Secure uploads, upgrade and other directories with .htaccess
It sucks, but a lot of plugins require certain directories to be set to CHMOD 777 for their file permissions. Of course, you should not use any plugin that requires 777 directories, but if you absolutely must, you can help protect the folder by adding a thin slice of htaccess. This works great for any directory requiring “loose-ish” permissions (i.e., anything greater than 755), and may also be useful for other key folders as well.
The key here is that only you and the server need access to the folder that you want to protect, so for example, stuff like:
- uploads
- upgrade
- backups
- cache-123
- temp-123
- etc.
Anything that regular users aren’t going to need to access. Then, you’ll also need the IP address of your server and your own machine. Once you have that information, use it to edit the following code:
# Deny everyone first, then re-allow only the listed addresses (Apache 2.2 mod_authz_host syntax)
Order Deny,Allow
Deny from all
# Placeholder addresses: replace with your server's IP and your own machine's public IP
Allow from 123.456.789.0
Allow from 0.123.456.789
You can repeat the “Allow from” line to allow more IP addresses, like maybe you’ve got a remote office or something. Once the code is ready, just copy and paste it into an htaccess file located in the directory you would like to protect. Fix it and forget it, as they say.
I use this code on several sites and it works great. It only takes a minute to set up, and greatly improves the security of otherwise potentially vulnerable directories.
18 responses
-
Tips like these are only useful for people on a static IP address, which by far is still the majority, but there are also more and more people on a dynamic IP address and for those htaccess rules like above cannot be used. There are no real solutions for that, are there?
-
It would be fantastic if there would be a way to “dynamically” add your current IP to the .htaccess file. If you happen to find anything, hopefully you can post it back here? Thanks.
-
Sorry, that comment was supposed to go under yours…
-
What if one has dynamic IP?
-
It’s also possible to Deny by Hostname. So rather than using your IP Address, get signed up for something like DynDNS. That way when your router/modem changes its external IP, DynDNS will pick up the change and your hostname will always be the same, making this tip both effective and worthwhile.
It should be noted however that regardless of .htaccess rules – if you’re hosting on a Shared environment, this will still leave those 777 directories vulnerable should an attacker manage to break into another site on the same server.
-
That could be a nice solution. Would that also work when someone is on a VPN?
-
Providing the VPN’s outward-facing IP is in the allow list, I can’t see why not. Most VPNs are fixed IPs too, in my experience.
-
Ummm, having a directory with 777 permissions means you are still vulnerable to other users on your server. This usage of .htaccess just protects you from attacks via the web. Right?
-
You can also allow large chunks of IPs by using IP wildcards.
If you wanted to allow 123.123.123.0 – 123.123.123.255 without writing 256 IP addresses, you could just write the following in your htaccess file:
Allow from 123.123.123
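As an added example (not code from the post or from any of the commenters), here is a small Python checker that applies the Order Deny,Allow logic of the post's snippet, including the leading-octet wildcard from the comment above and CIDR notation, to a client address, so a ruleset can be verified offline before it is dropped into a 777 directory. The addresses in it are documentation-range placeholders.

```python
import ipaddress
import re

# Constructed ruleset in the same shape as the post's snippet. 203.0.113.10,
# 198.51.100.7 and the 192.0.2 prefix are documentation-range placeholders
# standing in for the server, the admin workstation and a remote office.
HTACCESS = """
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
Allow from 198.51.100.7
Allow from 192.0.2
"""


def parse_rules(text):
    """Collect the Order value plus the Deny and Allow host patterns."""
    order, deny, allow = "deny,allow", [], []
    for line in text.splitlines():
        m = re.match(r"(?i)^\s*(order|deny|allow)\s+(?:from\s+)?(.+?)\s*$", line)
        if not m:
            continue  # blank lines, comments and unrelated directives
        key, value = m.group(1).lower(), m.group(2)
        if key == "order":
            order = value.replace(" ", "").lower()
        else:
            (deny if key == "deny" else allow).extend(value.split())
    return order, deny, allow


def matches(client, pattern):
    """mod_access host patterns: all, exact IP, CIDR, or a leading-octet prefix."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client) in ipaddress.ip_network(pattern, strict=False)
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){0,3}", pattern):
        # A partial address such as 192.0.2 must match whole octets only.
        return client == pattern or client.startswith(pattern + ".")
    return False  # hostname patterns need DNS; treated as no match offline


def is_allowed(client, text):
    """Apply Order semantics: which side wins when both lists match."""
    order, deny, allow = parse_rules(text)
    denied = any(matches(client, p) for p in deny)
    allowed = any(matches(client, p) for p in allow)
    if order == "deny,allow":
        return allowed or not denied  # unmatched clients are permitted
    if order == "allow,deny":
        return allowed and not denied  # unmatched clients are rejected
    return False
```

It models only the Order, Deny and Allow directives; hostname patterns, which need a DNS lookup, are treated as non-matching.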
-
Would you also want to include protection for the htaccess file like adding the below.
order allow,deny
deny from all
-
Sorry forgot it was code.
<files ~ "^.*\.([Hh][Tt][Aa])">
order allow,deny
deny from all
</files>
-
Unless that part of Apache is hacked. Sorry I always go out with two pairs of socks on just in case one wears out.
Never can be too sure.
Here is some more paranoia for issues with proxy-type attacks.
<?php // crude open-proxy check: refuse clients whose own address accepts a connection on port 80
if (@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errno, $errstr, 1)) die("Proxy access not allowed"); ?>
Thanks to Perishable Press.
-
You can place this at the top of your WordPress theme header.
-
Can You Give Me A Full .Htaccess For My WordPress