Posts tagged ‘htaccess’

WordPress 2.6 to disable XML-RPC out of the box

Peter Westwood, a WordPress developer, recently announced a planned change that will disable Atom and XML-RPC publishing by default. I’m thrilled at this direction: many of my corporate and professional installations of WordPress require significant tweaking to disable remote publishing.

In the meantime, I’ve actually had no ill effects from removing xmlrpc.php from the default WordPress installation.

Another tweak I usually employ is applying a .htaccess file to the wp-admin directory. Using a set of Allow/Deny directives, you can restrict access to your administration panel to local machines only. For example, creating a new file /wp-admin/.htaccess:

# Apache 2.2: deny everyone, then let 192.168.1.x back in.
# (With "Order allow,deny", "Deny from all" would win and block every client.)
Order deny,allow
Deny from all
Allow from 192.168.1

This file ensures that only clients with 192.168.1.x addresses can reach the administration dashboard. It is very useful because, even if a password is compromised, only internal users can ever reach the login prompt.
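The ordering of the Order/Allow/Deny lines is the part of this file that is easiest to get backwards, and the failure is silent (nobody can log in, including you). As an added example, my own and not from the original post, the Python script below models how Apache 2.2's mod_authz_host evaluates such a block and checks a few constructed client addresses against the wp-admin rules in both orderings: `Order deny,allow` followed by `Deny from all` and `Allow from 192.168.1` admits only the internal network, whereas `Order allow,deny` with `Deny from all` evaluated last rejects every client. The parser, the host-matching helper and the sample addresses are all assumptions made for illustration.

```python
import ipaddress

# Constructed example (not the post's file): the wp-admin/.htaccess rules in the
# ordering that admits only the internal 192.168.1.x network.
WP_ADMIN_HTACCESS = """
Order deny,allow
Deny from all
Allow from 192.168.1
"""

# The same three lines with the order swapped. "Deny from all" is then
# evaluated last and matches every client, so nobody can reach wp-admin.
SWAPPED_ORDER = """
Order allow,deny
Allow from 192.168.1
Deny from all
"""


def parse_access_rules(text):
    """Parse Apache 2.2 Order/Allow/Deny lines into (directive, argument) pairs."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, rest = line.partition(" ")
        directive = directive.lower()
        if directive == "order":
            rules.append(("order", rest.strip().lower()))
        elif directive in ("allow", "deny"):
            words = rest.split()            # "from host [host ...]"
            if not words or words[0].lower() != "from":
                raise ValueError(f"cannot parse access line: {line!r}")
            for pattern in words[1:]:
                rules.append((directive, pattern))
    return rules


def host_matches(pattern, client_ip):
    """Match a client address against 'all', a CIDR block, or a partial IP."""
    if pattern.lower() == "all":
        return True
    if "/" in pattern:
        return ipaddress.ip_address(client_ip) in ipaddress.ip_network(pattern, strict=False)
    # A partial address such as "192.168.1" matches on whole octets only,
    # so it covers 192.168.1.x but not 192.168.10.x.
    want, have = pattern.split("."), client_ip.split(".")
    return have[: len(want)] == want


def is_allowed(text, client_ip):
    """Evaluate an access block the way mod_authz_host in Apache 2.2 does."""
    rules = parse_access_rules(text)
    order = next((arg for d, arg in rules if d == "order"), "deny,allow")
    allowed = any(host_matches(p, client_ip) for d, p in rules if d == "allow")
    denied = any(host_matches(p, client_ip) for d, p in rules if d == "deny")
    if order == "allow,deny":
        # Allow is checked first and must match; any matching Deny then rejects.
        return allowed and not denied
    if order == "deny,allow":
        # Deny is checked first, but a matching Allow overrides it.
        return allowed or not denied
    raise ValueError(f"unsupported Order value: {order!r}")


if __name__ == "__main__":
    for client in ("192.168.1.20", "192.168.10.20", "203.0.113.5"):
        print(client,
              "intended:", is_allowed(WP_ADMIN_HTACCESS, client),
              "swapped:", is_allowed(SWAPPED_ORDER, client))
```

On Apache 2.4 the same intent is expressed with mod_authz_core as `Require ip 192.168.1`, which has no ordering pitfall; the script above models only the 2.2 directives the post uses.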

Another option, which still allows trusted users remote access, is a second layer of authentication. Using the htpasswd utility and the .htaccess tutorial from Apache, create a separate login for the administration panel. This prompt appears before the default WordPress login, so roaming web spiders and malicious bots have a harder time reaching the wp-admin directory once appropriate access restrictions are in place.

DreamHost statistics with a root WordPress installation

If you own one or more of the 350K domains hosted with DreamHost, you may be interested in using their statistics tracking system. However, if WordPress is installed at the root of your domain, the /stats/ URL is inaccessible and only returns a 404 error, because WordPress tries to parse /stats/ as a permalink to a post or page. This is due to the .htaccess rewrite directives that WordPress installs.

The solution is on the DreamHost wiki and can be added to the top of your .htaccess file fairly quickly:

<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(stats|failed_auth\.html)/?(.*)$ [NC]
RewriteRule ^.*$ - [L]
</IfModule>

This code comes before the WordPress-generated block, which starts with the comment line:

# BEGIN WordPress
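The reason the guard has to sit above the WordPress block is the [L] flag: the first rule whose pattern and conditions match ends processing, and the WordPress catch-all sends anything that is not a real file or directory to index.php. As an added example, my own and not from the post or the DreamHost wiki, the Python script below parses both blocks and walks the rule chain for a few request URIs, with and without the guard and with the guard in the wrong place. The WordPress block is the standard one WordPress writes between its BEGIN/END comments; the picture of the document root and the sample URIs are constructed, and the model understands only the RewriteCond forms that appear in these two blocks.

```python
import re

# Constructed sample files, not the post's own .htaccess. GUARD is the
# DreamHost wiki block quoted in the post; WORDPRESS_BLOCK is the standard
# rewrite block that WordPress writes between "# BEGIN/END WordPress".
GUARD = r"""
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_URI} ^/(stats|failed_auth\.html)/?(.*)$ [NC]
RewriteRule ^.*$ - [L]
</IfModule>
"""

WORDPRESS_BLOCK = r"""
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
"""

# Constructed picture of the document root. /stats/ is deliberately absent:
# on DreamHost it is served by the web server, not by a directory on disk,
# which is why the -f/-d tests in the WordPress block do not protect it.
DOCROOT = {"files": {"/index.php", "/wp-login.php"},
           "dirs": {"/wp-admin", "/wp-content"}}


def parse_rewrite_rules(text):
    """Collect (conditions, pattern, target, flags) tuples in file order."""
    rules, pending = [], []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith(("#", "<")):
            continue
        flags = parts[3].strip("[]").split(",") if len(parts) > 3 else []
        if parts[0] == "RewriteCond":
            pending.append((parts[1], parts[2], flags))
        elif parts[0] == "RewriteRule":
            rules.append((pending, parts[1], parts[2], flags))
            pending = []            # conditions apply to the next rule only
    return rules


def cond_holds(test_string, pattern, flags, uri, docroot):
    """Evaluate one RewriteCond for a request URI (URI-based variables only)."""
    if test_string not in ("%{REQUEST_URI}", "%{REQUEST_FILENAME}"):
        raise ValueError(f"unsupported test string: {test_string}")
    if pattern == "!-f":
        return uri not in docroot["files"]
    if pattern == "!-d":
        return uri not in docroot["dirs"]
    return re.search(pattern, uri, re.IGNORECASE if "NC" in flags else 0) is not None


def resolve(htaccess, uri, docroot):
    """Run the rule chain the way a per-directory .htaccess does, honouring [L]."""
    for conds, pattern, target, flags in parse_rewrite_rules(htaccess):
        # In a per-directory context the pattern sees the path without its
        # leading slash, and the pattern is tested before the conditions.
        if not re.search(pattern, uri.lstrip("/")):
            continue
        if not all(cond_holds(t, p, f, uri, docroot) for t, p, f in conds):
            continue
        if target != "-":           # "-" means leave the URI untouched
            uri = target
        if "L" in flags:
            break
    return uri


if __name__ == "__main__":
    for request in ("/stats/", "/Stats/monthly.html", "/2008/05/hello-world/", "/wp-login.php"):
        print(request, "->", resolve(GUARD + WORDPRESS_BLOCK, request, DOCROOT),
              "| without guard:", resolve(WORDPRESS_BLOCK, request, DOCROOT))
```

Placing the guard after the WordPress block (`WORDPRESS_BLOCK + GUARD`) gives the same result as having no guard at all, because the catch-all rule has already rewritten /stats/ to /index.php and stopped.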

Alternatively, if you are concerned about people brute-forcing your statistics username and password (since /stats/ uses plain HTTP authentication), you can deny public access to /stats/ and read the log files from an SSH session. Keep in mind that this will be a text-based view of your statistics.

ssh user@yourdomain.com
cd logs/yourdomain.com/http/html
links index.html

The logs directory sits under your home directory (~). You could also run tar/gzip on the ~/logs/yourdomain.com/http/html directory, transfer the archive by SFTP/FTP, and view the stats locally.

For more information, such as performing the same operation with Ruby on Rails apps or TextPattern, check the wiki.