of blocking single IP addresses using an .htaccess file, it is important to know a few things.

1. Many hackers use proxies and other methods to use fake IP addresses. Blocking the one they have faked might actually block a legitimate user.

2. Even if you do have the right IP address for the right attacker, there is no guarantee they will continue to use that address, as it might be dynamic.

3. An attacker may use a cluster of IP addresses to initiate an attack (e.g. 66.328.203.000), but blocking an entire range of IP addresses, particularly ones that could point to home routers, will inevitably also block potential users.

The other option is to rely on hostnames rather than IP addresses. The problem with hostnames is that these too can be forged. That only leaves one real option, the option that should take precedence anyway. Secure your server to make it as difficult as possible for attackers to get in, and even if they do get in, make it difficult for them to do damage. Most will give up if doing damage takes too long or if their automated attack bots fail. Make your firewall airtight, install application firewalls like ModSecurity, and make it impossible for an outsider to gain root access.

How to set cookie expiration in Apache
https://www.internetblog.org.uk/post/911/how-to-set-cookie-expiration-in-apache/
Thu, 21 Jan 2010 23:17:49 +0000

Cookies are very important for dynamic websites. They allow you to set parameters for user interaction. With cookies, your website can remember visitors and show them appropriate data, ads, and even specific pages. By default, cookies only last for a single browser session. With the CookieExpires directive from Apache's mod_usertrack module, you can set how long the tracking cookie that module issues stays valid.

With a dedicated server, you can put the directive into your Apache configuration file, but this is not an ideal setup because it will control cookies for all websites on the server. The better method is to use an .htaccess file for each site.

Add the directive to your .htaccess file or create a new file:

CookieExpires expiry-period

Replace “expiry-period” with a number of seconds (e.g. 432000 for 5 days), or give the period in words, enclosed in double quotes:

CookieExpires "2 weeks 3 days 7 hours"

Source: Apache.org

How to use Apache to deny access to certain directories
https://www.internetblog.org.uk/post/871/how-to-use-apache-to-deny-access-to-certain-directories/
Mon, 11 Jan 2010 21:45:35 +0000

In the past, we explained how to deny access to a file or directory with the allow/deny Apache server directive. There are, however, two other ways to do it that may be more to your liking. The allow/deny directive displays the 403 Forbidden page or whatever you have in its place. This might not be the most elegant way to keep users away from something. After all, it might just make them more curious about it.

Using a redirect, you can fool the site visitor into thinking the file they are looking for never existed. This will prevent any curious hackers from trying to gain access. For this example, let’s suppose you want to deny access to the “financial” directory. Edit your .htaccess file in the parent directory and add the following redirect rule:

RedirectMatch 404 /financial(/|$)

Save the file, and now every time someone tries to access that directory, they will get a 404 Not Found error rather than the 403 Forbidden one. With one simple line, you have made your private directory a little more hidden.

How to disable hidden files in ProFTPD
https://www.internetblog.org.uk/post/824/how-to-disable-hidden-files-in-proftpd/
Fri, 25 Dec 2009 17:07:27 +0000

Question: How do I disable the viewing of hidden files in ProFTPD so that my clients can’t see them?

Answer: It is fairly easy to conceal hidden files in ProFTPD, but before you do, you should be aware of the consequences. Users will not be able to see their own .htaccess and .htpasswd files, which may be necessary if they install content management systems or want to enable any number of other Apache features.

If you insist on proceeding despite the consequences, open your /etc/proftpd.conf file and edit the following line:

IgnoreHidden on

With this feature turned on, ProFTPD will ignore any hidden files completely. Most will find the price of hiding .htaccess from users too great, and there truthfully is no harm in having users see their hidden files, provided you have properly chrooted their accounts. Furthermore, if the hidden files bother users, they can disable viewing them in their FTP clients.

Source: webhostingtalk.com

Deny Access to Any Files
https://www.internetblog.org.uk/post/707/deny-access-to-any-files/
Mon, 23 Nov 2009 21:28:59 +0000

Question: I have a set of files on my website with the extension .rpc. They are financial files, and I want to make sure that no one can access them from the web. Can I do that?

Answer: On an Apache server, you can do just about anything, and .htaccess files make a lot of that possible. Simply create an .htaccess file or use the one you already have and add something like this:

<Files ~ "^.*\.([Rr][Pp][Cc])">
Order allow,deny
Deny from all
Satisfy All
</Files>

The letters are repeated in lowercase and capital to ensure both are blocked. Simply substitute the letters with whatever extension you want to deny. For example: <Files ~ "^.*\.([Ll][Oo][Gg])"> will deny access to all .log files. It really is that simple.
