Like the blog? Get the book »

Secure uploads, upgrade and other directories with .htaccess

Secure uploads, upgrade and other directories with .htaccess

It sucks, but a lot of plugins require certain directories to be set at CHMOD 777 for its file permissions. Of course, you should not use any plugin that requires 777 directories, but if you absolutely must, you can help protect the folder by adding a thin slice of htaccess. This works great for any directory requiring “loose-ish” permissions (i.e., anything greater than 755), and may also be useful for other key folders as well.

They key here is that only you and the server need access to the folder that you want to protect, so for example, stuff like:

  • uploads
  • upgrade
  • backups
  • cache-123
  • temp-123
  • etc..

Anything that regular users aren’t going to need to access. Then, you’ll also need the IP address of your server and your own machine. Once you have that information, use it to edit the following code:

Order Deny,Allow
Deny from all
Allow from 123.456.789.0
Allow from 0.123.456.789

You can emulate the “Allow from” lines to allow more IP addresses. Like maybe you’ve got a remote office or something. Once the code is ready, just copy and paste into an htaccess file located in the directory you would like to protect. Fix it and forget it, as they say..

I use this code on several sites and it works great. Only takes a minute to setup, and greatly improves the security of otherwise potentially vulnerable directories.

18 responses

  1. Tips like these are only useful for people on a static IP address, which by far is still the majority, but there are also more and more people on a dynamic IP address and for those htaccess rules like above cannot be used. There are no real solutions for that, are there?

    • Good point, not sure about an equivalent sort of thing for dynamic IPs.. will keep an eye out and report back if anything turns up.

  2. It would be fantastic if there would be a way to “dynamically” add your current IP to the .htaccess file. If you happen to find anything, hopefully you can post it back here? Thanks.

  3. What if one has dynamic IP?

  4. Johnathan Williamson

    It’s also possible to Deny by Hostname. So rather than using your IP Address, get signed up for something like DynDNS. That way when your router/modem changes it’s external IP, DynDNS will pick up the change and your hostname will always be the same, making this tip both effective and worthwhile.

    It should be noted however that regardless of .htaccess rules – if you’re hosting on a Shared environment, this will still leave those 777 directories vulnerable should an attacker manage to break into another site on the same server.

    • That could be a nice solution. Would that also work when someone is on a VPN?

      • Johnathan Williamson

        Providing the VPN’s outward facing IP is in the allow list, I can’t see why not. Most VPN’s are fixed IP’s too, in my experience.

    • ..if you’re hosting on a Shared environment, this will still leave those 777 directories vulnerable should an attacker manage to break into another site on the same server.

      If that happens, you’ve got bigger issues than protecting your uploads directory ;)

  5. Ummm, having a directory with 777 permissions means you are still vulnerable to other users on your server. This usage of .htaccess just protects you attacks via the web. Right?

    • Correct, for shared hosting. Just to be clear, this method is designed to help protect potentially insecure directories. It just adds another layer of protection, not a guarantee of ultimate 100% security for anything.

  6. Russell Heimlich

    You can also allow large chunks of IPs by using IP wildcards.

    If you wanted to allow – without writing 256 ip addresses, you could just write the following in your htaccess file

    Allow from 123.123.123

  7. Would you also want to include protection for the htaccess file like adding the below.

    order allow,deny
    deny from all

  8. Sorry forgot it was code.

    <files ~ "^.*.([Hh][Tt][Aa])">
    order allow,deny
    deny from all

    • Good tip for the paranoid among us (such as myself), but technically there’s no need for this as Apache already protects the .htaccess file(s) from external access.

  9. Unless that part of Apache is hacked. Sorry I always go out with two pairs of socks on just in case one wears out.

    Never can be to sure.

    Here is some more paranoid for issues with proxy type attacks.

    <?php if(@fsockopen($_SERVER['REMOTE_ADDR'], 80, $errstr, $errno, 1)) die("Proxy access not allowed"); ?>

    Thanks to Perishable Press.

  10. You can place this in your header wordpress theme at the top.

  11. Can You Give Me A Full .Htaccess For My WordPress

Comments are closed for this post. Contact us with any critical information.
© 2009–2024 Digging Into WordPress Powered by WordPress Monzilla Media shapeSpace