Layered security also known as layered defense describes the practice of combining multiple security controls to help protect resources and data. These include point security solutions, filtering systems and monitoring strategies. These measures are meant to be used together to slow a hacking attempt down and forcing attackers to look for easier targets that use fewer resources to breach.
What is Web Security
The web security isn’t a perfect science, every site varies in terms of what needs to be shared, what files or folders need to remain accessible. And depending on whether you’re running a network or not, how many people need to access the site. Locking out access to areas of your site has its pros and cons. If you stop users from being able to upload files to your site from the WordPress admin area your site will definitely be more secure. However your users won’t be able to share images and other content without using cPanel or a FTP client to upload images. This would work for a site managed by one or two super admins but could cause big problems on multisite or Social Network websites.
The following measures for layered security protecting critical files and blacklisting and whitelisting IPs are merely suggestions and are not right for everyone. But they should give you some ideas on ways you can better secure your site.
Using .htaccess to Protect Your WordPress Site
By editing your site’s .htaccess file you can enable or disable access to various features on your site, limiting file permissions is a good way to ensure only the right people are accessing files on your server. The wpconfig.php file in the root directory of your site stores information about your site as well as database details. If a hacker were to get a hold of this information there’s nothing to stop him from manipulating the content on your whole website.
In short the wpconfig.php file is hacker gold. You can easily block access to the file by adding a few short lines of code to your .htaccess file. These code snippets should be placed just after the line in WordPress.
Another measure you could try is blacklisting and whitelisting IPs. Whitelisting your IP address is a good way to keep others off of your dashboard. Whitelisting will only work if you have a static IP address that you always work from. Or if you have a static IP that you have set up as a virtual portal to work from.
To limit access to your dashboard by IP address – create a new .htaccess file in your favorite text editor and upload it to your site’s wp-admin folder. Then add this code snippet using your IP address, this will deny access to the admin folder for everyone except people working from your IP address.
Order deny, allow
Allow from 192.168.x.x
Deny from all
Remember if you have a dynamic IP address you might have to regularly update this file or you lock yourself out of your own site. Unlike whitelisting, blacklisting allows access for all users and denies access to specific IP addresses. This can come in handy if hacking attempts on your side are coming from one specific IP address. To blacklist an IP from accessing your site just add the following snippet of code to your .htaccess file using the IP address you would like to black list.
Order allow, deny
Deny from 192.168.x.x
Allow from all
You can blacklist multiple IPs by replicating the deny line like this:
Order allow, deny
Deny from 192.168.x.x
Allow from all
Disabling the theme encode editor from your site’s dashboard is another way to protect valuable files. Simply placing this single line of code in your wp-config.php file will disable the code editor.
define( ‘DISALLOW_FILE_EDIT’ , true );
Finally, after adding all of this codes to your .htaccess file it’s important to protect this file too. This last bit of code will stop anyone from viewing any file on your site that begins with HTA.
<Files ~”^.*\.([Hh][Tt][Aa])”>
order allow, deny
deny from all satisfy all
</Files>
It’s important to remember the measures we’ve looked at in this video are not intended to be comprehensive. Putting up walls will not only make it harder for bad guys to get on to your website but it also creates more obstacles for you to jump through every time you want to make a change, running update or just login. How valuable is the content on your site – the answer to this question should determine how many layers and what kind of defense you need to use to protect your data and your customers.
