Dear webmasters,
Unfortunately I have had quite a lot of attacks on my websites over the past few months. I have already taken a number of measures, but the attacks still continue and sometimes they even manage to break through and take the site down. That is why I did some research and put together a sort of checklist, and my question is whether you can recommend this or what you would change?
Add the following code to your wp-config.php file:
Force plugins to auto update
add_filter( ‘auto_update_plugin’, ‘__return_true’ ); // this doesn't work
add_filter( ‘auto_update_theme’, ‘__return_true’ ); // this doesn't work
define( 'WP_AUTO_UPDATE_CORE', true );
Disable File Edit
define('DISALLOW_FILE_EDIT', true);
define('DISALLOW_FILE_MODS', true );
Reset WordPress security keys each month
Open the wp-config.php file.
Search for “authentication unique keys and salts”.
Use an online automatic keys generator tool: https://api.wordpress.org/secret-key/1.1/salt/
Copy the keys from the online tool and replace the existing set of keys, overwriting it in wp-config.php.
Force/Enable HTTPS login for all Admin and Users
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);
Secure Your Debug Logs, set to False
define( 'WP_DEBUG', false );
So that is actually 8 lines you can add to wp-config to improve security in WordPress.
Besides that, you can also change a few things in the .htaccess file to improve your website's security.
But I have some questions about this too. Below is a list I put together, where I wonder whether I can simply implement this and put it in the htaccess:
# Protecting Important Files from access
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|install\.php|php\.info|readme\.html|bb-config\.php|\.htaccess|\.htpasswd|readme\.txt|timthumb\.php|error_log|error\.log|PHP_errors\.log|\.svn)">
Deny from all
</FilesMatch>
QUESTION: Which of these 3 types is better?
<files wp-config.php>
order allow,deny
deny from all
</files>
<Location "/wp-config*">
Deny from all
</Location>
<Location "/wp-content/">
<If "%{QUERY_STRING} =~ /wp-config.php/">
Deny from all
</If>
</Location>
_____
# Disable registration for bots
<Location "/wp-login*">
<If "%{QUERY_STRING} =~ /action=register/">
Deny from all
</If>
</Location>
# Deny access to all .htaccess files (Isn't this partly the same as what is listed above under Protecting files from access?)
<files ~ "^.*\.([Hh][Tt][Aa][Cc])">
order allow,deny
deny from all
satisfy all
</files>
# Restrict Access to the Admin
ErrorDocument 401 /path-to-your-site/index.php?error=404
ErrorDocument 403 /path-to-your-site/index.php?error=404
QUESTION: Aren't the scripts below the same thing, just worded differently? Which is better?
<IfModule mod_rewrite.c>
RewriteEngine on
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
RewriteCond %{REMOTE_ADDR} !^IP Address One$
RewriteCond %{REMOTE_ADDR} !^IP Address Two$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
Or
# Block access to wp-admin (+ wp-login): replace x.x.x.x and y.y.y.y with your IP addresses,
by creating a new .htaccess:
order deny,allow
allow from x.x.x.x
deny from all
So:
<Files wp-login.php> (and likewise the admin variant)
order deny,allow
Deny from all
# allow access from my IP address
allow from x.x.x.x
</Files>
___________
# Protect Your Site Against Script Injections
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
# Prevent hotlinking from all files
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http://(www\.)?example\.com/.*$ [NC]
RewriteRule \.(gif|jpg|jpeg|bmp|zip|rar|mp3|flv|swf|xml|php|png|css|pdf)$ - [F]
# Securing the wp-includes Directory
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# Prevent Username Enumeration
RewriteCond %{QUERY_STRING} author=\d
RewriteRule ^ /? [L,R=301]
# Require SSL
Use the code below to force the use of an SSL certificate unless the exact Fully Qualified Domain Name (FQDN) listed in line three is entered:
SSLOptions +StrictRequire
SSLRequireSSL
SSLRequire %{HTTP_HOST} eq "www.your-site.com"
ErrorDocument 403 https://www.your-site.com
Question: Should I put this in WP-CONFIG or in HTACCESS? Which is better? Can it be both?
# Require/Force HTTP -> HTTPS redirect
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://www.mysite.com/$1 [R,L]
</IfModule>
Finally, # Block bad bots and bad URLs
____
All in all there are still a lot of questions. Hopefully some webmasters will still find this list useful.
17-01-2017, 16:44 #1
Changes to wp-config + htaccess to improve security.
Last edited by Ronald Boer: 17-01-2017 at 16:59
17-01-2017, 17:03 #2
xmlrpc is often abused; I would block it together with wp-trackback.
17-01-2017, 18:06 #3
Or you install Wordfence and save yourself all that effort.
17-01-2017, 18:28 #4

17-01-2017, 18:30 #5

17-01-2017, 19:12 #6 ManagedWPHosting.nl
Neither offers any real guarantees.
The OP is decent in itself, but makes the classic mistake of locking down all of wp-admin.
Then you can never make AJAX calls to wp-admin/admin-ajax.php as a visitor (because you get a deny).
Regarding this part:
add_filter( ‘auto_update_plugin’, ‘__return_true’ ); // this doesn't work
add_filter( ‘auto_update_theme’, ‘__return_true’ ); // this doesn't work
Note that your quotes are "fancy" ones, and not as they should be, namely '
so PHP doesn't understand it.
And yes.. a combination of WAF/server level, .htaccess/nginx AND your wp-config is really the safest. Layered security.
Also close your online editor by default and get a 2-factor login (shameless plug: standard with us)
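Pulling the OP's three .htaccess questions together with the xmlrpc point from #2 and the admin-ajax caveat from #6, here is an added example that is not from the original thread: an Apache 2.4 fragment that protects the sensitive files with <FilesMatch> (valid in .htaccess, whereas <Location> is not), restricts wp-login.php and wp-admin to listed addresses, and keeps admin-ajax.php reachable. It assumes WordPress in the document root, mod_authz_core and mod_rewrite loaded, AllowOverride permitting AuthConfig and FileInfo, and uses the documentation placeholders 203.0.113.10 and 198.51.100.0/24 in place of your own addresses.

```apache
# Added example (not from the original thread). Assumes Apache 2.4 with
# mod_authz_core and mod_rewrite, WordPress installed in the document root,
# and AllowOverride AuthConfig FileInfo for this .htaccess. Put this block
# above the "# BEGIN WordPress" section so it runs before WP's own rewrites.
# 203.0.113.10 and 198.51.100.0/24 are placeholder addresses: use your own.

# 1. Sensitive files. <Files>/<FilesMatch> are valid in .htaccess; <Location>
#    is not (server or virtual-host config only), so the three variants in
#    the OP collapse to this single section.
<FilesMatch "^(wp-config\.php|\.htaccess|\.htpasswd|php\.ini|error_log|readme\.html)$">
    Require all denied
</FilesMatch>

# 2. xmlrpc.php and wp-trackback.php (reply #2): deny unless something you
#    actually use needs XML-RPC.
<FilesMatch "^(xmlrpc|wp-trackback)\.php$">
    Require all denied
</FilesMatch>

# 3. Login page restricted to the listed addresses. Same effect as the
#    "order deny,allow / allow from x.x.x.x / deny from all" form in the OP,
#    which on Apache 2.4 only keeps working through mod_access_compat.
<Files "wp-login.php">
    Require ip 203.0.113.10 198.51.100.0/24
</Files>

# 4. Admin area: same addresses, but admin-ajax.php stays open so front-end
#    AJAX for ordinary visitors keeps working (reply #6). mod_rewrite is used
#    here because .htaccess cannot contain <Directory> or <Location> sections.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_URI} ^/wp-admin(/|$)
    RewriteCond %{REQUEST_URI} !^/wp-admin/admin-ajax\.php$
    RewriteCond %{REMOTE_ADDR} !^203\.0\.113\.10$
    RewriteCond %{REMOTE_ADDR} !^198\.51\.100\.[0-9]{1,3}$
    RewriteRule ^ - [F,L]
</IfModule>
```

To verify, request /wp-login.php and /wp-admin/ from an address outside the list (both should return 403) and /wp-admin/admin-ajax.php from the same address (should still answer).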
17-01-2017, 19:26 #7
This offers no guarantee either. Good luck if someone attacks your website via FTP or MySQL. Or JavaScript / another 100 possibilities.... We ourselves no longer use htaccess for security. And really the only security is IP restriction on wp-admin / wp-login, mainly, with the rest handled by Wordfence on WordPress sites. Other sites with other / custom security.
18-01-2017, 08:11 #8
I wrote a WordPress plugin for this; it detects fake visitors automatically and blocks them automatically. You can find this plugin for free on my site. Let me know if you need help.
18-01-2017, 08:16 #9
18-01-2017, 11:53 #10
It is not a matter of uploading and configuring 1 plugin. Properly securing WordPress involves much more.
A few tips
- Check here whether you have any vulnerable plugins: https://wpvulndb.com/
- Check here whether your site already contains malware: https://sitecheck.sucuri.net/
- Make enough backups, use good passwords, disable xmlrpc etc., minimise the number of plugins, update your theme and WP
I repair and secure WordPress websites, 7 days a week.
Together with a programmer I translated and improved 1 of the best security plugins on 118+ points.
It can be found on my site. I install it for every client. The plugin addresses so many important points.
If you have an important business website or a sizeable webshop, it is important to have the website properly checked first. With a backdoor, a leaky FTP/server or a leaked database you can harden as much as you want without result.