Recent Posts


« | Main | »

WordPress security note – setup-config.php

By Dale Reagan | January 25, 2012

Limiting access to WordPress /wp-admin/* tools should be a standard approach; since there are so many installation scenarios this might not always be possible so some WordPress specific mod_security rules (see links below) may be more appropriate.  You may also want to consider some of the free WordPress security plugins.  Additional WordPress specific security-related suggestions/discussion are available on the WordPress web site.

Spider Labs provides several setup-config.php  WordPress specific mod_security rules that may assist in preventing problematic/un-authorized access to a WordPress installation.  The rules should work for generic WordPress installations, however, a simpler approach might include IP address specific and/or GeoIP address specific restrictions – see below for examples.

A more detailed discussion and sample scenarios are provided by TrustWave.

Potential Problem WordPress URIs

Note that if you don’t have mod_security then it is also possible to manage these types of issues for WordPress sites by making configuration changes; you can limit access to /wp-admin/ using Apache configuration files (*.conf) and with some limitations, with Apache .htaccess files (the Apache server must be configured to allow certain directives.)  In general, for better performance and security it is best to avoid using .htaccess files and use httpd configuration files instead…  If all of this is a bit too techy then some of the WordPress security plugins may be a good (or additional) alternative (see link above.)

Disabling phpinfo()

I found several web pages on a  number of domains that suggest adding the line below  to your .htaccess file – it DOES NOT currently WORK in .htaccess – perhaps it did in previous versions of PHP… See the PHP 5 manual – disable_functions is only available in the ‘php.ini’ file. (1/2012 – a reminder that you need to test any solution(s) that you find on the Internet – you could be getting stale or inaccurate info – of course include the pages from this domain since change happens…)

Add to your ‘php.ini’ file (global disable) and phpinfo()is disabled after you restart Apache.

While there may be cases where using phpinfo() is valid, in general it should NOT be allowed within WordPress themes or plugins since some-evil-bad-guy could use the information to hack into your system…  Note that dis-abling phpinfo() may ‘break’ some themes and/or plugins.

Locating php.ini

If you are not sure where your php.ini file is located you can use a short PHP program on your web site or the shell command shown below. Assuming that your server supports PHP then you can add the php code below to any working HTML file on your server.  I suggest removing the changes once you have the information that you need…

Create a file with the code snippet below OR append to an existing PHP script.

$inipath = php_ini_loaded_file();

if ($inipath) {
    echo 'Loaded php.ini: ' . $inipath;
} else {
    echo 'A php.ini file is not loaded';

Locating your php.ini via a shell commands – output will vary based on OS and configuration:

#php --ini
Configuration File (php.ini) Path: /etc
Loaded Configuration File:         /etc/php.ini
Scan for additional .ini files in: /etc/php.d
Additional .ini files parsed:      /etc/php.d/bcmath.ini,
#php -v
PHP 5.3.6 (cli) (built: Mar 17 2011 21:19:28)
Copyright (c) 1997-2011 The PHP Group
Zend Engine v2.3.0, Copyright (c) 1998-2011 Zend Technologies


Apache WordPress Security Configuration Tweaks

Sample  tweak for  *.conf restrictions for /wp-admin/

 1. allow wp-admin with SSL and good IP address
<Location /wp-admin/>
    Order deny,allow
    Deny from all
    Allow from A.B.C.D # (Good.Guy.IP.Address )
2. allow wp-admin access via good IP address
<Location /wp-admin/>
    Order deny,allow
    Deny from all
    Allow from A.B.C.D # (Good.Guy.IP.Address )
3. dis-allow all wp-admin access ## denies and requires SSL
<Location /wp-admin/>
    Order deny,allow
    Deny from all

Option 1 above is suggested but requires that:

Using GeoIP information to restrict access & Caveats

Require ‘Good’ GeoIP (i.e. limited in the ‘US’), with SSL and/or good IP address

 <Location /wp-admin/>
    SetEnvIf GEOIP_COUNTRY_CODE US AllowCountry
    Order deny,allow
    Deny from all
    Allow from env=AllowCountry A.B.C.D # (Good.Guy.IP.Address )

Restricting WordPress Access by File names

If you take this approach then you may need a ‘rule’ for each file and/or a ‘wildcard’ rule (see the WordPress security link above for more examples/suggestions.)

<Files setup-config.php>
        order deny,allow
        deny from all

If you take any of these approaches then testing is a really good idea… See related posts for more information on using mod_security, mod_geoip and securing Apache services.


Topics: Computer Technology, System and Network Security, Unix-Linux-Os, Web Problem Solving, Web Technologies | Comments Off on WordPress security note – setup-config.php

Comments are closed.

YOUR GeoIP Data | Ip:
Continent: NA | Country Code: US | Country Name: United States
Region: | State/Region Name: | City:
(US only) Area Code: 0 | Postal code/Zip:
Latitude: 38.000000 | Longitude: -97.000000
Note - if using a mobile device your physical location may NOT be accurate...

Georgia-USA.Com - Web Hosting for Business