Securing WordPress with an .htaccess file

As a follow-up to my first article on WordPress security, this time I am offering an example .htaccess file to secure your site.
Basic rules
Before making any changes, back up your original .htaccess!
First, we will prevent directory listing, a topic already covered in my previous article:
Options -Indexes
We add or remove the www to avoid duplicate content; replace www.exemple.fr with your own domain name (the dots in the condition are escaped so that they match literal dots).
RewriteCond %{HTTP_HOST} !^www\.exemple\.fr$ [NC]
RewriteRule ^(.*)$ http://www.exemple.fr/$1 [R=301,L]
Securing your .htaccess and your wp-config.php
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
Finally, we redirect every request for a non-existent file or directory to the index:
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . index.php [PT]
Blocking malicious bots and IPs
For bots, we will use the Perishable Press 2010 Bots Blacklist.
For IPs, we will use the Perishable Press 2010 IP Blacklist.
Final result
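Before deploying a blacklist of this size, it pays to test the rules offline against the user agents and addresses you actually see. The Python script below is an added example of mine, not code from the article or from Perishable Press: it replays the canonical-host redirect, expands the Deny from entries of the <Limit> block (including Apache's legacy partial-address form, where an entry like 82.166.163. covers the whole /24), and runs a dozen tokens taken from the user-agent blacklist over sample user agents. The .htaccess excerpt, the token subset and the sample user agents are all constructed for this example.

```python
import ipaddress
import re

# Constructed excerpt of the article's .htaccess (not the full file): the canonical
# host redirect, one <Files> protection, and a <Limit> block with a few of the
# "Deny from" entries, two of them in Apache's partial-address form.
HTACCESS_EXCERPT = r"""
RewriteCond %{HTTP_HOST} !^www\.exemple\.fr$ [NC]
RewriteRule ^(.*)$ http://www.exemple.fr/$1 [R=301,L]
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 208.120.202.98
Deny from 82.166.163.
Deny from 208.99
</Limit>
"""

# Same expression as the article's RewriteCond on HTTP_HOST; re.I plays the role of [NC].
CANONICAL_HOST = re.compile(r"^www\.exemple\.fr$", re.I)

# A dozen tokens copied from the article's user-agent blacklist (the real list has
# well over a thousand). A RewriteCond regex is unanchored, so re.search is the
# equivalent of the leading ".*" in the original.
UA_BLACKLIST = re.compile(
    r"(curl|nikto|wget|libwww|fimap|exploit|wordp|post|php|perl|free|firefox/1)", re.I)


def canonical_redirect(host, path):
    """Mirror the RewriteCond/RewriteRule pair: the 301 target when the Host
    header is not the canonical one, None when no redirect would fire."""
    if CANONICAL_HOST.match(host):
        return None
    return "http://www.exemple.fr/" + path.lstrip("/")


def parse_limit_deny_list(text):
    """Turn the 'Deny from' entries of the <Limit> block into ip_network objects.

    Partial addresses are expanded the way Apache's legacy syntax defines them:
    '82.166.163.' (or '82.166.163') means 82.166.163.0/24 and '208.99' means
    208.99.0.0/16. 'all' and CIDR entries are rejected: this helper only models
    the address list of the <Limit> block, not the <Files> sections.
    """
    block = re.search(r"<Limit[^>]*>(.*?)</Limit>", text, re.S)
    if not block:
        return []
    nets = []
    for m in re.finditer(r"^\s*Deny from\s+(\S+)\s*$", block.group(1), re.M):
        entry = m.group(1)
        if "/" in entry or entry.lower() == "all":
            raise ValueError(f"unsupported entry for this helper: {entry}")
        octets = [o for o in entry.split(".") if o]
        prefix = 8 * len(octets)
        octets += ["0"] * (4 - len(octets))
        nets.append(ipaddress.ip_network(f"{'.'.join(octets)}/{prefix}"))
    return nets


def ip_is_denied(ip, nets):
    """True when the client address falls inside any denied network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def blocked_user_agents(user_agents, pattern=UA_BLACKLIST):
    """Return the user agents the blacklist would answer with 403 (the [G] flag)."""
    return [ua for ua in user_agents if pattern.search(ua)]


# Constructed user agents: two clients you want to keep, a current Firefox,
# two tools you expect to block, and WordPress's own user agent.
SAMPLE_USER_AGENTS = [
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0 Safari/537.36",
    "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)",
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Gecko/20100101 Firefox/115.0",
    "curl/7.88.1",
    "Mozilla/5.0 (compatible; Nikto/2.1.6)",
    "WordPress/6.4; http://www.exemple.fr",
]

if __name__ == "__main__":
    print(canonical_redirect("exemple.fr", "/wp-login.php"))
    nets = parse_limit_deny_list(HTACCESS_EXCERPT)
    print([str(n) for n in nets])
    print(ip_is_denied("82.166.163.77", nets), ip_is_denied("208.120.202.99", nets))
    for ua in blocked_user_agents(SAMPLE_USER_AGENTS):
        print("403 ->", ua)
```

Running it shows why a 2010 list has to be pruned before use: besides curl and Nikto, the token firefox\/1 matches every Firefox 1xx release, and wordp matches WordPress's own user agent, so the loopback requests WordPress makes to its own site (wp-cron, pingbacks) would receive a 403 from the complete rule, since the localhost exemption in the RewriteCond only covers a Host header of 127.0.0.0 or localhost. Note also that Order and Deny from are Apache 2.2 directives; on Apache 2.4 they require mod_access_compat, the native equivalent being Require all denied.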
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
# BEGIN CUSTOM
Options -Indexes
RewriteCond %{HTTP_HOST} !^www\.immorezo\.net$ [NC]
RewriteRule ^(.*)$ http://www.immorezo.net/$1 [R=301,L]
<Files wp-config.php>
Order Deny,Allow
Deny from all
</Files>
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
RewriteCond %{HTTP_HOST} !^(127\.0\.0\.0|localhost) [NC]
RewriteCond %{HTTP_USER_AGENT} .*(Firs|exac|Cloak|Detect|uchoo|beaut|ASPSeek|swish|ICS\)|MSIE\ 6\.0\;\ Windows\ NT\;\ DigExt\)|pt\-BR\;\ rv\:1\.9\.0\.3\)\ Firefox\/3\.0|pt\-BR\;\ rv\:1\.9\.0\.18\)\ Firefox\/3\.0|\!susie|\$x0e|\%0a|\%0d|\@\$x|\_irc|\_works|\+select\+|\+union\+|\<\?|1\,\1\,1\,|3gse|4all|4anything|5\.1\;\ xv6875\)|59\.64\.153\.|85\.17\.|88\.0\.106\.|98|a\_browser|a1\ site|abac|abach|abby|aberja|abilon|abont|abot|accept|access|accoo|accoon|aceftp|acme|active|address|adopt|adress|advisor|agent|ahead|aihit|aipbot|alarm|albert|alek|alexa\ toolbar\;\ \(r1\ 1\.5\)|alltop|alma|alot|alpha|america\ online\ browser\ 1\.1|amfi|amfibi|anal|andit|anon|ansearch|answer|answerbus|answerchase|antivirx|apollo|appie|arach|archive|arian|aboutoil|asps|aster|atari|atlocal|atom|atrax|atrop|attrib|autoh|autohot|av\ fetch|avsearch|axod|axon|baboom|baby|back|baid|bali|bandit|barry|basichttp|batch|bdfetch|beat|become|bee|beij|betabot|biglotron|bilgi|bison|bitacle|bitly|blaiz|blitz|blogl|blogscope|blogzice|bloob|blow|bord|boi|bond|boris|bost|bot\.ara|botje|botw|bpimage|brand|brok|broth|browseabit|browsex|bruin|bsalsa|bsdseek|built|bulls|bumble|bunny|busca|busi|buy|bwh3|cafek|cafi|camel|cand|captu|casper|catch|ccbot|ccubee|cd34|ceg|cfnetwork|cgichk|cha0s|chang|chaos|char|char\(|chase\ x|check\_http|checker|checkonly|chek|chill|chttpclient|cipinet|cisco|cita|citeseer|clam|claria|claw|clush|coast|code\.com|cogent|coldfusion|coll|collect|comb|combine|commentreader|common|compan|compatible\-|conc|conduc|contact|control|contype|conv|cool|copi|copy|coral|corn|cosmos|costa|cowbot|cr4nk|craft|cralwer|crank|crap|crawler0|crazy|cres|cs\-cz|cshttp|cuill|CURI|curl|curry|custo|cute|cyber|cz3|czx|daily|dalvik|daobot|dark|darwin|data|daten|dcbot|dcs|dds\ explorer|deep|deps|detect|dex|diam|diibot|dillo|ding|disc|disp|ditto|dlc|doco|dotbot|drag|drec|dsdl|dsok|dts|duck|dumb|eag|earn|earthcom|easydl|ebin|echo|edco|egoto|elnsb5|email|emer|empas|encyclo|enfi|enhan|enterprise\_search|envolk|erck|erocr|eventax|evere|evil|ewh|exploit|expre|extra|eyen|fang|fast|fastbug|faxo|fdse|feed24|feeddisc|feedhub|fetch|filan|fileboo|fimap|find|firebat|firedownload\/1\.2pre\ firefox\/3\.6|firefox\/0|firefox\/1|firefox\/2|firs|flam|flash|flexum|flip|fly|focus|fooky|forum|forv|fost|foto|foun|fount|foxy\/1\;|free|friend|frontpage|fuck|fuer|futile|fyber|gais|galbot|gbpl|gecko\/2001|gecko\/2002|gecko\/2006|gecko\/2009042316|gener|geni|geo|geona|geth|getr|getw|ggl|gira|gluc|gnome|go\!zilla|goforit|goldfire|gonzo|google\ wireless|googlebot\-image|gosearch|got\-it|gozilla|grab|graf|greg|grub|grup|gsa\-cra|gsearch|gt\:\:www|guidebot|guruji|gyps|haha|hailo|harv|hash|hatena|hax|head|helm|herit|heritrix|hgre|hippo|hloader|hmse|hmview|holm|holy|hotbar\ 4\.4\.5\.0|hpprint|httpclient|httpconnect|httplib|human|huron|hverify|hybrid|hyper|iaskspi|ibm\ evv|iccra|ichiro|icopy|ida|ie\/5\.0|ieauto|iempt|iexplore\.exe|ilium|ilse|iltrov|indexer|indy|ineturl|infonav|innerpr|inspect|insuran|intellig|interget|internet\_explorer|internet\x|intraf|ip2|ipsel|irlbot|isc\_sys|isilo|isrccrawler|isspi|jady|jaka|jam|jenn|jet|jiro|jobo|joc|jupit|just|jyx|jyxo|kash|kazo|kbee|kenjin|kernel|keywo|kfsw|kkma|kmc|know|kosmix|krae|krug|ksibot|ktxn|kum|labs|lanshan|lapo|larbin|leech|lets|lexi|lexxe|libby|libcrawl|libcurl|libfetch|libweb|libwww|light|linc|lingue|linkcheck|linklint|linkman|lint|list|litefeeds|livedoor|livejournal|liveup|lmq|locu|london|lone|loop|lork|lth\_|lwp|mac\_f|magi|magp|mail\.ru|main|majest|mam|mama|mana|marketwire|masc|mass|mata|mvi|mcbot|mecha|mechanize|mediapartners|metadata|metalogger|metaspin|metauri|mete|mib\/2\.2|microsoft\.url|microsoft\_internet\_explorer|mido|miggi|miix|mindjet|mindman|mips|mira|mire|miss|mist|mizz|mj12|mlbot|mlm|mnog|moge|moje|mooz|more|mouse|mozdex) [NC]
RewriteRule ^.*$ - [G]
RewriteCond %{HTTP_HOST} !^(127\.0\.0\.0|localhost) [NC]
RewriteCond %{HTTP_USER_AGENT} .*(Windows\ NT\ 6\.1\;\ tr\;\ rv\:1\.9\.2\.6\)|mozilla\/0|mozilla\/1|mozilla\/2|mozilla\/3|mozilla\/4\.61\ \[en\]|mozilla\/firefox|mpf|msie\ 1|msie\ 2|msie\ 3|msie\ 4|msie\ 5|msie\ 6\.0\-|msie\ 6\.0b|msie\ 7\.0a1\;|msie\ 7\.0b\;|msie6xpv1|msiecrawler|msnbot\-media|msnbot\-products|msnptc|msproxy|msrbot|musc|mvac|mwm|my\_age|myapp|mydog|myeng|myie2|mysearch|myurl|nag|name|naver|navr|near|netants|netcach|netcrawl|netfront|netinfo|netmech|netsp|netx|netz|neural|neut|newsbreak|newsgatorinbox|newsrob|newt|next|ng\-s|ng\/2|nice|nikto|nimb|ninja|ninte|nog|noko|nomad|norb|note|npbot|nuse|nutch|nutex|nwsp|obje|ocel|octo|odi3|oegp|offby|offline|omea|omg|omhttp|onfo|onyx|openf|openssl|openu|opera\ 2|opera\ 3|opera\ 4|opera\ 5|opera\ 6|opera\ 7|orac|orbit|oreg|osis|our|outf|owl|p3p\_|page2rss|pagefet|pansci|parser|patw|pavu|pb2pb|pcbrow|pear|peer|pepe|perfect|perl|petit|phoenix\/0\.|php|phras|picalo|piff|pig|pingd|pipe|pirs|plag|planet|plant|platform|playstation|plesk|pluck|plukkie|poe\-com|poirot|pomp|post|postrank|powerset|preload|press|privoxy|probe|program\_shareware|protect|protocol|prowl|proxie|proxy|psbot|pubsub|puf|pulse|punit|purebot|purity|pyq|pyth|query|quest|qweer|radian|rambler|ramp|rapid|rawdog|rawgrunt|reap|reeder|refresh|reget|relevare|repo|requ|request|rese|retrieve|rip|rix|rma|roboz|rocket|rogue|rpt\-http|rsscache|ruby|ruff|rufus|rv\:0\.9\.7\)|salt|sample|sauger|savvy|sbcyds|sbider|sblog|sbp|scagent|scanner|scej\_|sched|schizo|schlong|schmo|scorp|scott|scout|scrawl|screen|screenshot|script|seamonkey\/1\.5a|search17|searchbot|searchme|sega|semto|sensis|seop|seopro|sept|sezn|seznam|share|sharp|shaz|shell|shelo|sherl|shim|shopwiki|silurian|simple|simplepie|siph|sitekiosk|sitescan|sitevigil|sitex|skam|skimp|sledink|sleip|slide|sly|smag|smurf|snag|snapbot|snapshot|snif|snip|snoop|sock|socsci|sogou|sohu|solr|some|soso|spad|span|spbot|speed|sphere|spin|sproose|spurl|sputnik|spyder|squi|sqwid|sqworm|ssm\_ag|stack|stamp|statbot|state|steel|stilo|strateg|stress|strip|style|subot|such|suck|sume|sunos\ 5\.7|sunrise|superbot|superbro|supervi|surf4me|surfbot|survey|susi|suza|suzu|sweep|sygol|synapse|sync2it|systems|szukacz|tagger|tagoo|tagyu|take|talkro|tamu|tandem|tarantula|tbot|tcf|tcs\/1|teamsoft|tecomi|teesoft|teleport|telesoft|tencent|terrawiz|test|texnut|thomas|tiehttp|timebot|timely|tipp|tiscali|titan|tmcrawler|tmhtload|tocrawl|todobr|tongco|toolbar\;\ \(r1|topic|topyx|torrent|track|translate|traveler|treeview|tricus|trivia|trivial|true|tunnel|turing|turnitin|tutorgig|twat|tweak|twice|tygo|ubee|ultraseek|unavail|unf|universal|unknown|upg1|uptime|urlbase|urllib|urly|user\-agent\:|useragent|usyd|vagabo|valet|vamp|vci|veri\~li|verif|versus|via|virtual|visual|void|voyager|vsyn|w0000t|w3search|walhello|walker|wand|waol|watch|wavefire|wbdbot|weather|web\.ima|web2mal|webarchive|webbot|webcat|webcor|webcorp|webcrawl|webdat|webdup|webgo|webind|webis|webitpr|weblea|webmin|webmoney|webp|webql|webrobot|webster|websurf|webtre|webvac|webzip|wells|wep\_s|wget|whiz|widow|win67|windows\-rss|windows\ 2000|windows\ 3|windows\ 95|windows\ 98|windows\ ce|windows\ me|winht|winodws|wish|wizz|wordp|worio|works|world|worth|wwwc|wwwo|wwwster|xaldon|xbot|xenu|xirq|y\!tunnel|yacy|yahoo\-mmaudvid|yahooseeker|yahooysmcm|yamm|yand|yandex|yang|yoono|yori|yotta|yplus\ |ytunnel|zade|zagre|zeal|zebot|zerx|zeus|zhuaxia|zipcode|zixy|zmao) [NC]
RewriteRule ^.*$ - [G]
<Limit GET POST PUT>
Order Allow,Deny
Allow from all
Deny from 208.120.202.98
Deny from 208.64.202.134
Deny from 217.218.166.14
Deny from 173.65.81.35
Deny from 77.21.46.241
Deny from 82.166.163.
Deny from 85.175.209.175
Deny from 212.107.136.66
Deny from 76.70.116.52
Deny from 70.106.192.200
Deny from 213.98.214.17
Deny from 114.58.253.56
Deny from 70.27.145.208
Deny from 208.99.193.10
Deny from 58.243.5.216
Deny from 146.115.72.39
Deny from 219.136.130.241
Deny from 65.208.151.
Deny from 222.73.173.11
Deny from 65.55.106.
Deny from 72.206.102.189
Deny from 99.159.41.74
Deny from 188.40.42.199
Deny from 195.10.218.132
Deny from 69.116.41.121
Deny from 84.220.96.39
Deny from 85.137.90.133
Deny from 85.137.83.160
Deny from 91.144.190.35
Deny from 83.233.165.88
Deny from 86.35.12.14
Deny from 24.182.45.28
Deny from 97.74.24.41
Deny from 24.182.45.26
Deny from 211.206.123.177
Deny from 213.215.116.99
Deny from 188.40.89.203
Deny from 65.55.207.
Deny from 71.95.178.74
Deny from 98.189.159.150
Deny from 174.143.3.188
Deny from 66.96.248.69
Deny from 71.235.77.152
Deny from 67.36.185.44
Deny from 65.242.250.130
Deny from 194.8.75.
Deny from 188.26.51.239
Deny from 118.208.240.173
Deny from 24.43.155.122
Deny from 91.149.157.136
Deny from 88.0.172.95
Deny from 66.82.9.92
Deny from 66.63.167.50
Deny from 208.99
Deny from 64.219.110.207
Deny from 98.189.159.153
Deny from 174.127.132.10
Deny from 67.185.43.239
Deny from 83.246.164.78
Deny from 213.227.252.26
Deny from 91.213.121.24
Deny from 96.243.186.28
Deny from 67.142.164.34
Deny from 173.58.132.100
Deny from 59.160.160.9
Deny from 67.225.242.171
Deny from 71.34.43.102
Deny from 67.205.45.142
Deny from 77.49.61.248
Deny from 79.174.64.184
Deny from 207.241.228.162
Deny from 204.12.192.135
Deny from 218.24.170.133
Deny from 200.90.216.146
Deny from 86.18.88.15
Deny from 212.225.185.11
Deny from 76.115.45.61
Deny from 213.37.57.113
Deny from 192.117.105.105
Deny from 69.45.51.98
Deny from 72.193.217.97
Deny from 115.133.252.31
Deny from 117.196.229.254
Deny from 117.196.234.101
Deny from 117.196.236.41
Deny from 77.49.57.214
Deny from 71.95.178.68
Deny from 92.233.3.91
Deny from 76.25.146.62
Deny from 66.25.140.85
Deny from 79.103.230.53
Deny from 76.65.178.130
Deny from 41.129.5.121
Deny from 84.40.30.37
Deny from 110.45.143.142
Deny from 66.221.63.33
Deny from 121.254.228.146
Deny from 222.236.47.182
Deny from 118.129.170.49
Deny from 88.191.94.188
Deny from 62.141.56.136
Deny from 174.120.219.160
Deny from 67.222.152.66
Deny from 92.240.42.10
Deny from 174.142.75.205
Deny from 91.142.208.158
Deny from 64.22.96.66
Deny from 78.86.185.224
Deny from 91.205.96.19
Deny from 202.70.54.115
Deny from 213.167.96.196
Deny from 195.117.223.98
Deny from 85.17.211.164
Deny from 213.93.38.160
</Limit>
# END CUSTOM
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
My sources for this article:
I strongly encourage you to read these articles; the only catch is that they are in English.
- 20 Steps to a Flexible and Secure WordPress Installation, from net.tuts.plus.com
- Jeff Starr's blog, Perishable Press
Going further:
An interesting plugin that rates the security level of your WordPress installation and provides valuable guidance: Ultimate Security Check