Monthly Archives: October 2016

A few tips on Locking down WordPress

Add the following to your .htaccess file or to the Apache vhost config. It blocks direct requests to wp-config.php, restricts wp-login.php and xmlrpc.php to listed IP addresses, refuses the ?author=N queries that scanners use to enumerate usernames, and refuses direct requests to PHP files under wp-includes. The Order/Allow/Deny directives are Apache 2.2 syntax; on Apache 2.4 they only work with mod_access_compat loaded, otherwise write them as Require all denied and Require ip 10 instead. Replace the 10. examples with the addresses you actually log in from, or you will lock yourself out of wp-login.php too (wp-admin/ redirects there when you are not logged in).

#block wp-config.php (holds the database credentials and is never fetched by a browser)
<Files wp-config.php>
order allow,deny
deny from all
</Files>

#block wp-login.php except from trusted addresses
<Files wp-login.php>
order deny,allow
deny from all
#optionally add ips that you want to allow from
#Allow from 10.
</Files>

#block xmlrpc.php: it accepts the same credentials as wp-login.php, and
#its system.multicall method lets one request carry many login attempts
<Files xmlrpc.php>
order deny,allow
deny from all
#optionally add ips that you want to allow from
#Allow from 10.
</Files>

#block author lookup: /?author=1 redirects to the author archive URL, which
#contains the login name. wp-admin is excluded because its own screens
#filter by author=N.
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
RewriteRule .* - [F,L]

#block includes: refuse direct requests to PHP files under wp-includes.
#[S=3] skips the next three rules for any path outside wp-includes/.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

On a multisite install the ^wp-includes/[^/]+\.php$ rule also blocks wp-includes/ms-files.php, which serves uploaded files there; leave that one line out on multisite.

Simple shell command to show 404 pages by occurrence from Apache logs

The command below lists the paths that returned 404 in your Apache access log for one hour of traffic, most frequent first. Change /var/log/httpd/www.example.com-access.log to the path of your log file and 20/Oct/2016:15 to the date and hour you want to look at. The status code is checked in awk rather than with a plain grep for 404, because 404 also turns up in byte counts and in some paths, and the awk test needs == (a single = is an assignment, which is always true and would print every line).

grep '20/Oct/2016:15' /var/log/httpd/www.example.com-access.log | cut -d'"' -f2,3 | awk '$4 == 404 {print $4, $2}' | sort | uniq -c | sort -rn
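The same idea as a small POSIX shell function, added here as an example and not part of the original post. It generalises the one-liner to any status code, so the same function that counts 404s (what scanners probed for) also counts the 403s that the lockdown rules from the WordPress post above produce. It assumes the default Apache "combined" LogFormat; the log lines in sample_log are constructed for the example, and the IP addresses, paths and user agent in them are made up.

```shell
#!/bin/sh
# Added example (not the post's own one-liner): count hits per request path
# for one HTTP status code in one hour of a combined-format Apache access log.
# Assumes the default "combined" LogFormat. The log below is constructed.

# Constructed sample log. Note the two lines where "404" appears only in the
# byte count or in the path: a plain `grep 404` would count both of them.
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [20/Oct/2016:15:02:11 +0000] "GET /backup.sql HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2016:15:02:12 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2016:15:02:13 +0000] "GET /wp-login.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2016:15:02:14 +0000] "GET /xmlrpc.php HTTP/1.1" 403 199 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Oct/2016:15:03:40 +0000] "GET /index.php HTTP/1.1" 200 404 "-" "Mozilla/5.0"
198.51.100.9 - - [20/Oct/2016:15:03:41 +0000] "GET /404-page/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2016:15:04:02 +0000] "GET /backup.sql HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.7 - - [20/Oct/2016:16:00:00 +0000] "GET /backup.sql HTTP/1.1" 404 209 "-" "Mozilla/5.0"
EOF
}

# count_status HOUR STATUS   (reads the access log on stdin)
#   HOUR    timestamp prefix to keep, e.g. 20/Oct/2016:15
#   STATUS  HTTP status code to count, e.g. 404
# Prints "COUNT PATH" lines, most frequent first, ties broken by path.
count_status() {
    awk -v hour="$1" -v want="$2" '
        # $4 is the timestamp field, e.g. [20/Oct/2016:15:02:11. Anchoring on
        # the opening bracket keeps the match to the requested hour only.
        index($4, "[" hour) != 1 { next }
        {
            # Split on double quotes: q[2] is the request line
            # "METHOD PATH PROTO" and q[3] is " STATUS BYTES ", so a status
            # is never confused with a number inside the path or byte count.
            split($0, q, "\"")
            split(q[2], req, " ")
            split(q[3], rest, " ")
            if (rest[1] == want) hits[req[2]]++
        }
        END { for (p in hits) print hits[p], p }
    ' | sort -k1,1nr -k2,2
}

# 404s: paths the scanner probed for that do not exist.
sample_log | count_status '20/Oct/2016:15' 404
# 403s: requests the lockdown rules refused.
sample_log | count_status '20/Oct/2016:15' 403
```

On a real server replace `sample_log |` with `cat /var/log/httpd/www.example.com-access.log |` (or redirect the file into the function). The 16:00 line and the two lines that merely contain the digits 404 are not counted, which is exactly where the simple grep-based pipeline over-counts.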