Computers and software are not perfect. We’ve all seen them make errors. That’s why it’s very important to put up blocks for when (not if) software messes up.

Did you know that if your WordPress’s database becomes corrupt, blanked, dropped, or otherwise wiped, the next visitor can reinstall it? Yes, that’s right: in the event that your database has a major issue, the next visitor will get the installation prompt, allowing them to set the admin password and then start building a site (with phishing links and the whole 9 yards) where yours used to be.

Well, that’s awful, right? Oh, and you won’t get a notice about it. You’ll just come back x number of days after it happens and see a new site where yours used to be.

Block it

There’s an easy way to stop that from happening. The file that performs a WordPress installation is wp-admin/install.php, so blocking access to it will stop a reinstall attempt. (You could delete the file, but it will be recreated by the next upgrade.)

Apache

To block it, create/add this to your site’s wp-admin/.htaccess file. If your site has a custom named wp-admin or is using a subdirectory, change it accordingly.

# block reinstall 
# wp-admin/.htaccess
# works on both Apache 2.2 and 2.4+
<Files install.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>

The above assumes that your Apache AllowOverride settings are allowing the .htaccess file to block file access. If you don’t have this, you will need to either allow it, or add the above to the site’s VirtualHost config.

NGINX

For NGINX, add this inside the site’s server block (NGINX location paths are absolute, so include the leading slash and any subdirectory):

location = /wp-admin/install.php {
    deny all;
}

Test it out

Now we need to test it to make sure it’s working. First, load your site and make sure it’s running. If it’s not, review the .htaccess file and check your logs.

If your site works, then make sure you can’t get to the install.php URL. In a new window, type in your website’s URL followed by /wp-admin/install.php, so it looks like https://www.example.com/wp-admin/install.php.

If you are using a subdirectory, make sure you include that subdirectory (https://www.example.com/subdirectory/wp-admin/install.php).

You should get an Access Denied message, like this:

Huh? You really want to see that? Are you sure…?

… Sorry, no can do … (Error 403: Forbidden)

(That’s my custom 403 error page. For more on how to setup your own custom error pages, go here.)

If you get a message saying “WordPress is already installed”, then it’s not working correctly. Check that the .htaccess file is placed correctly and has the right permissions, then check the logs and your httpd.conf/VirtualHost settings.
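The same check, scripted so it can be rerun after every upgrade or config change. This is an added example, not part of the original post; it assumes curl is installed and treats a 403 (or 401) on install.php as the desired result, a 404 as the file being missing (it comes back on the next upgrade), and anything else (such as the 200 “WordPress is already installed” page) as the block not working.

```shell
#!/bin/sh
# Added example: verify from outside that wp-admin/install.php is blocked.
# Assumes curl is available; the site base URL is passed as the first argument.

# Turn the two HTTP status codes (home page, install.php) into a verdict.
# Prints one word and returns 0 only when the block is in place.
verdict() {
  home_code="$1"
  install_code="$2"
  case "$home_code" in
    2*|3*) ;;                                  # site itself is reachable
    *)     echo "SITE_DOWN";    return 1 ;;    # fix the site first, then retest
  esac
  case "$install_code" in
    403|401) echo "BLOCKED";      return 0 ;;  # what we want
    404)     echo "FILE_MISSING"; return 2 ;;  # deleted? it returns on the next upgrade
    *)       echo "NOT_BLOCKED";  return 3 ;;  # e.g. 200 "WordPress is already installed"
  esac
}

# Fetch both URLs and print the verdict.
# Arg: base URL including any subdirectory, e.g. https://www.example.com
# or https://www.example.com/subdirectory (no trailing slash needed).
check_install_block() {
  base="${1%/}"
  home_code=$(curl -s -o /dev/null -w '%{http_code}' "$base/")
  install_code=$(curl -s -o /dev/null -w '%{http_code}' "$base/wp-admin/install.php")
  echo "home: $home_code  install.php: $install_code"
  verdict "$home_code" "$install_code"
}

# Usage: sh check_install.sh https://www.example.com
if [ $# -gt 0 ]; then
  check_install_block "$1"
fi
```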

Conclusion

It’s an easy fix. Once you have this in place, any major issue with the database will make your site show errors, but it will stop a visitor from installing a new site where yours used to be. It also helps to have a website uptime service in place, letting you know if you have any downtime issues.