How to Disable Uploads to My Website

WordPress is undoubtedly one of the most highly recommended content management systems. 75 million websites including businesses, blogs, professionals, and entertainment are currently built on WordPress. This also classifies it as one of the most vulnerable when it comes to online attacks. While most online attacks stem from unpatched versions and vulnerable plugins, another major source of WordPress data theft is the disclosure of essential WordPress elements. Take, for instance, Directory Browsing.

It often happens that when your web server is unable to find an index file (i.e. a file like index.php or index.html), by default it displays an index page revealing the contents of the directory.

You can easily fix directory browsing with a click of a button with the WP-Hardening plugin. WP-Hardening is a one-stop solution to fix most of your WordPress security woes.

Here is how it works:

  • Install the WP Hardening Plugin and activate it. It will appear in the bottom left corner of your admin console.
  • Go to the "Security Fixers" tab.
  • Navigate to 'Server Hardening' and just toggle the key next to 'Hide Directory Listing of WP includes.'
  • And you're done!

Making such information public could make your site vulnerable to hackers, as it reveals the important information needed to exploit a potential vulnerability in the WordPress theme, plugin, or the server.

Why hide WordPress folders from the public?

Owing to an increased number of WordPress CMS attacks, it is essential to disable directory browsing. Hackers can exploit directory browsing to reveal files with known vulnerabilities, and in turn exploit them to gain unauthorized access. Moreover, directory browsing can be used by outsiders to copy the contents of your files, discover your directory structure, and gather other information. This is why it is imperative to restrict directory indexing and browsing.

This can be done by modifying your .htaccess file. The .htaccess file is a server configuration file that essentially allows the user to define rules for the server to follow for the website. The .htaccess file is located in your WordPress site's root folder. To edit it, you'll need to connect to your website using an FTP client. Before beginning to edit your .htaccess file, it is important to download a copy of it to your computer as a backup to be used in case anything goes wrong.

How to hide WP folders from public access?

Add the following line of code to the .htaccess file in your website root:

          Options -Indexes        

This will prevent directory listing across the website.

How to hide the WordPress login URL?

The WordPress login URL can be hidden via multiple methods:

  • With WP-Hardening: The WP Hardening plugin enables you to specify a custom URL for your WordPress login. The new URL can be specified under the 'Security Fixers' section in the WordPress Settings. In case a caching plugin is used on the website, the new login page should be added to the list of pages that are excluded from caching.
  • By whitelisting IP addresses: In this method, only the whitelisted IP addresses can access the wp-login page and every other IP will be shown an error message. This method is recommended if you have a static IP and not many people requiring access to your WordPress admin console. All you need to do is add the following code in your .htaccess file and replace the address in "!^123\.123\.123\.123$" with your own.

          <IfModule mod_rewrite.c>
          RewriteEngine on
          RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
          RewriteCond %{REQUEST_URI} ^(.*)?wp-admin$
          RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
          RewriteRule ^(.*)$ - [R=403,L]
          </IfModule>

In case multiple IP addresses need to be added, just add a new line for each, as shown below:

          RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123$
          RewriteCond %{REMOTE_ADDR} !^223\.223\.223\.223$

Your login page will now only be visible to these IP addresses.
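
How the conditions in the rule above combine, as an added example that is not part of the original article: a small Python model of the RewriteCond chain, run over constructed requests. The function names, the sample requests and the 198.51.100.7 address are assumptions made for illustration; the patterns and the two whitelisted addresses are the article's own placeholders.

```python
import re

# Patterns copied from the rule above; both addresses are the article's placeholders.
URI_CONDS = [r"^(.*)?wp-login\.php(.*)$", r"^(.*)?wp-admin$"]   # joined by [OR]
ALLOWED = [r"^123\.123\.123\.123$", r"^223\.223\.223\.223$"]     # each written with a leading !

def is_blocked(uri, remote_addr, allowed=ALLOWED, ip_conds_ored=False):
    """True when the RewriteRule would fire and answer 403.

    mod_rewrite ANDs consecutive RewriteCond lines unless one carries [OR],
    so the block reads: (login URI OR admin URI) AND NOT ip1 AND NOT ip2.
    """
    targets_login = any(re.search(p, uri) for p in URI_CONDS)
    misses = [re.search(p, remote_addr) is None for p in allowed]
    # ip_conds_ored models the mistake of adding [OR] to the negated IP lines:
    # "not ip1 OR not ip2" is true for every address, the listed ones included.
    ip_rejected = any(misses) if ip_conds_ored else all(misses)
    return targets_login and ip_rejected

def decisions(requests, **options):
    """Map each (uri, ip) pair to 'blocked' or 'allowed'."""
    return {r: "blocked" if is_blocked(*r, **options) else "allowed" for r in requests}

# Constructed requests; 198.51.100.7 is a documentation address, not a real client.
REQUESTS = [
    ("/wp-login.php", "123.123.123.123"),
    ("/wp-login.php", "223.223.223.223"),
    ("/blog/wp-login.php", "198.51.100.7"),
    ("/wp-admin", "198.51.100.7"),
    # The second pattern ends in $, so only the bare /wp-admin path matches; WordPress
    # itself sends unauthenticated /wp-admin/ visitors on to wp-login.php.
    ("/wp-admin/", "198.51.100.7"),
    ("/2024/05/hello-world/", "198.51.100.7"),
]

if __name__ == "__main__":
    for (uri, ip), verdict in decisions(REQUESTS).items():
        print(f"{ip:>16}  {uri:<24} {verdict}")
    # Without the trailing $, the pattern for .12 also lets .120 to .129 in.
    loose = [r"^123\.123\.123\.12"]
    print("loose anchor blocks .129:", is_blocked("/wp-login.php", "123.123.123.129", loose))
```

Keep the escaped dots and both anchors when substituting your own address, and do not add [OR] to the extra IP lines: either change alters who gets through.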

How to hide WP-content/uploads from Your WordPress?

The wp-content folder appears in the main directory of any WordPress site. It is an important part of every WordPress installation and it contains plugins, themes, uploads, and debug.logs that are provided by the user and not stored in the database.

One can easily hide a certain folder from being accessible to the public by modifying the .htaccess file a little bit. To hide the "Uploads" folder from the public:

  1. Open your FTP client
  2. Navigate to wp-content/uploads
  3. Create a new file and name it ".htaccess" and open it
  4. Copy and paste the following code into the file:
    # Under Order Allow,Deny a matching Deny wins, so every request to this folder is refused
    Order Allow,Deny
    Deny from all
    Allow from all
  5. Save changes.
  6. To verify the changes, navigate to http://yourdomain.com/wp-content/uploads/ where you should now get a 404 error or a blank page which doesn't show the content of your upload folder.

How to hide WP-includes from Your WordPress

It is important to restrict access to the WP-includes folder as it contains files strictly meant to run the core version of WordPress. This is the one without any plugins or themes and houses the default theme in the wp-content/theme directory. Access to the includes folder can be disabled using the following code snippet in the .htaccess file:

          # Block wp-includes folder and files
          <IfModule mod_rewrite.c>
          RewriteEngine On
          RewriteBase /
          RewriteRule ^wp-admin/includes/ - [F,L]
          RewriteRule !^wp-includes/ - [S=3]
          RewriteRule ^wp-includes/.*\.php$ - [F,L]
          RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
          RewriteRule ^wp-includes/theme-compat/ - [F,L]
          </IfModule>
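
Which requests the snippet above refuses, as an added example that is not part of the original article: a minimal Python model of the five RewriteRule lines, handling only the F flag, the S=n skip flag and a leading ! for negation. It assumes the flags read [F,L] and [S=3]; the function names and the sample paths are constructed for illustration.

```python
import re

# The rules from the block above as (pattern, flags), assuming the flags [F,L] and
# [S=3]. In .htaccess the pattern is matched against the path without its leading slash.
RULES = [
    (r"^wp-admin/includes/", "F,L"),
    (r"!^wp-includes/", "S=3"),
    (r"^wp-includes/.*\.php$", "F,L"),
    (r"^wp-includes/js/tinymce/langs/.+\.php", "F,L"),
    (r"^wp-includes/theme-compat/", "F,L"),
]

def evaluate(path, rules=RULES):
    """Return 403 if a rule carrying F fires for this path, else None (request goes on)."""
    path = path.lstrip("/")
    skip = 0
    for pattern, flags in rules:
        if skip:                          # inside the range jumped over by S=n
            skip -= 1
            continue
        negate = pattern.startswith("!")
        hit = re.search(pattern[1:] if negate else pattern, path) is not None
        if hit == negate:                 # this rule does not apply to the path
            continue
        for flag in flags.split(","):
            if flag == "F":
                return 403                # Forbidden; nothing after it runs
            if flag.startswith("S="):
                skip = int(flag[2:])
    return None

# Constructed request paths (file names are illustrative).
PATHS = [
    "/wp-admin/includes/upgrade.php",
    "/wp-includes/version.php",
    "/wp-includes/theme-compat/readme.txt",
    "/wp-includes/js/jquery/jquery.js",
    "/wp-content/uploads/2024/photo.jpg",
    "/index.php",
]

def audit(paths=PATHS, rules=RULES):
    """Return {path: 403 or None} for every sample path."""
    return {p: evaluate(p, rules) for p in paths}

if __name__ == "__main__":
    for path, status in audit().items():
        print(f"{status or 'pass':>4}  {path}")
```

Removing the S=3 line gives the same verdicts, since the three patterns it skips are all anchored to wp-includes/; the flag only saves evaluation work for requests outside that folder.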

How to hide WP-admin aka WP-login

We all know that the default URL for visiting the login page of any WordPress site is site-name/wp-admin. However, exposing your default admin login page can invite hackers to inspect it, and even figure out your credentials. Therefore, it is essential to hide your wp-admin and wp-login page, not only to make it more complex for hackers to crack but also to get extra protection from the non-hacker communities.

  1. Log in to your server dashboard. Go to your public_html folder in cPanel and open your .htaccess file in the code editor. If it is not visible to you, enable the option "Show hidden files" under visibility and then edit it.
  2. Add the following code at the beginning of your .htaccess file. The file might already contain some code, but you have to paste this before all of it.

          AuthUserFile /dev/null
          AuthGroupFile /dev/null
          AuthName "WordPress Admin Access Control"
          AuthType Basic
          # <LIMIT GET> scopes the rules below to GET and HEAD requests
          <LIMIT GET>
          order deny,allow
          deny from all
          # whitelist Prakhar IP address
          allow from xx.xx.xx.xxx
          # whitelist Satyansh IP address
          allow from xx.xx.xx.xxx
          </LIMIT>

  3. Replace the placeholder names and IP addresses (the green text) with the name and IP address of your own devices (computers, laptops, smartphones). The number of users can be increased by repeating the same code, i.e. #whitelist username address.
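
How the two Order settings used on this page decide a request, as an added example that is not part of the original article: a Python model of Apache 2.2-style Order/Allow/Deny evaluation, applied to the uploads block (Order Allow,Deny) and to the wp-admin whitelist above (order deny,allow). It handles only "all", single addresses and CIDR blocks; the function names and the 203.0.113.x and 198.51.100.7 addresses are constructed stand-ins.

```python
import ipaddress

def _matches(spec, ip):
    """Match one 'Allow from' / 'Deny from' argument: 'all', a single IP or a CIDR block."""
    if spec.lower() == "all":
        return True
    return ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def is_allowed(order, allow, deny, ip):
    """Evaluate Order/Allow/Deny for one client address.

    deny,allow: Deny is read first, a matching Allow overrides it, default is allow.
    allow,deny: Allow is read first, a matching Deny overrides it, default is deny.
    """
    allowed = any(_matches(s, ip) for s in allow)
    denied = any(_matches(s, ip) for s in deny)
    order = order.lower()
    if order == "deny,allow":
        return allowed or not denied
    if order == "allow,deny":
        return allowed and not denied
    raise ValueError(f"unknown Order value: {order!r}")

# The uploads/.htaccess block: Order Allow,Deny with both "Deny from all" and "Allow from all".
UPLOADS = {"order": "Allow,Deny", "allow": ["all"], "deny": ["all"]}
# The wp-admin block; 203.0.113.x are constructed stand-ins for the xx.xx.xx.xxx placeholders.
ADMIN = {"order": "deny,allow", "allow": ["203.0.113.10", "203.0.113.20"], "deny": ["all"]}

def report(ips=("203.0.113.10", "203.0.113.20", "198.51.100.7")):
    """Return {ip: (uploads_allowed, admin_allowed)} for constructed client addresses."""
    return {ip: (is_allowed(ip=ip, **UPLOADS), is_allowed(ip=ip, **ADMIN)) for ip in ips}

if __name__ == "__main__":
    for ip, (uploads, admin) in report().items():
        print(f"{ip:>14}  uploads={uploads}  admin={admin}")
    # Swapping the admin block to Order allow,deny locks the listed addresses out too.
    flipped = dict(ADMIN, order="allow,deny")
    print("listed IP after swap:", is_allowed(ip="203.0.113.10", **flipped))
```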

The above-listed WordPress hacks are some of the many htaccess hacks that strengthen your WordPress site.

For the comprehensive security of WordPress sites, it is advised to use Astra for WordPress Security. Astra seamlessly integrates with WordPress websites and simplifies regular security checks via a simple dashboard feature.

Tags: disable directory listing, WP-content/uploads, WP-includes, WP-login

Naman Rastogi

Naman Rastogi is a Growth hacker and digital marketer at Astra security. Working actively in cybersecurity for more than a year, Naman shares the passion for spreading awareness about cybersecurity amongst netizens. He is a regular reader of anything cybersecurity which he channelizes through the Astra blog. Naman is also a jack of all trades. He is certified in market analytics, content strategy, financial markets and more while working in parallel towards his passion, i.e. cybersecurity. When not hustling to find newer ways to spread awareness about cybersecurity, he can be found enjoying a game of ping pong or CSGO.

Source: https://www.getastra.com/blog/cms/wordpress-security/hide-wp-includes-wp-content-uploads-from-your-wordpress-site/
