Web Talk

Some months ago I wrote an article where I spoke about how to secure your Wordpress blog with simple php pieces of code. Following that post, I have decided to write something more about it, to let you know how it is possible to further improve your blog’s security with some little tricks that don’t cost you a thing. As you know, I am always concerned about my blog’s security and, since no CMS is fully hacker-proof, it is always good to be prepared for rainy days. These are the tricks you can apply to better protect your blog.

Restrict access to your wp-config.php

• Create a “.htaccess” in your Wordpress root. (to create it, use Windows notepad. Just create the file and rename it accordingly)
• If you don’t know how to create a “.htaccess” file you can use this website.
• Put the “.htaccess” inside your wp-admin directory and, inside it, write:
• <Files wp-config.php>
  Order Deny,Allow
  Deny from All
  </Files>

Trick Spam and prevent it from spamming your comment section

This little piece of code tricks spam in a very easy and nasty way. In fact it adds, in the comment form section, a little blank field. Once the spambot detects it, it will try to write something in it. At this point, since the field is not writable, the code will prompt the spambot to start from the beginning… endlessly. Of course this field is not viewable by users, but it is visible to spambot and automatic malicious robots which will try to fill it out:

• Write this code in the “comments.php” file located in your Wordpress theme folder. You have to place this code among the other fields which are used to write a comment, before the field where people have to write the comments themself:
• <form method=POST action=”list.php” name=”list”>
  <input type=”hidden” name=”submitted” value=”submitted”>
  <div class=”form_01″>
  <label for=”first_name”>First name:</label>
  <input title=”If you managed to write in it, you are spam!!!” type=”text” name=”first_name” id=”first_name” value=”" onKeyUp=” val = this.value; if (val.length > 0) { alert(’Please place your cursor in ‘Name’ box to start your message’); this.value = val.substring(0,0); emailform.focus() } this.form.count.value=0-parseInt(this.value.length); “>
  </div>
• Now, to hidden this field from people, place this code in “style.css” located in your Wordpress theme folder:
• .form_01 {
  visibility: hidden;
  display: none;
  }

Restrict access to the wp-content and wp-includes directories

• Create a “.htaccess” inside your wp-content and wp-includes directories and, inside it, write:
• Order Allow,Deny
  Deny from all
  <Files ~ “.(css|jpe?g|png|gif|js)$”>
  Allow from all
  </Files>
• Note: this code may cause some plugin to misbehave.